Solved: Re: Cisco 1240AG: Some Devices Cant Connect to AP

t1munl4ut · ‎09-09-2020

ood day,

Received some new/old devices (OS Android 4.4.4 & windows CE). Try to setup & connect to AP but failed. All this devices are having the same setting/configuration only different in IP address (Static IP).

No issue with my notebook (can connect to AP).
Founded that the AP configuration got some MAC filtering enable. Already updated the MAC address list in filtering but still unable to connect to the AP.
Don't know why my notebook no need to define the MAC Address & can direct connect to the AP.

Please help/advise. Thanks.

This is what i added to the MAC Address filters, only this devices cant connect to the AP. The other devices can connect without any problem.

access-list 705 permit 0023.68d5.XXXX 0000.0000.0000
access-list 705 permit 0023.68f4.XXXX 0000.0000.0000
access-list 705 permit 94fb.2944.XXXX 0000.0000.0000
access-list 705 permit 94fb.2982.XXXX 0000.0000.0000

The log:

Spoiler

AP config

Spoiler

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname APX
!
enable secret 5 $1$03k/$G1dAnQd4mJpB9Zxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid XXXX@BaXXXXe
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 114A2A465C2E291616300A25101F2D293B4xxxxxx4E
!
!
!
username CXXXo password X xxxxxx
username 00XXXXXXX02 password 7 13554743590A547AXXXXXX
username 00XXXXXXX02 autocommand exit
username 00XXXXXXXd4 password 7 15425B5E577C73207XXXXX
username 00XXXXXXXd4 autocommand exit
username 94XXXXXXX87 password 7 04025F000D73151AXXXXXX
username 94XXXXXXX87 autocommand exit
username 94XXXXXXXd0 password 7 005D470006095XXXXXXXXX
username 94XXXXXXXd0 autocommand exit
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
ssid XXXX@BaXXXXe
!
channel 2422
station-role root
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption mode ciphers aes-ccm tkip
!
ssid XXXX@BaXXXXe
!
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 90.X.5.XX 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz...config/help/eag
ip radius source-interface BVI1
access-list 700 deny 0000.0000.0000 0000.0000.0000
access-list 700 permit 0013.e877.XXXX 0000.0000.0000
access-list 700 permit 0012.0e6d.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2307.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2310.XXXX 0000.0000.0000
access-list 700 permit 0017.2307.XXXX 0000.0000.0000
access-list 700 permit 183d.a219.XXXX 0000.0000.0000
access-list 700 permit 0026.bb05.XXXX 0000.0000.0000
access-list 700 permit 001b.7737.XXXX 0000.0000.0000
access-list 700 permit e0cb.4e89.XXXX 0000.0000.0000
access-list 700 permit 0025.d3d4.XXXX 0000.0000.0000
access-list 700 permit f4ec.388c.XXXX 0000.0000.0000
access-list 700 permit 0023.68e6.XXXX 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 700 permit 0023.68e9.XXXX 0000.0000.0000
access-list 700 permit 0023.68e7.XXXX 0000.0000.0000
access-list 700 permit 0023.68e8.XXXX 0000.0000.0000
access-list 700 permit 0023.68ed.XXXX 0000.0000.0000
access-list 701 permit 0000.0000.0000 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
access-list 705 permit 0023.68d5.XXXX 0000.0000.0000
access-list 705 permit 0023.68f4.XXXX 0000.0000.0000
access-list 705 permit 94fb.2944.XXXX 0000.0000.0000
access-list 705 permit 94fb.2982.XXXX 0000.0000.0000
access-list 705 permit 0000.0000.0000 ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!

