
Cisco AP's 3502I thru 3802I - Lose ability to access non secure sites

douglas.mckee
Level 1

Good Afternoon,

We have 3502I, 3702I and 3802I APs. We have an issue with some of them only being able to access "secure sites", but once they are reloaded they can access both "secure" and non-secure sites. Not sure how long it takes before they revert back to only accessing "secure sites" since this location is used primarily a few times a month. Below is the configuration we use for all the AP ports within our network.

switchport access vlan ###
switchport mode access
switchport block unicast
switchport voice vlan ###
authentication event fail action next-method
authentication event server dead action reinitialize vlan ###
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 100

Thank you,

Doug

3 Replies

ammahend
VIP

This only tells how you are authenticating the port; once the port is authenticated, what authorization policy is pushed to the port will determine what’s accessible through the port. Do you know what authorization you have set for the port?

-hope this helps-

Rich R
VIP

What controller?

What software version?

How is the WLAN configured?

Presume when you say "Cisco AP's 3502I thru 3802I - Lose ability to access non secure sites" you mean users connected to those APs?

Good Afternoon,

Our ISE server wasn't placing our 3802I AP into the proper VLAN. Also, found the GIG interface between the 9500-16X and our 5508 was defaulting to 100MB on auto negotiate. Went ahead and hard coded the correct VLAN and Speed. More than likely the port just wasn't profiling correctly but will let you know if this doesn't fix the issues.

What controller? 5508

What software version? 8.5.161

How is the WLAN configured? We have only one 5508 WLC connected to our 9500-16X.

Presume when you say "Cisco AP's 3502I thru 3802I - Lose ability to access non secure sites" you mean users connected to those APs? Correct.

Thank you,

Doug

 

 
