02-14-2020 03:13 AM - edited 07-05-2021 11:43 AM
Hi all,
I'm having a problem configuring a Cisco Air-SAP1602I-E-K9. I configured everything, I guess, but every time I try to authenticate it it says: Sending station has left the BSS.
How can I solve this issue?
This is the configuration I did:
AP#sh run
Building configuration...
Current configuration : 2869 bytes
!
! Last configuration change at 21:41:59 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP
!
!
logging rate-limit console 9
enable secret 5 $1$WyKF$wUlRyeJ1q85u.N2HQb3aK/
!
no aaa new-model
clock timezone UTC 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip routing
no ip cef
ip domain name client.local
!
!
!
dot11 syslog
dot11 vlan-name Test vlan 600
!
dot11 ssid XPRESS
vlan 600
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1344301E183323382E232934321D4157445340
!
!
crypto pki token default removal timeout 0
!
!
username admin password 7 062F012743712E0B0010130C0B
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 600 mode ciphers aes-ccm tkip
!
encryption mode wep mandatory
!
ssid XPRESS
!
antenna gain 0
stbc
beamform ofdm
mbssid
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.600
encapsulation dot1Q 600
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 600 mode ciphers aes-ccm tkip
!
encryption mode wep mandatory
!
ssid XPRESS
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.600
encapsulation dot1Q 600
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.600
encapsulation dot1Q 600
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface BVI1
ip address 192.168.250.24 255.255.255.224
no ip route-cache
!
ip default-gateway 192.168.250.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input ssh
!
end
Do you have a solution for this issue?
Thank you!
02-14-2020 04:30 AM
Hi
Have you tried more then one device? the message states that the sender has left the BSS and this can be a client problem and not an AP problem.
You also need to provide more info like are you trying to access the network closer enough? Can you run a client debug and share the output?
-If I helped you somehow, please, rate it as useful.-
02-14-2020 06:33 AM
Hi Flavio,
I tried 4 devices, with the same result.
The access point is in laboratory with me, I'm testing it before starting to use it. There are no interferences :/
I don't know how to run a client debug. Can you explain me?
Thank you
02-14-2020 06:59 AM
Console into AP and run "debug dot11 ? "
This must show you debugs option. Try as much as possible.
-If I helped you somehow, please, rate it as useful.-
02-14-2020 07:20 AM
Ok, thanks. I found this:
*Mar 2 01:02:33.819: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 3ccd.5d3a.f837 Associated KEY_MGMT[WPAv2 PSK]
*Mar 2 01:03:09.862: dot11_auth_client_abort: Received abort request for client 3ccd.5d3a.f837
*Mar 2 01:03:09.862: dot11_auth_client_abort: No client entry to abort: 3ccd.5d3a.f837 for application 0x1
*Mar 2 01:03:09.862: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 3ccd.5d3a.f837 Reason: Sending station has left the BSS
There are two logs that may help. Maybe you alredy faced this before.
Thank you
02-14-2020 08:16 AM
Looks like the problem is authentication
dot11 ssid XPRESS
vlan 600
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1344301E183323382E232934321D4157445340
Try to remove the "mbssid guest-mode" line
-If I helped you somehow, please, rate it as useful.-
02-17-2020 12:35 AM
Hi,
when I removed the mbssid guest-mode command it stopped broadcasting SSID. Then I activated just the guest-ssid command., removing the mbssid also into the dot11 interface. Now it forwards again but the result is the same..
02-20-2020 01:27 PM - edited 02-20-2020 01:31 PM
The client is trying to auth with WPAv2 but you are only using WPAv1 on the SSID. I would do two things here:
1. Remove the "encryption mode wep mandatory" from the radio.
2. On the SSID change "authentication key-management wpa" to "authentication key-management wpa version 2"
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide