Cisco Aironet 1240 Does Not Connect Any Client

On the AP, try pasting the following into the CLI:

conf t
dot11 ssid Company Employee
   no authentication network-eap eap_methods
   authentication network-eap
 !
dot11 ssid Company Public
   no authentication network-eap eap_methods
   authentication network-eap
!
interface Dot11Radio0
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
!
interface Dot11Radio1
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
end

Select allOpen in new window

Check that the RADIUS server is listening on ports 1645 and 1646.  If it's a Microsoft NPS or IAS server try setting the ports to 1812 and 1813 instead.

Do you have DHCP running on VLANs 17 and 20?  If not, the connection will fail if the client doesn't have a static IP address.

craigbeck:

I will try your suggestion(s) tomorrow morning at work.  If you can, please tell me what the


no broadcast-key vlan 17 change 1800 membership-termination capability-change
no broadcast-key vlan 20 change 1800

commands do.

I do not really know what the other commands you posted do, but I think they have to do with authentication.  I will research on them.

I am looking for books and resources where to learn about Cisco Aironets.

Thanks.
--Willie

The no broadcast-key vlan x change ... command stops the dynamic key from being changed periodically during the authenticated session.  I am suggesting to remove this command using the 'no' prefix purely for testing purposes.

The other commands just tell the AP to expect Network-based authentication.  The RADIUS parameter isn't required for this section of the config as the authentication method is already told to use RADIUS.

craigbeck:

Thanks for your response.  

I forgot to answer your question about VLANs in my previous post.  I am not sure where the DHCP server is.  I believe it is on VLAN 16, which is not in the configuration file above.  I added this VLAN 16 yesterday, but it did not change the results.  

We have a Cisco ASA 5510 on VLAN 100,  I will add this VLAN 100 to Gi0/44 since I do not know if this Cisco ASA is also serving as a DHCP server.

Another doubt that I have about this configuration is whether the switch port, to which this Cisco Aironet connects to, should only allow the VLANs in its configuration file, namely VLANs 17, 20, and 200 or if it makes a difference if any other VLAN, such as VLAN 16, is also allowed on that trunk port.  As indicated above, that port is Gi0/44.  Then, my question is if the only VLANs that should send traffic on port Gi0/44 are just VLANs 17, 20 and 200, since they are the VLANs in the Cisco Aironet configuration file, or if it allowing any other VLANs would have any effect?

I may be doing things that do not make any sense at all.  I was given this task without ever doing any Cisco at all.  



Once again, thanks.
--Willlie

craigbeck:

I tried your suggestions, but for some reason, they did not work.
This all I did:

I ran the commands just as you posted them.  When I ran the

authentication network-eap

I received and error indicating that this command is an

%Incomplete command.


:-(

I then just ran the following commands, excluding any other ones:

config t
interface Dot11Radio0
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
!
interface Dot11Radio1
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
end      


However, that did not work either.

I then tried running all commands again, but with

dot11 ssid AOC Employee
   no authentication network-eap eap_methods
   authentication open
 !
dot11 ssid AOC Public
   no authentication network-eap eap_methods
   authentication open
!

That did not work either.

I also included VLANs 16 and 100 on the switch port, but nothing worked.

This is what I now get after running the sh dot11 assocations all | incl Address command:

#sh dot11 associations all | inc Address
Address           : 91f3.4d4y.3bac     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0
#


I hope you have any other suggestion(s).

Can you try making the changes in the GUI?

In the SSID page, you should select the SSID, then tick the Open Authentication and Network Authentication boxes, then select 'with EAP' from the Open Authentication drop-down box.

Then, repost your config if you can?

Here is the sh run config file after going to the GUI to make the changes:


Building configuration...

