Cisco 1142 AP as WGB

dominikhug
Level 1

Hi

I'm trying to connect a full-IOS Cisco 1142 access point as WGB to our WLAN infrastructure.

I have these settings configured on our WLC:

wlc.JPG

There is a Win2k8 R2 NPS (Network Policy Server) RADIUS server in the background for handling the authentications against the active directory. I can see passed authentication in the event log.

The WGB is configured like this:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 $1$YnK.$37j/OyuZDBr4DSnAEHWFT1
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid InternalSSID
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management cckm
   dot1x credentials ADCred
   dot1x eap profile EAPProfile
   infrastructure-ssid
!
eap profile EAPProfile
 method mschapv2
!
!
!
dot1x credentials ADCred
 username ADUsername
 password ADPassword
!
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid InternalSSID
 !
 antenna gain 0
 station-role workgroup-bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

I'm able to get an association to an AP but I'm not able to authenticate.

ap#sh dot11 associations all-client
Address           : 0026.994f.xxxx     Name             : APName
IP Address        : xx.xx.xx.xx.       Interface        : Dot11Radio 1
Device            : LWAPP-Parent       Software Version : NONE
CCX Version       : 5                  Client MFP       : On
State             : EAP-Assoc          Parent           : -
SSID              : InternalSSID
VLAN              : 0
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : CCKM               Encryption       : AES-CCMP
Current Rate      : m15.               Capability       : WMM
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
Voice Rates       : disabled           Bandwidth        : 40 MHz
Signal Strength   : -54  dBm           Connected for    : 0 seconds
Signal to Noise   : 45  dB             Activity Timeout : 15 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 2287               Packets Output   : 225
Bytes Input       : 553482             Bytes Output     : 26055
Duplicates Rcvd   : 45                 Data Retries     : 0
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Protocol                    Status            Auth     Port     WGB

Can somebody help me? Do I have to post more information?

Thank you!


Scott Fella
Hall of Fame

Have you looked at this doc?

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080905cea.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott

I read different documents including the one you mentioned.

I used this doc for configuring because it uses exactly the same methods I use:

WGB Roaming: Internal details and Configuration

https://supportforums.cisco.com/docs/DOC-14944

Scott Fella
Hall of Fame

Well as a WGB, you would connect that to a single SSID and everything should pass right through. So all you need is for the WGB to associate to your WLAN SSID.

Simple sample config

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_lwap.html#wp1895378

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I've added guest-mode because this is the only difference between the sample config and my config but it still doesn't work.

On console I can see this message:

%DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: Too many retries

And I think the WGB is flapping between different reachable APs propagating the same SSID. Is it possible to change this behaviour?

I believe in the WGB you can define the AP you want to associate to.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

Make sure you have passive mode enabled on the WLAN SSID. I believe this was supported on the 7.x.

You can run a debug on the wlc also to see if you see anything.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

We're using Cisco WiSMv1. Passive mode is only available on 5500 and 2100 I think.

I was able to tie the WGB to only one AP but it still doesn't work.

I've found a new log-message on WLC:

*dot1xMsgTask: Dec 20 10:16:02.230: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 44:d3:ca:62:91:8e

I've attached the output of 'debug client 44d3.ca62.918e' from WLC. Maybe you can see something.

Could it be also RADIUS-server related?

If it's RADIUS related, you would see a failed authentication on the WLC and on the log in the RADIUS you would see the same.

I see you posted on the other forum and tried WPA and that failed. Try to start from basic and use an open connection and get that to work first. The hard part that you will face is the WGB authenticating 802.1x. So start with the basic and get that working first.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I recently spent an hour t/s a WGB and my issue was that I didn't have Aironet extensions enabled on the WLC/WLAN. Is yours enabled?

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Scott Fella
Hall of Fame

So that MAC address is the WGB or a wired client?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

It's from the WGB D1 interface:

ap#sh int d1
Dot11Radio1 is up, line protocol is up
  Hardware is 802.11N 5GHz Radio, address is 44d3.ca62.918e (bia 64ae.0c5c.5be0)
  MTU 1500 bytes, BW 54000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/1677/3/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/30 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     2953 packets input, 540325 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     6319 packets output, 558439 bytes, 0 underruns
     144 output errors, 0 collisions, 6 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
ap#
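
Added example, not part of the original thread: a small Python helper that reads the two log messages and the `sh int d1` line quoted above, places each message at a stage of the join (association, or the EAPOL-key handshake that follows EAP), and checks whether the client MAC in the WLC message is the WGB radio's active address or its burned-in address. The function names are illustrative; the sample lines are copied from the posts.

```python
import re

# Lines quoted from the thread; the function names below are illustrative.
WLC_LOG = ("*dot1xMsgTask: Dec 20 10:16:02.230: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: "
           "1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client "
           "44:d3:ca:62:91:8e")
WGB_LOG = ("%DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: "
           "Too many retries")
SH_INT = ("Hardware is 802.11N 5GHz Radio, address is 44d3.ca62.918e "
          "(bia 64ae.0c5c.5be0)")


def norm_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(line):
    """Return (stage, client_mac, handshake_message) for a known log line."""
    if "%DOT11-4-CANT_ASSOC" in line:
        return ("association", None, None)
    m = re.search(r"%DOT1X-3-MAX_EAPOL_KEY_RETRANS:.*EAPOL-key (M\d) "
                  r".*for client (\S+)", line)
    if m:
        # M1 opens the key handshake, which starts once EAP has completed.
        return ("key-handshake", norm_mac(m.group(2)), m.group(1))
    return ("unknown", None, None)


def match_radio(wlc_line, show_int_line):
    """Say which radio address ('address' or 'bia') the WLC client MAC equals."""
    client = classify(wlc_line)[1]
    m = re.search(r"address is (\S+) \(bia (\S+)\)", show_int_line)
    if client is None or m is None:
        return None
    for label, value in (("address", m.group(1)), ("bia", m.group(2))):
        if client == norm_mac(value):
            return label
    return None


if __name__ == "__main__":
    for line in (WGB_LOG, WLC_LOG):
        print(classify(line))
    print("WLC client matches WGB radio:", match_radio(WLC_LOG, SH_INT))
```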

Hi

I made some additional attempts to get it working but I failed. So I changed the security settings to WPA-PSK to check if using a WGB is the right way. Now I'm testing.

Thanks for your help and Merry Christmas.

Dominik
