Encryption match

Chieu Dinh
Level 1

I am trying to connect two bridges Root bridge to non root bridge. The SSID and the encryption must be match on both bridges to get the association and authentication. The encryption can be different when you input from the console or web base. Is there any tool to check for the encryption for matching? Any helps? Thanks

Accepted Solution
We need to rip the config down further. You see that line, the mobility network-id command? You aren't doing a WDS and you didn't have a WLSE, correct?

Read this ...

Q. What is the use of the mobility network-id command on an AP?



A. You use the mobility network-id command in order to configure Layer 3 mobility in a wireless network. You use the mobility network-id ssid command in order to associate a service set identifier (SSID) to a Layer 3 mobility network ID. With Layer 3 ...

You must use a wireless LAN (WLAN) services module (WLSM) as your wireless domain services (WDS) device in order to properly configure Layer 3 mobility. Layer 3 mobility is not supported when you use an AP as your WDS device. For more information on ... Understanding Layer 3 Mobility section of Configuring WDS, Fast Secure Roaming, and Radio Management.

The command is meant to be used when the AP participates in a WDS infrastructure with a WLSM module (that acts as the WDS device) where there is Layer 3 mobility. If you use this command incorrectly, connectivity problems in the WLAN network result, such as these:

  • Clients do not get IP addresses from the DHCP.
  • In some cases, the clients cannot associate with the AP.
  • Wireless clients cannot associate with the AP.
  • Extensible Authentication Protocol (EAP) authentication does not happen. With the mobility network-id command configured, the AP tries to build a generic routing encapsulation (GRE) tunnel for the forwarding of the EAP packets. If no tunnel is established, the packets cannot go anywhere.
  • The AP that is configured as a WDS device does not function as expected, and the WDS configuration does not work.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
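The original poster asked whether there is a tool that checks the two bridge configs for a match. As an added example (not from this thread, and not Cisco's own tooling), here is a small Python checker that pulls the association-relevant lines out of two saved IOS AP/bridge configs and reports the mismatches this thread walks through: radio SSID, the SSID block's authentication line, the radio's encryption line, the channel (root must pin one; a non-root with an explicit channel or a scan list must agree with it), and, per the accepted answer, mobility network-id present without any WDS configuration. It also matches the "WDS Down but association attempted with network id configured" line from the debug output posted later in the thread. Assumptions: a wlccp line is taken as the only indicator that WDS is configured; the sample configs are constructed, trimmed versions of the ones posted here, and the debug line and its MAC are made up.

```python
import re

# Constructed samples, trimmed from the root / non-root configs posted in this
# thread: open authentication, no encryption line, mobility network-id 10 set.
ROOT_CFG = """\
dot11 ssid TimmyTown
   authentication open
   infrastructure-ssid
   mobility network-id 10
!
interface Dot11Radio0
 no ip address
 !
 ssid TimmyTown
 !
 channel 2452
 station-role root bridge
!
interface Dot11Radio0.31
 encapsulation dot1Q 31 native
"""

NONROOT_CFG = """\
dot11 ssid TimmyTown
   authentication open
   infrastructure-ssid
   mobility network-id 10
!
interface Dot11Radio0
 no ip address
 !
 ssid TimmyTown
 !
 station-role non-root bridge
 mobile station scan 2452
!
interface FastEthernet0
 no ip address
"""


def parse_ap_config(text):
    """Pull the association-relevant settings out of an IOS AP/bridge config.

    Returns {"ssids": {name: {...}}, "radio": {...}, "has_wds": bool}.
    Only the knobs this thread turns on are parsed; other lines are ignored.
    """
    ssids, radio = {}, {}
    cur_ssid, in_radio, has_wds = None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue  # '!' separators also appear inside interface blocks
        if line.startswith("dot11 ssid "):
            cur_ssid, in_radio = line.split(None, 2)[2], False
            ssids[cur_ssid] = {"authentication": None, "mobility_network_id": None}
            continue
        if line.startswith("interface "):
            cur_ssid = None
            in_radio = re.fullmatch(r"interface Dot11Radio\d+", line) is not None
            continue
        if line.startswith("wlccp "):
            has_wds = True  # assumption: any wlccp line means WDS is configured
        if cur_ssid is not None and raw[:1].isspace():   # indented ssid sub-line
            if line.startswith("authentication "):
                ssids[cur_ssid]["authentication"] = line
            elif line.startswith("mobility network-id "):
                ssids[cur_ssid]["mobility_network_id"] = line.rsplit(None, 1)[-1]
        elif in_radio:
            if line.startswith("ssid "):
                radio["ssid"] = line[5:]
            elif line.startswith("channel "):
                radio["channel"] = line.split()[1]
            elif line.startswith("encryption "):
                radio["encryption"] = line
            elif line.startswith("mobile station scan "):
                radio["scan"] = line.split()[3:]
    return {"ssids": ssids, "radio": radio, "has_wds": has_wds}


def lint_bridge_pair(root_text, nonroot_text):
    """Return (code, message) findings for a root / non-root bridge pair."""
    root, non = parse_ap_config(root_text), parse_ap_config(nonroot_text)
    rr, nr = root["radio"], non["radio"]
    rb, nb = root["ssids"].get(rr.get("ssid"), {}), non["ssids"].get(nr.get("ssid"), {})
    out = []
    if rr.get("ssid") != nr.get("ssid"):
        out.append(("SSID_MISMATCH", f"{rr.get('ssid')!r} vs {nr.get('ssid')!r}"))
    if rb.get("authentication") != nb.get("authentication"):
        out.append(("AUTH_MISMATCH", f"{rb.get('authentication')!r} vs {nb.get('authentication')!r}"))
    if rr.get("encryption") != nr.get("encryption"):
        out.append(("ENCRYPTION_MISMATCH", f"{rr.get('encryption')!r} vs {nr.get('encryption')!r}"))
    r_ch, n_ch = rr.get("channel"), nr.get("channel")
    if r_ch is None:
        out.append(("ROOT_NO_CHANNEL", "root has no 'channel' line; both ends must agree on one"))
    elif n_ch is not None and n_ch != r_ch:
        out.append(("CHANNEL_MISMATCH", f"root channel {r_ch} vs non-root channel {n_ch}"))
    elif n_ch is None and r_ch not in nr.get("scan", [r_ch]):  # no scan list: nothing to disagree
        out.append(("CHANNEL_MISMATCH", f"root channel {r_ch} not in non-root scan list {nr['scan']}"))
    for name, cfg, blk in (("root", root, rb), ("non-root", non, nb)):
        if blk.get("mobility_network_id") and not cfg["has_wds"]:
            out.append(("MOBILITY_NO_WDS", f"{name}: 'mobility network-id' set without any WDS (wlccp) config; remove it"))
    return out


# Constructed debug line in the shape of the 'debug dot11 station connection
# failure' output posted at the end of this thread (MACs are made up).
SAMPLE_DEBUG = """\
*Mar  1 00:41:19.514: Client 0011.2233.4455 failed: WDS Down but association attempted with network id configured
*Mar  1 00:41:19.515: 2E6128D8 t 1  - 1000 13A 001122334455 00AABBCCDDEE 00AABBCCDDEE E5D0 assrsp l 6
        status 25
"""
WDS_DOWN_RE = re.compile(r"Client ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) failed: "
                         r"WDS Down but association attempted with network id configured")


def wds_down_clients(log_text):
    """MACs the AP refused because mobility network-id is set but no WDS is up."""
    return sorted(set(WDS_DOWN_RE.findall(log_text)))


if __name__ == "__main__":
    for code, msg in lint_bridge_pair(ROOT_CFG, NONROOT_CFG):
        print(f"{code}: {msg}")
    print("WDS-down clients:", wds_down_clients(SAMPLE_DEBUG))
```

Run against the two sample configs it reports only the two MOBILITY_NO_WDS findings, which is the state the accepted answer describes: SSID, authentication, encryption and channel all agree, and the one thing stopping association is the mobility network-id line on a pair of bridges that have no WDS. Paste the real running-configs in place of the samples to get the same report for your own bridges.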

17 Replies

George Stefanick
VIP Alumni

Not sure I follow:

The encryption can be different when you input from the console or web base. Is there any tool to check for the encryption for matching?

The connectivity between the bridges needs to have identical encryption. Do you mean access to the bridge itself?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thank you for the response. I mean, how do I know that both encryptions are identical? They look the same in the console but they do not match. Is there a way we can find the match?

Thanks

One way is to see if you can pass traffic across the bridges. Also look at the associations and see if you see the other bridge. I suppose you have your bridges set up and they aren't working?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thank you for the response. You are right. I set up the bridge for association but it does not work. I checked that the SSIDs match. The encryption is not working properly. I can see the non-root bridge try to contact the root bridge but it is not associated. The log in the non-root bridge showed "interface Dot11Radio0, cannot associate: Rcvd response from 00000.0000.00000 channel 9 2809".

I think WEP128 is having a problem, so I want to check the traffic and the encryption. However, I cut and pasted the same 4 keys from the root bridge to the non-root bridge but they do not match.

Thanks

Let's get back to basics. Turn off all security and see if the bridges connect.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

You mean the bridge only connects when the SSID matches and there is no encryption? Does open authentication need WEP?

Correct ... we think there is an issue with the security side of things. To confirm this, take all security off; if it works, then we start to apply the layers back on ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Back to basics: what do we set on the AP for association with open authentication and no encryption, besides SSID matching?

Yup, open, no security .. feel free to post the config and I can take a peek ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Here is the root bridge configuration:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown1
!
enable secret 5 $1$/olK$pm4f3SRp8Wmb/bpEC5TpD0
!
ip subnet-zero
!
!
no aaa new-model
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
   vlan 31
   authentication open
   infrastructure-ssid
   mobility network-id 10
!
!
!
username Cisco password 7 106D000A0618
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root bridge
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.81 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server community Testing RW
snmp-server location Timmy Town
snmp-server chassis-id TimmyTown1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps envmon
snmp-server host 131.50.31.250 Testing
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end

**********************************************

and the non-root bridge configuration:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown2
!
enable secret 5 $1$SIed$R3SIojfAkJ.OlN3vypnlt0
!
no aaa new-model
!
!
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
   vlan 31
   authentication open
   infrastructure-ssid
   mobility network-id 10
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
parent timeout 10
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.61 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community Testing RW
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end

******************************

It does not have any encryption and uses open authentication.

Thanks

Did you ever set a channel on the bridges? Both bridges need to be on the same channel .. I don't see this in your config ...

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Here is another version with the channel:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown1
!
enable secret 5 $1$/olK$pm4f3SRp8Wmb/bpEC5TpD0
!
ip subnet-zero
!
!
no aaa new-model
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
   vlan 31
   authentication open
   infrastructure-ssid
   mobility network-id 10
!
!
!
username Cisco password 7 106D000A0618
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2452
station-role root bridge
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.81 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server community Testing RW
snmp-server location Timmy Town
snmp-server chassis-id TimmyTown1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps envmon
snmp-server host 131.50.31.250 Testing
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end

************************************

Non-root bridge:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown2
!
enable secret 5 $1$SIed$R3SIojfAkJ.OlN3vypnlt0
!
no aaa new-model
!
!
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
   vlan 31
   authentication open
   infrastructure-ssid
   mobility network-id 10
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
parent timeout 10
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge
mobile station scan 2452
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.61 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community Testing RW
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end

I have no luck with this basic configuration.

I ran two commands

debug dot11 dot0 trace print mgmt
debug dot11 station connection failure

on both devices. I can see the non-root bridge is trying to make a connection but I can't see the association. Any ideas?

*Mar  1 00:41:19.514: Client 003a.9a93.b970 failed: WDS Down but association attempted with network id configured
*Mar  1 00:41:19.514: 2E61212D r  1 25 52- 0000 13A 003A9A869350 003A9A93B970 003A9A869350 5080 assreq l 84
        cap 421 infra shorthdr
        listen interval 200
        ssid TimmyTown
        rates 82 4 B C 12 16 18 24
        extrates 30 48 60 6C
        aironet TimmyTown2 load 0 clients 0 hops 0 device 4D-2500
                refresh 15 CW 0-0 flags 1 distance 0
        IP 131.50.31.61 1
        221 - 0 50 F2 2 0 1 0
*Mar  1 00:41:19.515: 2E6128D8 t 1  - 1000 13A 003A9A93B970 003A9A869350 003A9A869350 E5D0 assrsp l 6
        cap 0
        status 25
        aid C000
