04-15-2013 06:41 AM - edited 07-03-2021 11:55 PM
I have two Cisco 1200AP.
I have it configured with two SSIDs, one corporate (802.1x) and one using WPA2 Personal.
I have no issues on the corporate, but I have found that Apple devices appear to detect it as a WPA2 Enterprise, and request a username and password.
If I enter the network manually as WPA2 Personal, the device joins the network OK.
Then occasionally the device loses its link to the network and fails to pass traffic.
Building configuration...
Current configuration : 5134 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BCB-WIFI-ENG
!
enable secret 5 <removed>
!
username Cisco password 7 <removed>
username spectra privilege 15 secret 5 <removed>
username CiscoCA privilege 15 secret 5 <removed>
ip subnet-zero
ip domain name spectra.local
ip name-server 10.0.1.2
ip name-server 10.0.2.2
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.0.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 network-map
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
encryption vlan 5 mode ciphers tkip
!
encryption vlan 1001 mode ciphers tkip
!
ssid S-Guest-Wifi
vlan 5
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 062702245E470A180B361E180D10232A2A7A67657041574751
!
ssid s
vlan 1001
authentication open eap eap_methods
authentication key-management wpa
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.5
encapsulation dot1Q 5
no ip route-cache
no cdp enable
bridge-group 5
bridge-group 5 subscriber-loop-control
bridge-group 5 block-unknown-source
no bridge-group 5 source-learning
no bridge-group 5 unicast-flooding
bridge-group 5 spanning-disabled
!
interface Dot11Radio0.1001
encapsulation dot1Q 1001 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
encryption vlan 5 mode ciphers tkip
!
encryption vlan 1001 mode ciphers tkip
!
ssid S-Guest-Wifi
vlan 5
authentication open
authentication key-management wpa
wpa-psk ascii 7 047A06031D284F4F07380904131F0505247970786167724255
!
ssid s
vlan 1001
authentication open eap eap_methods
authentication key-management wpa
!
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio1.5
encapsulation dot1Q 5
no ip route-cache
no cdp enable
bridge-group 5
bridge-group 5 subscriber-loop-control
bridge-group 5 block-unknown-source
no bridge-group 5 source-learning
no bridge-group 5 unicast-flooding
bridge-group 5 spanning-disabled
!
interface Dot11Radio1.1001
encapsulation dot1Q 1001 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
ntp broadcast client
!
interface FastEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 5
no bridge-group 5 source-learning
bridge-group 5 spanning-disabled
!
interface FastEthernet0.1001
encapsulation dot1Q 1001 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.0.1.203 255.255.255.0
no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip http authentication local
ip radius source-interface BVI1
logging trap notifications
access-list 22 remark SNMP Access List
access-list 22 permit 10.0.1.3 log
access-list 22 deny any log
snmp-server community <removed> RO 22
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps aaa_server
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server host 10.0.1.3 <removed>
radius-server host 10.0.1.5 auth-port 1645 acct-port 1646 key 7 <removed>
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
line con 0
line vty 5 15
!
ntp server 91.208.177.20
end
04-15-2013 07:10 AM
What are you actually seeing... if they are trying to connect using 802.1x, the Apple devices will ask for a username and password. If the Apple devices detect the SSID as a preshared key, then it will just ask for a password.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
04-15-2013 07:19 AM
When discovering "S-Guest-Wifi" and then connecting, the device prompts for username and password. There is no username and password that is authorised.
If I enter the network manually, I set it to Personal and enter the correct password. It connects OK.
I just want to simplify the join process for the user.
I don't even mind if I have to get users to have a username and password for guest access. That would stop me having to rotate my Guest PSK.
04-15-2013 09:19 AM
Can you try to change the Guest SSID to: Guest-Wifi
See if this helps... might be the S causing issues, but want to make sure.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
04-15-2013 06:47 PM
I would first highly recommend upgrading the IOS image on the 1200 Access Points. The current image installed, 12.2, is no longer even available for download from Cisco. The latest 12.3 image available for the 1200 is c1200-k9w7-tar.123-8.JEE.tar with a release date of 10-DEC-2010. The first non-deferred release available is c1200-k9w7-tar.123-4.JA2.tar with a release date of 06-APR-2006. The 12.3 IOS image will allow you to define each SSID globally instead of on each radio interface, which will allow you to define guest-mode on both radios.
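The per-radio SSID definitions in the posted 12.2 configuration can drift apart, which is what the reply above points at with guest-mode. The following Python check is an added example, not part of the original thread and not Cisco tooling: it parses the per-radio ssid blocks and reports settings that are present on one radio but not the other. The names SAMPLE_CONFIG, parse_radio_ssids and radio_mismatches are hypothetical, and the sample is a constructed excerpt with placeholder keys.

```python
# Constructed excerpt in the flattened layout of the posted config; PSKs are placeholders.
SAMPLE_CONFIG = """\
interface Dot11Radio0
ssid S-Guest-Wifi
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <placeholder>
!
ssid s
authentication open eap eap_methods
!
interface Dot11Radio1
ssid S-Guest-Wifi
authentication open
authentication key-management wpa
wpa-psk ascii 7 <placeholder>
!
ssid s
authentication open eap eap_methods
!
"""

def parse_radio_ssids(config):
    """Return {ssid: {radio: set(settings)}} for SSID blocks under interfaces."""
    result, radio, ssid = {}, None, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            radio, ssid = line.split(None, 1)[1], None
        elif radio and line.startswith("ssid "):
            ssid = line.split(None, 1)[1]
            result.setdefault(ssid, {})[radio] = set()
        elif line in ("!", ""):
            ssid = None  # "!" closes the current ssid block
        elif ssid:
            # Compare the presence of a PSK, never the encoded value itself.
            result[ssid][radio].add("wpa-psk" if line.startswith("wpa-psk") else line)
    return result

def radio_mismatches(config):
    """List (ssid, setting, radios_having_it) where the radios disagree."""
    out = []
    for ssid, radios in sorted(parse_radio_ssids(config).items()):
        for setting in sorted(set().union(*radios.values())):
            have = sorted(r for r, s in radios.items() if setting in s)
            if len(have) != len(radios):
                out.append((ssid, setting, have))
    return out
```

Calling radio_mismatches on a saved running-config returns an empty list when every SSID is configured identically on all radios that carry it.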