11-09-2011 09:40 AM
I have a Cisco 1811W that after several years in service suddenly stopped allowing any wireless connection to laptops on the domain. It allows hard-wired connections and devices that are just using the wireless hot spot like iPads and iPhones, but not devices on the domain. These same laptops connect wirelessly without issue at our other facilities, which use the same hardware.
Here is the config file of the router in question...
router#show run
Building configuration...
Current configuration : 11776 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1083484987
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1083484987
revocation-check none
rsakeypair TP-self-signed-xxxx
!
!
dot11 syslog
!
dot11 ssid xxxx
vlan 44
authentication open
authentication key-management wpa
wpa-psk ascii 7
!
dot11 ssid xxxx
vlan 144
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
!
ip dhcp pool xxx-LAN
network xxx.xxx.xxx.xxx 255.255.255.0
domain-name xxxx
dns-server xxx.xxx.xxx.xxx
default-router xxx.xxx.xxx.xxx
lease 0 2
!
ip dhcp pool VLAN44
network xxx.xxx.xxx.xxx 255.255.255.0
default-router xxx.xxx.xxx.xxx
domain-name xxxx
dns-server xxx.xxx.xxx.xxx
lease 4
!
ip dhcp pool VLAN144
network xxx.xxx.xxx.xxx 255.255.255.0
default-router xxx.xxx.xxx.xxx
domain-name xxxx
dns-server 12.127.16.67 12.127.16.68
lease 4
!
!
ip cef
ip domain name xxxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip inspect tcp reassembly queue length 24
ip inspect name IPFW tcp timeout 3600
ip inspect name IPFW udp timeout 15
ip inspect name IPFW ftp
ip inspect name IPFW realaudio
ip inspect name IPFW smtp
ip inspect name IPFW h323
ip inspect name IPFW ftps
ip inspect name IPFW http
ip inspect name IPFW https
ip inspect name IPFW icmp
ip inspect name IPFW imap
ip inspect name IPFW imaps
ip inspect name IPFW irc
ip inspect name IPFW ircs
ip inspect name IPFW ntp
ip inspect name IPFW pop3
ip inspect name IPFW pop3s
ip inspect name IPFW radius
ip inspect name IPFW sip
ip inspect name IPFW sip-tls
ip inspect name IPFW ssh
ip inspect name IPFW telnet
ip inspect name IPFW telnets
ip inspect name IPFW vdolive
ip inspect name IPFW webster
ip inspect name IPFW dns
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
file prompt quiet
username admin password n
username laneadmin password n
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key 5122662533fedcbabcdef address 12.97.225.232
crypto isakmp key 5122662533fedcbabcdef address 12.97.224.120
crypto isakmp key 5122662533fedcbabcdef address 12.97.225.152
crypto isakmp key 5122662533fedcbabcdef address 12.97.230.154
crypto isakmp key 5122662533fedcbabcdef address 12.97.225.226
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA-LZO esp-aes 256 esp-sha-hmac comp-lzs
crypto ipsec df-bit clear
!
crypto ipsec profile SITE-to-SITE-DMVPN-Profile
set transform-set ESP-AES256-SHA
!
!
crypto ipsec client ezvpn ezvpn-client
connect auto
mode client
xauth userid mode interactive
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
path scp://cisco:wrs-.o#d8Au8M@fs00/$h-$t
write-memory
!
!
ip ssh version 2
bridge irb
!
!
!
interface Loopback0
ip address 1.1.1.5 255.255.255.252
!
interface Tunnel0
ip address xxx.xxx.xxx.xxx 255.255.255.0
no ip redirects
ip nhrp map xxx.xxx.xxx.xxx 12.97.230.154
ip nhrp map multicast 12.97.230.154
ip nhrp map xxx.xxx.xxx.xxx 12.97.225.226
ip nhrp map multicast 12.97.225.226
ip nhrp network-id 1
ip nhrp nhs xxx.xxx.xxx.xxx
ip nhrp nhs xxx.xxx.xxx.xxx
tunnel source 12.97.225.234
tunnel mode gre multipoint
tunnel protection ipsec profile SITE-to-SITE-DMVPN-Profile
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 44 mode ciphers tkip
!
encryption vlan 144 mode ciphers tkip
!
ssid XXXX
!
ssid XXX-guest
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
no cdp enable
!
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
!
interface Dot11Radio0.144
encapsulation dot1Q 144
bridge-group 144
bridge-group 144 subscriber-loop-control
bridge-group 144 spanning-disabled
bridge-group 144 block-unknown-source
no bridge-group 144 source-learning
no bridge-group 144 unicast-flooding
!
interface Dot11Radio1
no ip address
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface FastEthernet0
description 604 AT&T static IP
ip address 12.97.225.234 255.255.255.248
ip access-group IPFW-ACL-outside-A in
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect IPFW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet3
description phone system
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet4
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet5
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet6
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet7
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet8
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet9
description switchport uplink
switchport access vlan 4
!
interface Vlan1
no ip address
!
interface Vlan4
ip address xxx.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
ip policy route-map NONAT-LAN
!
interface Vlan5
no ip address
!
interface Vlan10
no ip address
!
interface Vlan44
description nnn private WLAN
no ip address
ip nat inside
ip virtual-reassembly
ip policy route-map NONAT-LAN
bridge-group 44
bridge-group 44 spanning-disabled
!
interface Vlan144
description nnn Guest WLAN
no ip address
ip nat inside
ip virtual-reassembly
ip policy route-map NONAT-LAN
bridge-group 144
bridge-group 144 spanning-disabled
!
interface Async1
no ip address
encapsulation slip
!
interface BVI44
description Bridge to nnn private WLAN
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI144
description Bridge to nnn Guest WLAN
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router eigrp 1
network xxx.xxx.xxx.xxx
network xxx.xxx.xxx.xxx
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.97.225.233
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-ACL interface FastEthernet0 overload
ip nat inside source static tcp xxx.xxx.xxx.xxx 22 interface FastEthernet0 22222
ip nat inside source route-map NO-NAT interface FastEthernet0 overload
!
ip access-list standard VTY-ACL
permit 192.168.0.0 0.0.63.255
!
ip access-list extended IPFW-ACL-outside
permit udp any any eq isakmp
permit udp any eq isakmp any
permit esp any any
permit tcp any host 12.97.225.234 eq 23232
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
deny ip any any
ip access-list extended IPFW-ACL-outside-A
permit tcp any host 12.97.225.234 eq 22222
permit udp any any eq isakmp
permit udp any eq isakmp any
permit esp any any
permit tcp any host 12.97.225.234 eq 23232
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
deny ip any any
ip access-list extended NAT-ACL
deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 any
deny ip 192.168.44.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.44.0 0.0.0.255 any
deny ip 192.168.144.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.144.0 0.0.0.255 any
ip access-list extended NONAT-LAN-RETURNING-ACL
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended VTY-ACL-A
deny ip 192.168.160.0 0.0.0.255 any
permit ip 192.168.44.0 0.0.0.255 any
permit ip 192.168.144.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit tcp any any eq 22
deny ip any any
!
logging trap notifications
logging source-interface Vlan5
logging 192.168.0.225
!
!
!
!
route-map NONAT-LAN permit 10
match ip address NONAT-LAN-RETURNING-ACL
set interface Loopback0
!
route-map NO-NAT permit 10
match ip address NAT-ACL
!
!
snmp-server community XXXsnmppub RO
!
control-plane
!
bridge 44 route ip
bridge 144 route ip
banner login ^C
Unauthorized access is prohibited and will be monitored and prosecuted.
If you are not explicitly authorized to access this device, you must
disconnect now.
^C
banner motd ^C
Unauthorized access is prohibited and will be monitored and prosecuted.
If you are not explicitly authorized to access this device, you must
disconnect now.
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class VTY-ACL-A in
password 7 nnn
transport input ssh
line vty 5 15
!
!
webvpn gateway webgateway
ssl trustpoint TP-self-signed-1083484987
no inservice
!
webvpn gateway sslvpn.xxx
hostname www.nnn
ssl trustpoint TP-self-signed-1083484987
inservice
end
router#
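As an added example (not part of the original post and not Cisco tooling), the script below runs a few reviewer-style checks over an excerpt of the config pasted above: ISAKMP pre-shared keys that are not stored as type 6, a user:password embedded in the `archive` SCP path, type 7 strings, TKIP-only WLAN ciphers, an SNMPv2c community, and `line vty` blocks with no explicit `access-class` or `transport input`. The excerpt, the finding codes and the parsing rules are this example's own; the excerpt keeps the post's redactions (`xxxx`, `nnn`) and redacts the SCP password as well.

```python
"""Audit a Cisco IOS running-config for exposed secrets and weak settings.

Added example for this thread (not from the original post or from Cisco).
Finding codes, the parser and the excerpt below are this example's own.
"""
import re
from typing import List, Tuple

# Constructed excerpt of the posted config: only the directives the checks
# look at, with the post's redactions kept and the SCP password redacted
# here too. Not a complete or real configuration.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
dot11 ssid xxxx
 vlan 44
 authentication key-management wpa
 wpa-psk ascii 7 xxxx
password encryption aes
username admin password n
crypto isakmp key xxxx address 12.97.225.232
crypto isakmp key xxxx address 12.97.224.120
archive
 log config
  hidekeys
 path scp://cisco:xxxx@fs00/$h-$t
interface Dot11Radio0
 encryption vlan 44 mode ciphers tkip
 encryption vlan 144 mode ciphers tkip
snmp-server community XXXsnmppub RO
line vty 0 4
 access-class VTY-ACL-A in
 password 7 nnn
 transport input ssh
line vty 5 15
!
end
"""

Block = Tuple[str, List[str]]


def parse_blocks(text: str) -> List[Block]:
    """Group indented sub-mode lines under their top-level command.

    IOS indents sub-mode lines with spaces and uses '!' as a separator.
    Nested levels (e.g. under 'archive') are flattened into one list.
    """
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_ios_config(text: str) -> List[str]:
    """Return 'CODE: detail' findings for the given config text."""
    findings: List[str] = []
    for head, body in parse_blocks(text):
        words = head.split()
        # ISAKMP keys appear verbatim in 'show run' unless stored as type 6.
        if head.startswith("crypto isakmp key ") and len(words) > 3 and words[3] != "6":
            findings.append(f"ISAKMP_KEY_CLEARTEXT: peer {words[-1]}")
        # Local accounts defined with 'password' rather than 'secret'.
        if words[0] == "username" and "password" in words:
            findings.append(f"USERNAME_PASSWORD_NOT_SECRET: {words[1]}")
        # SNMPv2c community strings travel and are stored in the clear.
        if words[0] == "snmp-server" and len(words) > 2 and words[1] == "community":
            findings.append(f"SNMP_V2C_COMMUNITY: {words[2]}")
        # A vty block with no explicit access-class / transport input
        # relies on platform defaults instead of stating the policy.
        if head.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in body):
                findings.append(f"VTY_NO_ACCESS_CLASS: {head}")
            if not any(l.startswith("transport input ") for l in body):
                findings.append(f"VTY_DEFAULT_TRANSPORT: {head}")
        for line in [head, *body]:
            # user:password embedded in a URL (archive path, copy targets).
            if re.search(r"://[^/@\s]+:[^/@\s]+@", line):
                findings.append(f"CREDENTIAL_IN_URL: {line.split()[0]} under '{head}'")
            # Type 7 is a reversible obfuscation, not encryption.
            if re.search(r"\b(password|wpa-psk ascii) 7\b", line):
                findings.append(f"TYPE7_REVERSIBLE: {line} under '{head}'")
            # WPA offering TKIP only, with no AES-CCMP cipher.
            if "mode ciphers" in line and "tkip" in line.split() and "aes-ccm" not in line:
                findings.append(f"TKIP_ONLY: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` saved to a file (or paste the config into `SAMPLE_CONFIG`); each finding names the block it came from so it can be matched back to the config by eye. The checks are deliberately pattern-based and say nothing about what the router actually does on the wire; they flag what a reviewer would want to look at before a config like this is posted or archived.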
11-09-2011 10:09 AM
Hmmm. Could there be a problem with the self-signed certificate on the 1811W having expired?
Another tack to try is, since the problem is specific to domain-based clients, I would say possibly a GPO that was recently deployed affects their authentication. Again, certificates (or the trusted root CA list specifically) are a possible area of investigation.
In what way does the connection fail? Can you connect with a non-domain laptop and examine the characteristics of a successful connection for comparison?
11-10-2011 06:57 AM
It was a twofold problem. There is another, stronger Wi-Fi signal that exists at the facility from another entity on a different domain that the two laptops were trying to associate to in lieu of the network signal from our 1811. This could only be seen while watching the Intel wireless PROSet app, NOT the Windows wireless management app. Then, by deleting all other old Wi-Fi networks listed in the Intel PROSet app except ours, it connected. Also set devices to never connect to the other signal. This was not an issue when I brought the laptop to another facility without a competing Wi-Fi signal because they would connect using the strongest and ONLY Wi-Fi network signal, which was ours.
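The condition found in the resolution above (the laptop associated to a stronger neighbouring SSID while the Windows wireless UI showed nothing useful) can be checked from a script rather than by eye. The Python below is an added example, not the poster's procedure and not Intel PROSet or Microsoft code; it parses the text that `netsh wlan show interfaces` and `netsh wlan show profiles` print on Windows and reports the associated SSID, whether it matches the expected one, and any saved profiles outside an allowlist, together with the `netsh` commands that delete the stray profiles and block the competing SSID (the two steps the poster took in PROSet). The SSID names and both sample outputs are constructed; the column layout assumed is the one those two commands print.

```python
"""Check a Windows client's Wi-Fi association against the expected SSID.

Added example for the resolution in this thread (not from the original
poster, Intel PROSet or Microsoft). Parses 'netsh wlan show interfaces'
and 'netsh wlan show profiles' output; SSIDs and sample text are made up.
"""
import re
from typing import Dict, List, Optional

# Constructed output of 'netsh wlan show interfaces' (trimmed). The client
# is on the neighbour's stronger SSID, not the corporate one.
SAMPLE_INTERFACES = """\
There is 1 interface on the system:

    Name                   : Wireless Network Connection
    Description            : Intel(R) Centrino(R) Advanced-N 6205
    State                  : connected
    SSID                   : NEIGHBOR-WIFI
    BSSID                  : 00:11:22:33:44:55
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Connection mode        : Auto Connect
    Signal                 : 92%
    Profile                : NEIGHBOR-WIFI
"""

# Constructed output of 'netsh wlan show profiles'.
SAMPLE_PROFILES = """\
Profiles on interface Wireless Network Connection:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : CORP-WLAN
    All User Profile     : NEIGHBOR-WIFI
    All User Profile     : HOTEL-OLD
"""

# 'Key   : value' rows; the key may contain spaces and parentheses, and the
# value may itself contain colons (BSSID), so split on the first colon only.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?)\s*:\s*(.*?)\s*$")
PROFILE_RE = re.compile(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$", re.M)


def parse_interfaces(text: str) -> Dict[str, str]:
    """Return field -> value for the first interface block in the output."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_profiles(text: str) -> List[str]:
    """Return the saved profile names listed by 'netsh wlan show profiles'."""
    return PROFILE_RE.findall(text)


def check_client(interfaces_text: str, profiles_text: str,
                 expected_ssid: str, allowed_profiles: List[str]) -> Dict[str, object]:
    """Compare association and saved profiles against the expected state."""
    iface = parse_interfaces(interfaces_text)
    connected: Optional[str] = iface.get("SSID") if iface.get("State") == "connected" else None
    stray = [p for p in parse_profiles(profiles_text) if p not in allowed_profiles]
    on_expected = connected == expected_ssid
    # Remediation mirrors the fix in the thread: drop every saved network
    # except ours, and forbid the competing SSID outright.
    remediation = [f'netsh wlan delete profile name="{p}"' for p in stray]
    if connected and not on_expected:
        remediation.append(
            f'netsh wlan add filter permission=block ssid="{connected}" networktype=infrastructure'
        )
    return {
        "connected_ssid": connected,
        "on_expected_ssid": on_expected,
        "auto_connect": iface.get("Connection mode") == "Auto Connect",
        "signal": iface.get("Signal"),
        "stray_profiles": stray,
        "remediation": remediation,
    }


if __name__ == "__main__":
    report = check_client(SAMPLE_INTERFACES, SAMPLE_PROFILES, "CORP-WLAN", ["CORP-WLAN"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live machine, replace the two sample strings with the output of the corresponding `netsh` commands (run from an elevated prompt if the profiles are to be deleted). The block filter is what actually prevents re-association to the stronger signal; deleting the profile alone still lets a user click the network again.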