01-09-2007 11:45 AM - edited 07-03-2021 01:27 PM
Dear Support,
I'm having a nightmare, where I can seem to get either one WLAN to work or the other, but not both together.
I posted previously and reconfigured as per the suggestion; however, the problem I get is that the secure WLAN client associates, then de-associates after roughly 30 seconds with both a guest (no security) and secure (EAP using MS IAS as RADIUS server).
my previous post is;
and the log shows the following, obviously the client is set to connect automatically.
*Mar 1 00:04:35.105: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.391: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000e.35f8.5d13 Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.506: %DOT11-4-MAXRETRIES: Packet to client 000e.35f8.5d13 reached max retries, removing the client
*Mar 1 00:04:51.506: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 000e.35f8.5d13 Reason: Previous authentication no longer valid
*Mar 1 00:05:15.176: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:05:32.703: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:05:58.780: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:16.141: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:06:40.759: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:58.145: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:07:00.560: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:07:18.020: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:07:43.902: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:01.254: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:16.172: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:16.737: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:37.397: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:54.732: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:57.193: %DOT11-4-MAXRETRIES: Packet to client 0013.cefd.48ca reached max retries, removing the client
Thanks in advance for your assistance.
Any prompt reply will be gratefully received. I also rate responses.
Thanks again, regards, Adrian
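An added example, not part of the original post: a small parser for the DOT11 syslog lines shown above that pairs each ASSOC with the following DISASSOC per station and flags stations stuck in short associate/deauthenticate cycles. The function names and thresholds are hypothetical, the sample lines are taken from the log in the post (unwrapped), and all timestamps are assumed to fall within the same day.

```python
import re
from collections import defaultdict

# Sample lines taken from the AP log in the post above, unwrapped to one event per line.
SAMPLE_LOG = """\
*Mar 1 00:04:51.391: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000e.35f8.5d13 Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.506: %DOT11-4-MAXRETRIES: Packet to client 000e.35f8.5d13 reached max retries, removing the client
*Mar 1 00:04:51.506: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 000e.35f8.5d13 Reason: Previous authentication no longer valid
*Mar 1 00:05:15.176: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:05:32.703: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:05:58.780: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:16.141: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
"""

# Time of day, event mnemonic, first Cisco-style MAC on the line, optional reason text.
LINE = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+): %DOT11-\d-(\w+):.*?"
                  r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})(?:.*?Reason: (.*))?")


def sessions(log):
    """Return {mac: [(duration_seconds, reason), ...]} for each ASSOC -> DISASSOC pair."""
    start, out = {}, defaultdict(list)
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a DOT11 event line
        h, mi, s, event, mac, reason = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if event == "ASSOC":
            start[mac] = t  # a repeated ASSOC restarts the timer
        elif event == "DISASSOC" and mac in start:
            out[mac].append((round(t - start.pop(mac), 3), reason))
    return dict(out)


def flapping(log, max_secs=30.0, min_cycles=2):
    """MACs with at least min_cycles sessions that all ended within max_secs."""
    return sorted(mac for mac, s in sessions(log).items()
                  if len(s) >= min_cycles and all(d <= max_secs for d, _ in s))


if __name__ == "__main__":
    for mac, runs in sessions(SAMPLE_LOG).items():
        print(mac, runs)
    print("flapping:", flapping(SAMPLE_LOG))
```

The reason string on each short session is the useful part when reading the result: "Sending station has left the BSS" means the client ended the association itself, while MAXRETRIES means the AP gave up on it.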
01-09-2007 11:17 PM
Hi,
Can you repost your current AP configuration and also your switchport configuration?
Thanks,
Ben
01-11-2007 01:07 PM
Hi Ben,
Please find attached AP config, I can access the switch at the moment, but the config is fairly basic, trunk port with two vlans and vlan 1 as the native.
here's the ap config.
AP-CDC#2#sh startup-config
Using 2989 out of 32768 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-CDC#2
!
enable secret 5 $1$LQ1O$NKYZoYAeiahKw0805kLHg0
!
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
ip subnet-zero
ip domain name wlan.internal
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name dmz vlan 2
!
dot11 ssid Secure
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
!
dot11 ssid Guest
 vlan 2
 authentication open
 guest-mode
!
!
!
username Cisco password 7 062506324F41
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode wep mandatory
 !
 ssid Secure
 !
 ssid Guest
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no preamble-short
 channel 2412
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 10.10.10.49 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.253
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.2 auth-port 1645 acct-port 1646 key 7 xyz
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
AP-CDC#2#
Thanks again, regards, Adrian
01-11-2007 01:41 PM
Hi Adrian,
Please try to capture output of the following while attempting to associate to the secure ssid:
debug radius
debug aaa authentication
debug dot11 aaa auth all
Also, if you check your RADIUS failed attempts log, do you see anything?
I don't see anything in the AP configuration that should be causing a problem.
Thanks,
Ben
01-12-2007 09:24 AM
Hi Adrian,
The debugs I suggested may contain information you may not want to post on the forum, so use your discretion. The ACS logs should help identify whether the clients are actually hitting the server.
As long as you have your switch configured as follows, then the AP->switch should be fine:
interface fastethernetx/x
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
end
Thanks,
Ben
01-16-2007 01:42 PM
Hi Ben,
Many thanks for taking the time to look at my issue, it was appreciated. The information you gave me on the debugs helped, and also the sanity check on my config.
Sorry for the delay in getting back; it is the time of the year for flu!
The reason why the problem was occurring was due to the Intel 2915abg embedded wireless card in the IBM ThinkPads we are using; there is a setting for the roaming aggressiveness which was on the default value. Which basically meant before the laptop had authenticated it had roamed to another AP!
I am a happy man, have the two APs, m/soft IAS, and pushed out all the WLAN config to the laptops via group policy! (Well, I've piloted 5 laptops, 45 more to go!)
Thanks again.
Best regards, Adrian.