877W %DOT11-7-CCKM_AUTH_FAILED

Sometimes when I connect to the 877W router via WiFi, I'm getting a notice (which is mentioned on the cisco.com site) in the logs:
%DOT11-7-CCKM_AUTH_FAILED : Station [enet] CCKM authentication failed
The official explanation is: "The station has failed CCKM authentication."
And the "Recommended Action" is: "Verify the topology of the APs under the WDS domain."
But the 877W does not support WDS commands. And also there is no ability to turn CCKM off.
Only one thing helps: reload.
I tried and made some tests with the following IOSs:
c870-advipservicesk9-mz.124-22.T
c870-advipservicesk9-mz.124-15.T7
I was using 3 different PCs (two XPs and one OSX Leopard, all of them with the latest updates/patches).
To confirm the above-mentioned problem it's enough to switch the reauth period to 10 seconds:
dot1x reauth-period 10
And after a few minutes we'll get many notices like:
%DOT11-7-CCKM_AUTH_FAILED: Station [enet] authentication failed
And all clients which are trying to reassociate or associate with the 877W are unable to connect.
I was surfing through the forum and noticed the following steps for testing:
- to leave only one SSID
- to turn guest-mode off
- to turn off TKIP and allow only AES.
I tried everything and that was useless.
Maybe someone has an idea how to solve this problem?

After a series of tests I discovered the following.
The bug exists only in IOS 22.T + AES. If I'm using TKIP encryption or if I turn encryption off, everything works perfectly.

Similar Messages

  • UC500 with integrated wireless AP

    Notebooks can authenticate for several days and suddenly they cannot. The only thing that helps is a reload.
    This is the message I'm getting when I cannot reconnect:
    %DOT11-7-CCKM_AUTH_FAILED
    Thx
    Filip

    Version 12.4(22)T
    did work with previous IOS versions

  • Getting Started with Wireless: Wireless configuration on 877W router - STUC

    Just letting you know that I've already posted an identical post under "Getting Started with Wireless" but don't feel that I'm getting any attention so I made another post. Thank you.
    Hi all
    I have a Cisco 877W router running IOS v 12.4(15)T3. I have been trying to configure wireless to run WPA-PSK and am stuck at the final stage. I spent a lot of time configuring the router using the CLI but ended up using the Web GUI interface. I was able to configure the wireless settings (I think) but failed when connecting to the router from WinXP-SP2 and was wondering if you have any suggestions for me. I've run the following debugs on the router:
    VNRouter#sho debug
    DHCP server event debugging is on.
    dot11:
    802.1X module WPA/WPA-PSK/CCKM key management debugging is on
    dot11 Syslog debugging is on
    Below is the error message when connecting wirelessly
    *Mar 4 18:46:25.655: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    VNRouter#
    *Mar 4 18:46:25.659: %DOT11-6-ASSOC: Interface Dot11Radio0, Station VNRouter 001b.771a.dbad Associated SSID[VN-WiLess1] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    VNRouter#
    *Mar 4 18:47:25.571: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.579: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded.
    I've created two VLANs (and tied these two VLANs to 2 separate SSIDs) on this router for a reason and so far have not been able to connect to any of them (SSID). I've also attached the config so you can have a look. Thanks in advance for your help.

    The configuration looks fine. In most cases, connectivity issues with WPA-PSK are due to a mismatch in the PSK on the client and the AP. Try re-entering the PSK key on both the router and the client and check if you are seeing any issues.

  • Configure VPN Server Cisco 877W

    Hello!
    I need to implement a VPN server on a Cisco 877W.
    The idea is as follows:
    Access the network from anywhere using the Cisco VPN Client;
    The router needs to receive a minimum of 5 simultaneous connections;
    Each user would have a login and password;
    Cisco 877W (System image file is "flash: C870-advipservicesk9-mz.150-1.M10.bin")
    Following script:
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service sequence-numbers
    hostname VPN
    boot-start-marker
    boot-end-marker
    logging buffered 10240
    enable secret PASS@PASS
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock timezone BR -3
    dot11 syslog
    dot11 ssid ACESSO01
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii PASS@PASS
    no ip source-route
    ip dhcp pool ODIM
       import all
       network 192.168.100.224 255.255.255.224
       default-router 192.168.100.254
       dns-server 10.151.176.80 201.10.120.3 10.151.176.79 201.10.1.2
       update arp
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name local
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall cuseeme
    ip inspect name firewall h323
    ip inspect name firewall rcmd
    ip inspect name firewall realaudio
    ip inspect name firewall streamworks
    ip inspect name firewall vdolive
    ip inspect name firewall sqlnet
    ip inspect name firewall tftp
    ip inspect name firewall ftp
    ip inspect name firewall icmp
    ip inspect name firewall sip
    ip inspect name firewall esmtp max-data 52428800
    ip inspect name firewall fragment maximum 256 timeout 1
    ip inspect name firewall netshow
    ip inspect name firewall rtsp
    ip inspect name firewall pptp
    ip inspect name firewall skinny
    no ipv6 cef
    multilink bundle-name authenticated
    archive
    path flash:config
    write-memory
    file verify auto
    username suporte privilege 15 secret 5 $1$WdPL$PHwugOutS3fztS8hBUl9g0
    ip tcp timestamp
    ip ssh version 2
    bridge irb
    interface ATM0
    description #### A D S L - INTERNET ####
    no ip address
    no ip proxy-arp
    load-interval 30
    no atm ilmi-keepalive
    interface ATM0.1 point-to-point
    description #### A D S L - INTERNET ####
    pvc 0/35
      pppoe-client dial-pool-number 1
    interface FastEthernet0
    description #### I N T R A N E T ####
    switchport trunk native vlan 100
    switchport mode trunk
    load-interval 30
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Dot11Radio0
    no ip address
    no ip proxy-arp
    load-interval 30
    encryption mode ciphers aes-ccm tkip
    ssid ACESSO01
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    station-role root
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    description #### ETH`S ####
    no ip address
    no ip proxy-arp
    load-interval 30
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Vlan100
    description #### I N T R A N E T ####
    ip address dhcp
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    interface Dialer0
    description #### I N T E R N E T ####
    ip address negotiated
    ip access-group Traffic-Permit-IN in
    no ip redirects
    no ip unreachables
    ip mtu 1492
    ip nat outside
    ip inspect firewall out
    ip virtual-reassembly
    rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
    encapsulation ppp
    load-interval 30
    dialer pool 1
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname user@user
    ppp chap password pass@pass
    ppp pap sent-username user@user password pass@pass
    ppp ipcp dns request
    ppp ipcp wins request
    ppp ipcp route default
    no cdp enable
    interface BVI1
    description #### BRIDGE Vlan1/Dot11Radio0 ####
    ip address 192.168.100.254 255.255.255.224
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    ip policy route-map PBR
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source route-map ADSL interface Dialer0 overload
    ip nat inside source route-map INTRANET interface Vlan100 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0 name ADSL
    ip route 0.0.0.0 0.0.0.0 10.48.50.1 name INTRANET
    ip access-list extended ADSL
    deny   ip any 10.0.0.0 0.255.255.255
    permit ip any any
    deny   ip any host 192.168.100.255
    deny   udp any any eq tftp log
    deny   ip any 0.0.0.0 0.255.255.255 log
    deny   ip any 127.0.0.0 0.255.255.255 log
    deny   ip any 169.254.0.0 0.0.255.255 log
    deny   ip any 172.16.0.0 0.15.255.255 log
    deny   ip any 192.0.2.0 0.0.0.255 log
    deny   ip any 192.168.0.0 0.0.255.255 log
    deny   ip any 198.18.0.0 0.1.255.255 log
    deny   udp any any eq 135 log
    deny   tcp any any eq 135 log
    deny   udp any any eq netbios-ns log
    deny   udp any any eq netbios-dgm log
    deny   tcp any any eq 445 log
    deny   ip any any log
    ip access-list extended INTRANET
    permit ip any 10.0.0.0 0.255.255.255
    deny   ip any any
    deny   ip any host 10.48.50.255
    deny   udp any any eq tftp log
    deny   ip any 0.0.0.0 0.255.255.255 log
    deny   ip any 10.0.0.0 0.255.255.255 log
    deny   ip any 127.0.0.0 0.255.255.255 log
    deny   ip any 169.254.0.0 0.0.255.255 log
    deny   ip any 172.16.0.0 0.15.255.255 log
    deny   ip any 192.0.2.0 0.0.0.255 log
    deny   ip any 192.168.0.0 0.0.255.255 log
    deny   ip any 198.18.0.0 0.1.255.255 log
    deny   udp any any eq 135 log
    deny   tcp any any eq 135 log
    deny   udp any any eq netbios-ns log
    deny   udp any any eq netbios-dgm log
    deny   tcp any any eq 445 log
    ip access-list extended Traffic-Permit-IN
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 224.0.0.0 0.15.255.255 any
    deny   ip any host 255.255.255.255
    permit tcp any any eq 1723
    permit gre any any
    deny   icmp any any echo
    deny   ip any any log
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any echo
    access-list 110 permit ip 192.168.100.224 0.0.0.31 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map ADSL permit 10
    match ip address 110
    match interface Dialer0
    route-map INTRANET permit 10
    match ip address 110
    match interface Vlan100
    route-map PBR permit 10
    match ip address ADSL
    set interface Dialer0
    route-map PBR permit 20
    match ip address INTRANET
    set interface Vlan100
    control-plane
    bridge 1 route ip
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000
    end

    Some Help?

  • Cisco 877W Dual SSID/VLAN Security Issue

    Hi All
    I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by a zone-based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services are open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
    Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
    P.S. The config has been pared down to basics below.
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ROUTER
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
    no aaa new-model
    dot11 syslog
    dot11 ssid PRIVATE@123
     vlan 100
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
    dot11 ssid VISITOR@123
     vlan 200
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 03374C0A08392040420C00
    ip source-route
    no ip dhcp conflict logging
    ip dhcp excluded-address 172.16.1.1 172.16.1.10
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool GUEST
     utilization mark low 70 log
     network 172.16.1.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 172.16.1.1
    ip dhcp pool PRIVATE
     utilization mark low 70 log
     network 192.168.0.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 192.168.0.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 password 7 073F205F5D1E491713
    policy-map type inspect PM-DENYGUEST
     class class-default
      drop
    zone security GUEST
    zone security PRIVATE
    zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
     service-policy type inspect PM-DENYGUEST
    bridge irb
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 100
     no ip address
    interface FastEthernet2
     switchport access vlan 100
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     encryption vlan 100 mode ciphers aes-ccm
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 100 change 30
     broadcast-key vlan 200 change 30
     ssid PRIVATE@123
     ssid VISITOR@123
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Dot11Radio0.100
     encapsulation dot1Q 100 native
     zone-member security PRIVATE
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.200
     encapsulation dot1Q 200
     zone-member security GUEST
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 spanning-disabled
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
    interface Vlan1
     no ip address
    interface Vlan100
     no ip address
     bridge-group 1
    interface Vlan200
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 10580A4F1C4005005B
    interface BVI1
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security PRIVATE
    interface BVI2
     ip address 172.16.1.1 255.255.0.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security GUEST
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    logging 192.168.0.11
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    line con 0
     exec-timeout 5 0
     no modem enable
     transport output all
    line aux 0
     exec-timeout 0 1
     no exec
     transport output none
    line vty 0 4
     exec-timeout 5 0
     login local
     transport input telnet ssh
     transport output none
    end

    Ignore that. self zone got me. Argh! phew!
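
    The "self zone" point in the reply above can be checked mechanically: the GUEST-to-PRIVATE zone-pair only governs traffic routed between the two zones, while traffic addressed to the router's own BVI addresses belongs to the self zone and is permitted until a zone-pair towards self exists. The following is an added example, not part of the original post: a small auditor over a constructed excerpt of that config, where GUEST-TO-SELF and PM-GUEST-SELF are hypothetical names.

```python
import re

# Constructed sample: the zone-firewall-relevant lines of the dual-SSID
# config posted above (addresses and names kept, secrets left out).
SAMPLE_CONFIG = """\
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 zone-member security PRIVATE
interface BVI2
 ip address 172.16.1.1 255.255.0.0
 zone-member security GUEST
ip http server
ip http secure-server
line vty 0 4
 login local
 transport input telnet ssh
"""

# Same config plus a zone-pair towards the router itself. GUEST-TO-SELF and
# PM-GUEST-SELF are hypothetical names and the policy-map body is omitted; it
# would still have to pass what guests need from the router (DHCP, DNS).
HARDENED_CONFIG = SAMPLE_CONFIG + """\
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-SELF
"""

ZONE_RE = re.compile(r"^zone security (\S+)$")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) ")


def parse_blocks(config):
    """Split an IOS config into (header, [child lines]) using indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_self_zone(config):
    """Collect zones, router-owned addresses, management services and
    the zones that have no policed zone-pair towards 'self'."""
    zones, covered, addresses, services = [], set(), [], []
    for header, children in parse_blocks(config):
        zone_m, pair_m = ZONE_RE.match(header), PAIR_RE.match(header)
        if zone_m:
            zones.append(zone_m.group(1))
        elif pair_m:
            _, src, dst = pair_m.groups()
            policed = any(c.startswith("service-policy type inspect ")
                          for c in children)
            if dst == "self" and policed:
                covered.add(src)
        elif header.startswith("interface "):
            zone = ip = None
            for child in children:
                if child.startswith("zone-member security "):
                    zone = child.split()[-1]
                addr_m = ADDR_RE.match(child)
                if addr_m:
                    ip = addr_m.group(1)
            if zone and ip:
                addresses.append((header.split()[1], ip, zone))
        elif header in ("ip http server", "ip http secure-server"):
            services.append(header)
        elif header.startswith("line vty"):
            services += ["vty: " + c for c in children
                         if c.startswith("transport input ")
                         and c != "transport input none"]
    return {
        "uncovered_zones": [z for z in zones if z not in covered],
        "router_addresses": addresses,
        "services": services,
    }


def findings(config, untrusted_zones):
    """One finding per router address reachable from an unpoliced untrusted zone."""
    report = audit_self_zone(config)
    out = []
    for zone in untrusted_zones:
        if zone not in report["uncovered_zones"]:
            continue
        for ifname, ip, ifzone in report["router_addresses"]:
            out.append(f"{zone} -> self is unpoliced: {ip} on {ifname} "
                       f"(zone {ifzone}) exposes {', '.join(report['services'])}")
    return out


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, findings(cfg, ["GUEST"]) or "no findings")
```

    Run as a script, it reports both BVI addresses as reachable from GUEST for the posted excerpt and nothing once the self-zone pair is present.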

  • Cisco 877W router and external ADSL modem

    In order to support ADSL2+ on a pre-ADSL2+ router and in preparation for a later migration to BT Infinity I am trying to configure the router using an external ADSL2+ modem appropriately.
    The original configuration had 3 ports configured as one (internal LAN) VLAN and bridge group together with one wireless sub-interface, the remaining port configured as a second VLAN and bridge group with a second wireless sub-interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
    The configuration I am attempting is similar: the LAN ports remain the same, but port 0 as a member of the VLAN and bridge group (now a PPPoE client) associated with one of the wireless sub-interfaces as per above. The ATM interface is downed. This nearly works except that if the wireless sub-interface on this bridge group is configured the dialer no longer dials, giving a 'no dialer string' error. If I do not configure that wireless sub-interface all works well.
    If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless subnet interface (in red).
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname xxxxxxxxxxxxxxxxxxxxx
    boot-start-marker
    boot-end-marker
    logging buffered 4096 warnings
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaa new-model
    aaa group server radius sdm-vpn-server-group-2
    aaa group server radius rad_eap
     server 192.168.253.1 auth-port 1812 acct-port 1813
     server 192.168.253.1 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-2834265337
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2834265337
     revocation-check none
     rsakeypair TP-self-signed-2834265337
    crypto pki certificate chain TP-self-signed-2834265337
     certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
    dot11 syslog
    dot11 ssid GuestAP
       vlan 101
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 113B162712001F4A2D2B25
    dot11 ssid LanAP
       vlan 100
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       mbssid guest-mode
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 192.168.252.1 192.168.252.8
    ip dhcp excluded-address 192.168.252.15 192.168.252.254
    ip dhcp pool sdm-pool1
       import all
       network 192.168.252.0 255.255.255.0
       domain-name XXX.Local
       dns-server xxx.xxx.xxx.xxx
       default-router 192.168.252.254
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    no ip bootp server
    no ip domain lookup
    ip domain name XXX.Local
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    ip reflexive-list timeout 120
    vpdn enable
    vpdn-group 1
     request-dialin
      protocol pppoe
    username administrator privilege 15 secret 5 £££££££££££££££££££££
    class-map type inspect match-any IN_to_OUT_CLASS
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-any OUT_to_IN_CLASS
     match protocol https
     match protocol smtp extended
    class-map type inspect match-any DMZ_to_IN_CLASS
     match protocol http
     match protocol https
     match protocol smtp extended
    policy-map type inspect DMZ_to_IN_POL
     class type inspect DMZ_to_IN_CLASS
      inspect
     class class-default
      drop log
    policy-map type inspect IN_to_OUT_POL
     class type inspect IN_to_OUT_CLASS
      inspect
     class class-default
      drop log
    policy-map type inspect OUT_to_IN_POL
     class type inspect OUT_to_IN_CLASS
      inspect
     class class-default
      drop log
    zone security INSIDE
    zone security OUTSIDE
    zone security DMZ
    zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
     service-policy type inspect OUT_to_IN_POL
    zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
     service-policy type inspect IN_to_OUT_POL
    zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
     service-policy type inspect IN_to_OUT_POL
    zone-pair security DMZ_TO_IN source DMZ destination INSIDE
     service-policy type inspect DMZ_to_IN_POL
    bridge irb
    interface Loopback0
     no ip address
    interface Null0
     no ip unreachables
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
     dsl operating-mode auto
    interface FastEthernet0
     description Outside Interface (PPPoE)
    interface FastEthernet1
     description Inside Interface
     switchport access vlan 10
    interface FastEthernet2
     description Inside Interface
     switchport access vlan 10
     spanning-tree portfast
    interface FastEthernet3
     description Inside Interface
     switchport access vlan 10
     spanning-tree portfast
    interface Dot11Radio0
     no ip address
     no ip route-cache cef
     no ip route-cache
     encryption vlan 100 mode ciphers aes-ccm tkip
     encryption vlan 101 mode ciphers aes-ccm tkip
     ssid GuestAP
     ssid LanAP
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     channel 2437
     station-role root
    interface Dot11Radio0.100
     description LanAP
     encapsulation dot1Q 100
     no ip route-cache
     no cdp enable
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    !interface Dot11Radio0.101
    ! description GuestAP
    ! encapsulation dot1Q 101
    ! no ip route-cache
    ! no cdp enable
    ! bridge-group 1
    ! bridge-group 1 subscriber-loop-control
    ! bridge-group 1 spanning-disabled
    ! bridge-group 1 block-unknown-source
    ! no bridge-group 1 source-learning
    ! no bridge-group 1 unicast-flooding
    interface Vlan1
     description $ES_LAN$
     no ip address
     ip virtual-reassembly
     pppoe enable group global
     pppoe-client dial-pool-number 1
     bridge-group 1
    interface Vlan10
     no ip address
     ip virtual-reassembly
     bridge-group 10
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     zone-member security OUTSIDE
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname XXXXXXX
     ppp chap password 7 xxxxxxxxxxxxxxxxxxx
     ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
     ppp ipcp dns request
     ppp ipcp wins request
     hold-queue 224 in
    interface Dialer0
     no ip address
    interface BVI10
     description Inside Interface
     ip address 192.168.253.254 255.255.255.0
     ip access-group 101 in
     ip helper-address 192.168.253.1
     ip nat inside
     ip virtual-reassembly
     zone-member security INSIDE
    interface BVI1
     description DMZ Interface
     ip address 192.168.252.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security DMZ
    ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
    ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
    ip access-list extended DMZ_to_IN_POL
     remark SDM_ACL Category=128
     permit ip any any
    ip access-list extended Inside_Clients_NAT
     remark SDM_ACL Category=2
     permit ip 192.168.253.0 0.0.0.255 any
    logging 192.168.253.10
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 remark SDM_ACL Category=1
    access-list 1 permit 192.168.253.0 0.0.0.255
    access-list 100 remark VTY Access-class list
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit ip 192.168.253.0 0.0.0.255 any
    access-list 100 deny   ip any any
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark SDM_ACL Category=1
    access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
    access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
    access-list 101 deny   tcp any host 192.168.253.254 eq telnet
    access-list 101 deny   tcp any host 192.168.253.254 eq 22
    access-list 101 deny   tcp any host 192.168.253.254 eq www
    access-list 101 deny   tcp any host 192.168.253.254 eq 443
    access-list 101 deny   tcp any host 192.168.253.254 eq cmd
    access-list 101 deny   udp any host 192.168.253.254 eq snmp
    access-list 101 permit ip any any
    access-list 199 permit ip any host 10.1.1.1
    dialer-list 1 protocol ip permit
    no cdp run
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
    radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
    radius-server vsa send accounting
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 10 protocol ieee
    bridge 10 route ip
    banner login C Border Router
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     access-class 100 in
     privilege level 15
     length 0
     transport input telnet ssh
    scheduler max-task-time 5000
    scheduler interval 500
    ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
    ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
    sntp server xxx.xxx.xxx.xxx
    end

    Hi Jody,
    Apologies for the delay in replying. I have done the following:
    Made two of the FE ports VLAN1, BVI1 (for LAN traffic)
    Left one port as VLAN10 as the PPPoE client connected to the external modem
    Made the last port VLAN10 as well and gave it an IP address as for a DMZ client.
    I have DHCP configured to serve the DMZ addresses.
    This all works for LAN clients and also works for a client attached to that physical DMZ port.
    When I added a dot11radio sub-interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
    I had never thought about this before, but if a dot11radio interface is on the same VLAN (but not being part of a bridge group) why are DHCP broadcasts not propagating to all the VLAN members as I would have expected? I recognise that this is a limit in my understanding.
    If I then made VLAN10 a member of a new bridge group, I lost WAN connectivity as per the original posting.
    I cannot add another VLAN due to the 2 VLAN limit in this image.
    Finally, regarding your comment about giving it what it wants, what exactly did you have in mind? The dialer already has dial string parameters configured.
    Think I am about to give up on this.
    Regards,

  • Cisco 877w -Configuration of subinterfaces and main interface within the same bridge group is not permitted

    Hi,
    I have another problem - after upgrading IOS the wireless connection does not work.
    After reload I have:
    Configuration of subinterfaces and main interface
    within the same bridge group is not permitted
    STP: Unable to get the port parameters.
    Please configure the bridge group on this interface first.
    Please configure the bridge group on this interface first.
    Please configure the bridge group on this interface first.
    SETUP: new interface NVI0 placed in "shutdown" state
    My old configuration worked properly in the old software, but after the update I have this notification.
    Old thread:
    https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
    my current sh run:
    version 12.4 
    no service pad 
    service tcp-keepalives-in 
    service tcp-keepalives-out 
    service timestamps debug datetime msec localtime 
    service timestamps log datetime msec localtime 
    service password-encryption 
    hostname cisco 
    boot-start-marker 
    boot system flash:c870-advipservicesk9-mz.124-24.T6.bin 
    boot-end-marker 
    logging message-counter syslog 
    logging buffered 4096 informational 
    enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s. 
    aaa new-model 
    aaa session-id common 
    dot11 syslog 
    dot11 ssid ciscowifi 
     vlan 1 
     authentication open 
     authentication key-management wpa 
     guest-mode 
     wpa-psk ascii 7 050D031D26595D0617 
    dot11 wpa handshake timeout 500 
    ip source-route 
    no ip dhcp use vrf connected 
    ip dhcp excluded-address 192.168.56.1 
    ip dhcp pool CLIENT 
       import all 
       network 192.168.56.0 255.255.255.0 
       default-router 192.168.56.1 
       dns-server 8.8.8.8 194.204.159.1 194.204.152.34 
       lease 0 2 
    ip cef 
    no ip domain lookup 
    no ipv6 cef 
    multilink bundle-name authenticated 
    username marek password 7 00121A0908500A 
    archive 
     log config 
      hidekeys 
    ip tcp path-mtu-discovery 
    bridge irb 
    interface ATM0 
     description Polaczenie ADSL do ISP$ES_WAN$ 
     no ip address 
     no atm ilmi-keepalive 
     pvc 0/35 
      encapsulation aal5mux ppp dialer 
      dialer pool-member 1 
     hold-queue 224 in 
    interface FastEthernet0 
     description Edzia 
    interface FastEthernet1 
     description dom 
    interface FastEthernet2 
     description Dziadek 
    interface FastEthernet3 
    interface Dot11Radio0 
     no ip address 
     no ip redirects 
     ip local-proxy-arp 
     ip nat inside 
     ip virtual-reassembly 
     no dot11 extension aironet 
     encryption vlan 1 mode ciphers tkip 
     encryption mode ciphers aes-ccm tkip 
     broadcast-key change 3600 
     ssid ciscowifi 
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 
     station-role root 
     world-mode dot11d country AU indoor 
     no cdp enable 
     bridge-group 1 
     bridge-group 1 subscriber-loop-control 
     bridge-group 1 spanning-disabled 
     bridge-group 1 block-unknown-source 
     no bridge-group 1 source-learning 
     no bridge-group 1 unicast-flooding 
    interface Dot11Radio0.1 
     description ciscowifi 
     encapsulation dot1Q 1 native 
     no cdp enable 
    interface Vlan1 
     no ip address 
     bridge-group 1 
    interface Dialer0 
     description Interfejs dzwoniacy 
     ip address negotiated 
     ip nat outside 
     ip virtual-reassembly 
     encapsulation ppp 
     dialer pool 1 
     dialer-group 1 
     ppp chap hostname [email protected] 
     ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx 
    interface BVI1 
     description Polaczenie dla sieci LAN 
     ip address 192.168.56.1 255.255.255.0 
     ip nat inside 
     ip virtual-reassembly 
    no ip forward-protocol nd 
    ip route 0.0.0.0 0.0.0.0 Dialer0 
    no ip http server 
    no ip http secure-server 
    ip nat inside source list 100 interface Dialer0 overload 
    ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80 
    ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22 
    logging trap debugging 
    logging 192.168.56.10 
    access-list 100 permit ip 192.168.56.0 0.0.0.255 any 
    access-list 100 deny   ip any any 
    no cdp run 
    snmp-server community ciskacz RO 
    snmp-server chassis-id ciskacz 
    control-plane 
    bridge 1 protocol ieee 
    bridge 1 route ip 
    line con 0 
     no modem enable 
    line aux 0 
    line vty 0 4 
     exec-timeout 0 0 
     transport preferred ssh 
     transport input ssh 
    scheduler max-task-time 5000 
    end 
    please help - thanks!

    Hello Marek,
    I suppose you are not planning to do any kind of advanced config using several VLANs and multiple SSIDs, so let's just make your configuration simple and working.
    In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
    Remove the Dot11Radio0.1 subinterface entirely
    In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
    In the dot11 ssid ciscowifi section, remove the vlan 1 command
    After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
    Best regards,
    Peter
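
A static check for the clash the reply describes, as an added example that is not part of the thread: it finds a radio whose main interface carries `bridge-group N` while a subinterface of the same radio exists, then lists the `no` forms of the lines the reply says to remove. The rule is inferred from the error message and the reply; `parse_sections`, `plan_flat_ssid_cleanup` and the sample config are hypothetical names and constructed data.

```python
import re

# Constructed sample modelled on the configuration posted above; secrets and
# unrelated sections are left out. Indentation marks sub-commands, as in IOS.
SAMPLE_CONFIG = """\
dot11 ssid ciscowifi
 vlan 1
 authentication open
 authentication key-management wpa
interface Dot11Radio0
 no ip address
 encryption vlan 1 mode ciphers tkip
 encryption mode ciphers aes-ccm tkip
 ssid ciscowifi
 bridge-group 1
 bridge-group 1 spanning-disabled
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
interface Vlan1
 no ip address
 bridge-group 1
interface BVI1
 ip address 192.168.56.1 255.255.255.0
"""


def parse_sections(text):
    """Map each top-level command to the list of indented sub-commands under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def plan_flat_ssid_cleanup(text):
    """Return (commands, recheck) for radios that mix a bridged main interface
    with subinterfaces. `commands` follows the three removal steps from the
    reply; `recheck` lists what the reply says to verify afterwards."""
    sections = parse_sections(text)
    commands, recheck = [], []
    for header, body in sections.items():
        m = re.fullmatch(r"interface (Dot11Radio[\d/]+)", header)
        if not m:
            continue
        sub_pat = re.compile(r"interface %s\.\d+" % re.escape(m.group(1)))
        subifs = [h for h in sections if sub_pat.fullmatch(h)]
        bridged = any(re.fullmatch(r"bridge-group \d+", c) for c in body)
        if not (subifs and bridged):
            continue  # multi-VLAN layouts bridge only the subinterfaces
        # Step 1: remove the subinterface(s) entirely.
        commands += ["no " + h for h in subifs]
        # Step 2: remove per-VLAN cipher lines from the main radio interface.
        vlan_ciphers = [c for c in body if re.match(r"encryption vlan \d+ ", c)]
        if vlan_ciphers:
            commands += [header] + [" no " + c for c in vlan_ciphers]
        # Step 3: remove the VLAN binding from every SSID used on this radio.
        ssids = [c.split(None, 1)[1] for c in body if c.startswith("ssid ")]
        for name in ssids:
            ssid_header = "dot11 ssid " + name
            vlans = [c for c in sections.get(ssid_header, [])
                     if re.fullmatch(r"vlan \d+", c)]
            if vlans:
                commands += [ssid_header] + [" no " + c for c in vlans]
        # Afterwards: the radio must still carry an SSID and a cipher line.
        if not ssids:
            recheck.append(header + ": no 'ssid' line, re-enter it")
        if not any(c.startswith("encryption mode ") for c in body):
            recheck.append(header + ": no 'encryption mode' line, re-enter it")
    return commands, recheck


if __name__ == "__main__":
    cmds, todo = plan_flat_ssid_cleanup(SAMPLE_CONFIG)
    print("\n".join(cmds + todo))
```

A layout that bridges only the subinterfaces (the multi-VLAN design) produces an empty plan, so the check does not flag configurations that use VLANs on purpose.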

  • Wireless configuration 877w

    Hello,
    I configured the wireless connectivity on my Cisco router 877w, but the interface Virtual-Dot11Radio0.10 status is Down Down even though Dot11Radio0.10 is UP UP.
    Here is my interface config :
    interface Dot11Radio0
    no ip address
    encryption vlan 10 mode ciphers tkip
    ssid ******
    vlan 10
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 *******
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    no dot11 extension aironet
    infrastructure-client
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1392
    no snmp trap link-status
    no cdp enable
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 spanning-disabled
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    What am I doing wrong or missing?
    Thanks for your help,
    Mehdi

    Remove and reconfigure the interface. If this doesn't work, shut the interface and bring up the interface again.

  • Configuring wireless on cisco 877w router

    Hi all
    I have a Cisco 877W wireless/ADSL router and am having great difficulty with configuring wireless on this router. Here is a quick summary.
    1. The ADSL is configured to obtain public IP from the ISP
    2. Default interface vlan 1 is configured with an IP address
    3. I went into vlan database, tried to configure multi vlans and the router prompted me that it can only have max 2 vlans. Hence what's the use of up to 16 different SSID using wireless?
    4. I've setup DHCP scope on the router to give out IP address to clients (both wireless and wired)
    5. I'm able to configure WPA-PSK on the router and was able to connect wirelessly to the router but I won't be able to obtain an IP address from the router
    6. There are two scenarios that I'd like to do:
    A. Setup wireless to connect to the same subnet as what's on vlan1
    B. Setup wireless to connect to a different subnet to vlan1
    For the life of me, I could not find docs on Cisco web site that show me how to do exactly this. I found some documents that use interface F0 as a trunk port and treat the interface Dot11Radio0 with sub-interfaces. I don't connect this router to a switch (standalone router) so how can I do this? Please point me to some docs.
    Thanks in advance for your help.

    My configuration works for wireless no authentication, but failed for WPA-PSK:
    ip dhcp excluded-address 172.16.250.1
    ip dhcp pool TEST
    import all
    network 172.16.250.0 255.255.255.0
    default-router 172.16.250.1
    bridge irb
    interface FastEthernet4
    description $ES_WAN$
    ip address dhcp client-id FastEthernet4
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface Dot11Radio0
    no ip address
    ssid 111
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 Cisco1234
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    no ip address
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.250.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    After I configured the same wpa-psk key on the XP computer using windows zero configuration and tried to connect to the wireless work, I got the following errors on the router:
    *Mar 1 03:00:51.623: *** Not encrypted dot1x packet from 000c.f123.25cf has been discarded
    *Mar 1 03:00:52.623: %DOT11-7-AUTH_FAILED: Station 000c.f123.25cf Authentication failed
    What could be wrong? Thanks!

  • Wireless configuration on 877W router - STUCK

    Hi all
    I have a Cisco 877W router running IOS v 12.4(15)T3. Have been trying to configure wireless to run WPA-PSK and am stuck at the final stage. Spent a lot of time configuring the router using CLI but ended up using the Web GUI interface. I was able to configure the wireless settings (I think) but failed when connecting to the router from WinXP-SP2 and was wondering if you have any suggestion for me. I've run the following debugs on the router:
    VNRouter#sho debug
    DHCP server event debugging is on.
    dot11:
    802.1X module WPA/WPA-PSK/CCKM key management debugging is on
    dot11 Syslog debugging is on
    Below is the error message when connecting wirelessly
    *Mar 4 18:46:25.655: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    VNRouter#
    *Mar 4 18:46:25.659: %DOT11-6-ASSOC: Interface Dot11Radio0, Station VNRouter 001b.771a.dbad Associated SSID[VN-WiLess1] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    VNRouter#
    *Mar 4 18:47:25.571: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.579: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded.
    I've created two VLANs (and tied these two vlans to 2 separate SSID) on this router for a reason and so far have not been able to connect to any of them (SSID). I've also attached the config so you can have a look. Thanks in advance for your help.

    The configuration looks fine. In most cases, the connectivity issues with WPA-PSK are due to a mismatch in the PSK on the client and the AP. Try re-entering the PSK key on both the router and the client and check if you are seeing any issues.

  • Apple TV does not work with 877W

    Hi all,
    I am using an 877W as my DSL router and trying to use Apple TV or other Apple Bonjour services over Wireless. It is simply not working although I tried several IGMP configurations. I've seen some references to 877W issues but they were all about bridging between wired and wireless. In my case though everything is on wireless (PC with iTunes, Apple TV and an iPhone to be more specific). I wanted to ask once more as I've also seen references to people having this setup working ok.
    interface Dot11Radio0
    ip address 192.168.15.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    load-interval 30
    encryption mode ciphers aes-ccm
    ssid Princes
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2472
    station-role root
    end
    I tried with igmp snooping on and off with no luck, also it didn't help to add 239.0.0.0 as a static group to the interface.
    If you have apple stuff working on your 8xxW environment I appreciate if you can share your configuration, any other ideas are more than welcome.
    Many thanks,
    Cagri

    Hi Cagri,
    Hope you've found an answer to your problem already, if not I had similar issues trying to get mine to work.
    I did manage to get it to work in the end, I've added an article to my blog which goes over what I had to do to get it working.
    Basically, configured correct multicast-routing groups, IGMP v3, pim dense-mode on both the radio and BVI interfaces and it started working.
    http://www.thehelpdesk.co.nz/2012/01/how-to-use-apple-tv-with-cisco-877w.html
    Cheers,
    Sully.

  • Cisco 877w - Apple devices not able to see wired apple TV

    Hello All,
    Can anyone point me to a doc or forum discussion on how to setup the wireless interface to forward multicast packets?  Basically I can't get the iPads etc. to see the AppleTV to control it.  I connected an AP and it works fine so it's got to be something with the way the router handles the packets from the integrated wireless interface.  I've been searching the forum for about 1hr and haven't found anything other than a brief mention of broadcast forwarding and multicast setup.
    Has anyone got anything more comprehensive I can read?
    Thanks
    David

    Hello David,
    Thank you for contacting the Sales Acceleration Center (SAC) regarding your recent inquiry, Case Number
    Case Description:
    Cisco 877w - Apple devices not able to see wired apple TV
    Case Solution:
    The Bonjour service uses multicast to advertise your Home Sharing enabled device to the local network. In my case the Cisco 877W I was using had a Layer 3 enabled BVI (Bridged Virtual Interface) to which the Wireless Dot11Radio interface was not forwarding multicast packets properly.
    First of all, obtain the Multicast groups your wireless adapter is configured for (on Windows open a command prompt and run the below command):
    The result will give you an output as per below, we are interested in the multicast address directly after the 224.0.0.252 address 239.255.255.250:
    Then we need to enable multicast routing on the router, connect to your router and enter config terminal mode:
    Next we will configure IGMP v3 and add the relevant Wireless interface on your router to the correct multicast address group:
    Next perform the same config on your BVI interface:
    Once complete save your changes and confirm both interfaces have been added to the multicast groups using the command sh ip igmp group:
    You now need to reload your router and restart iTunes and then attempt to connect to Home Sharing from your Apple TV.
    Other commands that I used to troubleshoot with were:
    debug ip mpacket - Multicast Packet Debugging
    debug ip mroute - Debug Multicast Routing
    sh ip mroute - Show IP Multicast Routes
    By default the Cisco implementation of a Dot11Radio interface and a BVI interface don't appear to forward multicast packets between each other. Seems odd to me as they're both in the same L2 bridging group..anyway.
    I am going to close the case for this specific inquiry on my side. If you need more information, please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We strive to provide you with excellent service. We value your input and look forward to serving you moving forward.

  • How to run a cable internet on 877W router, please help.

    Hello everyone!
    I have made many variants of IOS configuration but nothing seems to work yet and finally I need someone to tell me if this is possible at all.
    I was using 877W when I was registered to my ISP as a DSL user, everything was perfect. Now I'm using a cable internet and I just can't believe this device can't handle it. I'm trying to get it done for months with one result - network loop (I guess). Don't want to give up.
    Situation is as following:
    Because 877W doesn't have a routable port, I'm using a VLAN and a Bridge interface to assign an IP address from ISP.
    ISP -> FE0 switchport -> VLAN 1 - BVI 1 (BVI with mac address set so ISP will give it IP from their DHCP)
    interface FastEthernet0
    interface Vlan1
     no ip address
     no ip redirects
     ip virtual-reassembly
     no autostate
     bridge-group 1
    interface BVI1
     mac-address ####.####.####
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
    By this configuration, internet works for a while, then it drops and I have to restart BVI 1 interface to bring internet back again.
    If I add this command in main config:
    no spanning-tree vlan 1
    Internet will never drop but it will become very slow, from say 35Mbps to 1-5Mbps.
    I think that I need somehow to force my ISP switch to "think" that my FE0 switchport is not a switchport but a single host.
    Guys, I need your help!

    http://download.oracle.com/otn_hosted_doc/forms/forms/A73071_01.pdf
    Good luck...
    Sim

  • How does one avoid co-channel interference on dot11a solutions in EMEA ?

    When deploying wireless access points on dot11b/g, co-channel interference can be minimized by appropriate manual choice of channel numbers across the physical site.
    In the US, the same methodology applies for dot11a solutions, where manual frequency selection for an AP is an option.
    However, here in EMEA, with compulsory DFS for dot11a, there appears to be no manual control at all on channel selection.
    The default behaviour as I understand it - is for an AP to pick a random channel during interface initialization, and then if no radar detected, continue to use that channel.
    (This has hit us on one solution, where four APs in neighbouring rooms at a client site selected the same channel on startup - causing significant co-channel interference!)
    So how does one avoid co-channel interference on dot11a solutions in EMEA ?
    Do wireless LAN controllers (with thin APs) have an option to preselect dot11a channels before the DFS listen check ? (Rather than just a random choice)
    The IDEAL solution, would be for Cisco to add the following option to its IOS syntax :-
    Interface dot11radio1
    Dfs band 2 3 4 block
    Channel 36 preferred
    Adding a preferred keyword option would allow co-channel interference to be avoided by design, whilst still allowing a DFS check to prevent wireless interference.
    If I wanted to pursue the inclusion of this new option into AP IOS, what would be the best method in tackling this?

    I don't have an answer for you but I do have a question. I have been researching the issue of which channels in the 2.4 band are permitted according to law in the various countries in Europe. We have offices in Germany, France, Spain, Netherlands and England and I was wondering which channels we are permitted to use. Do you know or could you point me to a document I could read?

  • %DOT11-7-AUTH_FAILED: %DOT11-6-DISASSOC:

    Hello again,
    Thought this issue was fixed yesterday after finding out my printer was the MAC address flashing up on the log, however it seems that every device is playing up.
    Thanks
    James
    These are my wireless devices:
    APPLE IPHONE     6809.2780.219a
    DELL LAPTOP        0026.c7e2.68be
    HTC PHONE           bccf.cca7.43ea
    LG TV                    9444.4434.d43c
    HP LAPTOP           001f.3c83.bd9e
    PRINTER               0080.927b.0edb
    SONY ERICSSON  b8f9.3410.9524
    PLAYSTATION 3     280d.fcec.27c4
    The log....
    *Aug 28 21:05:35.845: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   280d.fcec.27c4 Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:06:32.913: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 280d.fcec.27c4 Reason: Sending station has left the BSS SSID[THE MATRIX]
    *Aug 28 21:06:37.321: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   280d.fcec.27c4 Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:07:49.533: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.2780.219a Reason: Previous authentication no longer valid SSID[THE MATRIX]
    *Aug 28 21:09:37.537: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
    *Aug 28 21:09:41.117: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Reassociated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:11:47.057: %DOT11-7-AUTH_FAILED: Station 6809.2780.219a Authentication failed
    *Aug 28 21:11:49.413: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   6809.2780.219a Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:11:55.321: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.2780.219a Reason: Sending station has left the BSS SSID[THE MATRIX]
    *Aug 28 21:19:21.612: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
    *Aug 28 21:19:25.176: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
    *Aug 28 21:19:39.324: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:23:54.664: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
    *Aug 28 21:23:59.212: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
    *Aug 28 21:24:07.756: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Reassociated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:26:06.168: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
    *Aug 28 21:28:33.444: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Sending station has left the BSS SSID[THE MATRIX]
    *Aug 28 21:37:08.112: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
    *Aug 28 21:42:36.712: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
    *Aug 28 21:42:41.080: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
    *Aug 28 21:42:46.828: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:43:20.296: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 28 21:43:20.300: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
    *Aug 28 21:43:25.808: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
    This is my running config....
    CORE#sh run
    Building configuration...
    Current configuration : 6692 bytes
    ! Last configuration change at 21:37:08 UTC Wed Aug 28 2013 by James
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname CORE
    boot-start-marker
    boot-end-marker
    logging buffered 64000
    no aaa new-model
    dot11 syslog
    dot11 ssid THE MATRIX
    authentication open
    authentication key-management wpa
    guest-mode
    infrastructure-ssid
    wpa-psk ascii 7 xxxxx
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.0.1 192.168.0.19
    ip dhcp excluded-address 192.168.0.61 192.168.0.254
    ip dhcp excluded-address 172.0.0.1 172.0.0.10
    ip dhcp pool LAN_Addresses
    import all
    network 192.168.0.0 255.255.255.0
    dns-server 8.8.8.8 4.2.2.2
    default-router 192.168.0.1
    lease 5
    ip dhcp pool THE MATRIX
    import all
    network 172.0.0.0 255.255.255.0
    default-router 172.0.0.1
    dns-server 8.8.8.8 4.2.2.2
    lease 5
    no ip domain lookup
    ip domain name firewire2013
    ip name-server 4.2.2.2
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3845826623
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3845826623
    revocation-check none
    crypto pki certificate chain TP-self-signed-3845826623
    certificate self-signed 01
            quit
    license udi pid CISCO2811 sn FCZ09237316
    username James privilege 15 secret 5 xxxxxxxxxxxxxxxxx
    redundancy
    class-map type inspect match-any sdm-cls-insp-traffic
    class-map type inspect match-all sdm-insp-traffic
    match class-map sdm-cls-insp-traffic
    class-map type inspect match-any SDM-Voice-permit
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any sdm-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all sdm-invalid-src
    match access-group 102
    class-map type inspect match-all sdm-icmp-access
    match class-map sdm-cls-icmp-access
    class-map type inspect match-all sdm-protocol-http
    match protocol http
    interface FastEthernet0/0
    description CONNECTION TO MODEM>ISP$ETH-WAN$
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex full
    speed 100
    no cdp enable
    interface FastEthernet0/1
    description CONNECTION TO LAB
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex full
    speed 100
    interface Dot11Radio0/2/0
    description WLAN TO MOBILE USERS
    ip address 172.0.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    encryption mode ciphers tkip
    ssid THE MATRIX
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface FastEthernet0/0/0
    description CONNECTION TO CORE PC
    no ip address
    interface FastEthernet0/0/1
    description CONNECTION TO PS3
    no ip address
    interface FastEthernet0/0/2
    description CONNECTION TO ACCESS SERVER
    no ip address
    interface FastEthernet0/0/3
    no ip address
    interface Vlan1
    description MANAGEMENT INTERFACE
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    router eigrp 10
    network 192.168.0.0 0.0.255.255
    redistribute static
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source list 2 interface FastEthernet0/0 overload
    ip access-list extended SDM_HTTPS
    remark SDM_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark SDM_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark SDM_ACL Category=1
    permit tcp any any eq 22
    access-list 1 permit 192.168.0.0 0.0.255.255
    access-list 2 remark SDM_ACL Category=2
    access-list 2 permit 172.0.0.0 0.0.0.255
    access-list 70 remark THIS WILL DENY HOST FROM TELNETTING TO R1
    access-list 70 deny   192.168.10.50
    access-list 70 permit any
    access-list 100 remark SDM_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 172.0.0.0 0.0.0.255 any
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 remark SDM_ACL Category=128
    access-list 101 permit ip any any
    access-list 102 remark SDM_ACL Category=128
    access-list 102 permit ip host 255.255.255.255 any
    access-list 102 permit ip 127.0.0.0 0.255.255.255 any
    access-list 102 permit ip 172.0.0.0 0.0.0.255 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    control-plane
    mgcp profile default
    alias exec s show ip interface brief
    alias exec rc show running-config
    alias exec r show ip route
    alias exec v show version
    banner motd ^CCCC
    ###DO NOT LOG ON AUTHORIZED PERSONNEL ONLY####
    ^C
    line con 0
    exec-timeout 100 0
    password 7 xxxxxx
    logging synchronous
    login
    line aux 0
    exec-timeout 30 0
    password 7 xxxxxx
    logging synchronous
    login
    line vty 0 4
    access-class 70 in
    exec-timeout 100 0
    privilege level 15
    password 7 xxxxxxx
    logging synchronous
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    Tried that and it's still the same.  All the devices are playing up.
    Could the hardware be toast?
    *Aug 30 18:23:43.762: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
    *Aug 30 18:23:49.326: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    *Aug 30 18:24:03.778: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
    --More--
    *Aug 30 18:31:52.314: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   bccf.cca7.43ea Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    CORE#
    *Aug 30 18:32:04.478: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
    CORE#
    *Aug 30 18:32:09.114: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    CORE#
    *Aug 30 18:32:18.710: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Previous authentication no longer valid SSID[THE MATRIX]
    CORE#
    *Aug 30 18:32:20.230: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
    CORE#
    *Aug 30 18:32:26.070: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    CORE#
    *Aug 30 18:32:34.058: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
    CORE#
    *Aug 30 18:32:47.258: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
    CORE#
    *Aug 30 18:32:47.678: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    CORE#
    *Aug 30 18:33:12.146: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
    CORE#
    *Aug 30 18:33:32.442: Client 001f.3c83.bd9e failed: reached maximum retries
    CORE#
    *Aug 30 18:33:34.442: Client 001f.3c83.bd9e failed: reached maximum retries
    CORE#
    *Aug 30 18:33:39.442: Client 001f.3c83.bd9e failed: reached maximum retries
    CORE#
    *Aug 30 18:33:44.442: Client 001f.3c83.bd9e failed: reached maximum retries
    CORE#
    *Aug 30 18:33:46.442: Client 001f.3c83.bd9e failed: reached maximum retries
    CORE#
    *Aug 30 18:33:48.442: Client 001f.3c83.bd9e failed: reached maximum retries
    CORE#
    *Aug 30 18:33:53.442: Client 001f.3c83.bd9e failed: reached maximum retries
    CORE#
    *Aug 30 18:34:10.206: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Previous authentication no longer valid SSID[THE MATRIX]
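
Triage for logs like the two captures in this thread, as an added example that is not part of the original posts: it rebuilds hard-wrapped syslog records, then counts associations, `AUTH_FAILED` events, deauthentication reasons and session lengths per station, so one misbehaving client can be told apart from a fault that hits every station. The sample log, MAC addresses, function names and the default year are constructed or assumed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format of the syslog posted above, including
# terminal hard-wraps, a CLI prompt and a pager marker. MACs and SSID are made up.
SAMPLE_LOG = """\
*Aug 28 21:05:35.845: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0200.0000.00aa Associated
SSID[LAB] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:06:32.913: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0200.00
00.00aa Reason: Sending station has left the BSS SSID[LAB]
ROUTER#
*Aug 28 21:09:37.537: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0200.00
00.00bb Reason: Previous authentication no longer valid SSID[LAB]
*Aug 28 21:09:41.117: %DOT11-7-AUTH_FAILED: Station 0200.0000.00bb Authentication failed
 --More--
*Aug 28 21:09:49.413: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station LAPTOP 0200.0000.00bb Associated
SSID[LAB] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:11:47.057: %DOT11-7-AUTH_FAILED: Station 0200.0000.00aa Authentication failed
*Aug 28 21:19:25.176: %DOT11-7-AUTH_FAILED: Station 0200.0000.00bb Authentication failed
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
STAMP = re.compile(r"\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)")
PATTERNS = {
    "ASSOC": re.compile(
        r"%DOT11-6-ASSOC: .*?Station\s+(?:\S+\s+)?" + MAC + r"\s*(?:Rea|A)ssociated"),
    "DISASSOC": re.compile(
        r"%DOT11-6-DISASSOC: .*?Deauthenticating Station " + MAC
        + r"\s*Reason: (.*?)\s*SSID\["),
    "AUTH_FAILED": re.compile(
        r"%DOT11-7-AUTH_FAILED: Station " + MAC + r" Authentication failed"),
}


def unwrap(text):
    """Rebuild one record per syslog message from a pasted terminal capture."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--" or re.fullmatch(r"[\w.-]+[#>]", line):
            continue  # blank line, pager marker or CLI prompt
        if STAMP.match(line):
            records.append(line)
        elif records:
            # Hard-wrapped continuation: the terminal split the line at a fixed
            # column, so join with no separator (the patterns tolerate a lost space).
            records[-1] += line
    return records


def parse_events(text, year=2013):
    """Yield (time, kind, mac, reason). IOS omits the year, so `year` is assumed."""
    for rec in unwrap(text):
        stamp, msg = STAMP.match(rec).groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
        for kind, pat in PATTERNS.items():
            m = pat.search(msg)
            if m:
                reason = m.group(2) if kind == "DISASSOC" else None
                yield when, kind, m.group(1), reason
                break


def summarize(text):
    """Per-station counters plus the length in seconds of each ASSOC->DISASSOC session."""
    stats = defaultdict(lambda: {"assoc": 0, "auth_failed": 0,
                                 "reasons": Counter(), "sessions": []})
    opened = {}
    for when, kind, mac, reason in parse_events(text):
        st = stats[mac]
        if kind == "ASSOC":
            st["assoc"] += 1
            opened[mac] = when
        elif kind == "AUTH_FAILED":
            st["auth_failed"] += 1
        else:
            st["reasons"][reason] += 1
            if mac in opened:
                st["sessions"].append((when - opened.pop(mac)).total_seconds())
    return dict(stats)


def failure_scope(stats):
    """Heuristic: failures on one station point at that client (for example its
    PSK); failures on several point at something shared on the router side."""
    failing = sorted(mac for mac, st in stats.items() if st["auth_failed"])
    if not failing:
        return "none", failing
    return ("single-station" if len(failing) == 1 else "multiple-stations"), failing


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for mac, st in sorted(result.items()):
        print(mac, st["assoc"], st["auth_failed"], dict(st["reasons"]), st["sessions"])
    print(failure_scope(result))
```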
