
Unable to join AIR-CAP1532E Access point to 3504 Wireless Controller

Ahmed Amro
Level 1

Hi

I've been trying to join an AIR-CAP1532E access point to a 3504 Wireless Controller but my efforts have been unsuccessful.

The 3504 controller can see the access point but it does not allow it to join. The errors below keep appearing every time the access point attempts to associate:

1- AAA Authentication Failure for Client MAC: 68:2c:7b:11:94:80 UserName:b4de311b34fc User Type: WLAN USER Reason: unknown error

2- Failed to authorize AP Name with Base Radio MAC Authorization entry does not exist in AAA server. CAP1532E

 

Setup

I have both the controller and access point connected to a load balancing router (RV042G) LAN ports and no issues have been observed with LAN connectivity.  

 

Attempted solutions

- I have attempted to add the access point MAC address to the authorization list in the (Security > AAA > AP Policies) tab with MIC certificate type and checked the option to accept Manufacturer Installed Certificate, but it didn't solve the problem.

 

Clarification 

I realize the AIR-CAP1532E is end-of-sale and old but we use it for training purposes. Also, I checked whether it is supported by the 3504 controller, and yes, it should be.

 

Solution

===========================

I was confusedly using the MAC address discovered by the WLC controller and adding it to the AAA AP policies. When I used the MAC address printed on the access point, it joined immediately. 

Thanks to @Sandeep Choudhary and everyone who tried to help.

 

Accepted Solutions

Make sure that you add the correct AP MAC address (not radio MAC address) in Cisco WLC.
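
The check behind this fix, as an added example that is not part of the original thread: it compares an AP Policies list against the `Base ethernet MAC Address` from the AP's `sh version` and against the MAC shown in the WLC's AAA failure message. The function names and the policy list passed in are hypothetical; the two sample lines are quoted from the outputs posted in the thread, where the `UserName` field of the failure message equals the AP's Ethernet MAC.

```python
import re

# Sample input: two lines quoted from the outputs posted in this thread.
WLC_TRAP = ("AAA Authentication Failure for Client MAC: 68:2c:7b:11:94:80 "
            "UserName:b4de311b34fc User Type: WLAN USER Reason: unknown error")
AP_SHOW_VERSION = "Base ethernet MAC Address: B4:DE:31:1B:34:FC"


def norm_mac(text):
    """Normalize colon, dotted (b4de.311b.34fc) or bare-hex MACs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_trap(line):
    """Return (reported_mac, username_mac) from the WLC AAA failure message."""
    m = re.search(r"Client MAC:\s*([0-9A-Fa-f:.\-]+)\s+"
                  r"UserName:\s*([0-9A-Fa-f]{12})\b", line)
    if not m:
        raise ValueError("not an AAA authentication failure line")
    return norm_mac(m.group(1)), norm_mac(m.group(2))


def parse_ethernet_mac(show_version):
    """Return the 'Base ethernet MAC Address' from AP 'sh version' output."""
    m = re.search(r"Base ethernet MAC Address:\s*(\S+)", show_version)
    if not m:
        raise ValueError("no 'Base ethernet MAC Address' line found")
    return norm_mac(m.group(1))


def check_ap_policy(policy_macs, trap_line, show_version):
    """Classify an AP Policies list against the AP's Ethernet MAC."""
    allowed = {norm_mac(m) for m in policy_macs}
    reported_mac, username_mac = parse_trap(trap_line)
    eth_mac = parse_ethernet_mac(show_version)
    if eth_mac in allowed:
        status = "ok"
    elif reported_mac in allowed:
        status = "wrong-mac"   # list holds the MAC the WLC displayed
    else:
        status = "missing"
    return {"status": status, "add": eth_mac,
            "username_is_ethernet": username_mac == eth_mac}


if __name__ == "__main__":
    # Constructed policy list reproducing the mistake described in the post.
    print(check_ap_policy(["68:2c:7b:11:94:80"], WLC_TRAP, AP_SHOW_VERSION))
```

A `wrong-mac` result means the list contains the address the controller displayed rather than the AP's Ethernet MAC; `add` is the value to enter instead.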


Leo Laohoo
Hall of Fame

Post the complete output to the following WLC commands: 

sh sysinfo
sh time 
sh ap max
sh ap join details <AP MAC ADDRESS>

Post the complete output to the following AP commands: 

sh version
sh ip interface brief
sh inventory

Thanks for your reply. 

 

Below are the outputs of the requested commands

 

WLC commands

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Build Info....................................... Engineering Special
Product Version.................................. 8.5.140.0
RTOS Version..................................... 8.5.140.0
Bootloader Version............................... 8.5.103.0
Emergency Image Version.......................... 8.5.103.0

OUI File Last Update Time........................ N/A
Build Type....................................... DATA + WPS

System Name...................................... WLCAFTestbed
System Location.................................. 
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.9.1.2427
Redundancy Mode.................................. Disabled
IP Address....................................... 192.168.1.249
IPv6 Address..................................... ::
Last Reset....................................... Cold reset due to PLL_DC_OK 
System Up Time................................... 0 days 0 hrs 4 mins 14 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

--More-- or (q)uit
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... NO  - Norway
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... -10 to 80 C
Internal Temperature............................. +40 C
Mgig Temp Alarm Limits........................... -10 to 78 C
Mgig Temperature................................. +31 C
External Temp Alarm Limits....................... -10 to 71 C
External Temperature............................. +27 C
Fan Status....................................... OK
Fan Speed Mode................................... Disable

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0


OUI Classification Failure Count................. 0


Memory Current Usage............................. 34
Memory Average Usage............................. 34

--More-- or (q)uit
CPU Current Usage................................ 0
CPU Average Usage................................ 0

Flash Type....................................... Compact Flash Card

Flash Size....................................... 1073741824

Burned-in MAC Address............................ 30:8B:B2:89:54:02
Maximum number of APs supported.................. 150
System Nas-Id.................................... 
WLC MIC Certificate Types........................ SHA1/SHA2
Licensing Type................................... RTU

(Cisco Controller) >show time 

Time............................................. Fri Jun 12 08:56:29 2020

Timezone delta................................... 0:0
Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

NTP Servers
    NTP Version..................................     3
    NTP Polling Interval.........................     86400

     Index     NTP Key Index                  NTP Server                Status          NTP Msg Auth Status
    -------  ---------------------------------------------------------------------


(Cisco Controller) >show ap max

Max APs Supported................................ 150
Max AP Groups Supported.......................... 150
Max AP join limit................................ 3



(Cisco Controller) >show ap join stats detailed sh ap join details 68:2c:7b:11:94:80
No join information found for AP: 68:2c:7b:11:94:80

AP commands: 

APb4de.311b.34fc>sh version
Cisco IOS Software, C1530 Software (ap1g3-K9W8-M), Version 15.3(3)JD16, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 05-Jun-18 01:19 by prod_rel_team

ROM: Bootstrap program is C1530 boot loader
BOOTLDR: C1530 Boot Loader (ap1g3-BOOT-M) Version 15.2(4)JB3b, RELEASE SOFTWARE (fc1)

APb4de.311b.34fc uptime is 6 minutes
System returned to ROM by power-on
System image file is "flash:/ap1g3-k9w8-mx.153-3.JD16/ap1g3-k9w8-mx.153-3.JD16"
Last reload reason: Reload



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP1532E-E-K9 (MIPS74k) processor (revision 37) with 204800K/57344K bytes of memory.
Processor bo
*Jan  1 00:19:07.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
ard ID FCZ2248Z0FU
MIPS74k CPU at 700Mhz, revision number 0x0000
Last reset from power-on
LWAPP image version 8.3.143.0
2 Gigabit Ethernet interfaces
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: B4:DE:31:1B:34:FC
Part Number                          : 74-11941-04
PCB Serial Number                    : FOC224224CQ
Top Assembly Part Number             : 074-11941-04
 --More--
*Jan  1 00:19:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.1 peer_port: 5246
*Jan  1 00:19:05.295: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.1
*Jan  1 00:19:05.295: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.16Top Assembly Serial Number           : FCZ2248Z0FU
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1532E-E-K9



Configuration register is 0xF


APb4de.311b.34fc>sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.3     YES DHCP   up                    up
Dot11Radio0                unassigned      NO  unset  reset                 down
Dot11Radio1                unassigned      NO  unset  reset                 down
GigabitEthernet0           unassigned      NO  unset  up                    up
GigabitEthernet1           unassigned      NO  unset  up                    down
Virtual-WLAN0              unassigned      NO  unset  up                    up
Virtual-WLAN0.1            unassigned      NO  unset  up                    up
Virtual-WLAN0.2            unassigned      NO  unset  up                    up
Virtual-WLAN0.3            unassigned      NO  unset  up                    up
Virtual-WLAN0.4            unassigned      NO  unset  up                    up
Virtual-WLAN0.5            unassigned      NO  unset  up                    up
Virtual-WLAN0.6            unassigned      NO  unset  up                    up
Virtual-WLAN0.7            unassigned      NO  unset  up                    up
Virtual-WLAN0.8            unassigned      NO  unset  up                    up
Virtual-WLAN0.9            unassigned      NO  unset  up                    up
Virtual-WLAN0.10           unassigned      NO  unset  up                    up
Virtual-WLAN0.11           unassigned      NO  unset  up                    up
Virtual-WLAN0.12           unassigned      NO  unset  up                    up
Virtual-WLAN0.13           unassigned      NO  unset  up                    up
Virtual-WLAN0.14           unassigned      NO  unset  up                    up
Virtual-WLAN0.15           unassigned      NO  unset  up                    up
Virtual-WLAN0.16           unassigned      NO  unset  up                    up


APb4de.311b.34fc>sh inventory
NAME: "AP1530", DESCR: "Cisco Aironet 1530 Series (IEEE 802.11n) Access Point"
PID: AIR-CAP1532E-E-K9 , VID: V04, SN: FCZ2248Z0FU

Hope this can be useful.

Thanks


@Ahmed Amro wrote:
*Jan  1 00:19:05.295: 

Look at the time and date of the AP -- it is wrong. 
The output of the WLC command "sh time" confirms the NTP is not configured on the WLC. 

Time and date on the controller must be correct otherwise the WLC will not "trust" the AP's MIC.

I have configured the WLC to sync with an NTP server but the issue remains.

(Cisco Controller) >show time

Time............................................. Mon Jun 15 13:32:36 2020

Timezone delta................................... 0:0
Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

NTP Servers
    NTP Version..................................     3
    NTP Polling Interval.........................     60

     Index     NTP Key Index                  NTP Server                Status          NTP Msg Auth Status
    -------  ---------------------------------------------------------------------
       1              0                             129.241.160.120     In Sync              AUTH DISABLED

I even attempted to change the time at the Access point but it keeps changing back to the old time. Any suggestion?

Ok, console into the AP and reboot.
Post the entire boot-up process.

Have you enabled/accepted the license on the WLC?

I will add the logs from the console soon, I'm waiting for a new console cable (sorry for the delay).

 

@patoberli, thank you for replying, I have the license pre-installed. I don't know if I need to do anything else. 

Make sure that you add the correct AP MAC address (not radio MAC address) in Cisco WLC.

Hi

Attached is the log for approximately 2 hours during which I attempted to change a few configs. I aligned the time on both down to the minute, made sure the Ethernet address is the right one registered on the WLC and made sure the licence is accepted. Still nothing changed.

However, I think that I have identified the logs showing the main issue. See below:

*Jul  7 14:44:57.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.249 peer_port: 5246
*Jul  7 14:44:57.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:224 Connection 0x6835C600 is already there for this server port 5246, Deleting it. Number of connections: 1
*Jul  7 14:44:57.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.249:5246
*Jul  7 14:44:57.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.249:5246
*Jul  7 14:45:31.099: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
*Jul  7 14:45:31.099: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join failed expired
*Jul  7 14:45:31.099:  Mesh setting the ethernet port 0 state to 0
*Jul  7 14:45:31.099: %MESH-6-LINK_UPDOWN: Mesh station b4de.311b.3854 link Down
*Jul  7 14:46:01.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

These lines kept repeating every time the lights on the access point were reflecting an association attempt (repeating green-red-yellow).

Post the complete output to the AP command 

show capwap client rcb

Here you go

APb4de.311b.3854>show capwap client rcb
AdminState                  :  ADMIN_ENABLED
SwVer                       :  8.3.143.0
NumFilledSlots              :  2
Name                        :  APb4de.311b.3854
Location                    :  default location
MwarName                    :  WLCAFTestbed
MwarApMgrIp                 :  192.168.1.249
MwarHwVer                   :  0.0.0.0
ApMode                      :  Bridge
ApSubMode                   :  Not Configured
OperationState              :  DTLS SETUP
CAPWAP Path MTU             :  576
Link-Encryption (AP)        :  Disabled
Link-Encryption (MWAR)      :  Disabled
Prefer-mode                 :  Un-configured
LinkAuditing                :  disabled
ApRole                      :  MeshAP
ApBackhaul                  :  802.11a
ApBackhaulChannel           :  0
ApBackhaulSlot              :  3
ApBackhaul11gEnabled        :  0
ApBackhaulTxRate            :  0
Ethernet Bridging State     :  0
Daisy Chaining State        :  Disabled
Public Safety State         :  disabled
AP Rogue Detection Mode     :  Enabled
AP Tcp MSS Adjust           :  Disabled
Predownload Status          :  None
Auto Immune Status          :  Disabled
RA Guard Status             :  Disabled
Efficient Upgrade State     :  Disabled
Efficient Upgrade Role      :  None
TFTP Server                 :  Disabled
Antenna Band Mode           :  Dual Band
Universal AP Priming mode   :  Unprimed
802.11bg(0) Radio
ADMIN  State =  ENABLE [1]
OPER   State =    DOWN [1]
CONFIG State =      UP [2]
HW     State =      UP [4]
  Radio Mode                : Bridge
  GPR Period                : 0
  Beacon Period             : 0
  DTIM Period               : 0
  World Mode                : 1
  VoceraFix                 : 0
  Dfs peakdetect            : 1
  Fragmentation Threshold   : 2346
  Current Tx Power Level    : 0
  Current Channel           : 13
  Current Bandwidth         : 20
802.11a(1) Radio
ADMIN  State =  ENABLE [1]
OPER   State =    DOWN [1]
CONFIG State =      UP [2]
HW     State =      UP [4]
  Radio Mode                : Bridge
  GPR Period                : 0
  Beacon Period             : 0
  DTIM Period               : 0
  World Mode                : 1
  VoceraFix                 : 0
  Dfs peakdetect            : 1
  Fragmentation Threshold   : 2346
  Current Tx Power Level    : 1
  Current Channel           : 140
  Current Bandwidth         : 20


@Ahmed Amro wrote:
ApMode                      :  Bridge

This is the reason why.

Leo Laohoo
Hall of Fame

Console into the AP and enter the following command: 

capwap ap mode local

The command should turn the AP into local mode.
