11-07-2013 01:25 PM - edited 03-07-2019 04:29 PM
Hey all, I've configured quite a few access points before. Mostly 1142s. We have these other ones, 1200 access points. I didn't configure them but I'm here troubleshooting why I can't connect to a WPA (TKIP) network. See the config below. The config is pretty much the exact same as the 1142s but when I try to connect to the Secure-WLAN it asks for a username/password before the network key? I have no idea why, I've looked through my config everywhere and it's the same as my 1142s. The code on these is a lot newer but I'm not sure if that is it. Please have a look!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CNPB01
!
logging rate-limit console 9
enable secret 5 $1$VRwm$umrusCyYKsgQX87TjwWDW/
!
no aaa new-model
no ip routing
ip domain name heavy.local
!
!
dot11 syslog
!
dot11 ssid CN-Guest
vlan 853
authentication open
mbssid guest-mode
!
dot11 ssid Secure-WLAN
vlan 811
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 121A0A051E0E08557878
!
dot11 arp-cache optional
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2948609350
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2948609350
revocation-check none
rsakeypair TP-self-signed-2948609350
!
!
crypto pki certificate chain TP-self-signed-2948609350
certificate self-signed 01
quit
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
encryption vlan 811 mode ciphers tkip
!
ssid CN-Guest
!
ssid Secure-WLAN
!
antenna gain 0
stbc
mbssid
channel 2432
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.811
encapsulation dot1Q 811
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
!
interface Dot11Radio0.853
encapsulation dot1Q 853
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
encryption vlan 811 mode ciphers tkip
!
ssid CN-Guest
!
ssid Secure-WLAN
!
antenna gain 0
dfs band 3 block
stbc
mbssid
channel 5745
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.811
encapsulation dot1Q 811
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
!
interface Dot11Radio1.853
encapsulation dot1Q 853
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.811
encapsulation dot1Q 811
no ip route-cache
bridge-group 254
bridge-group 254 spanning-disabled
no bridge-group 254 source-learning
!
interface GigabitEthernet0.853
encapsulation dot1Q 853
no ip route-cache
bridge-group 255
bridge-group 255 spanning-disabled
no bridge-group 255 source-learning
!
interface BVI1
ip address x.x.x.x 255.255.254.0
no ip route-cache
!
ip default-gateway 172.16.206.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
bridge 1 route ip
!
!
!
line con 0
login local
line vty 0 4
login local
transport input ssh
!
end
11-07-2013 01:36 PM
Just a little update. On my Windows 8 laptop I get the username/password prompt. I can enter anything in there and then move to the next step; I then enter the network key for the SSID and I'm on the network.
When I go to someone who has a Windows XP (I believe) PC it just gets stuck on validating identity. No prompts and they can't connect.
We shouldn't get anything but a network key prompt, so I'm a little stumped.
11-07-2013 02:54 PM
I read this in the release notes.
When Cipher Is TKIP Only, Key Management Must Be Enabled
When you configure TKIP-only cipher encryption (not TKIP + WEP 128 or TKIP + WEP 40) on any radio interface or VLAN, every SSID on that radio or VLAN must be set to use WPA or CCKM key management. If you configure TKIP on a radio or VLAN but you do not configure key management on the SSIDs, client authentication fails on the SSIDs.
So I changed the encryption to WPA CCKM and WPA2 but I'm getting the same thing. It's asking me for a username and password before the network key, same happened to another user with a MAC. I took the encryption off and everything worked great. This is frustrating.
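The release-note rule quoted in the post above can be checked mechanically against an autonomous AP configuration. The following is an added example, not code from the poster or from Cisco: the function names and the sample are constructed, and it assumes a radio-wide `encryption mode ciphers tkip` line covers every SSID attached to that radio, which is a literal reading of the release note.

```python
import re

# Constructed excerpt modelled on the config posted in this thread.
SAMPLE = """dot11 ssid CN-Guest
vlan 853
dot11 ssid Secure-WLAN
vlan 811
authentication key-management wpa
interface Dot11Radio0
encryption mode ciphers tkip
encryption vlan 811 mode ciphers tkip
ssid CN-Guest
ssid Secure-WLAN
"""

def parse(config):
    """Return ({ssid: settings}, {radio: TKIP-only scopes and attached SSIDs})."""
    ssids, radios, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"dot11 ssid (\S+)", line):
            cur = ssids.setdefault(m[1], {"vlan": None, "km": False})
        elif m := re.fullmatch(r"interface (\S+)", line):
            is_radio = re.fullmatch(r"Dot11Radio\d+", m[1])  # skip subinterfaces
            cur = radios.setdefault(m[1], {"tkip": [], "ssids": []}) if is_radio else None
        elif cur is None:
            continue
        elif "km" in cur:  # inside a "dot11 ssid" block
            if m := re.fullmatch(r"vlan (\d+)", line):
                cur["vlan"] = m[1]
            elif line.startswith("authentication key-management "):
                cur["km"] = True
        elif m := re.fullmatch(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", line):
            if m[2].split() == ["tkip"]:  # TKIP-only, not TKIP + WEP
                cur["tkip"].append(m[1])  # None means radio-wide
        elif m := re.fullmatch(r"ssid (\S+)", line):
            cur["ssids"].append(m[1])
    return ssids, radios

def find_violations(config):
    """List (radio, ssid, scope) where TKIP-only applies but key management is unset."""
    ssids, radios = parse(config)
    hits = []
    for radio, r in radios.items():
        for name in r["ssids"]:
            s = ssids.get(name)
            if s and not s["km"]:
                hits += [(radio, name, f"vlan {v}" if v else "radio")
                         for v in r["tkip"] if v is None or v == s["vlan"]]
    return hits
```

The parser strips leading whitespace, so it also accepts a configuration pasted without indentation, as in this thread.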
11-08-2013 01:36 PM
This has to be buggy software. Any help?