Cisco 1811W stopped allowing wireless connection of domain laptops

it-support
Level 1

I have a Cisco 1811W that after several years in service suddenly stopped allowing any wireless connection to laptops on the domain. It allows hard wired connections and devices that are just using the wireless hot spot like iPads and iPhones but not devices on the domain. These same laptops connect wirelessly without issue at our other facilities which use the same hardware.

Here is the config file...

Here is the config file of the router in question...

router#show run

Building configuration...

Current configuration : 11776 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec localtime show-timezone year

service password-encryption

!

hostname xxx

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

no logging console

enable secret 5 xxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-1083484987

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1083484987

revocation-check none

rsakeypair TP-self-signed-xxxx

!

!

dot11 syslog

!

dot11 ssid xxxx

vlan 44

authentication open

authentication key-management wpa

wpa-psk ascii 7

!

dot11 ssid xxxx

vlan 144

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii 7

!

ip source-route

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address xxx.xxx.xxx.xxx

ip dhcp excluded-address xxx.xxx.xxx.xxx

ip dhcp excluded-address xxx.xxx.xxx.xxx

!

ip dhcp pool xxx-LAN

network xxx.xxx.xxx.xxx 255.255.255.0

domain-name xxxx

dns-server xxx.xxx.xxx.xxx

default-router xxx.xxx.xxx.xxx

lease 0 2

!

ip dhcp pool VLAN44

network xxx.xxx.xxx.xxx 255.255.255.0

default-router xxx.xxx.xxx.xxx

domain-name xxxx

dns-server xxx.xxx.xxx.xxx

lease 4

!

ip dhcp pool VLAN144

network xxx.xxx.xxx.xxx 255.255.255.0

default-router xxx.xxx.xxx.xxx

domain-name xxxx

dns-server 12.127.16.67 12.127.16.68

lease 4

!

!

ip cef

ip domain name xxxx

ip name-server xxx.xxx.xxx.xxx

ip name-server xxx.xxx.xxx.xxx

ip inspect tcp reassembly queue length 24

ip inspect name IPFW tcp timeout 3600

ip inspect name IPFW udp timeout 15

ip inspect name IPFW ftp

ip inspect name IPFW realaudio

ip inspect name IPFW smtp

ip inspect name IPFW h323

ip inspect name IPFW ftps

ip inspect name IPFW http

ip inspect name IPFW https

ip inspect name IPFW icmp

ip inspect name IPFW imap

ip inspect name IPFW imaps

ip inspect name IPFW irc

ip inspect name IPFW ircs

ip inspect name IPFW ntp

ip inspect name IPFW pop3

ip inspect name IPFW pop3s

ip inspect name IPFW radius

ip inspect name IPFW sip

ip inspect name IPFW sip-tls

ip inspect name IPFW ssh

ip inspect name IPFW telnet

ip inspect name IPFW telnets

ip inspect name IPFW vdolive

ip inspect name IPFW webster

ip inspect name IPFW dns

no ipv6 cef

!

multilink bundle-name authenticated

!

password encryption aes

!

!

file prompt quiet

username admin password n

username laneadmin password n

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

!

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp key 5122662533fedcbabcdef address 12.97.225.232

crypto isakmp key 5122662533fedcbabcdef address 12.97.224.120

crypto isakmp key 5122662533fedcbabcdef address 12.97.225.152

crypto isakmp key 5122662533fedcbabcdef address 12.97.230.154

crypto isakmp key 5122662533fedcbabcdef address 12.97.225.226

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES256-SHA-LZO esp-aes 256 esp-sha-hmac comp-lzs

crypto ipsec df-bit clear

!

crypto ipsec profile SITE-to-SITE-DMVPN-Profile

set transform-set ESP-AES256-SHA

!

!

crypto ipsec client ezvpn ezvpn-client

connect auto

mode client

xauth userid mode interactive

!

!

archive

log config

logging enable

notify syslog contenttype plaintext

hidekeys

path scp://cisco:wrs-.o#d8Au8M@fs00/$h-$t

write-memory

!

!

ip ssh version 2

bridge irb

!

!

!

interface Loopback0

ip address 1.1.1.5 255.255.255.252

!

interface Tunnel0

ip address xxx.xxx.xxx.xxx 255.255.255.0

no ip redirects

ip nhrp map xxx.xxx.xxx.xxx 12.97.230.154

ip nhrp map multicast 12.97.230.154

ip nhrp map xxx.xxx.xxx.xxx 12.97.225.226

ip nhrp map multicast 12.97.225.226

ip nhrp network-id 1

ip nhrp nhs xxx.xxx.xxx.xxx

ip nhrp nhs xxx.xxx.xxx.xxx

tunnel source 12.97.225.234

tunnel mode gre multipoint

tunnel protection ipsec profile SITE-to-SITE-DMVPN-Profile

!

interface Dot11Radio0

no ip address

no dot11 extension aironet

!

encryption vlan 44 mode ciphers tkip

!

encryption vlan 144 mode ciphers tkip

!

ssid XXXX

!

ssid XXX-guest

!

speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2437

station-role root

no cdp enable

!

interface Dot11Radio0.44

encapsulation dot1Q 44

bridge-group 44

bridge-group 44 subscriber-loop-control

bridge-group 44 spanning-disabled

bridge-group 44 block-unknown-source

no bridge-group 44 source-learning

no bridge-group 44 unicast-flooding

!

interface Dot11Radio0.144

encapsulation dot1Q 144

bridge-group 144

bridge-group 144 subscriber-loop-control

bridge-group 144 spanning-disabled

bridge-group 144 block-unknown-source

no bridge-group 144 source-learning

no bridge-group 144 unicast-flooding

!

interface Dot11Radio1

no ip address

speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0

station-role root

!

interface FastEthernet0

description 604 AT&T static IP

ip address 12.97.225.234 255.255.255.248

ip access-group IPFW-ACL-outside-A in

no ip redirects

no ip proxy-arp

ip nat outside

ip inspect IPFW out

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet2

switchport access vlan 4

spanning-tree portfast

!

interface FastEthernet3

description phone system

switchport access vlan 4

spanning-tree portfast

!

interface FastEthernet4

switchport access vlan 4

spanning-tree portfast

!

interface FastEthernet5

switchport access vlan 4

spanning-tree portfast

!

interface FastEthernet6

switchport access vlan 4

spanning-tree portfast

!

interface FastEthernet7

switchport access vlan 4

spanning-tree portfast

!

interface FastEthernet8

switchport access vlan 4

spanning-tree portfast

!

interface FastEthernet9

description switchport uplink

switchport access vlan 4

!

interface Vlan1

no ip address

!

interface Vlan4

ip address xxx.xxx.xxx.xxx 255.255.255.0

no ip redirects

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1200

ip policy route-map NONAT-LAN

!

interface Vlan5

no ip address

!

interface Vlan10

no ip address

!

interface Vlan44

description nnn private WLAN

no ip address

ip nat inside

ip virtual-reassembly

ip policy route-map NONAT-LAN

bridge-group 44

bridge-group 44 spanning-disabled

!

interface Vlan144

description nnn Guest WLAN

no ip address

ip nat inside

ip virtual-reassembly

ip policy route-map NONAT-LAN

bridge-group 144

bridge-group 144 spanning-disabled

!

interface Async1

no ip address

encapsulation slip

!

interface BVI44

description Bridge to nnn private WLAN

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface BVI144

description Bridge to nnn Guest WLAN

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip nat inside

ip virtual-reassembly

!

router eigrp 1

network xxx.xxx.xxx.xxx

network xxx.xxx.xxx.xxx

no auto-summary

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 12.97.225.233

no ip http server

no ip http secure-server

!

!

ip nat inside source list NAT-ACL interface FastEthernet0 overload

ip nat inside source static tcp xxx.xxx.xxx.xxx 22 interface FastEthernet0 22222

ip nat inside source route-map NO-NAT interface FastEthernet0 overload

!

ip access-list standard VTY-ACL

permit 192.168.0.0 0.0.63.255

!

ip access-list extended IPFW-ACL-outside

permit udp any any eq isakmp

permit udp any eq isakmp any

permit esp any any

permit tcp any host 12.97.225.234 eq 23232

permit icmp any any administratively-prohibited

permit icmp any any echo-reply

permit icmp any any packet-too-big

permit icmp any any time-exceeded

permit icmp any any traceroute

deny ip any any

ip access-list extended IPFW-ACL-outside-A

permit tcp any host 12.97.225.234 eq 22222

permit udp any any eq isakmp

permit udp any eq isakmp any

permit esp any any

permit tcp any host 12.97.225.234 eq 23232

permit icmp any any administratively-prohibited

permit icmp any any echo-reply

permit icmp any any packet-too-big

permit icmp any any time-exceeded

permit icmp any any traceroute

deny ip any any

ip access-list extended NAT-ACL

deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255

deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255

permit ip 192.168.4.0 0.0.0.255 any

deny ip 192.168.44.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255

deny ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255

deny ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255

deny ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.44.0 0.0.0.255 any

deny ip 192.168.144.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255

deny ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255

deny ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255

deny ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.144.0 0.0.0.255 any

ip access-list extended NONAT-LAN-RETURNING-ACL

permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255

permit ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255

permit ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255

permit ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255

permit ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255

ip access-list extended VTY-ACL-A

deny ip 192.168.160.0 0.0.0.255 any

permit ip 192.168.44.0 0.0.0.255 any

permit ip 192.168.144.0 0.0.0.255 any

permit ip 192.168.0.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

permit ip 192.168.3.0 0.0.0.255 any

permit ip 192.168.4.0 0.0.0.255 any

permit ip 192.168.5.0 0.0.0.255 any

permit tcp any any eq 22

deny ip any any

!

logging trap notifications

logging source-interface Vlan5

logging 192.168.0.225

!

!

!

!

route-map NONAT-LAN permit 10

match ip address NONAT-LAN-RETURNING-ACL

set interface Loopback0

!

route-map NO-NAT permit 10

match ip address NAT-ACL

!

!

snmp-server community XXXsnmppub RO

!

control-plane

!

bridge 44 route ip

bridge 144 route ip

banner login ^C

Unauthorized access is prohibited and will be monitored and prosecuted.

If you are not explicitly authorized to access this device, you must

disconnect now.

^C

banner motd ^C

Unauthorized access is prohibited and will be monitored and prosecuted.

If you are not explicitly authorized to access this device, you must

disconnect now.

^C

!

line con 0

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

access-class VTY-ACL-A in

password 7 nnn

transport input ssh

line vty 5 15

!

!

webvpn gateway webgateway

ssl trustpoint TP-self-signed-1083484987

no inservice

!

webvpn gateway sslvpn.xxx

hostname www.nnn

ssl trustpoint TP-self-signed-1083484987

inservice

end

router#

2 Replies

Marvin Rhoads
Hall of Fame

Hmmm. Could there be a problem with the self-signed certificate on the 1811W having expired?

Another tack to try: since the problem is specific to domain-based clients, I would say possibly a GPO that was recently deployed affects their authentication. Again, certificates (or the trusted root CA list specifically) are a possible area of investigation.

In what way does the connection fail? Can you connect with a non-domain laptop and examine the characteristics of a successful connection for comparison?

It was a two-fold problem. There is another, stronger Wi-Fi signal that exists at the facility from another entity on a different domain that the two laptops were trying to associate to in lieu of the network signal from our 1811. This could only be seen while watching the Intel wireless Proset app, NOT the Windows wireless management app. Then, by deleting all other old Wi-Fi networks listed in the Intel Proset app except ours, it connected. Also set devices to never connect to the other signal. This was not an issue when I brought the laptop to another facility without a competing Wi-Fi signal because they would connect using the strongest and ONLY Wi-Fi network signal, which was ours.
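The failure mode in the last reply (a saved profile for a stronger neighbouring network winning over the intended SSID) can be checked from a laptop's own scan list and profile list. This is an added example, not part of the original thread: it assumes the profiles are managed by Windows itself, so that `netsh wlan show networks mode=bssid` and `netsh wlan show profiles` reflect them (in the thread they were held by Intel PROSet), and the SSID names and sample output below are constructed.

```python
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output.
SCAN = """\
SSID 1 : CorpWLAN
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 42%
SSID 2 : NeighborNet
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 88%
    BSSID 2                 : 66:77:88:99:aa:cc
         Signal             : 35%
"""

# Constructed sample of `netsh wlan show profiles` output.
PROFILES = """\
User profiles
-------------
    All User Profile     : CorpWLAN
    All User Profile     : NeighborNet
    All User Profile     : OldHotel
"""

def best_signal(scan_text):
    """Map each visible SSID to the strongest signal (%) among its BSSIDs."""
    best, ssid = {}, None
    for line in scan_text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)
        if m:                       # "BSSID n" lines do not match this pattern
            ssid = m.group(1).strip()
            best.setdefault(ssid, 0)
            continue
        m = re.match(r"\s*Signal\s*:\s*(\d+)%", line)
        if m and ssid is not None:
            best[ssid] = max(best[ssid], int(m.group(1)))
    return best

def saved_profiles(profile_text):
    """Return the SSID names that have a saved profile on this machine."""
    pat = r"^[ \t]*(?:All User|Current User) Profile\s*:\s*(.+?)\s*$"
    return re.findall(pat, profile_text, re.M)

def competing(scan_text, profile_text, wanted):
    """Saved, visible networks at least as strong as the one we want to join."""
    sig = best_signal(scan_text)
    ours = sig.get(wanted, 0)
    return sorted((s, sig[s]) for s in saved_profiles(profile_text)
                  if s != wanted and s in sig and sig[s] >= ours)
```

Any SSID returned by `competing(...)` is a candidate for the cleanup the poster describes: remove its saved profile or block it on the client.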