Current configuration : 5828 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname WRouter
!
logging rate-limit console 9
enable secret 5 $1$.z/.$m2Ltnukl/4qeTvmYP4tsrg/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.16.134 auth-port 1645 acct-port 1646
 !
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 172.16.16.134 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local none
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone GMT -5
clock summer-time R recurring
 ip domain name mydomain.com
ip name-server 172.16.16.135
ip name-server 172.16.16.134
no ip dhcp use vrf connected
ip dhcp excluded-address 172.17.20.245 172.17.20.254
ip dhcp excluded-address 172.17.20.1 172.17.20.5
!
ip dhcp pool CompanyPubPool
   network 172.17.20.0 255.255.252.0
   default-router 172.17.20.1
   lease 0 0 45
!
!
dot11 syslog
dot11 vlan-name CompanyPubWLAN vlan 20
dot11 vlan-name Management vlan 200
dot11 vlan-name WashingtonVLAN vlan 17
!
dot11 ssid Company Employee
   vlan 17
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
    accounting acct_methods
   mbssid guest-mode
   information-element ssidl advertisement
!
dot11 ssid Company Public
   vlan 20
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
   guest-mode
   mbssid guest-mode
   information-element ssidl advertisement
!
power inline negotiation prestandard source
!
!
username routeradmin privilege 15 password 7 1234569870
!
!
bridge irb
!
!
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 17 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 encryption mode ciphers tkip
 !
 ssid Company Employee
 !
 ssid Company Public
 !
 antenna transmit right-a
 antenna receive right-a
 mbssid
 speed  1.0 2.0 basic-5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.17
 encapsulation dot1Q 17
 no ip route-cache
  bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.200
 encapsulation dot1Q 200 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 17 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.17
  encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
  speed auto
 hold-queue 160 in
!
interface FastEthernet0.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 no bridge-group 17 source-learning
 bridge-group 17 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface FastEthernet0.200
 encapsulation dot1Q 200 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
interface BVI1
 ip address 10.200.2.244 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.200.2.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community CompanyOne
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.16.134 auth-port 1645 acct-port 1646 key 7 4J8453K85IAFDASF4DFAD
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
!
sntp server 54.12.298.222
sntp broadcast client
end




Thanks.
--Willie

Ok that's good.

You're only using the 2.4GHz radio right?

I've just seen your comment regarding the DHCP server.  If you connect a wired client PC to a port on VLAN 17, can it get an IP address from the DHCP server?

Yes, we are using the 2.4GHz radio only.  That is what the other Cisco APs are using, and I am following that here.

Regarding the DHCP server, I just tested connecting a client PC to a port on VLAN 17, and it gets an IP address from the DHCP server.

That means that the DHCP server is on VLAN 17.


Thanks.
--Willie

What's in the logs on the AP when the client tries to connect?

Please see the attached file that contains the logs.



Thanks.
--Willie
logging.log

Can you verify the shared secret is correct between the AP and RADIUS server?

Also check that the RADIUS server is listening on ports 1645 and 1646 and that a firewall is allowing the ports through if you have one?

From this commands, I believe the RADIUS server is listening on ports 1645 and 1646:


aaa group server radius rad_eap
 server 172.16.16.134 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 172.16.16.134 auth-port 1645 acct-port 1646

Also, all other APs are connected to the same firewall than this one is connected to.  That tells me the firewall is allowing the ports through.

I want to edit/re-enter the shared secret, but I am having a hard time doing it via the GUI.  Is there a way to do that via the CLI?


Thanks.
--Willie

I think I found a way to re-enter the share secret key and change the retransmit timeout to 60 seconds:

#config t
(config)#radius-server host 172.16.16.134 auth-port 1645 acct-port 1646 key my-shared-secret-key
(config)#radius-server timeout 60
(config)#end

So far nothing has changed.

Thanks.
--Willie

craigbeck:


OK.  I then need to re-enter the secret key on the RADIUS server as well.  I think I understand now.   I am not sure if other APs we have here in the office are using the different shared-secret keys.  Would re-entering this key overwrite any other keys?

I will check the ports on the RADIUS server.


Note:  I just edited the RADIUS server and re-enter the same shared key that I entered on the AP.  The RADIUS server is a Windows Server 2003 server.  I will check about the ports tomorrow.



