
can't get secure wlan to work with new guest wlan

aoshea
Level 1

Dear Support,

I'm having a nightmare, where I can seem to get either one WLAN to work or the other, but not both together.

I posted previously and reconfigured as per the suggestion; however, the problem I get is that the secure WLAN client associates, then de-associates after roughly 30 seconds, with both the guest (no security) and the secure (EAP, using MS IAS as the RADIUS server) WLANs.

My previous post is:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcfe12

The log shows the following; obviously the client is set to connect automatically.

*Mar 1 00:04:35.105: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.391: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000e.35f8.5d13 Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.506: %DOT11-4-MAXRETRIES: Packet to client 000e.35f8.5d13 reached max retries, removing the client
*Mar 1 00:04:51.506: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 000e.35f8.5d13 Reason: Previous authentication no longer valid
*Mar 1 00:05:15.176: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:05:32.703: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:05:58.780: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:16.141: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:06:40.759: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:58.145: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:07:00.560: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:07:18.020: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:07:43.902: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:01.254: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:16.172: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:16.737: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:37.397: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:54.732: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:57.193: %DOT11-4-MAXRETRIES: Packet to client 0013.cefd.48ca reached max retries, removing the client

Thanks in advance for your assistance.

Any prompt reply will be gratefully received. I also rate responses.

Thanks again, regards, Adrian
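As an added example (not part of the thread), here is a small Python parser for AP syslog lines like those above: it pairs each DOT11-6-ASSOC with the next DISASSOC or MAXRETRIES for the same station, measures how long each association lasted, and flags stations that keep associating and dropping within a short window, which is the symptom described in the post. The sample log is constructed from the lines in the post with the console prompt echo removed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the AP syslog in the post (prompt echo removed).
SAMPLE_LOG = """\
*Mar 1 00:04:35.105: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.391: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000e.35f8.5d13 Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.506: %DOT11-4-MAXRETRIES: Packet to client 000e.35f8.5d13 reached max retries, removing the client
*Mar 1 00:04:51.506: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 000e.35f8.5d13 Reason: Previous authentication no longer valid
*Mar 1 00:05:15.176: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:05:32.703: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:05:58.780: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:16.141: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:06:40.759: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:58.145: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
"""
LINE_RE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
                     r"%(?P<msg>DOT11-\d-\w+): (?P<rest>.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")

def parse_line(line):
    """(timestamp, mnemonic, station MAC) or None; a leading '*' means the AP
    clock is unsynchronised, so only time differences are used below."""
    m = LINE_RE.match(line.strip())
    mac = MAC_RE.search(m["rest"]) if m else None
    if not mac:
        return None
    return datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f"), m["msg"], mac.group(0)

def session_lengths(log_text):
    """Seconds each station stayed associated: ASSOC paired with the next
    DISASSOC/MAXRETRIES; a repeat ASSOC with no close just restarts the timer,
    and a second close for an already-closed station (MAXRETRIES then DISASSOC) is ignored."""
    open_since, sessions = {}, defaultdict(list)
    for ts, msg, mac in filter(None, map(parse_line, log_text.splitlines())):
        if msg == "DOT11-6-ASSOC":
            open_since[mac] = ts
        elif msg in ("DOT11-6-DISASSOC", "DOT11-4-MAXRETRIES") and mac in open_since:
            sessions[mac].append((ts - open_since.pop(mac)).total_seconds())
    return dict(sessions)

def flapping_stations(log_text, max_seconds=60.0, min_sessions=3):
    """Stations with >= min_sessions associations each shorter than max_seconds."""
    flapping = {}
    for mac, lengths in session_lengths(log_text).items():
        short = [s for s in lengths if s < max_seconds]
        if len(short) >= min_sessions:
            flapping[mac] = round(max(short), 3)  # longest of the short sessions
    return flapping
```

Run against the sample, only 0013.cefd.48ca is reported (three associations of about 17 seconds each); 000e.35f8.5d13 has a single sub-second session closed by MAXRETRIES and is not flagged.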


5 Replies

Benjamin Solero
Cisco Employee

Hi,

Can you repost your current AP configuration and also your switchport configuration?

Thanks,

Ben

Hi Ben,

Please find attached the AP config. I can access the switch at the moment, but the config is fairly basic: a trunk port with two VLANs and VLAN 1 as the native.

Here's the AP config.

AP-CDC#2#sh startup-config
Using 2989 out of 32768 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-CDC#2
!
enable secret 5 $1$LQ1O$NKYZoYAeiahKw0805kLHg0
!
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
ip subnet-zero
ip domain name wlan.internal
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name dmz vlan 2
!
dot11 ssid Secure
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
!
dot11 ssid Guest
 vlan 2
 authentication open
 guest-mode
!
!
!
username Cisco password 7 062506324F41
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode wep mandatory
 !
 ssid Secure
 !
 ssid Guest
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no preamble-short
 channel 2412
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 10.10.10.49 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.253
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.2 auth-port 1645 acct-port 1646 key 7 xyz
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

AP-CDC#2#

Thanks again, regards, Adrian

Hi Adrian,

Please try to capture the output of the following while attempting to associate to the secure SSID:

debug radius
debug aaa authentication
debug dot11 aaa auth all

Also, if you check your RADIUS failed attempts log, do you see anything?

I don't see anything in the AP configuration that should be causing a problem.

Thanks,

Ben

Hi Adrian,

The debugs I suggested may contain information you may not want to post on the forum, so use your discretion. The ACS logs should help identify whether the clients are actually hitting the server.

As long as you have your switch configured as follows, then the AP->switch should be fine:

interface fastethernetx/x
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
end

Thanks,

Ben

Hi Ben,

Many thanks for taking the time to look at my issue; it was appreciated. The information you gave me on the debugs helped, and so did the sanity check on my config.

Sorry for the delay in getting back; it is the time of year for flu!

The reason the problem was occurring was the Intel 2915abg embedded wireless card in the IBM ThinkPads we are using: there is a setting for roaming aggressiveness which was on the default value, which basically meant that before the laptop had authenticated, it had roamed to another AP!

I am a happy man: I have the two APs and M/soft IAS, and have pushed out all the WLAN config to the laptops via Group Policy! (Well, I've piloted 5 laptops, 45 more to go!)

Thanks again.

Best regards, Adrian.
