
Issue with AP Auth List

nix-patheon
Level 1

Hi guys,

I'm having problems joining an AP (3602I) to my controller (5508) when authorising MICs against my auth-list on the controller.

I have added the AP MAC address to the auth-list but the AP won't successfully join. The controller occasionally says "joined" and I can view it in the AP list, but the AP status is always UNKNOWN, whereby I will reset the AP and try again.

Any ideas?

Thanks.

Accepted Solutions

The X.509 certificates are burned into protected flash on both the access point (AP) and WLC at the factory by Cisco. On the AP, factory installed certificates are called manufacturing installed certificates (MIC).

You must select MIC box to connect AP to WLC.

For Auth for APs

you can add the MAC address of APs and check the box "Authorize MIC APs against auth-list or AAA".

Regards


19 Replies

Scott Fella
Hall of Fame

If the AP is joined, then there is a weird issue going on. Can you issue a show ap summary and post that and let us know what AP is the issue.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks Scott.

AP summary:

AP78da.6e42.85ca     2     AIR-CAP3602I-E-K9     78:da:6e:42:85:ca  default location           10.201.30.203    0

AP join stats summary:

Base Mac             AP EthernetMac       AP Name                 IP Address         Status

c0:7b:bc:76:49:e0    c0:7b:bc:76:49:e0    AP78da.6e42.85ca        10.201.30.203      Not Joined

AP join stats detailed:

(Cisco Controller) >show ap join stats detailed c0:7b:bc:76:49:e0

Sync phase statistics

- Time at sync request received............................ Not applicable

- Time at sync completed................................... Not applicable

Discovery phase statistics

- Discovery requests received.............................. 183

- Successful discovery responses sent...................... 183

- Unsuccessful discovery request processing................ 0

- Reason for last unsuccessful discovery attempt........... Not applicable

- Time at last successful discovery attempt................ Mar 07 12:58:56.749

- Time at last unsuccessful discovery attempt.............. Not applicable

Join phase statistics

- Join requests received................................... 60

- Successful join responses sent........................... 0

- Unsuccessful join request processing..................... 0

- Reason for last unsuccessful join attempt................ Not applicable

- Time at last successful join attempt..................... Not applicable

- Time at last unsuccessful join attempt................... Not applicable

Configuration phase statistics

--More-- or (q)uit

- Configuration requests received.......................... 0

- Successful configuration responses sent.................. 0

- Unsuccessful configuration request processing............ 0

- Reason for last unsuccessful configuration attempt....... Not applicable

- Time at last successful configuration attempt............ Not applicable

- Time at last unsuccessful configuration attempt.......... Not applicable

Last AP message decryption failure details

- Reason for last message decryption failure............... Not applicable

Last AP disconnect details

- Reason for last AP connection failure.................... Not applicable

- Last AP disconnect reason................................ Not applicable

Last join error summary

- Type of error that occurred last......................... None

- Reason for error that occurred last...................... Not applicable

- Time at which the last join error occurred............... Not applicable

AP disconnect details

- Reason for last AP connection failure.................... Not applicable

Ethernet Mac : c0:7b:bc:76:49:e0  Ip Address : 10.201.30.203

Gui is still showing as joined however: join-fail.png

Thanks.
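The join statistics in the post above count requests in the join phase with neither a success nor a failure recorded. As an added example (not part of the original thread), this Python script parses that `show ap join stats detailed` text and lists such phases; the function names are hypothetical and the sample is abridged from the posted output.

```python
import re

# Abridged from the "show ap join stats detailed" output posted above,
# pager prompt included.
SAMPLE = """\
Discovery phase statistics
- Discovery requests received.............................. 183
- Successful discovery responses sent...................... 183
- Unsuccessful discovery request processing................ 0
- Time at last successful discovery attempt................ Mar 07 12:58:56.749
Join phase statistics
- Join requests received................................... 60
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
Configuration phase statistics
--More-- or (q)uit
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
"""

PHASE = re.compile(r"^(\w+) phase statistics$")
FIELD = re.compile(r"^-\s+(.+?)\.{2,}\s*(.*)$")

def parse_join_stats(text):
    """Return {phase: {"requests": n, "ok": n, "failed": n}} from the CLI text."""
    phases, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("--More--"):
            continue  # blank lines and pager prompts carry no data
        header, field = PHASE.match(line), FIELD.match(line)
        if header:
            current = phases.setdefault(header.group(1).lower(), {})
        elif not field:
            current = None  # some other section heading: stop attributing
        elif current is not None and field.group(2).isdigit():
            label, value = field.group(1).lower(), int(field.group(2))
            if label.startswith("unsuccessful"):
                current["failed"] = value
            elif label.startswith("successful"):
                current["ok"] = value
            elif label.endswith("requests received"):
                current["requests"] = value
    return phases

def stalled_phases(phases):
    """Phases with requests received but no success and no failure counted."""
    return [name for name, c in phases.items()
            if c.get("requests", 0) > 0 and not c.get("ok") and not c.get("failed")]
```
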

Post the WLC show inventory and the AP show ver

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****


Scott Fella
Hall of Fame

Make sure you're running at least v7.2... Preferred code is v7.2.121.0 as v7.2.115.2 is for FIPS, v7.1, v7.3 & v7.5 are deferred.

http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

Thanks,

Scott


show inv:

Burned-in MAC Address............................ E8:B7:48:A1:CD:A0

Power Supply 1................................... Present, OK

Power Supply 2................................... Absent

Maximum number of APs supported.................. 100

NAME: "Chassis"    , DESCR: "Cisco 5500 Series Wireless LAN Controller"

PID: AIR-CT5508-K9,  VID: V01,  SN: xxxxxxxxxx

AP sh ver:

AP78da.6e42.85ca#sh ver

Cisco IOS Software, C3600 Software (AP3G2-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2013 by Cisco Systems, Inc.

Compiled Tue 30-Jul-13 22:57 by prod_rel_team

ROM: Bootstrap program is C3600 boot loader

BOOTLDR: C3600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(23c)JY, RELEASE SOFTWARE (fc1)

AP78da.6e42.85ca uptime is 22 minutes

System returned to ROM by power-on

System image file is "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1"

Last reload reason:

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

cisco AIR-CAP3602I-E-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.

Processor board ID FCZ1749J1KS

PowerPC CPU at 800Mhz, revision number 0x2151

Last reset from power-on

LWAPP image version 7.5.102.0

1 Gigabit Ethernet interface

2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 78:DA:6E:42:85:CA

Part Number                          : 73-14521-02

PCA Assembly Number                  : 800-37501-02

PCA Revision Number                  : A0

PCB Serial Number                    : FOC17444F2D

Top Assembly Part Number             : 800-35852-02

Top Assembly Serial Number           : FCZ1749J1KS

Top Revision Number                  : C0

Product/Model Number                 : AIR-CAP3602I-E-K9

Configuration register is 0x

WLC software version: 7.5.102.0

FUS: 7.0.112.21

Thanks again Scott.

Can you paste the output of sh sysinfo from WLC.

This can not be FUS:7.0.112.21

I think something is wrong here: you must RMA the device.

Regards

Apologies, Field Recovery Image Version: 7.0.112.21

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.5.102.0

Bootloader Version............................... 1.0.16

Field Recovery Image Version..................... 7.0.112.21

Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2

Build Type....................................... DATA + WPS

System Name...................................... SSC-WLC-02

System Location.................................. Swindon DC Row C

System Contact................................... Pete Nixon

System ObjectID.................................. 1.3.6.1.4.1.9.1.1069

Redundancy Mode.................................. Disabled

IP Address....................................... 10.201.30.129

Last Reset....................................... Software reset

System Up Time................................... 24 days 8 hrs 43 mins 9 secs

System Timezone Location......................... (GMT) London, Lisbon, Dublin, Edinburgh

System Stats Realtime Interval................... 5

System Stats Normal Interval..................... 180

Configured Country............................... GB  - United Kingdom

Operating Environment............................ Commercial (0 to 40 C)

Internal Temp Alarm Limits....................... 0 to 65 C

Internal Temperature............................. +39 C

External Temperature............................. +22 C

Fan Status....................................... OK

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 5

Number of Active Clients......................... 700

Burned-in MAC Address............................ E8:B7:48:A1:CD:A0

Power Supply 1................................... Present, OK

Power Supply 2................................... Absent

Maximum number of APs supported.................. 100

Yes, it seems OK.

Can you paste the screenshot of the page Security > AP Policies.

Regards

Just some further information Scott, the output above was when I successfully joined it to the controller a few moments ago using accept MIC policy.

The summary stats show the correct IP from the scope (10.201.30.203), as does the AP summary screen in the gui but looking at the AP in further detail it has 0.0.0.0 as its address:

no-ip.png

I have tried to assign the address as static, but it generates an error message:

error.png

Screen capture your auth list. You don't need anything checked except for the default. Your AP isn't joining.


-Scott

Scott Fella
Hall of Fame

Should be like this


Auth-list below mate:

auth-list.png

At the moment, the AP is pingable on 10.201.30.203, after an attempted join using authorised list, but it's not downloading the image and I can't configure anything using the gui on the controller.

Cheers.

Check the Accept Manufactured Installed Certificate box, then the AP will connect automatically.

As Scott sent the screenshot.

Regards

Thanks Sandeep.

I can join them using the default no problem. However, it is a requirement that I increase security of what APs can join the controller, and even without adding the MAC to the AP authorisation list, I can join an AP no problem...
