Issue with Cisco 3502i - Running Autonomous

aravinda099
Level 1

Wonder if anyone can help me. Trying to get a 3503i AP working with the newly released Autonomous image. First I had issues with reaching it after installing. Could not ping from different subnets. After reading a blog post here related to the 1200 series I ran NO IP ROUTING. It started working and I was able to connect via SSH and the Web GUI of the AP.

Now I am faced with connecting clients to it. Clients receive IPs from the central DHCP server. But they hang; it looks like they are trying to authenticate.

Below is showing up on AP

*Mar  1 00:29:17.426: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Mar  1 00:29:40.944: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   40a6.d98b.0a58 Associated KEY_MGMT[WPAv2 PSK]

Greatly appreciate it if someone can help. Could it be another bug in the image?

Config of the AP

Current configuration : 2923 bytes
!
! Last configuration change at 00:29:14 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$Rc9t$71qkC47romYdEyI8ECvxz.
!
no aaa new-model
no ip routing
no ip cef
ip name-server 10.0.0.2
!
!
!
dot11 syslog
!
dot11 ssid CGAF
   vlan 325
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 06040237455D000D0A051C0E1810
!
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 13261E010803
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 325 mode ciphers aes-ccm tkip
 !
 ssid CGAF
 !
 antenna gain 0
 mbssid
 station-role root
!
interface Dot11Radio0.300
 encapsulation dot1Q 300 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.325
 encapsulation dot1Q 325
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 spanning-disabled
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 325 mode ciphers aes-ccm tkip
 !
 ssid CGAF
 !
 antenna gain 0
 no dfs band block
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.300
 encapsulation dot1Q 300 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.325
 encapsulation dot1Q 325
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 spanning-disabled
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.300
 encapsulation dot1Q 300 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.325
 encapsulation dot1Q 325
 no ip route-cache
 bridge-group 255
 bridge-group 255 spanning-disabled
 no bridge-group 255 source-learning
!
interface BVI1
 ip address 10.2.8.60 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.2.8.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
 transport input all
!
end

12 Replies

Leo Laohoo
Hall of Fame
*Mar  1 00:29:40.944: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   40a6.d98b.0a58 Associated KEY_MGMT[WPAv2 PSK]

This means that the client has successfully associated.

Can you post the output of the command "sh dot11 assoc  client 40a6.d98b.0a58 "?

This was seen a few minutes after that association:

*Mar  1 03:34:29.266: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 40a6.d98b.0a58 Reason: Sending station has left the BSS

Also, when I ran the show command it wouldn't take the command with the MAC address; instead it worked with the interface.

Below is the output.

ap#sh dot11 assoc  client interface dot11Radio 0

802.11 Client Stations on Dot11Radio0:

SSID [CGAF] :

MAC Address    IP address      Device        Name            Parent         State

40a6.d98b.0a58 0.0.0.0         unknown       -               self           Assoc

It doesn't look like it's picking up IPs anymore.

Is the config done right?

The link between your AP and the switch is a Dot1Q trunk with VLANs 300 & 325 allowed?

Yes, the switch is HP Procurve range.

I have port Untagged for VLAN 300 and tagged for VLAN 325. VLAN 300 is the native VLAN

kcnajaf
Level 7

Hi Aravind,

From the configuration perspective it is not standard to use WPA2 and TKIP at the same time.

This should have been either a WPA/TKIP or a WPA2/AES combination.

Try modifying your configuration as below.

config terminal
interface Dot11Radio0
 no encryption vlan 325 mode ciphers aes-ccm tkip
 encryption vlan 325 mode ciphers aes-ccm
interface Dot11Radio1
 no encryption vlan 325 mode ciphers aes-ccm tkip
 encryption vlan 325 mode ciphers aes-ccm


Hope that helps

Regards

Najaf

Please rate when applicable or helpful !!!

Thanks Najaf. Let me try. But I have other APs (1131 model) running autonomous with encryption set to AES CCMP + TKIP, working fine.

Config is the same as this one, except this one is a different AP model and a newer image, plus the subnet and IP address of the AP device.

Hi Aravind,

This may or may not work for some clients :-)

You can find more details with below post.

https://supportforums.cisco.com/message/3669929#3669929

Hope that helps

Regards

Najaf

Please rate when applicable or helpful !!!

Thanks Najaf. I have seen this before. However I tried just AES but no luck, still the same.

Hi Aravind,

Could you try a new SSID without any WPA keys for testing purposes and verify if that works?

Hope that helps

Regards

Najaf

Please rate when applicable or helpful !!

Najaf,

I have tried this already. Had tried with no authentication and no encryption. Still doing the same thing.

aravinda099
Level 1

All,

Issue is fixed. Bug in IOS: by default IP ROUTING is enabled. Also had to re-do the DHCP scopes in the MS DHCP server, which helped clients to associate. Guess there was some sort of bug in that too.
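
A check for the two configuration points this thread turned on, TKIP in the cipher list of a WPA2 SSID (kcnajaf's reply) and a missing `no ip routing` (the original poster's fix), written as an added example that is not part of any post. The helper names `parse_sections` and `audit` are hypothetical, and the sample is constructed from the relevant lines of the posted configuration.

```python
import re

# Constructed sample: the thread's relevant config lines, with standard IOS indentation.
SAMPLE_CONFIG = """\
no ip routing
dot11 ssid CGAF
   vlan 325
   authentication open
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 325 mode ciphers aes-ccm tkip
 ssid CGAF
interface Dot11Radio1
 encryption vlan 325 mode ciphers aes-ccm tkip
 ssid CGAF
"""

def parse_sections(text):
    """Return [(header, [child lines])]; '!' separators and blank lines are skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)   # indented line: child of the last header
        else:
            sections.append((line, []))    # column-0 line: new section or global command
    return sections

def audit(text):
    """Hypothetical helper: findings for the two points raised in the thread."""
    sections = parse_sections(text)
    findings = []
    if not any(h == "no ip routing" for h, _ in sections):
        findings.append("global: 'no ip routing' is absent")
    # VLAN -> SSID name for every SSID using WPA version 2 key management.
    wpa2_vlans = {}
    for header, body in sections:
        if header.startswith("dot11 ssid ") and "authentication key-management wpa version 2" in body:
            for m in filter(None, (re.fullmatch(r"vlan (\d+)", b) for b in body)):
                wpa2_vlans[m.group(1)] = header.split()[2]
    # Flag radios whose cipher list for such a VLAN still includes TKIP.
    for header, body in sections:
        for b in body if header.startswith("interface Dot11Radio") else []:
            m = re.fullmatch(r"encryption vlan (\d+) mode ciphers (.+)", b)
            if m and m.group(1) in wpa2_vlans and "tkip" in m.group(2).split():
                ssid = wpa2_vlans[m.group(1)]
                findings.append(f"{header}: VLAN {m.group(1)} (SSID {ssid}) is WPA2 but ciphers include tkip")
    return findings
```

Run `audit()` on the text of `show running-config`; an empty list means neither condition was found.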