Cisco :: 1310 - 802.1x Authentication Fail Through WLC But OK On Autonomous APs

Jun 5, 2013

I migrate 1310 APs from Autonomous to Lightweight. Migration is OK with Cisco Upgrade Tool, and the APs are registered on my 2504 WLC.

Previously, an 802.1x network was broadcast by autonomous APs; supplicants were identified on a freeradius server with MSCHAPv2/PEAP method.

But on the WLC, supplicants can't auth on Radius server. I configured a WLAN with WPA/TKIP/802.1x with my radius server in AAA tab. When clients try to authenticate, I get these messages where xxx is login:

-AAA Authentication Failure for UserName:821 User Type: WLAN USER
-AAA Authentication Failure for UserName:200 User Type: WLAN USER
-AAA Authentication Failure for UserName:209 User Type: WLAN USER
 
Security info on client page is:

Security Policy Completed: No
Policy Type: WPA
Encryption Cipher: TKIP-MIC
EAP Type: PEAP
SNMP NAC State: Access
Radius NAC State: 8021X_REQD

What is strange: there are some clients which are OK in RUN State, and the other 50% which are not.


Cisco Wireless :: 1310 Autonomous To LAP Conversion

Oct 22, 2012

A customer of mine has 20 AP AIR-BR1310G-E-K9. No controller installed. He uses them as autonomous APs.

Right now he wants to introduce a WLC. Due to that, every single AP must be converted to a LAP AP.

Is this action free of charge? Do I need SMARTNET coverage?


Cisco Wireless :: Convert Aironet 1310 Autonomous To LAP?

Apr 22, 2012

Is it possible to also upgrade the 1310 series Cisco APs from autonomous to LWAP without using the upgrade tool? If so, what procedure do I follow? The upgrade tool requires telnet to be enabled on the controller, and I can't break the policy.


Cisco :: Adding 1310 Autonomous AP To WCS Before Upgrade To Lightweight

Jan 30, 2011

I keep getting the following error "Could not execute JDBC batch update" when trying to add AP to WCS ... other 1240 APs added without any problems.


Cisco Wireless :: Connecting 1310 AP To WLC 4402 In Autonomous Mode?

Mar 16, 2013

configuration of a 1310 that will be a root access point and connected to wlc 4402. The AP will be implemented as autonomous and not lightweight.


Cisco Wireless :: Change 1310 Autonomous AP To Controller Based?

Apr 6, 2013

How do I change 1310 Autonomous AP to a Controller based AP for 5508 WLC?


Cisco AAA / Identity / Nac :: 1310 Bridges - FreeRadius Authentication Error

Mar 2, 2011

I have two 1310 bridges, one configured as root and the other as non-root. Authentication Settings: Open with EAP and Network EAP with no addition. Set up: when the non-root bridge tries to associate with the root bridge, the root bridge checks with the radius server if it's OK to associate with the non-root bridge.
 
I can see communication with the radius server (I'm using FreeRadius) and the radius server even sends a SUCCESS back to the root bridge. However I'm seeing this error on the non-root bridge: DOT1X_SHIM-3-PLUMB_KEY_ERR: Unable to plumb keys - Eap key struct is NULL and the bridges do not authenticate.


Cisco Wireless :: AP 1252 - Authentication And Roaming With Autonomous System

Aug 2, 2012

I have three Autonomous APs in a small office running voice applications. All of them are connected to the same infrastructure switch and they have the same configuration; the voice VLAN is configured for open authentication. I have two models of AP, 1252 and 1262, and I paste the radio configuration below.

First issue: During calls users are facing problems when roaming between APs, and eventually calls are dropped.
Second issue: Sometimes one of these APs (1252) loses all transmit signal, and when it returns I get an authentication error in the log.


Cisco Wireless :: 1042 Autonomous AP - BSSID Failed Authentication

Feb 13, 2013

I am trying to configure a Cisco 1042 autonomous AP and have run into some problems. I require 2 broadcast SSIDs that use WPA v2. When I only have 1 of the SSIDs enabled, I can authenticate with no problems. When I have both SSIDs enabled, I can connect to one of the networks, but not the other. I have verified the PSK multiple times, but the logs still show dot11-7-auth_failed. If I remove the working SSID and make no changes to the SSID for which authentication previously failed, everything works fine. Upon adding the other SSID back, I run into the same authentication issue.


Cisco Firewall :: 5540 - Remote VPN Authentication Fail?

Mar 15, 2011

What would be the change in configuration of remote access VPN on ASA 5540?

4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry
3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,

[Code].....


Cisco :: WLC 4402 Web-authentication Fail With External RADIUS Server

Jul 3, 2007

I followed step by step the link below to configure web-auth with an external RADIUS server, but I receive an error on the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile". My Radius Server is fine, because I can authenticate on the WLC Web page with a RADIUS user. WLC 4402 version 4.1.171.0 [URL]


Cisco AAA/Identity/Nac :: Http Radius Authentication Fail In 12.2.58 And 15.0.1 For 2960

Aug 18, 2011

Find here the extract of the configuration and the debug sysout. The radius servers work fine with all the other access methods like ssh, telnet...

Just the http access fails. This configuration worked fine with the version 12.2.55 installed before.

aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local

[Code].....


Cisco Switching/Routing :: C2969-48PST-L - PC Will Fail Authentication Intermittently

Jun 19, 2012

I have a c2969-48PST-L switch running IOS Version 12.2(55) SE. The switch is configured for 802.1x authentication. The radius server is a Cisco ACS 5.2. We are using PEAP and allowing EAP-TLS and EAP-MS-CHAPv2. Windows 7 PCs (HP Elitebooks) are using the "windows" supplicant and are configured so that 802.1x authentication is enabled using Microsoft Protected EAP (PEAP); we are not validating any certificates and the authentication method is Secured password (EAP-MSCHAP v2). What is occurring every so often is that the PC will fail authentication (intermittently) and the ACS shows the reason as being 5411 EAP session timeout. This is a pretty generic message according to TAC. The interesting part to me is that the Authentication Method showing on the ACS when the authentication fails is simply PEAP. However, when it does not fail the Authentication Method is shown as PEAP (EAP-MSCHAPv2). We have the Cisco TAC looking at the ACS and they are saying the issue is the client not responding to the request correctly from the switch. If the version of IOS software on the switch may not be handling the communication to the ACS correctly. I have wireshark traces of a successful authentication and an unsuccessful one. There does seem to be any difference from the client side at all.


Cisco Switching/Routing :: WS-C3750X-48T-S - Error On Default IOS / Authentication Fail

Feb 8, 2012

I am getting the below error on my new switch though I can’t find out A. why I am getting the error and obviously B. how to resolve said error as I need to ensure I am operating under the letter of the law and compliance.  The switch is a WS-C3750X-48T-S running C3750E-IPBASEK9-M, per my research IP base is the correct IOS for a T-S switch, the label on the outside of the switch matches the show ver (WS-C3750X-48T-S) so I know that IPBase is the right IOS for the hardware.  Could it be that I don’t have the license file installed? Below is what I get when I do a show license.  Lastly is there a place that I can find what IOS ships default with what switches, not version but type like c3750e-ipbasek9-mz.150-1.SE vs c3750e-ipbase-mz.150-1.SE
 
Error: “%ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization.  This product may contain software that was copied in violation of Cisco's license terms.  If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet.  Please contact Cisco's Technical Assistance Center for more information.”

[code].....


Cisco AAA/Identity/Nac :: C2960 Dot1x Monitor Mode / Client Fail Authentication

Mar 21, 2013

I have a setup where I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site. I'm using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and machine cert is working like it should, but it is when I remove this and make the laptop fail that I get weird results with monitor mode. I can't get DNS to work in dot1x monitor mode if the client fails authentication.

When the client fails dot1x and MAB it gets an IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates, DNS is working, or if I turn off dot1x on the client then DNS works as it should. [code]


Cisco AAA/Identity/Nac :: C3560E / Authentication Event Fail Action Authorize VLan

Jul 15, 2012

When the supplicant is missing, vlan500 is open for the port and everything is OK, but when the supplicant has a wrong configuration something happens and the port is always authenticating (every 30s; vlan500 is not assigned to this port with the badly configured supplicant) and the logs show something like this:

Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
  
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
  
port config:

interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500

[code]....


Cisco AAA/Identity/Nac :: Accounting Setup On WLC 440x / 5508 ACS Takes It As Authentication Request And Fail

Dec 8, 2011

accounting in ACS 5.3. When I set up accounting on WLC 440x / 5508, ACS takes them as an authentication request and fails.
 
Here are some logs what I see in acsview:
 
Dec 9,11 6:05:11.783 PM
Radius authentication failed for USER: navrka2  MAC: a.b.c.d  AUTHTYPE: Radius authentication failed
 ACS Session ID:
dc2aaa1v/112555963/420
Audit Session ID:
0a9a01d7000001fd4ee23a3d
Tunnel Details:

[code]...


Cisco WAN :: 2960 Should One Server Fail Other Will Act As Fail Over

Feb 22, 2012

We have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail, the other will act as a failover. I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed, a set of servers would still run, and be able to talk to each other. I'd like to run two VLANs, one for the LAN, and one for the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.


Cisco :: 1310 AP No Longer Supported On WCS 7.2

Jun 19, 2012

After upgrading to 7.2 on my 5508 WCS, the 1310 APs will no longer join. After a call to TAC they said the 1300 and 1400 APs are no longer supported on WCS. Is there any plan to add them back as supported in future releases? I was thinking I could downgrade my backup 5508 and change the APs to autonomous. Or is there some easier way to make them autonomous?
 
Also, as a low cost outdoor AP, I guess I am reduced to putting 1262s in a NEMA box with outdoor antennas. The 1552s are way too expensive for the quantity I need. Is there some other inexpensive outdoor AP that will replace 1300-1400 series?


Cisco Wireless :: Using VLANs With 1310 Bridge

Dec 18, 2012

I am trying to set up a wireless link between two locations, and be able to pass VLANs through the wireless link. Currently I have two 1310 bridges. I followed the information at url..., but it is only passing VLAN 1 across the link. I cannot figure out what the problem is. Both bridges are running c1310-k9w7-mx.123-8.JEA3. [code]


Cisco Wireless :: 1242 And 1310 Bridge?

Apr 18, 2011

Is it possible to make a bridge using a 1242 and a 1310? I have been able to get them to associate together and it appears it will function as a bridge. I have the 12(4) 253 JA IOS for both devices. I would like to use the g antenna on the 1242 for the bridge and the a antenna for wireless clients. The configuration on the web management appears to support bridge root and non root for both devices.


Cisco Wireless :: AP 1310 Not Able To Join Controller

May 20, 2013

I converted the C1310 to LAP using the upgrade tool, but the AP is not able to join the controller. I was not able to view the SHA key in the upgrade tool, so I ran "debug pm pki enable " on the controller to get it. I'm still not able to view the SHA key.
 
Here is the output of the debug command:
  
*spamApTask0: May 21 15:07:43.527: 88:43:e1:d1:fc:9e Received LWAPP JOIN REQUEST from AP 88:43:e1:d1:fc:9e to cc:ef:48:b3:23:ef on port '13'
*spamApTask0: May 21 15:07:43.549: sshpmGetIssuerHandles: locking ca cert table

[Code].....


Cisco Wireless :: 1310 / Manually Configuring The LAP?

Apr 15, 2012

I have an access point 1310. I want to add it to the WLC as an access point. It has been configured with an IP address correctly and the radio interface is up. I need to add it to the WLC as CAPWAP.


Cisco Wireless :: 1310 Ap WPA2 Configuration

Jul 26, 2011

I am looking for an example configuration of a Cisco 1310 running 123-7.JA2 Z IOS, for WPA2 using an external Cisco ACS radius server.


Cisco Wireless :: Cannot Access GUI - Aironet 1310

Apr 29, 2013

I've got a Cisco Aironet LAP1310AG-A-K9 that I can't access through Internet Explorer or Firefox (multiple versions).  I set a static IP in DHCP, I can ping the unit, but I can't browse to the GUI.   


Cisco :: Connection Loss Of 1310 Bridge?

May 20, 2012

I have a Cisco 1310 bridge with IOS Version 12.3(7)JA5. Sometimes the bridges disconnect, showing the following error message.

