03-07-2014 04:00 AM - edited 07-05-2021 12:21 AM
Hi guys,
I'm having problems joining an AP (3602I) to my controller (5508) when authorising MICs against my auth-list on the controller.
I have added the AP MAC address to the auth-list but the AP won't successfully join. The controller occasionally says "joined" and I can view it in the AP list, but the AP status is always UNKNOWN, whereby I will reset the AP and try again.
Any ideas?
Thanks.
03-07-2014 05:58 AM
The X.509 certificates are burned into protected flash on both the access point (AP) and WLC at the factory by Cisco. On the AP, factory installed certificates are called manufacturing installed certificates (MIC).
You must select the MIC box to connect the AP to the WLC.
For Auth for APs
you can add the MAC address of the APs and check the box Authorize MIC APs against auth-list or AAA.
Regards
03-07-2014 04:18 AM
If the AP is joined, then there is a weird issue going on. Can you issue a show ap summary and post that and let us know what AP is the issue.
Sent from Cisco Technical Support iPhone App
03-07-2014 05:01 AM
Thanks Scott.
AP summary:
AP78da.6e42.85ca 2 AIR-CAP3602I-E-K9 78:da:6e:42:85:ca default location 10.201.30.203 0
AP join stats summary:
Base Mac AP EthernetMac AP Name IP Address Status
c0:7b:bc:76:49:e0 c0:7b:bc:76:49:e0 AP78da.6e42.85ca 10.201.30.203 Not Joined
AP join stats detailed:
(Cisco Controller) >show ap join stats detailed c0:7b:bc:76:49:e0
Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable
Discovery phase statistics
- Discovery requests received.............................. 183
- Successful discovery responses sent...................... 183
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Mar 07 12:58:56.749
- Time at last unsuccessful discovery attempt.............. Not applicable
Join phase statistics
- Join requests received................................... 60
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Not applicable
Configuration phase statistics
--More-- or (q)uit
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable
- Last AP disconnect reason................................ Not applicable
Last join error summary
- Type of error that occurred last......................... None
- Reason for error that occurred last...................... Not applicable
- Time at which the last join error occurred............... Not applicable
AP disconnect details
- Reason for last AP connection failure.................... Not applicable
Ethernet Mac : c0:7b:bc:76:49:e0 Ip Address : 10.201.30.203
Gui is still showing as joined however:
Thanks.
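A small parser for the `show ap join stats detailed` output posted above, added here as an example and not part of the original thread: it reports the first phase in which the controller received requests but sent no successful response. The function names are illustrative, and the sample is an excerpt of the output in the post.

```python
import re

# Excerpt of the `show ap join stats detailed` output posted above.
SAMPLE = """\
Discovery phase statistics
- Discovery requests received.............................. 183
- Successful discovery responses sent...................... 183
Join phase statistics
- Join requests received................................... 60
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
Configuration phase statistics
--More-- or (q)uit
- Configuration requests received.......................... 0
Last join error summary
- Type of error that occurred last......................... None
"""

# "- <label>.....<value>": the label ends where the run of filler dots begins.
ROW = re.compile(r"^-\s*(?P<label>.+?)\.{2,}\s*(?P<value>.*)$")

def parse_join_stats(text):
    """Return {section: {label: value}}; purely numeric values become int."""
    stats, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("--More--"):
            continue  # blank line or CLI pager prompt captured in the paste
        m = ROW.match(line)
        if m is None:  # any non-row line starts a new section
            section = line
            stats.setdefault(section, {})
        elif section is not None:
            value = m["value"].strip()
            stats[section][m["label"].strip()] = int(value) if value.isdigit() else value
    return stats

def stalled_phase(stats):
    """Name the first phase where requests arrived but none succeeded."""
    count = lambda v: v if isinstance(v, int) else 0  # "Not applicable" -> 0
    for name in ("Discovery", "Join", "Configuration"):
        sec = stats.get(f"{name} phase statistics", {})
        received = count(sec.get(f"{name} requests received"))
        succeeded = count(sec.get(f"Successful {name.lower()} responses sent"))
        if received > 0 and succeeded == 0:
            return name
    return None
```

On the output in the post this returns `Join`: 60 join requests were received, none were answered successfully, and no join error was recorded.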
03-07-2014 05:02 AM
Post the WLC show inventory and the AP show ver
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
03-07-2014 05:01 AM
Make sure you're running at least v7.2... Preferred code is v7.2.121.0 as v7.2.115.2 is for FIPS, v7.1, v7.3 & v7.5 are deferred.
http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
03-07-2014 05:30 AM
show inv:
Burned-in MAC Address............................ E8:B7:48:A1:CD:A0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 100
NAME: "Chassis" , DESCR: "Cisco 5500 Series Wireless LAN Controller"
PID: AIR-CT5508-K9, VID: V01, SN: xxxxxxxxxx
AP sh ver:
AP78da.6e42.85ca#sh ver
Cisco IOS Software, C3600 Software (AP3G2-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 30-Jul-13 22:57 by prod_rel_team
ROM: Bootstrap program is C3600 boot loader
BOOTLDR: C3600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(23c)JY, RELEASE SOFTWARE (fc1)
AP78da.6e42.85ca uptime is 22 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco AIR-CAP3602I-E-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
Processor board ID FCZ1749J1KS
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.5.102.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 78:DA:6E:42:85:CA
Part Number : 73-14521-02
PCA Assembly Number : 800-37501-02
PCA Revision Number : A0
PCB Serial Number : FOC17444F2D
Top Assembly Part Number : 800-35852-02
Top Assembly Serial Number : FCZ1749J1KS
Top Revision Number : C0
Product/Model Number : AIR-CAP3602I-E-K9
Configuration register is 0x
WLC software version: 7.5.102.0
FUS: 7.0.112.21
Thanks again Scott.
03-07-2014 05:37 AM
Can you paste the output of sh sysinfo from WLC.
This can not be FUS:7.0.112.21
I think something is wrong here: you must RMA the device.
Regards
03-07-2014 05:43 AM
Apologies, Field Recovery Image Version: 7.0.112.21
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.5.102.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 7.0.112.21
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS
System Name...................................... SSC-WLC-02
System Location.................................. Swindon DC Row C
System Contact................................... Pete Nixon
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.201.30.129
Last Reset....................................... Software reset
System Up Time................................... 24 days 8 hrs 43 mins 9 secs
System Timezone Location......................... (GMT) London, Lisbon, Dublin, Edinburgh
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... GB - United Kingdom
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
External Temperature............................. +22 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 5
Number of Active Clients......................... 700
Burned-in MAC Address............................ E8:B7:48:A1:CD:A0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 100
03-07-2014 05:46 AM
yes it seems ok.
Can you paste the screenshot of the page Security > AP Policies.
Regards
03-07-2014 05:40 AM
Just some further information Scott, the output above was when I successfully joined it to the controller a few moments ago using accept MIC policy.
The summary stats show the correct IP from the scope (10.201.30.203), as does the AP summary screen in the gui but looking at the AP in further detail it has 0.0.0.0 as its address:
I have tried to assign the address as static, but it generates an error message:
03-07-2014 05:43 AM
Screen capture your auth list. You don't need anything checked except for the default. Your AP isn't joining.
Sent from Cisco Technical Support iPhone App
03-07-2014 05:45 AM
03-07-2014 05:49 AM
Auth-list below mate:
At the moment, the AP is pingable on 10.201.30.203, after an attempted join using authorised list, but it's not downloading the image and I can't configure anything using the gui on the controller.
Cheers.
03-07-2014 05:50 AM
Check the Accept Manufactured Installed Certificate box, then the AP will connect automatically.
As Scott send the screenshot.
Regards
03-07-2014 05:53 AM
Thanks Sandeep.
I can join them using the default no problem. However, it is a requirement that I increase security of what APs can join the controller, and even without adding the MAC to the AP authorisation list, I can join an AP no problem...