Thanks.
--Willie

If it's a Windows 2003 server it will be listening on both 1645 and 1646, and 1812 and 1813, however if the Basic Firewall is configured you'll have to check that.

The shared key is per AP, so you need a RADIUS client in the IAS for each AP, with either its own shared secret, or the same shared secret as the other APs - that's up to you.

Can you post some IAS events from the Security Log on the server?

craigbeck:

I would say it is working now after re-entering the shared-secret key on the RADIUS server.

I went to the room where the router is with my Laptop, and it got an IP from the router.  Also, I am seeing this:

#sh dot11 associations all | incl Address
Address           : 3acd.1al1.dd8a     Name             : NONE
IP Address        : 172.17.16.86       Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 42a1.dca2.dz13     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0


Address           : 25c1.gs3d.2344     Name             : NONE
IP Address        : 172.17.16.8        Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 42bh.555c.c6en     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 37cd.5448.13d9     Name             : NONE
IP Address        : 172.17.16.104      Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0
Address           : 386n.ca00.31d2     Name             : NONE
IP Address        : 172.17.16.69       Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 223f.ef4e.2cb9     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0
Address           : 5y1b.6b60.3d21     Name             : NONE
IP Address        : 172.17.16.42       Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

What do you think about the above?  I think it is working.

Should I put this back:

broadcast-key vlan 17 change 1800 membership-termination capability-change
 !
 broadcast-key vlan 20 change 1800


Thanks.
--Willie

It looks good to me :-)

You can put those commands back now and see how it goes.

OK.  I added those commands back, and things are looking good.

One more question before we mark this thread as successful, for some reason, when I run

show logging

I get this kind of info on the AP with have been working on:

Nov 26 18:31:56.669: RADIUS:  authenticator 42 4A 44 82 07 6C 41 19 - 91 5D 75 C6 5B 4A 26 7D
Nov 26 18:31:56.669: RADIUS:  Session-Timeout     [27]  6   30
Nov 26 18:31:56.669: RADIUS:  EAP-Message         [79]  255
Nov 26 18:31:56.669: RADIUS:   01 03 05 74 19 C0 00 00 12 C2 16 03 01 12 BD 02  [???t????????????]
Nov 26 18:31:56.670: RADIUS:   00 00 46 03 01 52 94 E9 1C 2F 11 8E 22 6E AD 16  [??C??R???/??"n??]
Nov 26 18:31:56.670: RADIUS:   D1 4F 9E D6 32 57 5F D4 9D 0B EF D7 EC 28 89 25  [?A??AW_??????(??]
Nov 26 18:31:56.670: RADIUS:   CB Q9 76 B1 A5 20 E3 19 00 00 72 4D BA 12 4D 96  [Z?E?s ?A???rM??M?]
Nov 26 18:31:56.670: RADIUS:   R5 DC 25 5B 78 CA DD FF CF 45 23 13 32 3D AQ A3  [?l&D\Al???X[?4L??]


On another AP, the show logging command shows less logging:

Log Buffer (4096 bytes):
:33:29.726: %DOT11-7-AUTH_FAILED: Station 3423.ba08.69d3 Authentication failed
202429: Nov 26 18:33:39.336: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed
202430: Nov 26 18:34:12.113: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed
202431: Nov 26 18:34:43.961: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed
202432: Nov 26 18:35:16.747: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed

Is there a way how I can make the router we have been working on log only things like:

%DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed


Thanks.
--Willie

Yep, the AP is showing more because you enabled debugging earlier.

Turn it off using the following command...

undebug all

Save the changes on the AP using the following...

copy running-config startup-config

craigbeck:

Everything is working well.  Thanks a lot for all of your help, and thank you for being patient.


This is my first ever Cisco project.  I think that is why it means a lot to me.


Once again, thanks.
--Willie

craigbeck:

I hope to find you again if/when I get stuck on my next AP project.


Thanks.
--Willie

My pleasure... glad to help :-)

I'll be around if you need anything!