*Mar 1 01:22:21.856: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
*Mar 1 01:22:22.115: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client

[Code]....

Once it is disassociated, I have to manually restart the bridges. How can I avoid manual restarting, so it would automatically associate after some time?


Cisco Wireless :: IOS Image For Aironet 1310?

Apr 5, 2012

Any IOS image for the Aironet 1310? May I have a copy of it? I can't access Cisco support today.

- C1310-k9w7-tar.124-25d.JA1.tar
- C1310-k9w7-tar.124-21a.JY.tar


D-Link WBR 1310 Constantly Needs Rebooting

Jun 2, 2012

Why does my D-Link WBR 1310 Router constantly need rebooting? By rebooting I mean unplugging power source for 10-15 seconds then replugging it. This problem has been going on for the last 2-3 months.


WBR-1310 D-link / How To Reset Password

Dec 23, 2011

I have a WBR-1310 D-link and was in setup this morning trying to fix my password cause the old one stopped working. Somehow I changed the password and no longer have access to the settings to change it to one that I can use to log on with my other wireless devices!!! Is there a way I can reset the whole thing? I mean something that makes sense to someone who is new to wireless internetting?


WBR-1310 Router Not Allowing Static IP?

Feb 9, 2013

When I set a static IP on my device, it works for a short time, then it won't connect again unless I do DHCP. It's like the router chooses an IP for the device, and only allows it to use that one.

The same thing happened a while ago with my desktop, I wanted to set a static IP so I could access it from another building, and the router, being the piece of crap it is, reset all the IPs, and wouldn't allow the computer to connect. D-Link WBR-1310, Hardware B1, Firmware 2.02


Cisco Wireless :: 1310 Bridge Default Gateway

Jan 11, 2012

In a bridged network environment, we have a pair of Cisco 1310 bridges configured between 2 buildings. The config on each is simple: one as a root bridge, the other as non-root; no spanning tree is running and source route learning is turned off. We had both on in the past. One side of the network has a link out to the internet. About 3-4 times a day the IP address on the default gateway becomes unreachable, i.e. can't be pinged. Only a reboot of one or other of the bridges corrects the issue. This happens only during the day when the network is in use. When this happens everything inside the network works fine and everybody can see everybody else. The ISP can see into the network and can ping our devices but we cannot see out of the network.


Cisco Wireless :: Power Injector For 1310 Bridge

Apr 11, 2013

We have a failed power injector on a 1310 series bridge. Will the "Power Injector LR" from a 1410 series bridge work on the 1310?


Cisco Wireless :: 1310 Bridges Keep Losing Connection?

Nov 28, 2010

I have two 1310 bridges... one set as root and the other as non-root. For some reason they keep losing connection. When I reboot the non-root bridge, link is established. Both bridges have an antenna connected with the right connector and they have the setting antenna transmit right, antenna receive right.

logs from root bridge
Nov 29 13:52:53.311: %DOT11-4-MAXRETRIES: Packet to client XXXX.XXXX.XXXX reached max retries, removing the client
Nov 29 13:52:53.311: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station XXXX.XXXX.XXXX Reason: Previous authentication no longer valid
Nov 29 13:52:53.568: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Test XXX.XXXX.XXXX Reassociated KEY_MGMT[WPAv2 PSK]
Nov 29 13:55:16.260: %DOT11-4-MAXRETRIES: Packet to client XXXX.XXXX.XXXX reached max retries, removing the client
Nov 29 13:55:16.260: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station XXXX.XXXX.XXXX Reason: Previous authentication no longer valid
Nov 29 13:55:16.550: %DOT11-4-MAXRETRIES: Packet to client XXXX.XXXX.XXXX reached max retries, removing the client
Nov 29 13:55:16.550: Client XXXX.XXXX.XXXX failed: reached maximum retries

logs from non-root
Nov 29 2010 13:52:55: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio0, parent lost: Received deauthenticate (2) not valid
Nov 29 2010 13:52:55: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down

The signal strength is around -84dBm.
Cisco IOS Software on both bridges is: C1310 Software (C1310-K9W7-M), Version 12.4(10b)JA1, RELEASE SOFTWARE (fc2)

View 12 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved