
3602i Autonomous AP configuration for WGB PEAP to lightweight AP - Association issues

joshua Slaney
Level 1

I'm having issues getting a WGB bridge (autonomous) connected to an SSID. The SSID is broadcast from a centralized WLC with lightweight access points. It supports WPA/TKIP or WPA2/AES with 802.1x/CCKM for authentication key management. PEAP (MS-CHAPv2) is used for the authentication. I've referenced the document http://www.cisco.com/c/en/us/support/docs/wireless/virtual-wireless-controller/115736-wgb-peap-00.html for a base config.

The goal is to have a single client connect to the ethernet on the bridge and be on the SSID subnet. I want the bridge to connect with WPA2/AES and use CCKM for key management.  I keep getting the following error:

"Mar 27 19:50:07.831: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No WPAIE exist for the ssid SSID"

I suspect that my layer 2 settings are incorrect on the WGB, but am not really sure what commands I should be using to set the WGB to use WPA2/AES with CCKM.  I have also confirmed that the user account works on another device. I've pasted the config below.  I suspect I may need to change the dot11 ssid key-management and/or the encryption cipher on the radio.  Any feedback would be welcome.  Thanks

 

logging rate-limit console 9
enable secret 5 $1$sO03$.ZrpsOQ2EBjUvDUsUmHF6.
!
no aaa new-model
no ip routing
!
!
dot11 syslog
!
dot11 ssid SSID
   authentication open eap PEAP 
   authentication network-eap PEAP 
   authentication key-management wpa
   dot1x credentials PEAP
   dot1x eap profile PEAP
   infrastructure-ssid
!
eap profile PEAP
 method peap
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint CA
 enrollment terminal
 subject-name CN=CA
 revocation-check none
 rsakeypair CA 2048
!
!
crypto pki certificate chain CA
 certificate ca 3057DA5426DF3EA048350C6DD769B056
        quit
dot1x credentials PEAP
 username ****\*******
 password 7 ******
 pki-trustpoint CA
!
username Cisco password 7 123A0C041104
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !         
 !
 ssid SSID
 !
 antenna gain 0
 stbc
 station-role workgroup-bridge
 bridge-group 1
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
 transport input all

Accepted Solutions

Hi Josh,

Yes, create a test SSID with WPA2/AES only for this WGB setup & test it.

HTH

Rasika 


3 Replies

In WLAN security setting, untick WPA/TKIP options & leave only WPA2/AES.

Test it with that & let us know

If no success, try to change the WGB SSID config as shown below & see if that makes any difference.

authentication key-management wpa version 2

HTH

Rasika

****Pls rate all useful responses ****

I'm unable to disable TKIP because it's a production SSID that has some handhelds that are manually configured for TKIP. I'm working on getting those clients updated or removed. I've tried the command you recommended "authentication key-management wpa version 2" and I'm still getting the same association error.

 

"Mar 27 20:47:27.815: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No WPAIE exist for the ssid SSID"

I could try spinning up a separate test ssid with wpa/tkip disabled if you think that might help.

Thanks,

-Josh
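As an added example (not part of the thread and not Cisco code), the Python sketch below compares the SSID and radio blocks from the posted configuration with the goal stated in the question, WPA2/AES with CCKM. The names `POSTED`, `blocks` and `audit` are illustrative; it reports only where the config text differs from that goal and does not diagnose the `CANT_ASSOC` error.

```python
import re
# Added example: excerpt of the posted WGB config; blocks() and audit() are illustrative names.
POSTED = """\
dot11 ssid SSID
   authentication open eap PEAP
   authentication network-eap PEAP
   authentication key-management wpa
   infrastructure-ssid
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid SSID
 station-role workgroup-bridge
"""

def blocks(config):
    """Map each top-level IOS line to the list of indented lines under it."""
    out, head = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' separators carry no settings
        if not line[0].isspace():
            head = line.strip()
            out[head] = []
        elif head is not None:
            out[head].append(line.strip())
    return out

def audit(config, ssid, want_version="2", want_cckm=True, want_cipher="aes-ccm"):
    """Compare a WGB's key management and cipher with the intended settings."""
    cfg, findings = blocks(config), []
    akm = next((l for l in cfg.get(f"dot11 ssid {ssid}", [])
                if l.startswith("authentication key-management")), "")
    tokens = akm.split()[2:]
    m = re.search(r"\bversion (\d+)", akm)
    version = m.group(1) if m else None
    if "wpa" not in tokens:
        findings.append("no WPA key management on the SSID")
    elif version != want_version:
        findings.append(f"WPA version not pinned to {want_version}")
    if want_cckm and "cckm" not in tokens:
        findings.append("cckm missing from key management")
    for head, body in cfg.items():
        if head.startswith("interface Dot11Radio") and f"ssid {ssid}" in body:
            ciphers = [t for l in body if l.startswith("encryption mode ciphers")
                       for t in l.split()[3:]]
            if ciphers != [want_cipher]:
                findings.append(f"{head}: ciphers {ciphers}, wanted only {want_cipher}")
    return findings
```

Run against the posted excerpt, `audit(POSTED, "SSID")` reports the unpinned WPA version and the missing `cckm` keyword; with the suggested `wpa version 2` line in place, only the `cckm` finding remains.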
