Re: Aironet 1300 - problems with security

mark.mcsherry · ‎10-23-2005

Hi,

I have two Aironets setup as below. They both have the radio configured and up. I suspect the issue is with the security. I am unfamiliar with how it works - if anyone can provide me any pointers, it would be much appreciated!

thanks,

Mark

dot11 vlan-name BRIDGE1 vlan 153

dot11 vlan-name BRIDGE2 vlan 254

dot11 vlan-name BRIDGE3 vlan 154

!

dot11 ssid BRIDGE1

vlan 153

!

dot11 ssid BRIDGE2

vlan 254

authentication open

authentication key-management wpa

infrastructure-ssid

wpa-psk ascii 7 <key here>

!

dot11 ssid BRIDGE3

vlan 154

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption key 3 size 128bit 7 <key here> transmit-key

encryption mode ciphers wep128

!

encryption vlan 254 mode ciphers tkip

!

ssid BRIDGE1

!

ssid BRIDGE2

!

ssid BRIDGE3

!

speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 b

asic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

station-role root bridge

cca 75

concatenation

infrastructure-client

!

interface Dot11Radio0.153

encapsulation dot1Q 153

no ip route-cache

bridge-group 153

!

interface Dot11Radio0.154

encapsulation dot1Q 154

no ip route-cache

bridge-group 154

!

interface Dot11Radio0.254

encapsulation dot1Q 254 native

no ip route-cache

bridge-group 1

!

interface FastEthernet0

no ip address

no ip route-cache

!

interface FastEthernet0.153

encapsulation dot1Q 153

no ip route-cache

bridge-group 153

!

interface FastEthernet0.154

encapsulation dot1Q 154

no ip route-cache

bridge-group 154

!

interface FastEthernet0.254

encapsulation dot1Q 254 native

no ip route-cache

bridge-group 1

!

interface BVI1

ip address 10.0.254.203 255.255.255.0

no ip route-cache

!

mark.mcsherry · ‎10-23-2005

I have captured the debug below. I suspect now that it's actually down to some of the config not matching at both ends - am checking that now..

*Mar 3 14:30:53.088: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Mar 3 14:31:03.148: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response

*Mar 3 14:31:26.147: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 0013.1949.14f0 channel 8 3254

mark.mcsherry · ‎10-23-2005

I have resolved this issue now - was down to slightly different configs at each end.

vincent.monnier · ‎03-29-2012

Hi Mark,

Can I ask you what were the configuration mismatch that you have tuned ?

Thanks in advance.

Vincent

mark.mcsherry · ‎03-29-2012

Hi Vincent,

It was quite a while ago now!

From memory it was due to authentication.. as I recall it only authenticates on one direction - there were a few configs I found on the net that were incorrect, but from testing I found this to the the case. I'd try it with no auth on to see if you can get them to connect up to each other, then add the authentication back on.

Have you got any error messages?

cheers,

Mark

vincent.monnier · ‎03-29-2012

Hi Mark,

Thanks for your feedback, I haven't take care about the date of your post. Sorry to ask you about a such old entry.

I didn't manage to get any or message other than the DOT11-4-CANT_ASSOC. And the problem is that I don't manage the "root" station.

Thanks again.

Vincent

mark.mcsherry · ‎04-01-2012

Hi Vincent,

Firstly, if you've got a MAC address access list to restrict access, just confirm you've got the right MAC address in there - in my testing it caused exactly the error you've indicated.

The other things to try are:

Remote end is not powered up
Antennas are misaligned
Channels do not match
Radios are switched off
Radio power is set too low
Speed not matched
Authentication failing

Check this link for authentication debugging:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008024aa4f.shtml

These commands may help:

debug dot11 aaa authenticator mac-authen
debug dot11 aaa authenticator all

thanks,

Mark