Question

Why does my Cisco 877W wireless authentication stop working?

Asked by: v0r73x

Hi,

I've recently configured a Cisco 877W with a mix of the CLI & SDM and everything currently appears to work ok, however wireless will work for a certain amount of time and then just stop authentication devices with the following error in the console:

%DOT11-7-CCKM_AUTH_FAILED: Station {MAC Address} CCKM authentication failed

I've tried shutting down the interface and starting it up again but this doesn't help, I need to reboot the device and then it starts letting devices on wireless again. Any ideas?! I've gone through a lot of sample configs and as far as I can see wireless is set fine for a single SSID with WPA-PSK as protection. Any help appreciated.

Router#show run
Building configuration...
 
001212: *Dec  3 07:37:49.560 London: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 8799 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 informational
logging monitor informational
enable secret 5 **********************
!
aaa new-model
!         
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
dot11 syslog
!
dot11 ssid HarveyWAP
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 ********************
!
no ip source-route
!
!
ip port-map user-protocol--2 port tcp 3389 description RDP
ip port-map user-protocol--3 port tcp 5900 description RealVNC
ip port-map user-protocol--1 port tcp 8081 description VibeStream
ip cef
no ip bootp server
no ip domain lookup
ip name-server 192.168.11.254
!
!
!
!
username admin privilege 15 secret 5 ******************
! 
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 106
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 105
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 107
 match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect 
 class type inspect sdm-nat-smtp-1
  inspect 
 class type inspect sdm-nat-https-1
  inspect 
 class type inspect sdm-nat-user-protocol--1-1
  inspect 
 class type inspect sdm-nat-user-protocol--2-1
  inspect 
 class type inspect sdm-nat-user-protocol--3-1
  inspect 
 class type inspect sdm-nat-ftp-1
  inspect 
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect 
 class type inspect sdm-protocol-http
  inspect 
 class type inspect SDM-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description Nildram ISP
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description WLAN
 no ip address
 !
 encryption mode ciphers tkip 
 !
 ssid HarveyWAP
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description LAN
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname **************
 ppp chap password 7 *************
 ppp pap sent-username ************* password 7 *************
!
interface BVI1
 description Bridged LAN WLAN$FW_INSIDE$
 ip address 192.168.11.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.11.254 80 interface Dialer0 80
ip nat inside source static tcp 192.168.11.254 25 interface Dialer0 25
ip nat inside source static tcp 192.168.11.254 443 interface Dialer0 443
ip nat inside source static tcp 192.168.11.254 8081 interface Dialer0 8081
ip nat inside source static tcp 192.168.11.254 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.11.2 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.11.254 21 interface Dialer0 21
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.11.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.11.0 0.0.0.255
access-list 3 deny   any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.11.254
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.11.254
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.11.254
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.11.254
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.11.254
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.11.2
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.11.254
access-list 108 remark VTY Access-class list
access-list 108 remark SDM_ACL Category=1
access-list 108 permit ip 192.168.11.0 0.0.0.255 any
access-list 108 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
 
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CThis is a PRIVATE router, disconnect IMMEDIATELY^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 108 in
 password 7 *************
 authorization exec local_author
 logging synchronous
 login authentication local_authen
 transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 194.164.127.6 source ATM0.1
ntp server 194.35.252.7 prefer source ATM0.1
end

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2008-12-02 at 23:49:01ID23952442
Tags

