08-12-2019 01:46 PM - edited 07-05-2021 10:50 AM
Authentication does not work for http GUI and SSH. Ping and http respond and console authentication works. This is for local auth-only. I have no TACACS....
-----------------> HERE IS THE CONFIGURATION
Cisco 2504 Wireless LAN Controller - initial configuration to access GUI
(PC 192.168.170.71 connect to port 1 http://
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]:
System Name [Cisco_43:5c:04] (31 characters max): CORPWLC
Enter Administrative User Name (24 characters max): root
Enter Administrative Password (3 to 24 characters): PASSWORD
Re-enter Administrative Password : PASSWORD
Enable Link Aggregation (LAG) [yes][NO]: no
Management Interface IP Address: 192.168.170.70
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 192.168.170.1
Cleaning up Provisioning SSID
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1 to 4]: 1
Management Interface DHCP Server IP Address: 192.168.170.1
Virtual Gateway IP Address: 1.1.1.1
Multicast IP Address: 239.255.1.60
Mobility/RF Group Name: CORP
Network Name (SSID): Employee
Configure DHCP Bridging Mode [yes][NO]: yes
Warning! Enabling Bridging mode will disable Internal DHCP server and DHCP Proxy feature.
May require DHCP helper functionality on external switches.
Allow Static IP Addresses [YES][no]: yes
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]:
Enable 802.11b Network [YES][no]: yes
Enable 802.11a Network [YES][no]: yes
Enable 802.11g Network [YES][no]: yes
Enable Auto-RF [YES][no]: yes
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: yes
Enter the date in MM/DD/YY format: 07/29/15
Enter the time in HH:MM:SS format: 16:49:00
Would you like to configure IPv6 parameters[YES][no]: no
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Cleaning up Provisioning SSID
Configuration saved!
Resetting system with new configuration...
-----------------> HERE IS PING FROM LAPTOP ON VLAN 111 AND HTTP://192.168.170.70
-----------------> HERE IS - SH MGMTUSER - SH NETUSER - SH SYSINFO - SH INT DET MANAGE
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show mgmtuser
User Name Permissions Description Password Strength
----------------------- ------------ --------------------- ------------------
root read-write Strong
(Cisco Controller) >show netuser summary
Maximum logins allowed for a given user name..... Unlimited
User Name WLAN Id User Type Lifetime Description
------------------------ -------- --------- ------------------------------ --------------------------------
netuser Any Permanent N/A netuser
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.220.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0
Build Type....................................... DATA + WPS
System Name...................................... Cisco_da:4d:04
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 192.168.170.70
Last Reset....................................... Software reset
System Up Time................................... 0 days 0 hrs 28 mins 26 secs
System Timezone Location.........................
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
--More-- or (q)uit
Next Boot License Type........................... Permanent
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +32 C
External Temperature............................. +36 C
Fan Status....................................... 4300 rpm
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ 64:D8:14:DA:4D:00
Maximum number of APs supported.................. 5
(Cisco Controller) >
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... 64:d8:14:da:4d:00
IP Address....................................... 192.168.170.70
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.170.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 111
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 192.168.170.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
08-12-2019 02:03 PM
Pls check SSH & HTTPS are enabled on WLC.
Also note that management access via wireless is disabled by default. So if your test PC is on wireless, test it with wired first.
(WLC) >grep include ssh "show network summary"
Press any key to continue..
Secure Shell (ssh).......................... Enable
Secure Shell (ssh) Cipher-Option High....... Disable
There are 2 lines matching the pattern ssh
(WLC) >grep include 'Secure Web Mode' "show network summary"
Press any key to continue..
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode SSL Protocol................ Disable
There are 3 lines matching the pattern Secure Web Mode
HTH
Rasika
*** Pls rate all useful responses ***
08-13-2019 07:31 AM
Rasika, thank you for answering my question. I don't know what happened I just lost comms with the WLC. I was re-entering stuff like "conf network webmode enable" it won't ping anymore?
-----------==================WLC 192.168.170.70=================------------------
(Cisco Controller) >show cdp neighbors detail
-------------------------
Device ID: BACKUPSW.mydomain
Entry address(es): 192.168.170.72
Platform: cisco WS-C2960-8TC-L, Capabilities: Switch IGMP
Interface: GigabitEthernet0/0/1, Port ID (outgoing port): FastEthernet0/8
Holdtime : 143 sec
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Mon 03-Mar-14 22:53 by prod_rel_team
Advertisement version: 2
Duplex: Full
(Cisco Controller) >ping 192.168.170.72
*osapi_ping_rx: Jan 01 21:03:27.610: %OSAPI-3-TASK_SET_TICKLE: osapi_task.c:3913 Task osapi_ping_rx requesting 1 second timer. Minimum is 20.Setting to 20.
Send count=3, Receive count=0 from 192.168.170.72
(Cisco Controller) >
*osapiReaper: Jan 01 21:03:37.153: %OSAPI-5-CLEAN_TASK: osapi_task.c:3290 Reaper cleaning up exited task 'osapi_ping_rx' (0x14aaa1f0)
(Cisco Controller) >
-------------------------
(Cisco Controller) >show network summary
RF-Network Name............................. 239.255.1.60
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Enable
Secure Web Mode Cipher-Option SSLv2......... Enable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Multicast Address : 0.0.0.0
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Enable
--More-- or (q)uit
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Fast SSID Change ........................... Disabled
IP/MAC Addr Binding Check .................. Enabled
(Cisco Controller) >
(Cisco Controller) >
------------=====================SWITCH with WLC/laptops===========-----------------
BACKUPSW#
BACKUPSW#sh cdp nei detail | b Cisco_da:4d:04
Device ID: Cisco_da:4d:04
Entry address(es):
IP address: 192.168.170.70
Platform: AIR-CT2504-K9, Capabilities: Host
Interface: FastEthernet0/8, Port ID (outgoing port): GigabitEthernet0/0/1
Holdtime : 121 sec
Version : Manufacturer's Name: Cisco Systems Inc. Product Name: Cisco Controller Product Version: 7.0.220.0 RTOS Version: Erro Bootloader Version: 1.0.16 Build Type: DATA + WPS
advertisement version: 2
Duplex: full
Management address(es):
BACKUPSW#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.170.70 0 64d8.14da.4d00 ARPA Vlan111
Internet 192.168.170.72 - 0023.34ae.cf41 ARPA Vlan111
Internet 192.168.170.1 0 f0f7.554f.d201 ARPA Vlan111
Internet 192.168.170.18 14 18db.f22c.5d2b ARPA Vlan111
Internet 192.168.170.59 4 a4ba.db9e.9bdc ARPA Vlan111
BACKUPSW# ping 192.168.170.70
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.170.70, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BACKUPSW# ping 192.168.170.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.170.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
BACKUPSW#
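An added example (not code from this thread) that audits the "show network summary" output posted above for the management-access settings discussed here: SSH and HTTPS on, cleartext or legacy access flagged. The BASELINE table and the function names are assumptions of the example.

```python
import re

# Excerpt of the "show network summary" output posted in this thread (7.0.220.0).
SAMPLE = """\
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Enable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Mgmt Via Wireless Interface................. Enable
--More-- or (q)uit
Web Auth Redirect Ports .................... 80
"""

# Setting -> (wanted state, reason). The baseline is this example's assumption.
BASELINE = {
    "Secure Shell (ssh)": ("Enable", "encrypted CLI access"),
    "Secure Web Mode": ("Enable", "HTTPS GUI access"),
    "Web Mode": ("Disable", "GUI over cleartext HTTP"),
    "Telnet": ("Disable", "CLI over cleartext Telnet"),
    "Secure Web Mode Cipher-Option SSLv2": ("Disable", "obsolete SSLv2 accepted"),
    "Mgmt Via Wireless Interface": ("Disable", "management reachable from WLAN clients"),
}

# "Key....... value": key, a run of dots, then the value (which may be empty).
DOTTED = re.compile(r"^(.+?)\s*\.{2,}\s*(.*)$")

def parse_summary(text):
    """Map each dotted 'show' line to its value; pager and prompt lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = DOTTED.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(text, baseline=BASELINE):
    """Return (setting, found, wanted, reason) for every setting off the baseline."""
    settings = parse_summary(text)
    findings = []
    for key, (wanted, reason) in baseline.items():
        found = settings.get(key, "<not in output>")
        # Releases print both "Enable" and "Enabled", so compare by prefix.
        if not found.lower().startswith(wanted.lower()):
            findings.append((key, found, wanted, reason))
    return findings

if __name__ == "__main__":
    for key, found, wanted, reason in audit(SAMPLE):
        print(f"{key}: {found} (want {wanted}) - {reason}")
```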
08-13-2019 07:40 AM
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... 64:d8:14:da:4d:00
IP Address....................................... 192.168.170.70
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.170.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 111
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 192.168.170.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.220.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0
Build Type....................................... DATA + WPS
System Name...................................... Cisco_da:4d:04
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 192.168.170.70
Last Reset....................................... Software reset
System Up Time................................... 0 days 0 hrs 42 mins 45 secs
System Timezone Location.........................
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
--More-- or (q)uit
Next Boot License Type........................... Permanent
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +33 C
External Temperature............................. +36 C
Fan Status....................................... 4300 rpm
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ 64:D8:14:DA:4D:00
Maximum number of APs supported.................. 5
(Cisco Controller) >
08-13-2019 07:52 AM - edited 08-14-2019 05:14 AM
I've never seen such an inconsistent Cisco device. I've only been able to get the http://192.168.1.1 GUI to work two times - even after resetting with "recover-config." And now it won't even ping. I've enabled information logging but I don't see anything good in the logs....
08-14-2019 06:48 AM
There are 2 mac addresses coming from WLC Port 1 management interface. I even had a port-security violation before putting the port-security max to 100!!! How is Ethernet going to associate an ip address to the WLC and what is the other mac address?
---------------------============================------------------------
-------------------======================------------------
BACKUPSW#sh run int fa0/8
interface FastEthernet0/8
switchport trunk native vlan 111
switchport trunk allowed vlan 1,111,200
switchport mode trunk
switchport port-security maximum 100
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky f078.1670.1240
switchport port-security mac-address sticky f078.1670.1244
end
BACKUPSW#
08-14-2019 07:17 AM
Connected the 2nd 2504 with the "identical config" and looked at the switch - it also shows 2 mac addresses on mgmt port 1. Why does "sh cdp nei" work but traceroute fails?
BACKUPSW#sh run int fa0/8
interface FastEthernet0/8
switchport trunk native vlan 111
switchport trunk allowed vlan 1,111,200
switchport mode trunk
switchport port-security maximum 100
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 64d8.14da.4d00
switchport port-security mac-address sticky 64d8.14da.4d04
switchport port-security mac-address sticky f078.1670.1240
switchport port-security mac-address sticky f078.1670.1244
end
BACKUPSW#
BACKUPSW#traceroute ip 192.168.170.1
Tracing the route to 192.168.170.1
1 192.168.170.1 0 msec 0 msec *
BACKUPSW#traceroute ip 192.168.170.41
Tracing the route to 192.168.170.41
1 192.168.170.41 0 msec 0 msec 0 msec
BACKUPSW#traceroute ip 192.168.170.70
Tracing the route to 192.168.170.70
1 * * *
2 * * *
3 * * *
BACKUPSW#
BACKUPSW#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.170.70 0 64d8.14da.4d00 ARPA Vlan111
Internet 192.168.170.71 118 5897.1e3c.8841 ARPA Vlan111
Internet 192.168.170.72 - 0023.34ae.cf41 ARPA Vlan111
Internet 192.168.170.1 0 f0f7.554f.d201 ARPA Vlan111
Internet 192.168.170.18 117 18db.f22c.5d2b ARPA Vlan111
Internet 192.168.170.41 2 a4ba.db9e.9bdc ARPA Vlan111
BACKUPSW#
08-14-2019 10:51 AM
I finally gave up on connecting to the management port on vlan 111 and configured management on vlan 0. Had to put a static ip address 192.168.170.254 and I'm in.
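The fix in the last post (management on VLAN 0, which the setup wizard labels untagged) fits a tagging mismatch between two outputs posted earlier: the WLC management interface is on VLAN 111 while Fa0/8 carries VLAN 111 as the trunk native VLAN. Added example, not from the thread, that checks a WLC interface against a switch port for this; the function names are the example's own, and it assumes the IOS default of sending the native VLAN untagged.

```python
import re

# Excerpts of output posted in this thread (WLC management interface, switch port Fa0/8).
WLC_MGMT = """\
Interface Name................................... management
VLAN............................................. 111
Quarantine-vlan.................................. 0
"""
SWITCHPORT = """\
interface FastEthernet0/8
 switchport trunk native vlan 111
 switchport trunk allowed vlan 1,111,200
 switchport mode trunk
"""

def wlc_vlan(text):
    """VLAN id the WLC interface tags with; 0 (shown as 'untagged') means no 802.1Q tag."""
    m = re.search(r"^VLAN\.{2,}\s*(\S+)", text, re.M)
    if not m:
        raise ValueError("no VLAN line in WLC output")
    return 0 if m.group(1).lower() == "untagged" else int(m.group(1))

def expand(vlans):
    """Turn an IOS VLAN list such as '1,111,200-210' into a set of ints."""
    ids = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_trunk(cfg):
    """Mode, native VLAN (IOS default 1) and allowed VLANs (None = all) of one interface."""
    port = {"mode": None, "native": 1, "allowed": None}
    for words in (line.split() for line in cfg.splitlines()):
        if words[:2] == ["switchport", "mode"]:
            port["mode"] = words[2]
        elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
            port["native"] = int(words[4])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"] and words[4][0].isdigit():
            port["allowed"] = expand(words[4])
    return port

def check_tagging(wlc_text, switch_cfg):
    """Return (ok, reason). Assumes the switch sends its native VLAN untagged (IOS default)."""
    tag, port = wlc_vlan(wlc_text), parse_trunk(switch_cfg)
    if tag == 0:
        return True, f"WLC untagged; frames land in switch native VLAN {port['native']}"
    if port["mode"] != "trunk":
        return False, f"WLC tags VLAN {tag} but the switch port is not a trunk"
    if tag == port["native"]:
        return False, f"WLC tags VLAN {tag}, switch sends VLAN {tag} untagged (native)"
    if port["allowed"] is not None and tag not in port["allowed"]:
        return False, f"VLAN {tag} is not in the trunk allowed list"
    return True, f"VLAN {tag} is tagged on both sides"
```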