Question

Cisco AP1400 Authentication Failed

Asked by: shahzoor

I am using Aironet AP1410 for connectivity and the buildings are 20km apart.
I can see the bridges are associated, but on the Root Bridge it's giving me an authentication failed message. I am attaching the settings below; kindly let me know where the mistake is.

Root Bridge
 
Express Setup:
Role in Radio Network: Root Bridge
Optimize Radio Network: Range
Aironet Extensions: Enable
 
Express Security:
Static WEP Key 128 bit Key 1
 
Security:
 
Encryption Manager:
WEP Encryption: Mandatory
SSID Manager:
Radio Checked
Client Authentication: Shared Authentication with EAP
Guest Mode/Infrastructure SSID Setting
Set Guest Mode SSID: partnet
Set Infrastructure SSID: partner
Force Infrastructure Devices to associate only in SSID CHECKED
 
Server Manager: Corporate Server List
Root server ip
shared key
 
Default Server Priorities: EAP Priority of Root Server
AP Authentication: No Settings
Local Radius Server: General Setup: Authentication Protocol: LEAP
 
 
 
NonRoot Bridge
 
Express Setup:
Role in Radio Network: NonRoot
Optimize Radio Network: Range
 
Express Security:
Static WEP Key 128 bit Key 1
 
 
Security:
 
Encryption Manager:
WEP Encryption: Mandatory
SSID Manager:
Radio Checked
Client Authentication: Shared Authentication with EAP
Guest Mode/Infrastructure SSID Setting
Set Guest Mode SSID: partner
Set Infrastructure SSID: partner
Force Infrastructure Devices to associate only in SSID CHECKED
 
Server Manager: No Settings
AP Authentication: No Settings

                                  

This Question has been solved and asker verified.

Asked On: 2009-02-24 at 04:38:16, ID 24171729
Tags: Cisco, Aironet, Wireless, Authentication, AP1410
Topics: Wireless Technologies, Wireless Local Area Network, 802.11x
Participating Experts: 1
Points: 250
Comments: 28


Answers

 

by: ampranti, Posted on 2009-02-25 at 00:03:31, ID: 23731230

Can you post the config of the APs, removing any sensitive data?

Thanks

 

by: shahzoor, Posted on 2009-02-25 at 03:30:35, ID: 23732401

Sorry, I am new to it and don't know how to get the config. I have a tftp server and have upgraded the IOS.
Please guide me in steps.

 

by: ampranti, Posted on 2009-02-25 at 04:52:59, ID: 23733034

Connect a console to the AP, or if possible connect using telnet/ssh.
When you login, and you are in enable mode (see the # next to device name) type

"sh run"

and paste here , after you remove username/passwords etc

 

by: shahzoor, Posted on 2009-02-25 at 08:49:23, ID: 23735648

I have attached the config of the Root and Non Root Bridge. The log at both ends is also in the same config.

Just a piece of information: both APs are associated but not authenticated. I cannot ping Root from the NonRoot Bridge, but I can see they are associated.
Thanks

Root Bridge Config
==================
 
Building configuration... 
Current configuration : 2672 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Root
!
logging buffered 3545584 debugging
no logging console
enable secret 5 *******************
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.0.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
!
aaa group server radius rad_eap2
 server 192.168.0.1 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 activity-timeout unknown default 10
dot11 activity-timeout client default 10 maximum 100000
dot11 activity-timeout workgroup-bridge default 10 maximum 100000
dot11 activity-timeout bridge default 10 maximum 100000
!
dot11 ssid CONNECT
   authentication shared eap eap_methods2
   guest-mode
   infrastructure-ssid
!
!
!
dot1x timeout reauth-period server
username Cisco privilege 15 password 7 ****************
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 ************** transmit-key
 encryption mode wep mandatory
 !
 ssid CONNECT
 !
 countermeasure tkip hold-time 0
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 5805
 station-role root bridge
 rts threshold 4000
 cca 15
 concatenation
 distance 20
 beacon privacy guest-mode
 infrastructure-client
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.0.1 255.255.255.240
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging history size 500
snmp-server community defaultCommunity RW
radius-server local
  no authentication eapfast
  no authentication mac
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 ***************
09345C4329415044
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end 
 
Log at Root Bridge
==================
1 Mar 14 08:25:17.927 UTC Debugging Station ******************** Authentication failed  
2 Mar 14 08:24:47.706 UTC Debugging Station ******************** Authentication failed  
3 Mar 14 08:24:17.535 UTC Debugging Station ******************** Authentication failed  
4 Mar 14 08:23:47.285 UTC Debugging Station ******************** Authentication failed  
5 Mar 14 08:23:16.753 UTC Debugging Station ******************** Authentication failed  
6 Mar 14 08:22:46.294 UTC Debugging Station ******************** Authentication failed  
7 Mar 14 08:22:16.152 UTC Debugging Station ******************** Authentication failed  
8 Mar 14 08:21:45.981 UTC Debugging Station ******************** Authentication failed  
9 Mar 14 08:21:15.046 UTC Debugging Station ******************** Authentication failed  
10 Mar 14 08:20:44.475 UTC Debugging Station ******************** Authentication failed  
11 Mar 14 08:20:05.937 UTC Debugging Station ******************** Authentication failed  
12 Mar 14 08:19:35.450 UTC Debugging Station ******************** Authentication failed  
13 Mar 14 08:19:04.478 UTC Debugging Station ******************** Authentication failed  
14 Mar 14 08:18:33.573 UTC Debugging Station ******************** Authentication failed  
15 Mar 14 08:18:03.242 UTC Debugging Station ******************** Authentication failed  
16 Mar 14 08:17:32.313 UTC Debugging Station ******************** Authentication failed  
17 Mar 14 08:17:02.029 UTC Warning Packet to client ******************** reached max retries, removing the client  
18 Mar 14 08:17:01.963 UTC Debugging Station ******************** Authentication failed  
19 Mar 14 08:16:30.960 UTC Debugging Station ******************** Authentication failed  
20 Mar 14 08:16:00.247 UTC Debugging Station ******************** Authentication failed  
 
 
 
 
NonRoot  Bridge Configuration
=============================
 
NonRoot#sh run
Building configuration... 
Current configuration : 2424 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname NonRoot
!
no logging console
enable secret 5 *******
!
ip subnet-zero
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool local-default-pool
   network 10.0.0.0 255.255.255.224
   default-router 10.0.0.1
   lease 0 0 1
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no dot11 igmp snooping-helper
dot11 activity-timeout client maximum 100000
dot11 activity-timeout repeater maximum 100000
dot11 activity-timeout workgroup-bridge maximum 100000
dot11 activity-timeout bridge maximum 100000
!
dot11 ssid CONNECT
   authentication shared eap eap_methods
   guest-mode
   infrastructure-ssid
!
!
!
dot1x timeout reauth-period server
username Cisco privilege 15 password 7 ********
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 ******** transmit-key
 encryption mode wep mandatory
 !
 ssid CONNECT
 !
 countermeasure tkip hold-time 0
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role non-root bridge
 rts threshold 4000
 concatenation
 infrastructure-client
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 80 in
!
interface BVI1
 ip address 192.168.0.2 255.255.255.240
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server community defaultCommunity RW
radius-server local
  user NonRoot nthash 7 ********
254F350E0F
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end 
 
 
Log at NonRoot
==============
1 Mar 2 04:39:23.857 UTC Error Interface Dot11Radio0, changed state to up  
2 Mar 2 04:39:23.856 UTC Warning Interface Dot11Radio0, Associated To AP Root ******************* [None]  
3 Mar 2 04:39:23.630 UTC Error Interface Dot11Radio0, changed state to down  
4 Mar 2 04:39:23.629 UTC Warning Interface Dot11Radio0, parent lost: Received deauthenticate (23) 23  
5 Mar 2 04:38:53.630 UTC Error Interface Dot11Radio0, changed state to up  
6 Mar 2 04:38:53.629 UTC Warning Interface Dot11Radio0, Associated To AP Root ******************* [None]  
7 Mar 2 04:38:53.287 UTC Error Interface Dot11Radio0, changed state to down  
8 Mar 2 04:38:53.286 UTC Warning Interface Dot11Radio0, parent lost: Received deauthenticate (23) 23  
9 Mar 2 04:38:23.287 UTC Error Interface Dot11Radio0, changed state to up  
10 Mar 2 04:38:23.286 UTC Warning Interface Dot11Radio0, Associated To AP Root ******************* [None]  
11 Mar 2 04:38:23.042 UTC Error Interface Dot11Radio0, changed state to down  
12 Mar 2 04:38:23.040 UTC Warning Interface Dot11Radio0, parent lost: Received deauthenticate (23) 23  
13 Mar 2 04:37:53.041 UTC Error Interface Dot11Radio0, changed state to up  
14 Mar 2 04:37:53.041 UTC Warning Interface Dot11Radio0, Associated To AP Root ******************* [None]  
15 Mar 2 04:37:52.230 UTC Error Interface Dot11Radio0, changed state to down  
16 Mar 2 04:37:52.228 UTC Warning Interface Dot11Radio0, parent lost: Received deauthenticate (23) 23  
17 Mar 2 04:37:22.229 UTC Error Interface Dot11Radio0, changed state to up  
18 Mar 2 04:37:22.228 UTC Warning Interface Dot11Radio0, Associated To AP Root ******************* [None]  
19 Mar 2 04:37:21.692 UTC Error Interface Dot11Radio0, changed state to down  
20 Mar 2 04:37:21.690 UTC Warning Interface Dot11Radio0, parent lost: Received deauthenticate (23) 23  
                                              

 

by: ampranti, Posted on 2009-02-25 at 08:55:18, ID: 23735719

A fast way to solve your problem is:

conf t
dot11 ssid CONNECT
   authentication shared

Are you sure that aaa server 192.168.0.1 is working?

 

by: ampranti, Posted on 2009-02-25 at 09:32:26, ID: 23736129

However, checking the logs again, this isn't an authentication error!
This is due to some connectivity issue; wireless is subject to many and random radio interference problems, which can cause disconnections.

Can you check that your antennas haven't been moved?
I don't know if it is possible to check the Fresnel zone for a 20km link!!

 

by: shahzoor, Posted on 2009-02-25 at 09:34:49, ID: 23736153

Yes, I think so,
because before I had different settings and I was able to ping from Root to NonRoot and vice versa. Packet loss was also minimal but it was disconnecting.
But it's just giving me Authentication Failed as you can see in the log :(

 

by: shahzoor, Posted on 2009-02-25 at 09:36:24, ID: 23736171

Are you sure there is nothing wrong in the configurations?

 

by: shahzoor, Posted on 2009-02-25 at 09:49:11, ID: 23736306

The antenna didn't move, because with the same direction and everything I was able to ping before, but data transfer was not possible. But now I am not even able to ping :(

 

by: ampranti, Posted on 2009-02-25 at 11:18:57, ID: 23737236

To me it looks like an RF problem.
20km is a huge distance for a wireless link, and its functionality depends on many easy-to-change factors. In a 20km link, a few cm is a huge change to antenna alignment.

- Try to reboot the AP on both sides.
- Try to change the channel on the "root bridge" AP.
- Create a new SSID with no security/authentication and check if it works. If it does work, then increase security step by step, and check where the error is.

Check that the configuration on both sides hasn't been altered (I see default usernames and default SNMP communities).
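
The reply above points at the default username and default SNMP community in the posted configs. As an added example (not part of the original thread and not Cisco tooling), this Python script audits a `show running-config` dump for those two items plus the other weak management and link settings visible in the posted configs. The rule names and both sample configs are constructed for illustration, and the `aes-ccm` cipher line assumes hardware and IOS that support it.

```python
import re

# Single-line rules: (rule id, pattern, why it matters). Rule ids are made up here.
LINE_RULES = [
    ("snmp-default-rw",
     re.compile(r"^snmp-server community defaultCommunity\b.*\bRW\b"),
     "factory-default SNMP community with read-write access"),
    ("default-username",
     re.compile(r"^username Cisco\b"),
     "factory-default administrative username still configured"),
    ("type7-secret",
     re.compile(r"\b(?:password|key|nthash|\d+bit) 7 \S+"),
     "secret stored with reversible type 7 encoding"),
    ("wep",
     re.compile(r"^encryption mode wep\b"),
     "radio link protected only by WEP"),
]


def audit(config_text):
    """Return a list of (rule_id, line_number, reason) findings."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []
    for number, line in enumerate(lines, 1):
        for rule_id, pattern, reason in LINE_RULES:
            if pattern.search(line):
                findings.append((rule_id, number, reason))
    # Cross-line rule: web management enabled while the HTTPS server is not.
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append(("http-cleartext",
                         lines.index("ip http server") + 1,
                         "web management reachable over cleartext HTTP only"))
    return findings


def rule_ids(findings):
    """Collapse findings to the set of rule ids that fired."""
    return {rule_id for rule_id, _, _ in findings}


# Constructed sample: lines taken from the posted root config, secrets
# replaced with the placeholder REDACTED.
SAMPLE_AS_POSTED = """\
hostname Root
enable secret 5 REDACTED
username Cisco privilege 15 password 7 REDACTED
interface Dot11Radio0
 encryption key 1 size 128bit 7 REDACTED transmit-key
 encryption mode wep mandatory
ip http server
no ip http secure-server
snmp-server community defaultCommunity RW
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 REDACTED
"""

# Constructed sample of a tightened config (usernames and values are placeholders).
SAMPLE_TIGHTENED = """\
hostname Root
username netadmin privilege 15 secret 5 REDACTED
interface Dot11Radio0
 encryption mode ciphers aes-ccm
no ip http server
ip http secure-server
snmp-server community REDACTED RO
"""

if __name__ == "__main__":
    for rule_id, number, reason in audit(SAMPLE_AS_POSTED):
        print(f"line {number:>2}: {rule_id}: {reason}")
```
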

 

by: shahzoor, Posted on 2009-02-26 at 02:30:14, ID: 23743178

rebooted AP = no difference
changed channel = no difference
SSID = checking now
will check the alignment as well

 

by: shahzoor, Posted on 2009-02-28 at 04:41:12, ID: 23763347

Hi ampranti,
I have deleted the SSID and created a new one. This time I configured it with minimum configurations, having WEP Mandatory only. Now I can ping Root from Non Root.
Still I am getting some strange logs. Devices are associated. Please check and let me know what's wrong. I am attaching the config as well as the log of both bridges.

ROOT BRIDGE 
===========
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ROOT
!
logging buffered 3545584 debugging
no logging console
enable secret 5 **********************
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
!
aaa group server radius rad_eap2
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 activity-timeout unknown default 10
dot11 activity-timeout client default 10 maximum 100000
dot11 activity-timeout workgroup-bridge default 10 maximum 100000
dot11 activity-timeout bridge default 10 maximum 100000
!
dot11 ssid CONNECT
   authentication open
   guest-mode
   infrastructure-ssid
!
!
!
dot1x timeout reauth-period server
username Cisco privilege 15 password 7 ************************
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 ************************* transmit-key
 encryption mode wep mandatory
 !
 ssid CONNECT
 !
 countermeasure tkip hold-time 0
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 5805
 station-role root bridge
 rts threshold 4000
 cca 15
 concatenation
 distance 20
 beacon privacy guest-mode
 infrastructure-client
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.12.2 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging history size 500
snmp-server community defaultCommunity RW
radius-server local
  no authentication eapfast
  no authentication mac
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
 
LOG AT ROOT
===========
1 Mar 15 23:55:47.356 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
2 Mar 15 23:55:47.266 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
3 Mar 15 23:52:06.981 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
4 Mar 15 23:52:06.359 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
5 Mar 15 23:50:55.789 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
6 Mar 15 23:50:55.671 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
7 Mar 15 23:50:22.529 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Associated KEY_MGMT[NONE]
8 Mar 15 23:50:22.501 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
9 Mar 15 23:49:43.044 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
10 Mar 15 23:49:42.957 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
11 Mar 15 23:48:51.048 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
12 Mar 15 23:48:51.022 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
13 Mar 15 23:41:04.975 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
14 Mar 15 23:41:04.912 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
15 Mar 15 23:40:13.922 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
16 Mar 15 23:40:13.887 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
17 Mar 15 23:39:47.138 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Reassociated KEY_MGMT[NONE]
18 Mar 15 23:39:47.106 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
19 Mar 15 23:38:07.880 UTC Information Interface Dot11Radio0, Station NonRoot ******************* Associated KEY_MGMT[NONE]
20 Mar 15 23:38:07.844 UTC Information Interface Dot11Radio0, Deauthenticating Station ******************* Reason: Sending station has left the BSS
 
 
 
 
 
Non Root Bridge
===============
Current configuration : 2447 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xRB_DCC
!
no logging console
enable secret 5 *******************
!
ip subnet-zero
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool local-default-pool
   network 10.0.0.0 255.255.255.224
   default-router 10.0.0.1
   lease 0 0 1
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no dot11 igmp snooping-helper
dot11 activity-timeout client maximum 100000
dot11 activity-timeout repeater maximum 100000
dot11 activity-timeout workgroup-bridge maximum 100000
dot11 activity-timeout bridge maximum 100000
!
dot11 ssid CONNECT
   authentication open
   guest-mode
   infrastructure-ssid
!
!
!
dot1x timeout reauth-period server
username Cisco privilege 15 password 7 *****************
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 ************************8 transmit-key
 encryption mode wep mandatory
 !
 ssid CONNECT
 !
 countermeasure tkip hold-time 0
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role non-root bridge
 rts threshold 4000
 concatenation
 infrastructure-client
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 80 in
!
interface BVI1
 ip address 192.168.12.3 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server community defaultCommunity RW
radius-server local
  user NonRoot nthash 7 *************************************
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
 
LOG AT NONROOT
===============
1 Mar 1 00:15:07.420 UTC Notification Line protocol on Interface Dot11Radio0, changed state to up
2 Mar 1 00:15:06.419 UTC Error Interface Dot11Radio0, changed state to up
3 Mar 1 00:15:06.419 UTC Warning Interface Dot11Radio0, Associated To AP ROOT ******************** [None]
4 Mar 1 00:15:05.782 UTC Notification Line protocol on Interface Dot11Radio0, changed state to down
5 Mar 1 00:15:04.782 UTC Error Interface Dot11Radio0, changed state to down
6 Mar 1 00:15:04.780 UTC Warning Interface Dot11Radio0, parent lost: Too many retries
7 Mar 1 00:14:34.163 UTC Notification Line protocol on Interface Dot11Radio0, changed state to up
8 Mar 1 00:14:33.163 UTC Error Interface Dot11Radio0, changed state to up
9 Mar 1 00:14:33.163 UTC Warning Interface Dot11Radio0, Associated To AP ROOT ******************** [None]
10 Mar 1 00:14:32.990 UTC Warning Interface Dot11Radio0, cannot associate: Rcvd response from ******************** channel 161 16668
11 Mar 1 00:14:31.612 UTC Notification Line protocol on Interface Dot11Radio0, changed state to down
12 Mar 1 00:14:30.989 UTC Warning Interface Dot11Radio0, cannot associate: No Response
13 Mar 1 00:14:30.613 UTC Error Interface Dot11Radio0, changed state to down
14 Mar 1 00:13:53.681 UTC Error Interface Dot11Radio0, changed state to up
15 Mar 1 00:13:53.680 UTC Warning Interface Dot11Radio0, Associated To AP ROOT ******************** [None]
16 Mar 1 00:13:53.213 UTC Error Interface Dot11Radio0, changed state to down
17 Mar 1 00:13:53.211 UTC Warning Interface Dot11Radio0, parent lost: Too many retries
18 Mar 1 00:13:02.741 UTC Notification Line protocol on Interface Dot11Radio0, changed state to up
19 Mar 1 00:13:01.739 UTC Error Interface Dot11Radio0, changed state to up
20 Mar 1 00:13:01.737 UTC Warning Interface Dot11Radio0, Associated To AP ROOT ******************** [None]

                                              

 

by: ampranti Posted on 2009-02-28 at 08:43:55 ID: 23764324

5 Mar 1 00:15:04.782 UTC Error Interface Dot11Radio0, changed state to down
6 Mar 1 00:15:04.780 UTC Warning Interface Dot11Radio0, parent lost: Too many retries
The SNR for this link isn't too good.

Please give us the output of "sh dot11 association <MAC>" while the link is connected.



 

by: shahzoor Posted on 2009-02-28 at 23:31:36 ID: 23767274

SSID [CONNECT] :
MAC Address      IP address      Device        Name            Parent         Stat
*************    192.168.12.3    bridge        NonRoot         self           Associated

SSID [CONNECT] :
MAC Address      IP address      Device        Name            Parent         Stat
***********      192.168.12.2    br1410        ROOT            -              Associated

 

by: ampranti Posted on 2009-03-01 at 00:58:11 ID: 23767421

sh dot11 association <MAC>, replace MAC with the real MAC address... It shows the signal of the link

 

by: shahzoor Posted on 2009-03-01 at 04:45:27 ID: 23767969

I tried
NonRoot#sh dot11 association "added mac address"\
but it showed me nothing
and came back to the
NonRoot#
prompt

 

by: ampranti Posted on 2009-03-01 at 04:56:59 ID: 23767990

If it shows nothing, then when you did it the client wasn't connected....
Just to be sure, the <MAC address> is the MAC of the device on the other side.

For example:

1111.x.x.1111 <..........................> 2222.x.x.2222

If you are to 1111.x.x.1111 do:

sh dot11 assoc 2222.x.x.2222

 

by: shahzoor Posted on 2009-03-01 at 07:58:08 ID: 23768479

As I told you earlier, I have recreated the SSID etc. and then I was able to ping Root from NonRoot and vice versa.
A few hours ago I did the realignment of the device as well and have changed the IP addresses.
The association log you requested is pasted below. Just to remind you, the log was taken after the alignment.

Root#show dot11 associations *******************
Address           : *******************     Name             : NonRoot
IP Address        : 192.168.12.13      Interface        : Dot11Radio 0
Device            : bridge             Software Version : 12.3
CCX Version       : NONE               Client MFP       : Off
 
State             : Assoc              Parent           : self
SSID              : CONNECT
VLAN              : 0
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 36.0               Capability       : WMM
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled
Signal Strength   : -81  dBm           Connected for    : 318 seconds
Signal to Noise   : 10  dB            Activity Timeout : 29 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE
 
Packets Input     : 1100               Packets Output   : 625
Bytes Input       : 512238             Bytes Output     : 80540
Duplicates Rcvd   : 0                  Data Retries     : 305
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
 
 
 
NonRoot#show dot11 associations *******************
Address           : *******************     Name             : Root
IP Address        : 192.168.12.12      Interface        : Dot11Radio 0
Device            : br1410             Software Version : 12.4
CCX Version       : NONE
 
State             : Assoc              Parent           : Our Parent
SSID              : CONNECT           VLAN             : 0
Hops to Infra     : 0                  Association Id   : 3
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 18.0               Capability       : WMM
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled
Signal Strength   : -82  dBm           Connected for    : 260 seconds
Signal to Noise   : 9   dBm            Activity Timeout : 15 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE
 
Packets Input     : 3014               Packets Output   : 1013
Bytes Input       : 417359             Bytes Output     : 499833
Duplicates Rcvd   : 0                  Data Retries     : 809
Decrypt Failed    : 0                  RTS Retries      : 25
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
 
NonRoot#

                                              

 

by: ampranti Posted on 2009-03-01 at 08:23:17 ID: 23768552

Signal Strength   : -81  dBm & -82dBm
At the moment I can't find the specs with the minimum required signal level, but I bet it's close to its minimum.
I can't think of anything different, sorry :(
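
The readings discussed in the reply above can be pulled out of "show dot11 associations" output and checked automatically. This is an added example, not part of the original thread: the function names are hypothetical, the -70 dBm target follows the figure suggested later in the thread, and the SNR and retry thresholds are assumptions to tune per link.

```python
import re

# Constructed sample: fields copied from the Root-side output quoted in the
# thread (the masked MAC address line is omitted).
ROOT_OUTPUT = """\
Current Rate      : 36.0               Capability       : WMM
Signal Strength   : -81  dBm           Connected for    : 318 seconds
Signal to Noise   : 10  dB            Activity Timeout : 29 seconds
Packets Input     : 1100               Packets Output   : 625
Duplicates Rcvd   : 0                  Data Retries     : 305
"""

# One regex per numeric field of interest in the two-column output.
FIELDS = {
    "rate_mbps": r"Current Rate\s*:\s*([\d.]+)",
    "signal_dbm": r"Signal Strength\s*:\s*(-?\d+)",
    "snr_db": r"Signal to Noise\s*:\s*(\d+)",
    "packets_out": r"Packets Output\s*:\s*(\d+)",
    "data_retries": r"Data Retries\s*:\s*(\d+)",
}

def parse_association(text):
    """Return the numeric link fields as floats; a missing field is None."""
    parsed = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        parsed[key] = float(match.group(1)) if match else None
    return parsed

def retry_ratio(assoc):
    """Data retries per transmitted packet, or None if it cannot be computed."""
    if not assoc["packets_out"] or assoc["data_retries"] is None:
        return None
    return assoc["data_retries"] / assoc["packets_out"]

def assess_link(assoc, min_signal_dbm=-70.0, min_snr_db=20.0, max_retry=0.10):
    """List the readings that miss the thresholds (all three are assumptions)."""
    findings = []
    if assoc["signal_dbm"] is not None and assoc["signal_dbm"] < min_signal_dbm:
        findings.append(f"signal {assoc['signal_dbm']:.0f} dBm is below {min_signal_dbm:.0f} dBm")
    if assoc["snr_db"] is not None and assoc["snr_db"] < min_snr_db:
        findings.append(f"SNR {assoc['snr_db']:.0f} dB is below {min_snr_db:.0f} dB")
    ratio = retry_ratio(assoc)
    if ratio is not None and ratio > max_retry:
        findings.append(f"retry ratio {ratio:.0%} exceeds {max_retry:.0%}")
    return findings

if __name__ == "__main__":
    for finding in assess_link(parse_association(ROOT_OUTPUT)):
        print(finding)
```

Running the same check against both ends of the link shows whether a realignment improved the signal, the SNR and the retry ratio together rather than the signal alone.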

 

by: shahzoor Posted on 2009-03-01 at 08:27:26 ID: 23768569

You think that the signal strength is still too low?
Can't I do something in the radio settings to increase it?

 

by: shahzoor Posted on 2009-03-01 at 09:05:05 ID: 23768716

What's the best way to align the device to have excellent signals?
Should I keep the same configuration while adjusting the device till I get better signals?
Will rotating the device for strength require rebooting the device?
Is there any tool available to check the signal strength before making it live?

 

by: ampranti Posted on 2009-03-01 at 10:22:59 ID: 23769022

You can increase power or use antennas with higher gain (dB)

What's the best way to align the device to have excellent signals?
Use access points to see the signal, and align the antennas until you find the optimal signal

Should I keep the same configuration while adjusting the device till I get better signals?
Yes
Will rotating the device for strength require rebooting the device?
No
Is there any tool available to check the signal strength before making it live?
conf t
int dot 0
station-role scanner

(Maybe it isn't available if you have an old IOS)
Check this command reference:
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/command/reference/cr12410b-chap2.html#wp2309478

 

by: shahzoor Posted on 2009-03-01 at 13:48:05 ID: 23769898

Thanks ampranti,
you have been such a great help.
I will do the alignment part once again and will let you know.
What are the recommended radio settings for the Root Bridge through the Web Interface?
The best signal strength can be considered to be within what range?

 

by: ampranti Posted on 2009-03-01 at 13:59:45 ID: 23769944

Depends on your antennas, power etc...
-70 I think will be ideal for a 20km link....

 

by: shahzoor Posted on 2009-03-01 at 23:26:48 ID: 23772147

Hi,
even after getting -79dBm strength I am getting the following logs at Root and NonRoot.
Is it because of poor signal strength?

Root Log
========
Information       Interface Dot11Radio0, Station NonRoot ************ Associated KEY_MGMT[NONE]  
Information       Interface Dot11Radio0, Deauthenticating Station ********** Reason: Sending station has left the BSS  


NonRoot Log
===========
Notification      Line protocol on Interface Dot11Radio0, changed state to up  
Error             Interface Dot11Radio0, changed state to up  

 

by: shahzoor Posted on 2009-03-02 at 06:07:01 ID: 23774055

I have still made the device functional, and to my astonishment the ping response is 1-5ms only :)
It's working perfectly.
1 - Please let me know about the log I posted above, and whether slow signal strength might create a problem in future, though the delay is 1-5ms on average.

2 - For checking signal strength you told me about
conf t
int dot 0
station-role scanner

I am not able to use it :( since I am not a pro.
Please explain it and we will close this thread :)

I am really thankful to you for the support you provided. I learnt a lot from you :)

 

by: ampranti Posted on 2009-03-02 at 06:10:56 ID: 23774084

1) If the signal doesn't get worse, you will not have any problem.
You may see some changes (depending on humidity etc.) but it should be OK.

2) Probably you need a newer IOS version

 

by: shahzoor Posted on 2009-03-02 at 06:28:03 ID: 31550531

If there was a rating higher than "A", I would have definitely given it to Mr. Ampranti. Really thankful for all the support and guidance. All the tips and suggestions given were perfect and really helped me out in configuring the device. THANKS A LOT :) May God Bless You