Cisco 877W

,

CCKM Authentication Failed

Topics

Wireless Technologies

,

Cisco PIX Firewall

Participating Experts
1
Points
500
Comments
8

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Cisco Wireless security
    currently using in our current setup cisco wireless points SSID Open Encryption wep128bit with mac authentication what is the latest most secure setup for these devices??? we currently have a cisco Radius server which we use for mac authentication
  2. Cisco Wireless security
    Hi We have just purchased a Cisco Aironet 1240AG WAP to provide wireless access to the guest area of our building. These users will need access to the internet and printers. Network wise, we have several 3Com 4228G switches, a PIX 506e Firewall and a 2501 ISP-managed Cisco ...
  3. Cisco Aironet - broadcast SSID
    I have a Cisco Aironet 1130 running WPA-PSK with TKIP. A manager would like the SSID to be broadcasted, so that visitors can see that wireless is available. We'll still have to provide them with the Pre-Shared Key to get on. What line do I need to add to do this?
  4. Cisco Wireless CLI configuration
    Hi everyone, Hopefully someone can help me, I have a cisco 2811 Router with a HWIC-1ADSL, HWIC-AP-AG, VIC2-4FXO. I am trying to get the wireless working. I have a /27 Public subnet assign to this connection which I have divided into 2 x /28. 1 for wireless and one for LAN. Th...
  5. Cisco Wireless Two SSID's
    I've got a cisco aironet and I'm trying to have two SSID's one with WPA security the other with wep (for our kids nintendo ds's). Or if I must no security at all on the second SSID (nintendo) if it can't be done, but in that case i'd prefer the SSID was hidden. Our neighbor...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: Darr247Posted on 2008-12-03 at 13:50:24ID: 23090639

It appears to be an IOS message...

Error Message    

%DOT11-7-CCKM_AUTH_FAILED : Station [enet] CCKM authentication failed


Explanation                    The station has failed CCKM authentication.

Recommended Action     Verify the topology of the APs under the WDS domain.


What is the specific MAC address... can you pinpoint its location on the network?

In windows if you run
arp -a
in a command window, it would show you a list of MACs and IPs recently seen on the LAN.

 

by: v0r73xPosted on 2008-12-03 at 14:35:43ID: 23091040

Unfortunately it's any device trying to access the wireless side of the 877. The CCKM error is what I see in the CLI Console which I can't figure out especially with Cisco's Explanation/Recommended Action (hence the post :)). The MAC address is specified, I should have said I replaced it with {MAC Address} as it of course varies depending on device.

Wireless works fine for a period and then for some reason everything fails to connect, which is where I then see the CCKM error on the 877. It works again only after I've rebooted the 877.

Hopefully that makes sense?

 

by: Darr247Posted on 2008-12-03 at 19:43:01ID: 23092501

I don't see anything in your configuration to indicate you're connected to a domain, ergo I'm thrown by the wireless domain services message... but after digging around in the Software Configuration Guide, I found these options that seem to be missing from your config...
try adding
 
broadcast-key change 3600

to the dot11 interface. That will make it change keys every hour (3600 seconds). If that doesn't help, lower it to 10 minutes (600 instead of 3600). I'm not sure if it's never changing, or changing too often.


To enable AES encryption (WPA2), add aes-ccm to the encryption mode ciphers. e.g.

encryption mode ciphers aes-ccm tkip  

You should also add that line to the VLAN1 interface.

Then see how long it will run after applying the config with those additions.

 

by: v0r73xPosted on 2008-12-05 at 10:57:22ID: 23107502

I added the aes-ccm back into the config the other day as I did have this in previously, tried removing it with no joy. It did appear to last longer on WPA2 however I have come home this evening and the CCKM error has re-occurred.

I've entered the broadcast-key change which will hopefully do the trick as I really can't see why/where it's going wrong! Will post again with the results :)

 

by: v0r73xPosted on 2008-12-06 at 23:33:38ID: 23115017

Nope, still get the CCKM_AUTH_FAILED error pop up after a period of time?! Have read through the the Cisco wireless guide and it shouldn't even be using CCKM? as the key management is set to wpa so any further thoughts appreciated.

Going to try a different IOS just to test.

 

by: Darr247Posted on 2008-12-07 at 20:22:52ID: 23118755

> Going to try a different IOS just to test.

I was going to ask if you had an alternate configuration image saved.

 

by: v0r73xPosted on 2008-12-07 at 23:45:43ID: 23119089

I was using the latest 12.4(22)T IOS but have since stumbled on a post in the Cisco forum that mentions the CCKM is possibly a bug with this build. It was supposed to affect the 2800's only but also looks to affect the 85/870 series wireless as well.

Have changed to the MD build 12.4(15)T8 and wireless is still working this morning. Will see how it goes for the rest of the day but it looks like we have a winner!

 

by: Darr247Posted on 2008-12-08 at 10:37:26ID: 23122769

You can accept your own answer (23119089) as the solution... or accept and award points if you want to give me some points for an 'assisted solution', but it looks like you figured it out yourself, so I won't object whichever way you close it. :-)

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...