01-04-2013 09:16 AM - edited 07-03-2021 11:17 PM
I have two Cisco Aironets 1401 connected to a Cisco Catalyst 3560 Switch. When users log onto the Wifi the APs authenticate with a Freeradius that then authenticates with LDAP.
Recently users have been getting kicked off of the network but I'm not sure why.
Could this be a roaming issue?
If so, how do I set these APs to roam with my setup?
For all I know there could be an issue with the switch I'm just not sure where to start when it comes to troubleshooting this issue.
Much appreciated for the future help!
01-04-2013 09:21 AM
Well, since you're doing 802.1x, when the client roams it will have to do a full re-auth. In order to have some sort of seamless roaming, you need to implement WDS:
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15roamg.html
If you were to use preshared key instead of 802.1x, does that help... that can determine if the issue is when the 802.1x client roams or not. From what you stated, you think it's a roaming issue... just want to make sure if it is or not.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-04-2013 09:59 AM
Hi Scott,
I can't set up preshared key because I work for a company that has strict HIPAA rules.
Stupid question, but if I set up one of the Aironets as a WDS, will it still also function as an AP?
Cheers
01-04-2013 10:00 AM
Yes, it will still be an AP. The only time you had to worry about that was with the older APs.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
01-04-2013 10:14 AM
I'm reading the article Scott_Fella posted and it says that if an AP is set to be a WDS then it can no longer serve clients.
Also, if an AP is set to WDS it will no longer be wired and throughput will be cut in half. That sucks because I need throughput. Is there a better way I can set up roaming without suffering throughput loss?
01-04-2013 10:18 AM
"A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disabled supports up to 60 participating access points."
That has to do with the number of WDS client AP. If you only have two, it's not a concern.
As for the 'no longer be wired', please paste in the reference.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
01-04-2013 10:31 AM
Ok here's a new update.
I'm not sure if it's a roaming issue now. I have people coming to me telling me that they are still connected to the wifi but they can't get out.
I'm not really experienced with Cisco IOS; what should I check/troubleshoot?
The only thing I keep seeing repeatedly on the APs is this:
Warning * Packet to client
01-04-2013 10:35 AM
You need to actually test and be on site. Asking users is almost useless if you ask me. Update the client drivers, let us know what devices are affected, how many, etc.
It's hard to troubleshoot with many variables.
Sent from Cisco Technical Support iPhone App
01-04-2013 10:50 AM
All the users are using Macbook Airs and Macbook Pros using Lion and Mountain Lion as the OS.
They all connect to two APs which are the Cisco Aironet 1401. Those APs connect to a Cisco Catalyst 3560. The APs authenticate to a Freeradius server on Ubuntu 12.04 and Freeradius ties into LDAP to authenticate users.
On the APs I get a lot of messages about:
Warning * Packet to client
I'll get the firmware updates for the updates but what can I troubleshoot on the switch to see if any errors are happening on the ports connected to the APs? I can't get history/logs to enable for those ports.
Is that enough info?
01-04-2013 10:54 AM
Ahhhhh Apple... Well make sure your encryption is set to either WPA/TKIP or WPA2/AES. Don't mix and match as these devices will fail.
Post your config also.
Sent from Cisco Technical Support iPhone App
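The "don't mix and match" rule above is easy to check mechanically before clients start failing. The following is an added example, not code from the thread or from Cisco: a small Python lint that reads an IOS access-point config, pairs each `dot11 ssid` block's WPA version with the `encryption vlan N mode ciphers` line for its VLAN, and flags a VLAN that carries both AES-CCMP and TKIP or a WPA version whose cipher set does not match the sanctioned pairing (WPA2 with aes-ccm only, WPA with tkip only). The sample config is constructed: the `WiFi` SSID mirrors the one posted later in this thread, and the `Guest` SSID on VLAN 30 is invented to show a mixed-cipher finding. Treating an unversioned `wpa` as "accepts both WPA and WPA2 clients" is an assumption taken from IOS AP documentation and is simply skipped here.

```python
import re

# Constructed sample in the style of the AP config posted later in this thread.
# "WiFi" mirrors the thread's WPA2/AES setup; "Guest" (vlan 30) is invented and
# mixes AES-CCMP with TKIP under WPA2, the combination Scott warns against.
SAMPLE_CONFIG = """\
dot11 ssid WiFi
 vlan 22
 authentication open eap rad_eap
 authentication network-eap eap
 authentication key-management wpa version 2
 guest-mode
!
dot11 ssid Guest
 vlan 30
 authentication open
 authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 22 mode ciphers aes-ccm
 encryption vlan 30 mode ciphers aes-ccm tkip
 ssid WiFi
 ssid Guest
!
"""

SSID_RE = re.compile(r"^dot11 ssid (\S+)$")
VLAN_RE = re.compile(r"^vlan (\d+)$")
KEYMGMT_RE = re.compile(r"^authentication key-management wpa(?: version (\d))?")
ENC_RE = re.compile(r"^encryption vlan (\d+) mode ciphers (.+)$")

# The pairings recommended in the thread: WPA2 with AES-CCMP only, WPA with TKIP only.
EXPECTED_CIPHERS = {"2": {"aes-ccm"}, "1": {"tkip"}}


def parse_config(text):
    """Collect per-SSID key-management settings and per-VLAN cipher sets."""
    ssids = {}      # ssid name -> {"vlan": str | None, "wpa_version": str | None}
    ciphers = {}    # vlan id -> set of configured cipher names
    current = None  # SSID block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        m = SSID_RE.match(line)
        if m:
            current = m.group(1)
            ssids[current] = {"vlan": None, "wpa_version": None}
            continue
        m = ENC_RE.match(line)
        if m:
            ciphers[m.group(1)] = set(m.group(2).split())
            continue
        if current is None:
            continue
        m = VLAN_RE.match(line)
        if m:
            ssids[current]["vlan"] = m.group(1)
            continue
        m = KEYMGMT_RE.match(line)
        if m:
            # Unversioned "wpa" accepts both WPA and WPA2 clients (assumption
            # from IOS AP documentation); it stays None and is skipped below.
            ssids[current]["wpa_version"] = m.group(1)
    return ssids, ciphers


def lint(text):
    """Return a list of (ssid, problem) tuples for cipher/key-management mismatches."""
    ssids, ciphers = parse_config(text)
    findings = []
    for name, info in ssids.items():
        vlan, version = info["vlan"], info["wpa_version"]
        if version is None:
            continue  # no WPA key management, or unversioned mixed mode: out of scope
        configured = ciphers.get(vlan, set())
        if not configured:
            findings.append((name, "WPA key management but no 'encryption ... mode ciphers' for vlan %s" % vlan))
        elif {"aes-ccm", "tkip"} <= configured:
            findings.append((name, "mixed AES-CCMP and TKIP ciphers on vlan %s; pick one suite" % vlan))
        elif version in EXPECTED_CIPHERS and configured != EXPECTED_CIPHERS[version]:
            findings.append((name, "WPA version %s expects ciphers %s, found %s"
                             % (version, sorted(EXPECTED_CIPHERS[version]), sorted(configured))))
    return findings


if __name__ == "__main__":
    for ssid, problem in lint(SAMPLE_CONFIG):
        print("%s: %s" % (ssid, problem))
```

Run against the config the original poster pastes below, the `WiFi` SSID on VLAN 22 (WPA version 2, `aes-ccm`) produces no finding, which agrees with Steve's "looks fine"; only the invented `Guest` SSID is reported.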
01-04-2013 11:05 AM
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap01
!
logging userinfo
logging buffered notifications
logging rate-limit console 9
logging console warnings
enable secret 5
!
aaa new-model
!
aaa group server radius rad_eap
server 10.12.10.4 auth-port 1812 acct-port 1813
!
aaa authentication ppp default group radius
aaa authorization network default group rad_eap
aaa accounting update periodic 60
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip domain name company.net
!
dot11 syslog
dot11 vlan-name pwifi vlan 27
dot11 vlan-name wifi vlan 22
!
dot11 ssid WiFi
vlan 22
authentication open eap rad_eap
authentication network-eap eap
authentication key-management wpa version 2
guest-mode
!
crypto pki trustpoint TP-self-signed-1212998699
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1212998699
revocation-check none
rsakeypair TP-self-signed-1212998699
!
crypto pki certificate chain TP-self-signed-1212998699
certificate self-signed 01
quit
!username Cisco privilege 15 password
username admin privilege 15 secret
!username rancid password
!
ip ssh logging events
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 22 mode ciphers aes-ccm
!
encryption vlan 27 mode ciphers aes-ccm
!
broadcast-key vlan 22 change 300
!
broadcast-key vlan 27 change 300
!
!
ssid WiFi
!
antenna gain 100
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
packet retries 100
channel 2412
station-role root access-point
rts retries 100
infrastructure-client
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface Dot11Radio0.27
encapsulation dot1Q 27
no ip route-cache
bridge-group 27
bridge-group 27 subscriber-loop-control
bridge-group 27 block-unknown-source
no bridge-group 27 source-learning
no bridge-group 27 unicast-flooding
bridge-group 27 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex full
speed auto
no keepalive
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface GigabitEthernet0.27
encapsulation dot1Q 27
no ip route-cache
bridge-group 27
no bridge-group 27 source-learning
bridge-group 27 spanning-disabled
!
interface BVI1
ip address 10.12.0.10 255.255.255.0
no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community
snmp-server location Solana Beach, California, USA
snmp-server contact OneRecovery NOC - noc@email.com
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3
radius-server attribute 32 include-in-access-req format %i
radius-server attribute list 64
!
!radius-server host 10.12.10.4 auth-port 1812 acct-port 1813 key
!radius-server key
bridge 1 route ip
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
sntp server 10.12.10.4
end
01-04-2013 11:09 AM
Looks fine... What errors do you see on your radius?
Sent from Cisco Technical Support iPhone App
01-04-2013 11:16 AM
root@cldops01:/var/log/freeradius# cat radius.log
Sun Dec 30 06:40:16 2012 : Info: HUP - loading modules
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "auth_log"
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "attr_filter.access_reject"
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "attr_filter.accounting_response"
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "detail"
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "suffix"
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "files"
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "radutmp"
Sun Dec 30 06:40:16 2012 : Info: Module: Reloaded module "pap"
Sun Dec 30 06:40:16 2012 : Info: Loaded virtual server inner-tunnel
Sun Dec 30 06:40:16 2012 : Info: Loaded virtual server
Wed Jan 2 19:18:26 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan 2 19:18:26 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
Wed Jan 2 19:18:26 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan 2 19:18:26 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Wed Jan 2 19:18:29 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan 2 19:18:29 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
Wed Jan 2 19:18:29 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan 2 19:18:29 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
01-04-2013 11:33 AM
Seems you have a certificate trust issue. The rule about PKI is that there must be a trust relationship between all devices in your domain. Hence if a user roams from one AP to the other and reauthentication occurs, the certificate presented should be trusted. Your debug shows 'unknown CA'.
On your client, could you possibly configure it to trust any certificate and not validate it and see what happens
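The radius.log excerpt above is the kind of thing worth watching for continuously rather than discovering after users complain. The following is an added example, not code from the thread or from the FreeRADIUS project: a Python parser for the `radius.log` line format shown above that extracts every `TLS Alert read:` entry (an alert FreeRADIUS received from the supplicant, so its description says what the client objected to), groups alerts by description with first/last-seen times, and attaches a plain-language hint. The sample lines are constructed to match the excerpt in this thread, and the hint table is an assumption based on the TLS alert descriptions in RFC 5246 section 7.2.2.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the radius.log excerpt posted in this thread
# (the same four-line error pattern repeating every few seconds).
SAMPLE_LOG = """\
Sun Dec 30 06:40:16 2012 : Info: Loaded virtual server inner-tunnel
Wed Jan 2 19:18:26 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan 2 19:18:26 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
Wed Jan 2 19:18:26 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan 2 19:18:26 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Wed Jan 2 19:18:29 2013 : Error: TLS Alert read:fatal:unknown CA
Wed Jan 2 19:18:29 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
Wed Jan 2 19:18:29 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jan 2 19:18:29 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)
# "TLS Alert read:" is FreeRADIUS reporting an alert it received from the peer,
# so the description tells you what the supplicant rejected.
ALERT_RE = re.compile(r"TLS Alert read:(?P<severity>\w+):(?P<desc>.+)$")

# Plain-language meaning of alert descriptions commonly seen from EAP supplicants.
# Assumption: wording derived from the alert list in RFC 5246 section 7.2.2.
ALERT_HINTS = {
    "unknown ca": "supplicant does not trust the CA that issued the RADIUS server certificate",
    "bad certificate": "supplicant rejected the server certificate itself (name, usage or encoding)",
    "certificate expired": "server certificate or an issuer in its chain is outside its validity period",
    "certificate unknown": "supplicant rejected the certificate for an unspecified reason",
}


def parse_line(line):
    """Split one radius.log line into (timestamp, level, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def tls_alerts(text):
    """Every TLS alert the server logged as read from a peer, as
    (timestamp, severity, lower-cased description) tuples."""
    found = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        a = ALERT_RE.search(msg)
        if a:
            found.append((ts, a.group("severity"), a.group("desc").strip().lower()))
    return found


def summarize(text):
    """Group alerts by description with count, first/last seen and a hint."""
    alerts = tls_alerts(text)
    report = []
    for desc, count in Counter(d for _, _, d in alerts).most_common():
        stamps = [ts for ts, _, d in alerts if d == desc]
        report.append({
            "alert": desc,
            "count": count,
            "first": min(stamps),
            "last": max(stamps),
            "hint": ALERT_HINTS.get(desc, "see RFC 5246 section 7.2.2 alert descriptions"),
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%-20s x%d  %s .. %s  %s" % (row["alert"], row["count"],
                                           row["first"], row["last"], row["hint"]))
```

Because the alert is sent by the client, turning off certificate validation on the client (as suggested above) is a useful way to confirm the diagnosis, while the durable fix is to get the CA that issued the FreeRADIUS server certificate into the clients' trust store so that validation can stay on.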
01-04-2013 11:51 AM
When you say client, are you talking about my system or the AP?