2 Cisco Aironet 1401 APs keep kicking users off

j4ckripp3r
Level 1

I have two Cisco Aironet 1401s connected to a Cisco Catalyst 3560 switch. When users log onto the Wi-Fi, the APs authenticate against a FreeRADIUS server that then authenticates with LDAP.

Recently users have been getting kicked off of the network but I'm not sure why.

Could this be a roaming issue?

If so, how do I set these APs to roam with my setup?

For all I know there could be an issue with the switch I'm just not sure where to start when it comes to troubleshooting this issue.

Much appreciated for the future help!


17 Replies

Scott Fella
Hall of Fame

Well, since you're doing 802.1X, when the client roams it will have to do a full re-auth.  In order to have some sort of seamless roaming, you need to implement WDS:

http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15roamg.html

If you were to use a preshared key instead of 802.1X, does that help? That can determine whether the issue occurs when the 802.1X client roams or not.  From what you stated, you think it's a roaming issue... just want to make sure if it is or not.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Hi Scott,

I can't set up a preshared key because I work for a company that has strict HIPAA rules.

Stupid question, but if I set up one of the Aironets as a WDS, will it still also function as an AP?

Cheers

Yes, it will still be an AP.  The only time you had to worry about that was with the older APs.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

j4ckripp3r
Level 1

I'm reading the article Scott_Fella posted and it says that if an AP is set to be a WDS then it can no longer serve clients.

Also, if an AP is set to WDS it will no longer be wired and throughput will be cut in half. That sucks because I need throughput. Is there a better way I can set up roaming without suffering throughput loss?

"A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disabled supports up to 60 participating access points."

That has to do with the number of WDS client APs.  If you only have two, it's not a concern.

As for the "no longer be wired" part, paste in the reference please.

HTH,
Steve

Ok here's a new update.

I'm not sure if it's a roaming issue now. I have people coming to me telling me that they are still connected to the wifi but they can't get out.

I'm not really experienced with Cisco IOS what should I check/troubleshoot?

The only thing I keep seeing repeatedly on the APs is this:

Warning * Packet to client reached max retries, removing the client

You need to actually test and be on site. Asking users is almost useless if you ask me. Update the client drivers, let us know what devices are affected, how many, etc.

Its hard to troubleshoot with many variables.

Sent from Cisco Technical Support iPhone App

-Scott

All the users are using Macbook Airs and Macbook Pros using Lion and Mountain Lion as the OS.

They all connect to two APs which are the Cisco Aironet 1401. Those APs connect to a Cisco Catalyst 3560. The APs authenticate to a Freeradius server on Ubuntu 12.04 and Freeradius ties into LDAP to authenticate users.

On the APs I get a lot of messages about:

Warning * Packet to client reached max retries, removing the client

I'll get the firmware updates, but what can I troubleshoot on the switch to see if any errors are happening on the ports connected to the APs? I can't get history/logs to enable for those ports.

Is that enough info?

Ahhhhh Apple... Well make sure your encryption is set to either WPA/TKIP or WPA2/AES. Don't mix and match as these devices will fail.

Post your config also.


-Scott

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap01
!
logging userinfo
logging buffered notifications
logging rate-limit console 9
logging console warnings
enable secret 5
!
aaa new-model
!
aaa group server radius rad_eap
 server 10.12.10.4 auth-port 1812 acct-port 1813
!
aaa authentication ppp default group radius
aaa authorization network default group rad_eap
aaa accounting update periodic 60
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip domain name company.net
!
dot11 syslog
dot11 vlan-name pwifi vlan 27
dot11 vlan-name wifi vlan 22
!
dot11 ssid WiFi
   vlan 22
   authentication open eap rad_eap
   authentication network-eap eap
   authentication key-management wpa version 2
   guest-mode
!
crypto pki trustpoint TP-self-signed-1212998699
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1212998699
 revocation-check none
 rsakeypair TP-self-signed-1212998699
!
crypto pki certificate chain TP-self-signed-1212998699
 certificate self-signed 01
  quit
!username Cisco privilege 15 password
username admin privilege 15 secret
!username rancid password
!
ip ssh logging events
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 22 mode ciphers aes-ccm
 !
 encryption vlan 27 mode ciphers aes-ccm
 !
 broadcast-key vlan 22 change 300
 !
 broadcast-key vlan 27 change 300
 !
 !
 ssid WiFi
 !
 antenna gain 100
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 packet retries 100
 channel 2412
 station-role root access-point
 rts retries 100
 infrastructure-client
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.27
 encapsulation dot1Q 27
 no ip route-cache
 bridge-group 27
 bridge-group 27 subscriber-loop-control
 bridge-group 27 block-unknown-source
 no bridge-group 27 source-learning
 no bridge-group 27 unicast-flooding
 bridge-group 27 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex full
 speed auto
 no keepalive
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0.27
 encapsulation dot1Q 27
 no ip route-cache
 bridge-group 27
 no bridge-group 27 source-learning
 bridge-group 27 spanning-disabled
!
interface BVI1
 ip address 10.12.0.10 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community
snmp-server location Solana Beach, California, USA
snmp-server contact OneRecovery NOC - noc@email.com
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3
radius-server attribute 32 include-in-access-req format %i
radius-server attribute list 64
!
!radius-server host 10.12.10.4 auth-port 1812 acct-port 1813 key
!radius-server key
bridge 1 route ip
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
sntp server 10.12.10.4
end
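Scott's "don't mix and match" advice can be checked mechanically against a config like the one just posted. The script below is an added example for this thread (not Cisco code and not something the poster ran): it parses the `dot11 ssid` and `encryption vlan ... mode ciphers` lines of an IOS autonomous-AP config and flags any SSID whose `key-management wpa` version does not line up with the cipher on its VLAN, or whose VLAN lists both `tkip` and `aes-ccm`. The pairings it enforces are the ones named above (WPA/TKIP, WPA2/AES); treating a version-less `key-management wpa` as the WPA/TKIP case is an assumption of this audit. The sample input is the relevant part of the cldap01 config plus a hypothetical second SSID, `Legacy` on VLAN 27, added so the mixed case is exercised.

```python
"""Cross-check WPA key-management against per-VLAN ciphers in a Cisco IOS
autonomous-AP config.  Added example for this thread, not Cisco code.

Rules applied (the pairings recommended in the thread; a version-less
'key-management wpa' is treated as version 1, an assumption of this audit):
  - key-management wpa [version 1] -> the SSID's VLAN should carry tkip
  - key-management wpa version 2   -> the SSID's VLAN should carry aes-ccm
  - a VLAN whose cipher line lists both tkip and aes-ccm is mixed mode
"""
import re

# Constructed sample: the relevant lines of the cldap01 config posted above,
# plus a hypothetical second SSID ("Legacy", vlan 27) that mixes modes.
SAMPLE_CONFIG = """\
dot11 ssid WiFi
   vlan 22
   authentication open eap rad_eap
   authentication network-eap eap
   authentication key-management wpa version 2
   guest-mode
!
dot11 ssid Legacy
   vlan 27
   authentication open eap rad_eap
   authentication key-management wpa
!
interface Dot11Radio0
 no ip address
 encryption vlan 22 mode ciphers aes-ccm
 encryption vlan 27 mode ciphers tkip aes-ccm
 ssid WiFi
 ssid Legacy
"""

WPA_EXPECTED = {1: "tkip", 2: "aes-ccm"}


def parse_ssids(cfg):
    """Return {ssid: {"vlan": int|None, "wpa_version": int|None}}."""
    ssids, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^dot11 ssid (\S+)$", line)
        if m:
            cur = m.group(1)
            ssids[cur] = {"vlan": None, "wpa_version": None}
            continue
        if not line.startswith(" "):
            cur = None          # '!' or another top-level command ends the ssid block
            continue
        if cur is None:
            continue            # indented line of some other block (e.g. an interface)
        s = line.strip()
        m = re.match(r"^vlan (\d+)$", s)
        if m:
            ssids[cur]["vlan"] = int(m.group(1))
        m = re.match(r"^authentication key-management wpa(?: version (\d))?", s)
        if m:
            ssids[cur]["wpa_version"] = int(m.group(1) or 1)
    return ssids


def parse_ciphers(cfg):
    """Return {vlan: set(cipher names)} from 'encryption vlan N mode ciphers ...'."""
    ciphers = {}
    for line in cfg.splitlines():
        m = re.match(r"^\s*encryption vlan (\d+) mode ciphers (.+)$", line)
        if m:
            ciphers[int(m.group(1))] = set(m.group(2).split())
    return ciphers


def audit(cfg):
    """Return [(ssid, finding), ...]; an empty list means the pairings are consistent."""
    findings = []
    ciphers = parse_ciphers(cfg)
    for ssid, info in parse_ssids(cfg).items():
        vlan, ver = info["vlan"], info["wpa_version"]
        expected = WPA_EXPECTED.get(ver)
        if expected is None:
            continue                      # no (known) WPA key management: nothing to cross-check
        suites = ciphers.get(vlan, set())
        if not suites:
            findings.append((ssid, f"wpa version {ver} but no cipher line for vlan {vlan}"))
            continue
        if {"tkip", "aes-ccm"} <= suites:
            findings.append((ssid, f"vlan {vlan} mixes tkip and aes-ccm; pick one"))
        if expected not in suites:
            findings.append((ssid, f"wpa version {ver} expects {expected}, vlan {vlan} has {sorted(suites)}"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_CONFIG) or [("-", "no findings")]:
        print(f"{ssid}: {finding}")
```

Run against the real config by replacing `SAMPLE_CONFIG` with the output of `show running-config`. On the posted config the `WiFi` SSID (WPA2 on VLAN 22, `aes-ccm`) comes back clean, which is why Scott moved on to the RADIUS side.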

Scott Fella
Hall of Fame

Looks fine... What errors do you see on your radius?


-Scott

root@cldops01:/var/log/freeradius# cat radius.log
Sun Dec 30 06:40:16 2012 : Info: HUP - loading modules
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "auth_log"
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "attr_filter.access_reject"
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "attr_filter.accounting_response"
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "detail"
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "suffix"
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "files"
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "radutmp"
Sun Dec 30 06:40:16 2012 : Info:  Module: Reloaded module "pap"
Sun Dec 30 06:40:16 2012 : Info: Loaded virtual server inner-tunnel
Sun Dec 30 06:40:16 2012 : Info: Loaded virtual server
Wed Jan  2 19:18:26 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan  2 19:18:26 2013 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Wed Jan  2 19:18:26 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan  2 19:18:26 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Wed Jan  2 19:18:29 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan  2 19:18:29 2013 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Wed Jan  2 19:18:29 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan  2 19:18:29 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Seems you have a certificate trust issue. The rule about PKI is that there must be a trust relationship between all devices in your domain. Hence if a user roams from one AP to the other and reauthentication occurs, the certificate presented should be trusted. Your debug shows 'unknown CA'.

On your client, could you possibly configure it to trust any certificate and not validate it and see what happens
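The accepted answer reads the `radius.log` lines as a trust failure on the client side. The Python below is an added example for this thread (not FreeRADIUS code and not something anyone in the thread ran) that makes that reading explicit: it parses each `TLS Alert` line together with the `TLS_accept: failed in ...` line that follows it and says which party lacks trust. The key detail is the direction word: `read` means the alert arrived from the peer (the Mac, relayed by the AP), so `read:fatal:unknown CA` during `read client certificate A`, i.e. after the server has already sent its own certificate, is the supplicant rejecting the CA that issued the FreeRADIUS EAP certificate; a `write` alert would be FreeRADIUS rejecting a client certificate, which only applies to EAP-TLS. The sample log is the error block pasted above plus one constructed `write` alert so both branches are exercised.

```python
"""Classify the TLS alerts in a FreeRADIUS radius.log like the one pasted
above.  Added example for this thread, not FreeRADIUS code.

How the lines are read (standard OpenSSL/FreeRADIUS logging semantics):
  - "TLS Alert read:fatal:<desc>"  : the peer (the Mac, relayed by the AP)
    sent the alert and the server received it.
  - "TLS Alert write:fatal:<desc>" : the server itself sent the alert.
  - "TLS_accept: failed in <step>" : where the server's handshake state
    machine was.  "read client certificate A" means the server had already
    sent its own certificate and was waiting for the client's next flight.
A read:unknown CA at that step therefore means the supplicant does not
trust the CA that issued the RADIUS server's EAP certificate.
"""
import re
from collections import Counter

# Constructed sample: the error lines the poster pasted, plus one hypothetical
# 'write' alert (the last two lines) so the server-side case is exercised too.
SAMPLE_LOG = """\
Sun Dec 30 06:40:16 2012 : Info: Loaded virtual server inner-tunnel
Wed Jan  2 19:18:26 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan  2 19:18:26 2013 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Wed Jan  2 19:18:26 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan  2 19:18:26 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Wed Jan  2 19:18:29 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan  2 19:18:29 2013 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Wed Jan  2 19:18:29 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan  2 19:18:29 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Wed Jan  2 19:20:01 2013 : Error: TLS Alert write:fatal:unknown CA
Wed Jan  2 19:20:01 2013 : Error:     TLS_accept: failed in SSLv3 read client certificate B
"""

ALERT_RE = re.compile(
    r"^(?P<ts>.+?) : Error: TLS Alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+)$")
STEP_RE = re.compile(r"TLS_accept: failed in (?P<step>.+)$")


def parse_tls_failures(log_text):
    """One dict per TLS alert, carrying the handshake step from the
    TLS_accept line that follows it (None if no such line)."""
    failures = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            failures.append({"ts": m["ts"], "direction": m["dir"],
                             "level": m["level"], "desc": m["desc"].strip(),
                             "step": None})
            continue
        m = STEP_RE.search(line)
        if m and failures and failures[-1]["step"] is None:
            failures[-1]["step"] = m["step"].strip()
    return failures


def diagnose(failure):
    """Say which side is missing trust, for the alerts this thread is about."""
    desc, direction = failure["desc"], failure["direction"]
    step = failure["step"] or "unknown step"
    if desc == "unknown CA" and direction == "read":
        return ("client rejected the server certificate: supplicant does not "
                "trust the CA that issued the RADIUS/EAP server certificate")
    if desc == "unknown CA" and direction == "write":
        return ("server rejected the client certificate: its issuing CA is not "
                "in the CA bundle FreeRADIUS uses for EAP-TLS")
    return f"{direction} {failure['level']} alert '{desc}' during '{step}'"


def summarize(log_text):
    """Collapse a log full of repeats into a Counter of root causes."""
    return Counter(diagnose(f) for f in parse_tls_failures(log_text))


if __name__ == "__main__":
    for cause, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {cause}")
```

To use it on the server, feed `parse_tls_failures` the contents of `/var/log/freeradius/radius.log`. Telling a Mac to accept any certificate is useful as the diagnostic the accepted answer proposes, but it should not be left that way: a PEAP or TTLS supplicant that skips server validation will complete the tunnel with any rogue AP and hand over the user's inner credentials. The durable fix is to install the CA that issued the FreeRADIUS certificate on the clients (on OS X, via a configuration profile that pins it to the SSID) so validation passes on every reauthentication, including the one triggered by roaming between the two APs.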

When you say client, are you talking about my system or the AP?
