12/02/2008 at 11:49PM PST, ID: 23952442
Why does my Cisco 877W wireless authentication stop working?

Asked by v0r73x in Wireless Technologies, Cisco PIX Firewall

Tags: Cisco 877W, CCKM Authentication Failed

Hi,

I've recently configured a Cisco 877W with a mix of the CLI & SDM and everything currently appears to work OK; however, wireless will work for a certain amount of time and then just stop authenticating devices, with the following error in the console:

%DOT11-7-CCKM_AUTH_FAILED: Station {MAC Address} CCKM authentication failed

I've tried shutting down the interface and starting it up again but this doesn't help; I need to reboot the device and then it starts letting devices on wireless again. Any ideas?! I've gone through a lot of sample configs and as far as I can see wireless is set fine for a single SSID with WPA-PSK as protection. Any help appreciated.
Router#show run
Building configuration...
 
001212: *Dec  3 07:37:49.560 London: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 8799 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 informational
logging monitor informational
enable secret 5 **********************
!
aaa new-model
!         
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
dot11 syslog
!
dot11 ssid HarveyWAP
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 ********************
!
no ip source-route
!
!
ip port-map user-protocol--2 port tcp 3389 description RDP
ip port-map user-protocol--3 port tcp 5900 description RealVNC
ip port-map user-protocol--1 port tcp 8081 description VibeStream
ip cef
no ip bootp server
no ip domain lookup
ip name-server 192.168.11.254
!
!
!
!
username admin privilege 15 secret 5 ******************
! 
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 106
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 105
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 107
 match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect 
 class type inspect sdm-nat-smtp-1
  inspect 
 class type inspect sdm-nat-https-1
  inspect 
 class type inspect sdm-nat-user-protocol--1-1
  inspect 
 class type inspect sdm-nat-user-protocol--2-1
  inspect 
 class type inspect sdm-nat-user-protocol--3-1
  inspect 
 class type inspect sdm-nat-ftp-1
  inspect 
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect 
 class type inspect sdm-protocol-http
  inspect 
 class type inspect SDM-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description Nildram ISP
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description WLAN
 no ip address
 !
 encryption mode ciphers tkip 
 !
 ssid HarveyWAP
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description LAN
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname **************
 ppp chap password 7 *************
 ppp pap sent-username ************* password 7 *************
!
interface BVI1
 description Bridged LAN WLAN$FW_INSIDE$
 ip address 192.168.11.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.11.254 80 interface Dialer0 80
ip nat inside source static tcp 192.168.11.254 25 interface Dialer0 25
ip nat inside source static tcp 192.168.11.254 443 interface Dialer0 443
ip nat inside source static tcp 192.168.11.254 8081 interface Dialer0 8081
ip nat inside source static tcp 192.168.11.254 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.11.2 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.11.254 21 interface Dialer0 21
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.11.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.11.0 0.0.0.255
access-list 3 deny   any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.11.254
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.11.254
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.11.254
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.11.254
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.11.254
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.11.2
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.11.254
access-list 108 remark VTY Access-class list
access-list 108 remark SDM_ACL Category=1
access-list 108 permit ip 192.168.11.0 0.0.0.255 any
access-list 108 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
 
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CThis is a PRIVATE router, disconnect IMMEDIATELY^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 108 in
 password 7 *************
 authorization exec local_author
 logging synchronous
 login authentication local_authen
 transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 194.164.127.6 source ATM0.1
ntp server 194.35.252.7 prefer source ATM0.1
end
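
An added example, not part of the original question or its answers: a Python parser for the log layout this configuration produces (`service sequence-numbers` plus `service timestamps log datetime msec localtime show-timezone`) that finds the moment CCKM failures stop being one client's problem and start hitting several stations at once, which is the symptom described above. The station MAC addresses, the function names, the 5-minute window and the year (IOS omits it here) are assumptions; only the first sample line comes from the post.

```python
import re
from datetime import datetime, timedelta

# "<seq>: [*|.]<Mon> <d> <hh:mm:ss.mmm> <tz>: %FACILITY-SEV-MNEMONIC: text"
# A leading * or . means the router clock is not NTP-authoritative.
LINE = re.compile(
    r"^(?P<seq>\d+): [*.]?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}) (?P<tz>\S+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)
STATION = re.compile(r"Station (\S+) CCKM authentication failed")

# Constructed sample: line 1 is from the post, the rest are made up.
SAMPLE = """\
001212: *Dec  3 07:37:49.560 London: %SYS-5-CONFIG_I: Configured from console by console
001213: *Dec  3 09:02:11.104 London: %DOT11-7-CCKM_AUTH_FAILED: Station 0011.2233.4455 CCKM authentication failed
001214: *Dec  3 11:40:03.250 London: %DOT11-7-CCKM_AUTH_FAILED: Station 0011.2233.4455 CCKM authentication failed
001215: *Dec  3 11:40:41.912 London: %DOT11-7-CCKM_AUTH_FAILED: Station 00aa.bbcc.ddee CCKM authentication failed
""".splitlines()

def parse(line, year=2008):
    """Split one IOS log line into fields; None if it is not a log line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    return {"seq": int(m["seq"]), "time": ts, "facility": m["fac"],
            "severity": int(m["sev"]), "mnemonic": m["mnem"], "message": m["msg"]}

def cckm_failures(lines):
    """Return sorted (time, station) pairs for every CCKM_AUTH_FAILED line."""
    events = []
    for line in lines:
        rec = parse(line)
        if rec and (rec["facility"], rec["mnemonic"]) == ("DOT11", "CCKM_AUTH_FAILED"):
            m = STATION.search(rec["message"])
            if m:
                events.append((rec["time"], m.group(1)))
    return sorted(events)

def outage_onset(events, window=timedelta(minutes=5), min_stations=2):
    """First time >= min_stations distinct stations fail within `window`."""
    for i, (start, _) in enumerate(events):
        stations = {mac for t, mac in events[i:] if t - start <= window}
        if len(stations) >= min_stations:
            return start, sorted(stations)
    return None

if __name__ == "__main__":
    print(outage_onset(cckm_failures(SAMPLE)))
```

The message is severity 7, so with `logging buffered 51200 informational` as posted it reaches the console but not the buffer; feed the script a console capture or raise the buffered level first.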
[+][-]12/03/08 01:50 PM, ID: 23090639

[+][-]12/03/08 02:35 PM, ID: 23091040

[+][-]12/03/08 07:43 PM, ID: 23092501

[+][-]12/05/08 10:57 AM, ID: 23107502

[+][-]12/06/08 11:33 PM, ID: 23115017

[+][-]12/07/08 08:22 PM, ID: 23118755

About this solution

Zones: Wireless Technologies, Cisco PIX Firewall
Tags: Cisco 877W, CCKM Authentication Failed
Solution Provided By: Darr247
Participating Experts: 1
Solution Grade: A
 
 
[+][-]12/07/08 11:45 PM, ID: 23119089

[+][-]12/08/08 10:37 AM, ID: 23122769
