
1142 in HREAP Mode

michael.lussier
Level 1

My setup is in the lab. I'm testing this to move out to multiple remote locations.

I'm running 7.98.209 code on the WiSM.

I have configured a single 1142 on a state office location mockup WAN circuit. The AP is sitting on a trunk port. VLAN 1 is native and VLAN 100 is for the wireless users. The AP is static to the local subnet of the office, and the wireless users get their DHCP from the office router, and that is a block of private IP space. I'm using NAT for the wireless users to come back to the home office.

In the home office I have WiSM configured. I can see the remote location over the simulated WAN link. The AP is reachable with round trip pings of less than 60 msec.

HREAP was set up to keep the users local in their office but authenticate to the home office. The setup is WPA2/AES using MS-PEAP. I have 2 WiSM modules that this AP is homed to, Pri & Backup. The configs are identical. The fail between them hasn't been tested yet. I have included the IP addresses of the two home office ACS servers in the HREAP, and I have also placed the username and passwords into WCS to go to the AP.

The problem.

If I put in place my blocking ACL on the office router to simulate the drop off of the WAN link, then the end user connected wirelessly to the office setup also drops after about 5 minutes. I expected the wireless client to stay connected and authenticate via the AP. Is this a problem with using PEAP?

3 Replies

Surendra BG
Cisco Employee

Hi,

We are using Central Authentication and local switching, and when the WAN link fails the state is called "auth Down, Local switching". Here the already connected clients should remain connected till the WAN link comes up, but no new connections will be initiated. This works only in standalone mode.

If you say that the clients are getting disconnected every 5 minutes, then that's strange!

The below link may help you in better explaining the same.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml#cl

To troubleshoot, I want you to configure:

1. IDLE Timeout and ARP Timeout to MAX or 0 (WLC GUI >> CONTROLLER >> GENERAL); the default value is 300.

2. On the WLAN to which we are getting connected, disable Session Timeout or configure it for 0 seconds:

WLAN >> WLAN EDIT >> ADVANCED >> SESSION TIMEOUT >> 0 or Disable.

Monitor the issue and feel free to update the post if that resolves the issue!!

Regards

Surendra


I am currently using Central Authentication and local switching. I'm concerned that when I lose my WAN connection I lose everything. I drop my DHCP and I am dropped.

Since I have a lack of resources in the lab, I set up an ACL to block access to the WiSM controllers only and let me access internal resources.

Extended IP access list Block_Controllers
    10 deny ip any 10.0.0.0 0.255.255.255 (933 matches)
    20 permit ip any any (1831 matches)

On the AP this is my output:

*May 20 18:10:05.472: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*May 20 18:10:10.538: %DOT11-7-AUTH_FAILED: Station 000b.cd5a.50b2 Authentication failed
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (156.33.250.10)

The username and password that were entered on the WCS were checked and verified to be correct.

WCS >> Wireless >> Hreap Groups >> Local Auth >> Local Users >>

>> Wireless >> HREAP Groups >> General >> The Hreap AP in question is listed right there.

I have both radius servers assigned and Local Authentication Enabled.

I think this is an issue that HREAP doesn't like WPA2/AES and PEAP? At least in ver 7.0.98.209?

I did make the adjustments you asked for.

I do need to add back the reauthentication time of 1800. The concern is that the AP is failing to authenticate me.

With the values knocked out per your instructions I do stay connected.
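
The AP output quoted in the thread pairs a controller-discovery error with a station authentication failure. The following is an added example, not part of the original thread or of any Cisco tool, that flags that pairing in saved AP logs. The function names, the 5-minute correlation window, the assumed year and the last sample line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2000  # assumption: AP timestamps carry no year; any fixed year works

# The first three lines are the AP output quoted in the thread; the last line
# (a later failure of the same station) is constructed for this example.
SAMPLE_LOG = """\
*May 20 18:10:05.472: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*May 20 18:10:10.538: %DOT11-7-AUTH_FAILED: Station 000b.cd5a.50b2 Authentication failed
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (156.33.250.10)
*May 20 18:25:40.100: %DOT11-7-AUTH_FAILED: Station 000b.cd5a.50b2 Authentication failed
"""

LINE_RE = re.compile(
    r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
STATION_RE = re.compile(r"Station ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) ")

def parse_events(log_text):
    """Yield (timestamp, mnemonic, message) for each timestamped syslog line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # untimestamped console output such as "Translating ..."
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}",
                               "%Y %b %d %H:%M:%S.%f")
        yield ts, m.group(2), m.group(3)

def auth_failures_while_controller_down(log_text, window=timedelta(minutes=5)):
    """Return (timestamp, station MAC) for each 802.11 auth failure logged within
    `window` after the AP last reported that it could not find its controller."""
    last_controller_error = None
    hits = []
    for ts, mnemonic, message in parse_events(log_text):
        if mnemonic == "CAPWAP-3-ERRORLOG" and "Could Not resolve" in message:
            last_controller_error = ts
        elif mnemonic == "DOT11-7-AUTH_FAILED" and last_controller_error is not None:
            station = STATION_RE.search(message)
            if station and ts - last_controller_error <= window:
                hits.append((ts, station.group(1)))
    return hits

if __name__ == "__main__":
    for ts, mac in auth_failures_while_controller_down(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S} station {mac} failed auth while the controller was unreachable")
```

Hits from this check point at the AP's local authentication path rather than the RADIUS servers, since the failure was logged while the controller could not be reached.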