AP config !version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname APX!enable secret 5 $1$03k/$G1dAnQd4mJpB9Zxxxxxxxx!aaa new-model!!aaa group server radius rad_eap!aaa group server radius rad_mac!aaa group server radius rad_acct!aaa group server radius rad_admin!aaa group server tacacs+ tac_admin!aaa group server radius rad_pmip!aaa group server radius dummy!aaa authentication login eap_methods group rad_eapaaa authentication login mac_methods localaaa authorization exec default localaaa accounting network acct_methods start-stop group rad_acct!aaa session-id common!!dot11 syslog!dot11 ssid XXXX@BaXXXXeauthentication openauthentication key-management wpa version 2guest-modewpa-psk ascii 7 114A2A465C2E291616300A25101F2D293B4xxxxxx4E!!!username CXXXo password X xxxxxxusername 00XXXXXXX02 password 7 13554743590A547AXXXXXXusername 00XXXXXXX02 autocommand exitusername 00XXXXXXXd4 password 7 15425B5E577C73207XXXXXusername 00XXXXXXXd4 autocommand exitusername 94XXXXXXX87 password 7 04025F000D73151AXXXXXXusername 94XXXXXXX87 autocommand exitusername 94XXXXXXXd0 password 7 005D470006095XXXXXXXXXusername 94XXXXXXXd0 autocommand exit!!bridge irb!!interface Dot11Radio0no ip addressno ip route-cache!encryption mode ciphers aes-ccm tkip!ssid XXXX@BaXXXXe!channel 2422station-role rootl2-filter bridge-group-aclbridge-group 1bridge-group 1 subscriber-loop-controlbridge-group 1 block-unknown-sourceno bridge-group 1 source-learningno bridge-group 1 unicast-floodingbridge-group 1 spanning-disabled!interface Dot11Radio1no ip addressno ip route-cacheshutdown!encryption mode ciphers aes-ccm tkip!ssid XXXX@BaXXXXe!speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0station-role rootl2-filter bridge-group-aclbridge-group 1bridge-group 1 subscriber-loop-controlbridge-group 1 block-unknown-sourceno bridge-group 1 source-learningno bridge-group 1 unicast-floodingbridge-group 1 spanning-disabled!interface FastEthernet0no ip addressno ip route-cacheduplex autospeed autobridge-group 1no bridge-group 1 source-learningbridge-group 1 spanning-disabled!interface BVI1ip address 90.X.5.XX 255.255.255.0no ip route-cache!ip http serverno ip http secure-serverip http help-path http://www.cisco.com/warp/public/779/smbiz...config/help/eagip radius source-interface BVI1access-list 700 deny 0000.0000.0000 0000.0000.0000access-list 700 permit 0013.e877.XXXX 0000.0000.0000access-list 700 permit 0012.0e6d.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2307.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2310.XXXX 0000.0000.0000access-list 700 permit 0017.2307.XXXX 0000.0000.0000access-list 700 permit 183d.a219.XXXX 0000.0000.0000access-list 700 permit 0026.bb05.XXXX 0000.0000.0000access-list 700 permit 001b.7737.XXXX 0000.0000.0000access-list 700 permit e0cb.4e89.XXXX 0000.0000.0000access-list 700 permit 0025.d3d4.XXXX 0000.0000.0000access-list 700 permit f4ec.388c.XXXX 0000.0000.0000access-list 700 permit 0023.68e6.XXXX 0000.0000.0000access-list 700 deny 0000.0000.0000 ffff.ffff.ffffaccess-list 700 permit 0023.68e9.XXXX 0000.0000.0000access-list 700 permit 0023.68e7.XXXX 0000.0000.0000access-list 700 permit 0023.68e8.XXXX 0000.0000.0000access-list 700 permit 0023.68ed.XXXX 0000.0000.0000access-list 701 permit 0000.0000.0000 0000.0000.0000access-list 701 permit 0000.0000.0000 ffff.ffff.ffffaccess-list 705 permit 0023.68d5.XXXX 0000.0000.0000access-list 705 permit 0023.68f4.XXXX 0000.0000.0000access-list 705 permit 94fb.2944.XXXX 0000.0000.0000access-list 705 permit 94fb.2982.XXXX 0000.0000.0000access-list 705 permit 0000.0000.0000 ffff.ffff.ffffradius-server attribute 32 include-in-access-req format %hradius-server vsa send accountingbridge 1 route ip!!!line con 0line vty 0 4!

t1munl4ut · ‎09-30-2020

Good day,

I've found the solution. Just change the SSID password. Other devices connection will reset & need to reconnect to the SSID with new password.

Glad i dont reset the APs.

Peace.

View solution in original post

patoberli · ‎09-09-2020

Wow, this post read as if it's 2010, but it's 2020.

Anyway, first please remove all username entries in the configs, unless you like everybody to know the passwords (Type 7 strings can easily be decoded to cleartext).

By reading twice through the configuration, I think the different ACLs never get applied anywhere, which is probably why it's working with your laptop. Based on the guide here: https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3/cg15-3-3-chap16-filters.html you are lacking the input-address-list or output-adress-list command. Please note, I haven't fully read it, just quickly skimmed through it.

Now to the question why the clients don't connect, have you deleted the profile and recreated it on the clients for testing?

Do you see anything in the log (show logging) when one of those clients tries to connect?

t1munl4ut · ‎09-09-2020

Thanks for replying,

Already deleted & recreate the profile few times already. Still unable to connect.

(view in My Videos)

t1munl4ut · ‎09-30-2020

Good day,

I've found the solution. Just change the SSID password. Other devices connection will reset & need to reconnect to the SSID with new password.

Glad i dont reset the APs.

Peace.