Solved

Cisco Aironet 1240 Does Not Connect Any Client

Posted on 2013-11-23
Last Modified: 2013-11-26
Hello Experts:

I am working on configuring a Cisco Aironet, but no client can connect to it.  I ran this command on the Cisco Aironet:

sh dot11 associations

I do not get anything as a response, indicating that no client is connected to the wireless router.

================================================================
================================================================
Here is the configuration on the switch port where the router is connected to:

interface GigabitEthernet0/44
 switchport trunk native vlan 200
 switchport trunk allowed vlan 17,20,200
 switchport mode trunk




#sh int gi0/44 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/44      on           802.1q         other         200

Port        Vlans allowed on trunk
Gi0/44      17,20,200

Port        Vlans allowed and active in management domain
Gi0/44      17,20,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/44      17,20,200



#sh int gi0/44 switch
Name: Gi0/44
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 200 (Management)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 16,17,20,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none



==============================================================
==============================================================

Here is the configuration for the Cisco Aironet 1240

Building configuration...

Current configuration : 5916 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname WRouter
!
logging rate-limit console 9
enable secret 5 $1$.z/.$m2Ltnukl/4qeTvmYP4tsrg/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.16.134 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 172.16.16.134 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local none
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone GMT -5
clock summer-time R recurring
ip domain name mydomain.com
ip name-server 172.16.16.135
ip name-server 172.16.16.134
no ip dhcp use vrf connected
ip dhcp excluded-address 172.17.20.245 172.17.20.254
ip dhcp excluded-address 172.17.20.1 172.17.20.5
!
ip dhcp pool CompanyPubPool
   network 172.17.20.0 255.255.252.0
   default-router 172.17.20.1
   lease 0 0 45
!
!
dot11 syslog
dot11 vlan-name CompanyPubWLAN vlan 20
dot11 vlan-name Management vlan 200
dot11 vlan-name EmployeeVLAN vlan 17
!
dot11 ssid Company Employee
   vlan 17
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
   mbssid guest-mode
   information-element ssidl advertisement
!
dot11 ssid Company Public
   vlan 20
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
   guest-mode
   mbssid guest-mode
   information-element ssidl advertisement
!
power inline negotiation prestandard source
!
!
username routeradmin privilege 15 password 7 1234569870
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 17 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 encryption mode ciphers tkip
 !
 broadcast-key vlan 17 change 1800 membership-termination capability-change
 !
 broadcast-key vlan 20 change 1800
 !
 !
 ssid Company Employee
 !
 ssid Company Public
 !
 antenna transmit right-a
 antenna receive right-a
 mbssid
 speed  1.0 2.0 basic-5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.200
 encapsulation dot1Q 200 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 17 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 broadcast-key vlan 17 change 1800 membership-termination capability-change
 !
 broadcast-key vlan 20 change 1800
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 no bridge-group 17 source-learning
 bridge-group 17 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface FastEthernet0.200
 encapsulation dot1Q 200 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.200.2.232 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.200.2.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community CompanyOne
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.16.134 auth-port 1645 acct-port 1646 key 7 4J8453K85IAFDASF4DFAD
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
!
sntp server 54.12.298.222
sntp broadcast client
end



This is my first Cisco assignment ever.  Therefore, I am learning as I go.  Please help me figure out why clients cannot connect to this wireless router.  Also, I just found out that there is a Cisco 5510 firewall connected to one of the ports on the same switch as the wireless router.  Should I allow the VLAN that the Cisco 5510 firewall is on to pass through the port that the wireless router is connected to?


Thanks.
--Willie
0
Question by:willie0-360
25 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39672487
On the AP, try pasting the following into the CLI:

conf t
dot11 ssid Company Employee
   no authentication network-eap eap_methods
   authentication network-eap
 !
dot11 ssid Company Public
   no authentication network-eap eap_methods
   authentication network-eap
!
interface Dot11Radio0
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
!
interface Dot11Radio1
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
end

Check that the RADIUS server is listening on ports 1645 and 1646.  If it's a Microsoft NPS or IAS server try setting the ports to 1812 and 1813 instead.

Do you have DHCP running on VLANs 17 and 20?  If not, the connection will fail if the client doesn't have a static IP address.
0
 

Author Comment

by:willie0-360
ID: 39673286
craigbeck:

I will try your suggestion(s) tomorrow morning at work.  If you can, please tell me what the


no broadcast-key vlan 17 change 1800 membership-termination capability-change
no broadcast-key vlan 20 change 1800

commands do.

I do not really know what the other commands you posted do, but I think they have to do with authentication.  I will research on them.

I am looking for books and resources where to learn about Cisco Aironets.

Thanks.
--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39673292
The no broadcast-key vlan x change ... command stops the dynamic key from being changed periodically during the authenticated session.  I am suggesting to remove this command using the 'no' prefix purely for testing purposes.

The other commands just tell the AP to expect Network-based authentication.  The RADIUS parameter isn't required for this section of the config as the authentication method is already told to use RADIUS.
0
 

Author Comment

by:willie0-360
ID: 39673337
craigbeck:

Thanks for your response.  

I forgot to answer your question about VLANs in my previous post.  I am not sure where the DHCP server is.  I believe it is on VLAN 16, which is not in the configuration file above.  I added this VLAN 16 yesterday, but it did not change the results.  

We have a Cisco ASA 5510 on VLAN 100,  I will add this VLAN 100 to Gi0/44 since I do not know if this Cisco ASA is also serving as a DHCP server.

Another doubt that I have about this configuration is whether the switch port to which this Cisco Aironet connects should only allow the VLANs in its configuration file, namely VLANs 17, 20, and 200, or if it makes a difference if any other VLAN, such as VLAN 16, is also allowed on that trunk port.  As indicated above, that port is Gi0/44.  So my question is whether the only VLANs that should send traffic on port Gi0/44 are VLANs 17, 20 and 200, since they are the VLANs in the Cisco Aironet configuration file, or whether allowing any other VLANs would have any effect.

I may be doing things that do not make any sense at all.  I was given this task without ever doing any Cisco at all.  



Once again, thanks.
--Willie
0
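
The question raised above, whether the trunk on Gi0/44 carries exactly the VLANs the AP bridges, can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the first switch stanza and the AP excerpt are copied from the question, and the widened allowed list is constructed from the description in this comment.

```python
import re


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '17,20,100-102' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def switch_trunk(config):
    """Return (allowed VLAN set, native VLAN) for one trunk interface stanza."""
    # IOS defaults when nothing is configured: all VLANs allowed, native VLAN 1.
    allowed, native = set(range(1, 4095)), 1
    for line in map(str.strip, config.splitlines()):
        m = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\- ]+)", line)
        if m:
            vlans = expand_vlans(m.group(2))
            allowed = allowed | vlans if m.group(1) else vlans
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
    return allowed, native


def ap_vlans(config):
    """Return (VLANs with a dot1Q subinterface, native VLAN) from an AP config."""
    bridged, native = set(), None
    for m in re.finditer(r"^\s*encapsulation dot1Q (\d+)( native)?\s*$", config, re.M):
        bridged.add(int(m.group(1)))
        if m.group(2):
            native = int(m.group(1))
    return bridged, native


def compare(switch_config, ap_config):
    """Report VLANs the AP needs but the trunk lacks, and the reverse."""
    allowed, sw_native = switch_trunk(switch_config)
    bridged, ap_native = ap_vlans(ap_config)
    return {
        "missing_on_trunk": sorted(bridged - allowed),   # AP traffic would be dropped
        "unused_on_trunk": sorted(allowed - bridged),    # AP has no subinterface for these
        "native_match": sw_native == ap_native,
    }


# Copied from the question.
SWITCH_AS_POSTED = """
interface GigabitEthernet0/44
 switchport trunk native vlan 200
 switchport trunk allowed vlan 17,20,200
 switchport mode trunk
"""

# Constructed: the same port after VLANs 16 and 100 are added as described.
SWITCH_WIDENED = SWITCH_AS_POSTED.replace("17,20,200", "16,17,20,100,200")

# Excerpt of the AP configuration from the question.
AP_EXCERPT = """
interface FastEthernet0.17
 encapsulation dot1Q 17
interface FastEthernet0.20
 encapsulation dot1Q 20
interface FastEthernet0.200
 encapsulation dot1Q 200 native
"""

if __name__ == "__main__":
    print(compare(SWITCH_AS_POSTED, AP_EXCERPT))
    print(compare(SWITCH_WIDENED, AP_EXCERPT))
```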
 

Author Comment

by:willie0-360
ID: 39675074
craigbeck:

I tried your suggestions, but for some reason, they did not work.
This is all I did:

I ran the commands just as you posted them.  When I ran the

authentication network-eap

I received an error indicating that this command is an

%Incomplete command.


:-(

I then just ran the following commands, excluding any other ones:

config t
interface Dot11Radio0
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
!
interface Dot11Radio1
 no broadcast-key vlan 17 change 1800 membership-termination capability-change
 no broadcast-key vlan 20 change 1800
end      


However, that did not work either.

I then tried running all commands again, but with

dot11 ssid AOC Employee
   no authentication network-eap eap_methods
   authentication open
 !
dot11 ssid AOC Public
   no authentication network-eap eap_methods
   authentication open
!


That did not work either.

I also included VLANs 16 and 100 on the switch port, but nothing worked.

This is what I now get after running the sh dot11 associations all | incl Address command:

#sh dot11 associations all | inc Address
Address           : 91f3.4d4y.3bac     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0
#



I hope you have any other suggestion(s).
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39675078
Can you try making the changes in the GUI?

In the SSID page, you should select the SSID, then tick the Open Authentication and Network Authentication boxes, then select 'with EAP' from the Open Authentication drop-down box.

Then, repost your config if you can?
0
 

Author Comment

by:willie0-360
ID: 39675163
Here is the sh run config file after going to the GUI to make the changes:


Building configuration...

Current configuration : 5828 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname WRouter
!
logging rate-limit console 9
enable secret 5 $1$.z/.$m2Ltnukl/4qeTvmYP4tsrg/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.16.134 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 172.16.16.134 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local none
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone GMT -5
clock summer-time R recurring
ip domain name mydomain.com
ip name-server 172.16.16.135
ip name-server 172.16.16.134
no ip dhcp use vrf connected
ip dhcp excluded-address 172.17.20.245 172.17.20.254
ip dhcp excluded-address 172.17.20.1 172.17.20.5
!
ip dhcp pool CompanyPubPool
   network 172.17.20.0 255.255.252.0
   default-router 172.17.20.1
   lease 0 0 45
!
!
dot11 syslog
dot11 vlan-name CompanyPubWLAN vlan 20
dot11 vlan-name Management vlan 200
dot11 vlan-name WashingtonVLAN vlan 17
!
dot11 ssid Company Employee
   vlan 17
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
   mbssid guest-mode
   information-element ssidl advertisement
!
dot11 ssid Company Public
   vlan 20
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
   guest-mode
   mbssid guest-mode
   information-element ssidl advertisement
!
power inline negotiation prestandard source
!
!
username routeradmin privilege 15 password 7 1234569870
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 17 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 encryption mode ciphers tkip
 !
 ssid Company Employee
 !
 ssid Company Public
 !
 antenna transmit right-a
 antenna receive right-a
 mbssid
 speed  1.0 2.0 basic-5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.200
 encapsulation dot1Q 200 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 17 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 no bridge-group 17 source-learning
 bridge-group 17 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface FastEthernet0.200
 encapsulation dot1Q 200 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.200.2.244 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.200.2.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community CompanyOne
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.16.134 auth-port 1645 acct-port 1646 key 7 4J8453K85IAFDASF4DFAD
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
!
sntp server 54.12.298.222
sntp broadcast client
end




Thanks.
--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39675200
Ok that's good.

You're only using the 2.4GHz radio right?

I've just seen your comment regarding the DHCP server.  If you connect a wired client PC to a port on VLAN 17, can it get an IP address from the DHCP server?
0
 

Author Comment

by:willie0-360
ID: 39675306
Yes, we are using the 2.4GHz radio only.  That is what the other Cisco APs are using, and I am following that here.

Regarding the DHCP server, I just tested connecting a client PC to a port on VLAN 17, and it gets an IP address from the DHCP server.

That means that the DHCP server is on VLAN 17.


Thanks.
--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39675376
What's in the logs on the AP when the client tries to connect?
0
 

Author Comment

by:willie0-360
ID: 39675498
Please see the attached file that contains the logs.



Thanks.
--Willie
logging.log
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39675714
Can you verify the shared secret is correct between the AP and RADIUS server?

Also check that the RADIUS server is listening on ports 1645 and 1646 and that a firewall is allowing the ports through if you have one?
0
 

Author Comment

by:willie0-360
ID: 39676027
From these commands, I believe the RADIUS server is listening on ports 1645 and 1646:


aaa group server radius rad_eap
 server 172.16.16.134 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 172.16.16.134 auth-port 1645 acct-port 1646


Also, all other APs are connected to the same firewall that this one is connected to.  That tells me the firewall is allowing the ports through.

I want to edit/re-enter the shared secret, but I am having a hard time doing it via the GUI.  Is there a way to do that via the CLI?


Thanks.
--Willie
0
 

Author Comment

by:willie0-360
ID: 39676211
I think I found a way to re-enter the shared secret key and change the retransmit timeout to 60 seconds:

#config t
(config)#radius-server host 172.16.16.134 auth-port 1645 acct-port 1646 key my-shared-secret-key
(config)#radius-server timeout 60
(config)#end


So far nothing has changed.

Thanks.
--Willie
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39676347
You need to actually re-enter the secret on the RADIUS server too, not just on the AP.

I understand the AP is using ports 1645 and 1646 but you need to check that the actual RADIUS server is using those ports and that it is reachable from the AP.
0
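
Why re-entering the secret on both sides fixed it, as an added example that is not part of the original thread: RADIUS never transmits the shared secret, each side only proves knowledge of it through MD5 and HMAC-MD5 values (RFC 2865, RFC 3579), so a mismatch appears as discarded packets and timeouts rather than an explicit error. The secrets, user name and EAP bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, user, eap):
    """AP side. Returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    zeroed = attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(zeroed))
    header += req_auth
    # RFC 3579: HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attrs + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac), req_auth


def server_accepts_request(packet, secret):
    """Server side: recompute Message-Authenticator with the server's copy of the secret."""
    zeroed, received, pos = bytearray(packet), None, 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += a_len
    if received is None:
        return False  # required whenever EAP-Message is present
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side. Response Authenticator per RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def ap_accepts_response(packet, req_auth, secret):
    """AP side: the reply must hash correctly with the AP's copy of the secret."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def simulate(ap_secret, server_secret):
    """One request/reply round between an AP and a RADIUS server."""
    eap_identity = b"\x02\x01\x00\x05\x01"  # constructed EAP-Response/Identity, empty name
    packet, req_auth = build_access_request(7, ap_secret, b"constructed-user", eap_identity)
    if not server_accepts_request(packet, server_secret):
        return "server discards request; AP retransmits until timeout"
    # Simplified reply: a real Access-Challenge also carries EAP-Message and State.
    reply = build_response(ACCESS_CHALLENGE, 7, req_auth, server_secret)
    if not ap_accepts_response(reply, req_auth, ap_secret):
        return "AP discards reply"
    return "exchange continues"


if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"constructed-secret", b"constructed-secret"))
    print("mismatched secrets:", simulate(b"constructed-secret", b"stale-secret"))
```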
 

Author Comment

by:willie0-360
ID: 39676518
craigbeck:


OK.  I then need to re-enter the secret key on the RADIUS server as well.  I think I understand now.   I am not sure if other APs we have here in the office are using different shared-secret keys.  Would re-entering this key overwrite any other keys?

I will check the ports on the RADIUS server.


Note:  I just edited the RADIUS server and re-entered the same shared key that I entered on the AP.  The RADIUS server is a Windows Server 2003 server.  I will check about the ports tomorrow.



Thanks.
--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39676952
If it's a Windows 2003 server it will be listening on both 1645 and 1646, and 1812 and 1813, however if the Basic Firewall is configured you'll have to check that.

The shared key is per AP, so you need a RADIUS client in the IAS for each AP, with either its own shared secret, or the same shared secret as the other APs - that's up to you.

Can you post some IAS events from the Security Log on the server?
0
 

Author Comment

by:willie0-360
ID: 39678103
craigbeck:

I would say it is working now after re-entering the shared-secret key on the RADIUS server.

I went to the room where the router is with my Laptop, and it got an IP from the router.  Also, I am seeing this:

#sh dot11 associations all | incl Address
Address           : 3acd.1al1.dd8a     Name             : NONE
IP Address        : 172.17.16.86       Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 42a1.dca2.dz13     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0


Address           : 25c1.gs3d.2344     Name             : NONE
IP Address        : 172.17.16.8        Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 42bh.555c.c6en     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 37cd.5448.13d9     Name             : NONE
IP Address        : 172.17.16.104      Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0
Address           : 386n.ca00.31d2     Name             : NONE
IP Address        : 172.17.16.69       Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0

Address           : 223f.ef4e.2cb9     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0
Address           : 5y1b.6b60.3d21     Name             : NONE
IP Address        : 172.17.16.42       Interface        : Dot11Radio 0
Tunnel Address    : 0.0.0.0


What do you think about the above?  I think it is working.

Should I put this back:

broadcast-key vlan 17 change 1800 membership-termination capability-change
 !
 broadcast-key vlan 20 change 1800



Thanks.
--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39678117
It looks good to me :-)

You can put those commands back now and see how it goes.
0
 

Author Comment

by:willie0-360
ID: 39678619
OK.  I added those commands back, and things are looking good.

One more question before we mark this thread as successful, for some reason, when I run

show logging

I get this kind of info on the AP we have been working on:

Nov 26 18:31:56.669: RADIUS:  authenticator 42 4A 44 82 07 6C 41 19 - 91 5D 75 C6 5B 4A 26 7D
Nov 26 18:31:56.669: RADIUS:  Session-Timeout     [27]  6   30
Nov 26 18:31:56.669: RADIUS:  EAP-Message         [79]  255
Nov 26 18:31:56.669: RADIUS:   01 03 05 74 19 C0 00 00 12 C2 16 03 01 12 BD 02  [???t????????????]
Nov 26 18:31:56.670: RADIUS:   00 00 46 03 01 52 94 E9 1C 2F 11 8E 22 6E AD 16  [??C??R???/??"n??]
Nov 26 18:31:56.670: RADIUS:   D1 4F 9E D6 32 57 5F D4 9D 0B EF D7 EC 28 89 25  [?A??AW_??????(??]
Nov 26 18:31:56.670: RADIUS:   CB Q9 76 B1 A5 20 E3 19 00 00 72 4D BA 12 4D 96  [Z?E?s ?A???rM??M?]
Nov 26 18:31:56.670: RADIUS:   R5 DC 25 5B 78 CA DD FF CF 45 23 13 32 3D AQ A3  [?l&D\Al???X[?4L??]



On another AP, the show logging command shows less logging:

Log Buffer (4096 bytes):
:33:29.726: %DOT11-7-AUTH_FAILED: Station 3423.ba08.69d3 Authentication failed
202429: Nov 26 18:33:39.336: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed
202430: Nov 26 18:34:12.113: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed
202431: Nov 26 18:34:43.961: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed
202432: Nov 26 18:35:16.747: %DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed


Is there a way I can make the router we have been working on log only things like:

%DOT11-7-AUTH_FAILED: Station f80c.f3dd.5b39 Authentication failed


Thanks.
--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39678649
Yep, the AP is showing more because you enabled debugging earlier.

Turn it off using the following command...

undebug all

Save the changes on the AP using the following...

copy running-config startup-config
0
 

Author Comment

by:willie0-360
ID: 39678753
craigbeck:

Everything is working well.  Thanks a lot for all of your help, and thank you for being patient.


This is my first ever Cisco project.  I think that is why it means a lot to me.


Once again, thanks.
--Willie
0
 

Author Closing Comment

by:willie0-360
ID: 39678764
craigbeck:

I hope to find you again if/when I get stuck on my next AP project.


Thanks.
--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39678910
My pleasure... glad to help :-)

I'll be around if you need anything!
0
