877W %DOT11-7-CCKM_AUTH_FAILED
Sometimes when I connect to the 877W router via WiFi I'm getting a notice (which is mentioned on the cisco.com site) in the logs:
%DOT11-7-CCKM_AUTH_FAILED : Station [enet] CCKM authentication failed
The official explanation is: "The station has failed CCKM authentication."
And "Recommended Action" is: "Verify the topology of the APs under the WDS domain."
But the 877W does not support WDS commands. And also there is no ability to turn CCKM off.
Only one thing helps: reload.
I tried and made some tests with the following IOSs:
c870-advipservicesk9-mz.124-22.T
c870-advipservicesk9-mz.124-15.T7
I was using 3 different PCs (two XPs and one OSX Leopard, all of them with the latest updates/patches).
To confirm the above-mentioned problem it's enough to switch the reauth period to 10 seconds:
dot1x reauth-period 10
And after a few minutes we'll get many notices like:
%DOT11-7-CCKM_AUTH_FAILED: Station [enet] authentication failed
And all clients which are trying to reassociate or associate with the 877W are unable to connect.
I was surfing through the forum and noticed the following steps for testing:
- to leave only one SSID
- to turn guest-mode off
- to turn off TKIP and allow only AES.
I tried everything and that was useless.
Maybe someone has an idea how to solve this problem?
After a series of tests I discovered the following.
The bug exists only in IOS 22.T + AES. If I'm using TKIP encryption or if I turn encryption off everything works perfectly.
Similar Messages
-
UC500 with integrated wireless AP
Notebooks can authenticate for several days and suddenly they cannot. The only thing that helps is a reload.
This is the message I'm getting when I cannot reconnect:
%DOT11-7-CCKM_AUTH_FAILED
Thx
Filip
Version 12.4(22)T
did work with previous IOS versions
-
Getting Started with Wireless: Wireless configuration on 877W router - STUC
Just letting you know that I've already posted an identical post under "Getting Started with Wireless" but don't feel that I'm getting any attention so I made another post. Thank you.
Hi all
I have a Cisco 877W router running IOS v 12.4(15)T3. I have been trying to configure wireless to run WPA-PSK and am stuck at the final stage. I spent a lot of time configuring the router using the CLI but ended up using the Web GUI interface. I was able to configure the wireless settings (I think) but failed when connecting to the router from WinXP-SP2 and was wondering if you have any suggestions for me. I've run the following debugs on the router:
VNRouter#sho debug
DHCP server event debugging is on.
dot11:
802.1X module WPA/WPA-PSK/CCKM key management debugging is on
dot11 Syslog debugging is on
Below is the error message when connecting wirelessly
*Mar 4 18:46:25.655: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
VNRouter#
*Mar 4 18:46:25.659: %DOT11-6-ASSOC: Interface Dot11Radio0, Station VNRouter 001b.771a.dbad Associated SSID[VN-WiLess1] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
VNRouter#
*Mar 4 18:47:25.571: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
*Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
*Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
*Mar 4 18:47:25.579: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded.
I've created two VLANs (and tied these two VLANs to 2 separate SSIDs) on this router for a reason and so far have not been able to connect to any of them (SSID). I've also attached the config so you can have a look. Thanks in advance for your help.
The configuration looks fine. In most cases, connectivity issues with WPA-PSK are due to a mismatch in the PSK on the client and the AP. Try re-entering the PSK key on both the router and the client and check if you are seeing any issues.
-
Configure VPN Server Cisco 877W
Hello!
I need to implement VPN Server on a Cisco 877W.
The idea is as follows:
Access the network from anywhere using the Cisco VPN Client;
The router needs to receive a minimum of 5 simultaneous connections;
Each user would have a login and password;
Cisco 877W (System image file is "flash: C870-advipservicesk9-mz.150-1.M10.bin")
The following script:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
hostname VPN
boot-start-marker
boot-end-marker
logging buffered 10240
enable secret PASS@PASS
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone BR -3
dot11 syslog
dot11 ssid ACESSO01
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii PASS@PASS
no ip source-route
ip dhcp pool ODIM
import all
network 192.168.100.224 255.255.255.224
default-router 192.168.100.254
dns-server 10.151.176.80 201.10.120.3 10.151.176.79 201.10.1.2
update arp
ip cef
no ip bootp server
no ip domain lookup
ip domain name local
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
no ipv6 cef
multilink bundle-name authenticated
archive
path flash:config
write-memory
file verify auto
username suporte privilege 15 secret 5 $1$WdPL$PHwugOutS3fztS8hBUl9g0
ip tcp timestamp
ip ssh version 2
bridge irb
interface ATM0
description #### A D S L - INTERNET ####
no ip address
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description #### A D S L - INTERNET ####
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
description #### I N T R A N E T ####
switchport trunk native vlan 100
switchport mode trunk
load-interval 30
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
no ip proxy-arp
load-interval 30
encryption mode ciphers aes-ccm tkip
ssid ACESSO01
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
description #### ETH`S ####
no ip address
no ip proxy-arp
load-interval 30
bridge-group 1
bridge-group 1 spanning-disabled
interface Vlan100
description #### I N T R A N E T ####
ip address dhcp
no ip proxy-arp
ip nat outside
ip virtual-reassembly
interface Dialer0
description #### I N T E R N E T ####
ip address negotiated
ip access-group Traffic-Permit-IN in
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip inspect firewall out
ip virtual-reassembly
rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname user@user
ppp chap password pass@pass
ppp pap sent-username user@user password pass@pass
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp route default
no cdp enable
interface BVI1
description #### BRIDGE Vlan1/Dot11Radio0 ####
ip address 192.168.100.254 255.255.255.224
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map PBR
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source route-map ADSL interface Dialer0 overload
ip nat inside source route-map INTRANET interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 name ADSL
ip route 0.0.0.0 0.0.0.0 10.48.50.1 name INTRANET
ip access-list extended ADSL
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
deny ip any host 192.168.100.255
deny udp any any eq tftp log
deny ip any 0.0.0.0 0.255.255.255 log
deny ip any 127.0.0.0 0.255.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.0.2.0 0.0.0.255 log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 198.18.0.0 0.1.255.255 log
deny udp any any eq 135 log
deny tcp any any eq 135 log
deny udp any any eq netbios-ns log
deny udp any any eq netbios-dgm log
deny tcp any any eq 445 log
deny ip any any log
ip access-list extended INTRANET
permit ip any 10.0.0.0 0.255.255.255
deny ip any any
deny ip any host 10.48.50.255
deny udp any any eq tftp log
deny ip any 0.0.0.0 0.255.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 127.0.0.0 0.255.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.0.2.0 0.0.0.255 log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 198.18.0.0 0.1.255.255 log
deny udp any any eq 135 log
deny tcp any any eq 135 log
deny udp any any eq netbios-ns log
deny udp any any eq netbios-dgm log
deny tcp any any eq 445 log
ip access-list extended Traffic-Permit-IN
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 224.0.0.0 0.15.255.255 any
deny ip any host 255.255.255.255
permit tcp any any eq 1723
permit gre any any
deny icmp any any echo
deny ip any any log
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any echo
access-list 110 permit ip 192.168.100.224 0.0.0.31 any
dialer-list 1 protocol ip permit
no cdp run
route-map ADSL permit 10
match ip address 110
match interface Dialer0
route-map INTRANET permit 10
match ip address 110
match interface Vlan100
route-map PBR permit 10
match ip address ADSL
set interface Dialer0
route-map PBR permit 20
match ip address INTRANET
set interface Vlan100
control-plane
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
Some Help?
-
Cisco 877W Dual SSID/VLAN Security Issue
Hi All
I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by zone based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services are open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
P.S. The config has been pared down to basics below
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ROUTER
boot-start-marker
boot-end-marker
logging buffered 4096
enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
no aaa new-model
dot11 syslog
dot11 ssid PRIVATE@123
vlan 100
authentication open
authentication key-management wpa
wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
dot11 ssid VISITOR@123
vlan 200
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 03374C0A08392040420C00
ip source-route
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool GUEST
utilization mark low 70 log
network 172.16.1.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 172.16.1.1
ip dhcp pool PRIVATE
utilization mark low 70 log
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1 61.9.242.33 61.9.226.33
default-router 192.168.0.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 password 7 073F205F5D1E491713
policy-map type inspect PM-DENYGUEST
class class-default
drop
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
service-policy type inspect PM-DENYGUEST
bridge irb
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
switchport access vlan 100
no ip address
interface FastEthernet2
switchport access vlan 100
no ip address
interface FastEthernet3
no ip address
interface Dot11Radio0
no ip address
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 100 change 30
broadcast-key vlan 200 change 30
ssid PRIVATE@123
ssid VISITOR@123
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.100
encapsulation dot1Q 100 native
zone-member security PRIVATE
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.200
encapsulation dot1Q 200
zone-member security GUEST
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Vlan1
no ip address
interface Vlan100
no ip address
bridge-group 1
interface Vlan200
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 10580A4F1C4005005B
interface BVI1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE
interface BVI2
ip address 172.16.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
logging 192.168.0.11
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
line con 0
exec-timeout 5 0
no modem enable
transport output all
line aux 0
exec-timeout 0 1
no exec
transport output none
line vty 0 4
exec-timeout 5 0
login local
transport input telnet ssh
transport output none
end
Ignore that. Self zone got me. Argh! Phew!
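The self-zone behaviour the poster ran into, as an added example that is not part of the original thread: with zone-based firewall, traffic addressed to any of the router's own IP addresses (BVI1 included) belongs to the built-in `self` zone, so a GUEST-to-PRIVATE zone-pair never sees it. The script audits a config for zones that have no policy on a zone-pair to `self`; the sample configs are constructed from the post, and the names `GUEST-TO-SELF` and `PM-GUEST-TO-SELF` are assumptions.

```python
import re

# Constructed sample: the zone-relevant lines of the config posted above,
# flattened (no indentation) the way the forum paste is.
BEFORE = """\
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
service-policy type inspect PM-DENYGUEST
interface Dot11Radio0.100
zone-member security PRIVATE
interface Dot11Radio0.200
zone-member security GUEST
interface Dialer0
ip address negotiated
interface BVI1
ip address 192.168.0.1 255.255.255.0
zone-member security PRIVATE
interface BVI2
ip address 172.16.1.1 255.255.0.0
zone-member security GUEST
"""

# Assumed remediation: pair and policy names are hypothetical, not from the post.
AFTER = BEFORE + """\
zone-pair security GUEST-TO-SELF source GUEST destination self
service-policy type inspect PM-GUEST-TO-SELF
"""

ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse(config):
    """Collect zone-pairs, zone membership and router-owned IPv4 addresses."""
    pairs, members, router_ips = {}, {}, []
    iface = pair = None              # section the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line.startswith("!"):
            continue
        m = ZONE_PAIR.match(line)
        if m:
            pair, iface = m.group(1), None
            pairs[pair] = {"src": m.group(2), "dst": m.group(3), "policy": None}
        elif words[0] == "interface" and len(words) > 1:
            iface, pair = words[1], None
        elif line.startswith("service-policy type inspect ") and pair:
            pairs[pair]["policy"] = words[-1]
        elif line.startswith("zone-member security ") and iface:
            members.setdefault(words[2], []).append(iface)
        elif line.startswith("ip address ") and iface and IPV4.match(words[2]):
            # "ip address negotiated" / "dhcp" carry no literal address: skipped
            router_ips.append((iface, words[2]))
    return pairs, members, router_ips


def zones_without_self_policy(config):
    """Return {zone: [router IPs]} for zones with no policy on a pair to 'self'.

    Every listed address belongs to the router itself, so traffic from such a
    zone to any of them is not filtered by the zone firewall, whatever the
    zone-to-zone pairs say. A pair to self with no service-policy attached is
    reported as well, so that it gets reviewed.
    """
    pairs, members, router_ips = parse(config)
    covered = {p["src"] for p in pairs.values()
               if p["dst"].lower() == "self" and p["policy"]}
    exposed_ips = [ip for _, ip in router_ips]
    return {z: exposed_ips for z in sorted(members) if z not in covered}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, zones_without_self_policy(cfg))
```

In the "before" config GUEST is reported with 192.168.0.1 among the reachable router addresses, which matches what the poster observed; PRIVATE stays reported in both runs because it has no pair to `self` either.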
-
Cisco 877W router and external ADSL modem
In order to support ADSL2+ on a pre-ADSL2+ router and in preparation for a later migration to BT Infinity I am trying to configure the router using an external ADSL2+ modem appropriately.
The original configuration had 3 ports configured as one (internal LAN) VLAN and bridge group together with one wireless sub-interface, and the remaining port configured as a second VLAN and bridge group with a second wireless sub-interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
The configuration I am attempting is similar: the LAN ports remain the same, but with port 0 as a member of the VLAN and bridge group (now a PPPoE client) associated with one of the wireless sub-interfaces as per above. The ATM interface is downed. This nearly works except that if the wireless sub-interface on this bridge group is configured the dialer no longer dials, giving a 'no dialer string' error. If I do not configure that wireless sub-interface all works well.
If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless sub-interface (in red).
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxxxxxxxxxxxxxxxxxxxx
boot-start-marker
boot-end-marker
logging buffered 4096 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa group server radius sdm-vpn-server-group-2
aaa group server radius rad_eap
server 192.168.253.1 auth-port 1812 acct-port 1813
server 192.168.253.1 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_2 local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2834265337
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2834265337
revocation-check none
rsakeypair TP-self-signed-2834265337
crypto pki certificate chain TP-self-signed-2834265337
certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
dot11 syslog
dot11 ssid GuestAP
vlan 101
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 113B162712001F4A2D2B25
dot11 ssid LanAP
vlan 100
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
mbssid guest-mode
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.252.1 192.168.252.8
ip dhcp excluded-address 192.168.252.15 192.168.252.254
ip dhcp pool sdm-pool1
import all
network 192.168.252.0 255.255.255.0
domain-name XXX.Local
dns-server xxx.xxx.xxx.xxx
default-router 192.168.252.254
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name XXX.Local
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip reflexive-list timeout 120
vpdn enable
vpdn-group 1
request-dialin
protocol pppoe
username administrator privilege 15 secret 5 £££££££££££££££££££££
class-map type inspect match-any IN_to_OUT_CLASS
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any OUT_to_IN_CLASS
match protocol https
match protocol smtp extended
class-map type inspect match-any DMZ_to_IN_CLASS
match protocol http
match protocol https
match protocol smtp extended
policy-map type inspect DMZ_to_IN_POL
class type inspect DMZ_to_IN_CLASS
inspect
class class-default
drop log
policy-map type inspect IN_to_OUT_POL
class type inspect IN_to_OUT_CLASS
inspect
class class-default
drop log
policy-map type inspect OUT_to_IN_POL
class type inspect OUT_to_IN_CLASS
inspect
class class-default
drop log
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
service-policy type inspect OUT_to_IN_POL
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
service-policy type inspect IN_to_OUT_POL
zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
service-policy type inspect IN_to_OUT_POL
zone-pair security DMZ_TO_IN source DMZ destination INSIDE
service-policy type inspect DMZ_to_IN_POL
bridge irb
interface Loopback0
no ip address
interface Null0
no ip unreachables
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
interface FastEthernet0
description Outside Interface (PPPoE)
interface FastEthernet1
description Inside Interface
switchport access vlan 10
interface FastEthernet2
description Inside Interface
switchport access vlan 10
spanning-tree portfast
interface FastEthernet3
description Inside Interface
switchport access vlan 10
spanning-tree portfast
interface Dot11Radio0
no ip address
no ip route-cache cef
no ip route-cache
encryption vlan 100 mode ciphers aes-ccm tkip
encryption vlan 101 mode ciphers aes-ccm tkip
ssid GuestAP
ssid LanAP
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
interface Dot11Radio0.100
description LanAP
encapsulation dot1Q 100
no ip route-cache
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!interface Dot11Radio0.101
! description GuestAP
! encapsulation dot1Q 101
! no ip route-cache
! no cdp enable
! bridge-group 1
! bridge-group 1 subscriber-loop-control
! bridge-group 1 spanning-disabled
! bridge-group 1 block-unknown-source
! no bridge-group 1 source-learning
! no bridge-group 1 unicast-flooding
interface Vlan1
description $ES_LAN$
no ip address
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 1
interface Vlan10
no ip address
ip virtual-reassembly
bridge-group 10
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security OUTSIDE
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXX
ppp chap password 7 xxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
interface Dialer0
no ip address
interface BVI10
description Inside Interface
ip address 192.168.253.254 255.255.255.0
ip access-group 101 in
ip helper-address 192.168.253.1
ip nat inside
ip virtual-reassembly
zone-member security INSIDE
interface BVI1
description DMZ Interface
ip address 192.168.252.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security DMZ
ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
ip access-list extended DMZ_to_IN_POL
remark SDM_ACL Category=128
permit ip any any
ip access-list extended Inside_Clients_NAT
remark SDM_ACL Category=2
permit ip 192.168.253.0 0.0.0.255 any
logging 192.168.253.10
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.253.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.253.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
access-list 101 deny tcp any host 192.168.253.254 eq telnet
access-list 101 deny tcp any host 192.168.253.254 eq 22
access-list 101 deny tcp any host 192.168.253.254 eq www
access-list 101 deny tcp any host 192.168.253.254 eq 443
access-list 101 deny tcp any host 192.168.253.254 eq cmd
access-list 101 deny udp any host 192.168.253.254 eq snmp
access-list 101 permit ip any any
access-list 199 permit ip any host 10.1.1.1
dialer-list 1 protocol ip permit
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
radius-server vsa send accounting
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
banner login C Border Router
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 100 in
privilege level 15
length 0
transport input telnet ssh
scheduler max-task-time 5000
scheduler interval 500
ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
sntp server xxx.xxx.xxx.xxx
end
Hi Jody,
Apologies for the delay in replying. I have done the following:
Made two of the FE ports vlan1, BVI1 (for LAN traffic)
Left one port as VLAN10 as the pppoe client connected to the external modem
Made the last port VLAN10 as well and gave it an IP address as for a DMZ client.
I have DHCP configured to serve the DMZ addresses.
This all works for LAN clients and also works for a client attached to that physical DMZ port.
When I added a dot11radio sub-interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
I had never thought about this before, but if a dot11radio interface is on the same vlan (but not being part of a bridge group) why are DHCP broadcasts not propagating to all the vlan members as I would have expected? I recognise that this is a limit in my understanding.
If I then made VLAN10 a member of a new Bridge Group, I lost WAN connectivity as per the original posting.
I cannot add another VLAN due to the 2 vlan limit in this image.
Finally, regarding your comment about giving it what it wants, what exactly did you have in mind? The dialer already has dial string parameters configured.
Think I am about to give up on this.
Regards,
-
Hi,
I have another problem - after upgrading IOS the wireless connection does not work.
After reload I have:
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
STP: Unable to get the port parameters.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
SETUP: new interface NVI0 placed in "shutdown" state
My old configuration works properly in the old software, but after the update I have the notification.
Old thread:
https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
My current sh run:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname cisco
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s.
aaa new-model
aaa session-id common
dot11 syslog
dot11 ssid ciscowifi
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 050D031D26595D0617
dot11 wpa handshake timeout 500
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.56.1
ip dhcp pool CLIENT
import all
network 192.168.56.0 255.255.255.0
default-router 192.168.56.1
dns-server 8.8.8.8 194.204.159.1 194.204.152.34
lease 0 2
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
username marek password 7 00121A0908500A
archive
log config
hidekeys
ip tcp path-mtu-discovery
bridge irb
interface ATM0
description Polaczenie ADSL do ISP$ES_WAN$
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
hold-queue 224 in
interface FastEthernet0
description Edzia
interface FastEthernet1
description dom
interface FastEthernet2
description Dziadek
interface FastEthernet3
interface Dot11Radio0
no ip address
no ip redirects
ip local-proxy-arp
ip nat inside
ip virtual-reassembly
no dot11 extension aironet
encryption vlan 1 mode ciphers tkip
encryption mode ciphers aes-ccm tkip
broadcast-key change 3600
ssid ciscowifi
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country AU indoor
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
description ciscowifi
encapsulation dot1Q 1 native
no cdp enable
interface Vlan1
no ip address
bridge-group 1
interface Dialer0
description Interfejs dzwoniacy
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
interface BVI1
description Polaczenie dla sieci LAN
ip address 192.168.56.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22
logging trap debugging
logging 192.168.56.10
access-list 100 permit ip 192.168.56.0 0.0.0.255 any
access-list 100 deny ip any any
no cdp run
snmp-server community ciskacz RO
snmp-server chassis-id ciskacz
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input ssh
scheduler max-task-time 5000
end
please help - thanks!
Hello Marek,
I suppose you are not planning to do any kind of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to VLAN 1. This means in particular (follow these steps in sequence):
1. Remove the Dot11Radio0.1 subinterface entirely
2. In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
3. In the dot11 ssid ciscowifi section, remove the vlan 1 command
After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
Best regards,
Peter
-
Hello,
I configured the wireless connectivity on my Cisco 877W router, but the interface Virtual-Dot11Radio0.10 status is Down Down even though Dot11Radio0.10 is UP UP.
Here is my interface config :
interface Dot11Radio0
no ip address
encryption vlan 10 mode ciphers tkip
ssid ******
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 *******
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
infrastructure-client
interface Dot11Radio0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1392
no snmp trap link-status
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
What am I doing wrong or missing?
Thanks for your help,
Mehdi
Remove and reconfigure the interface. If this doesn't work, shut the interface and bring up the interface again.
-
Configuring wireless on cisco 877w router
Hi all
I have a Cisco 877W wireless/ADSL router and having great difficulty with configuring wireless on this router. Here is a quick summary.
1. The ADSL is configured to obtain public IP from the ISP
2. Default interface vlan 1 is configured with an IP address
3. I went into vlan database, tried to configure multi vlans and the router prompted me that it can only have max 2 vlans. Hence what's the use of up to 16 different SSID using wireless?
4. I've setup DHCP scope on the router to give out IP address to clients (both wireless and wired)
5. I'm able to configure WPA-PSK on the router and was able to connect wirelessly to the router but I won't be able to obtain an IP address from the router
6. There are two scenarios that I'd like to do:
A. Setup wireless to connect to the same subnet as what's on vlan1
B. Setup wireless to connect to a different subnet to vlan1
For the life of me, I could not find docs on the Cisco web site that show me how to do exactly this. I found some documents that use interface F0 as a trunk port and treat the interface Dot11Radio0 with sub-interfaces. I don't connect this router to a switch (standalone router) so how can I do this? Please point me to some docs.
Thanks in advance for your help.
My configuration works for wireless no authentication, but failed for WPA-PSK:
ip dhcp excluded-address 172.16.250.1
ip dhcp pool TEST
import all
network 172.16.250.0 255.255.255.0
default-router 172.16.250.1
bridge irb
interface FastEthernet4
description $ES_WAN$
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface Dot11Radio0
no ip address
ssid 111
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 Cisco1234
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.250.1 255.255.255.0
ip nat inside
ip virtual-reassembly
After I configured the same wpa-psk key on the XP computer using windows zero configuration and tried to connect to the wireless work, I got the following errors on the router:
*Mar 1 03:00:51.623: *** Not encrypted dot1x packet from 000c.f123.25cf has been discarded
*Mar 1 03:00:52.623: %DOT11-7-AUTH_FAILED: Station 000c.f123.25cf Authentication failed
What could be wrong? Thanks!
-
Wireless configuration on 877W router - STUCK
Hi all
I have a Cisco 877W router running IOS v 12.4(15)T3. I have been trying to configure wireless to run WPA-PSK and am stuck at the final stage. I spent a lot of time configuring the router using the CLI but ended up using the Web GUI interface. I was able to configure the wireless settings (I think) but failed when connecting to the router from WinXP-SP2 and was wondering if you have any suggestion for me. I've run the following debugs on the router:
VNRouter#sho debug
DHCP server event debugging is on.
dot11:
802.1X module WPA/WPA-PSK/CCKM key management debugging is on
dot11 Syslog debugging is on
Below is the error message when connecting wirelessly
*Mar 4 18:46:25.655: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
VNRouter#
*Mar 4 18:46:25.659: %DOT11-6-ASSOC: Interface Dot11Radio0, Station VNRouter 001b.771a.dbad Associated SSID[VN-WiLess1] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
VNRouter#
*Mar 4 18:47:25.571: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
*Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
*Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
*Mar 4 18:47:25.579: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded.
I've created two VLANs (and tied these two VLANs to 2 separate SSIDs) on this router for a reason and so far have not been able to connect to any of them (SSID). I've also attached the config so you can have a look. Thanks in advance for your help.
The configuration looks fine. In most cases, connectivity issues with WPA-PSK are due to a mismatch in the PSK on the client and the AP. Try re-entering the PSK key on both the router and the client and check if you are seeing any issues.
-
Apple TV does not work with 877W
Hi all,
I am using an 877W as my DSL router and trying to use Apple TV or other Apple Bonjour services over wireless. It is simply not working although I tried several IGMP configurations. I've seen some references to 877W issues but they were all about bridging between wired and wireless. In my case though everything is on wireless (PC with iTunes, Apple TV and an iPhone to be more specific). I wanted to ask once more as I've also seen references to people having this setup working OK.
interface Dot11Radio0
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
load-interval 30
encryption mode ciphers aes-ccm
ssid Princes
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2472
station-role root
end
I tried with IGMP snooping on and off with no luck; it also didn't help to add 239.0.0.0 as a static group to the interface.
If you have apple stuff working on your 8xxW environment I appreciate if you can share your configuration, any other ideas are more than welcome.
Many thanks,
Cagri
Hi Cagri,
Hope you've found an answer to your problem already, if not I had similar issues trying to get mine to work.
I did manage to get it to work in the end, I've added an article to my blog which goes over what I had to do to get it working.
Basically, configured correct multicast-routing groups, IGMP v3, pim dense-mode on both the radio and BVI interfaces and it started working.
http://www.thehelpdesk.co.nz/2012/01/how-to-use-apple-tv-with-cisco-877w.html
Cheers,
Sully.
-
Cisco 877w - Apple devices not able to see wired apple TV
Hello All,
Can anyone point me to a doc or forum discussion on how to set up the wireless interface to forward multicast packets? Basically I can't get the iPads etc. to see the AppleTV to control it. I connected an AP and it works fine, so it's got to be something with the way the router handles the packets from the integrated wireless interface. I've been searching the forum for about 1hr and haven't found anything other than a brief mention of broadcast forwarding and multicast setup.
Has anyone got anything more comprehensive I can read?
Thanks
David
Hello David,
Thank you for contacting the Sales Acceleration Center (SAC) regarding your recent inquiry, Case Number
Case Description:
Cisco 877w - Apple devices not able to see wired apple TV
Case Solution:
The Bonjour service uses multicast to advertise your Home Sharing enabled device to the local network. In my case the Cisco 877W I was using had a Layer 3 enabled BVI (Bridged Virtual Interface) to which the wireless Dot11Radio interface was not forwarding multicast packets properly.
First of all, obtain the Multicast groups your wireless adapter is configured for (on Windows open a command prompt and run the below command):
The result will give you an output as per below, we are interested in the multicast address directly after the 224.0.0.252 address 239.255.255.250:
Then we need to enable multicast routing on the router, connect to your router and enter config terminal mode:
Next we will configure IGMP v3 and add the relevant Wireless interface on your router to the correct multicast address group:
Next perform the same config on your BVI interface:
Once complete save your changes and confirm both interfaces have been added to the multicast groups using the command sh ip igmp group:
You now need to reload your router and restart iTunes and then attempt to connect to Home Sharing from your Apple TV.
Other commands that I used to troubleshoot with were:
debug ip mpacket - Multicast Packet Debugging
debug ip mroute - Debug Multicast Routing
sh ip mroute - Show IP Multicast Routes
By default the Cisco implementation of a Dot11Radio interface and a BVI interface don't appear to forward multicast packets between each other. Seems odd to me as they're both in the same L2 bridging group..anyway.
I am going to close the case for this specific inquiry on my side. If you need more information, please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We strive to provide you with excellent service. We value your input and look forward to serving you moving forward.
-
How to run a cable internet on 877W router, please help.
Hello everyone!
I have made many variants of IOS configuration but nothing seem to work yet and finally I need someone to tell me if this is possible at all.
I was using 877W when I was registered to my ISP as a DSL user, everything was perfect. Now I'm using a cable internet and I just can't believe this device can't handle it. I'm trying to get it done for months with one result - network loop (I guess). Don't want to give up.
Situation is as following:
Because 877W doesn't have a routable port, I'm using a VLAN and a Bridge interface to assign an IP address from ISP.
ISP -> FE0 switchport -> VLAN 1 - BVI 1 (BVI with mac address set so ISP will give it IP from their DHCP)
interface FastEthernet0
interface Vlan1
no ip address
no ip redirects
ip virtual-reassembly
no autostate
bridge-group 1
interface BVI1
mac-address ####.####.####
ip address dhcp
ip nat outside
ip virtual-reassembly
With this configuration, internet works for a while, then it drops and I have to restart the BVI 1 interface to bring internet back again.
If I add this command in the main config:
no spanning-tree vlan 1
Internet will never drop but it will become very slow, from say 35Mbps to 1-5Mbps.
I think that I need somehow to force my ISP switch to "think" that my FE0 switchport is not a switchport but a single host.
Guys, I need your help!
http://download.oracle.com/otn_hosted_doc/forms/forms/A73071_01.pdf
Good luck...
Sim
-
How does one avoid co-channel interference on dot11a solutions in EMEA ?
When deploying wireless access points on dot11b/g, co-channel interference can be minimized by appropriate manual choice of channel numbers across the physical site.
In the US, the same methodology applies for dot11a solutions, where manual frequency selection for an AP is an option.
However, Here in EMEA, with compulsory DFS for dot11a, there appears to be no manual control at all on channel selection.
The default behaviour as I understand it - is for an AP to pick a random channel during interface initialization, and then if no radar detected, continue to use that channel.
(This has hit us on one solution, where four APs in neighbouring rooms at a client site selected the same channel on startup - causing significant co-channel interference!)
So how does one avoid co-channel interference on dot11a solutions in EMEA ?
Do wireless LAN controllers (with thin APs) have an option to preselect dot11a channels before the DFS listen check ? (Rather than just a random choice)
The IDEAL solution, would be for Cisco to add the following option to its IOS syntax :-
Interface dot11radio1
Dfs band 2 3 4 block
Channel 36 preferred
Adding a preferred keyword option would allow co-channel interference to be avoided by design, whilst still allowing a DFS check to prevent wireless interference.
If I wanted to pursue the inclusion of this new option into AP IOS, what would be the best method in tackling this?
I don't have an answer for you but I do have a question. I have been researching the issue of which channels in the 2.4 band are permitted according to law in the various countries in Europe. We have offices in Germany, France, Spain, Netherlands and England and I was wondering which channels we are permitted to use. Do you know or could you point me to a document I could read?
-
%DOT11-7-AUTH_FAILED: %DOT11-6-DISASSOC:
Hello again,
Thought this issue was fixed yesterday after finding out my printer was the MAC address flashing up on the log, however it seems that every device is playing up.
Thanks
James
These are my wireless devices,
APPLE IPHONE 6809.2780.219a
DELL LAPTOP 0026.c7e2.68be
HTC PHONE bccf.cca7.43ea
LG TV 9444.4434.d43c
HP LAPTOP 001f.3c83.bd9e
PRINTER 0080.927b.0edb
SONY ERICSSON b8f9.3410.9524
PLAYSTATION 3 280d.fcec.27c4
The log....
*Aug 28 21:05:35.845: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 280d.fcec.27c4 Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:06:32.913: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 280d.fcec.27c4 Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:06:37.321: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 280d.fcec.27c4 Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:07:49.533: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.2780.219a Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:09:37.537: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:09:41.117: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Reassociated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:11:47.057: %DOT11-7-AUTH_FAILED: Station 6809.2780.219a Authentication failed
*Aug 28 21:11:49.413: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 6809.2780.219a Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:11:55.321: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.2780.219a Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:19:21.612: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:19:25.176: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:19:39.324: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:23:54.664: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:23:59.212: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:24:07.756: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Reassociated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:26:06.168: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
*Aug 28 21:28:33.444: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:37:08.112: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
*Aug 28 21:42:36.712: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:42:41.080: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:42:46.828: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:43:20.296: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:43:20.300: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:43:25.808: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
This is my running config....
CORE#sh run
Building configuration...
Current configuration : 6692 bytes
! Last configuration change at 21:37:08 UTC Wed Aug 28 2013 by James
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname CORE
boot-start-marker
boot-end-marker
logging buffered 64000
no aaa new-model
dot11 syslog
dot11 ssid THE MATRIX
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid
wpa-psk ascii 7 xxxxx
ip source-route
ip cef
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.61 192.168.0.254
ip dhcp excluded-address 172.0.0.1 172.0.0.10
ip dhcp pool LAN_Addresses
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
default-router 192.168.0.1
lease 5
ip dhcp pool THE MATRIX
import all
network 172.0.0.0 255.255.255.0
default-router 172.0.0.1
dns-server 8.8.8.8 4.2.2.2
lease 5
no ip domain lookup
ip domain name firewire2013
ip name-server 4.2.2.2
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3845826623
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3845826623
revocation-check none
crypto pki certificate chain TP-self-signed-3845826623
certificate self-signed 01
quit
license udi pid CISCO2811 sn FCZ09237316
username James privilege 15 secret 5 xxxxxxxxxxxxxxxxx
redundancy
class-map type inspect match-any sdm-cls-insp-traffic
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 102
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
interface FastEthernet0/0
description CONNECTION TO MODEM>ISP$ETH-WAN$
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
no cdp enable
interface FastEthernet0/1
description CONNECTION TO LAB
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex full
speed 100
interface Dot11Radio0/2/0
description WLAN TO MOBILE USERS
ip address 172.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
encryption mode ciphers tkip
ssid THE MATRIX
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface FastEthernet0/0/0
description CONNECTION TO CORE PC
no ip address
interface FastEthernet0/0/1
description CONNECTION TO PS3
no ip address
interface FastEthernet0/0/2
description CONNECTION TO ACCESS SERVER
no ip address
interface FastEthernet0/0/3
no ip address
interface Vlan1
description MANAGEMENT INTERFACE
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
router eigrp 10
network 192.168.0.0 0.0.255.255
redistribute static
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.0.0.0 0.0.0.255
access-list 70 remark THIS WILL DENY HOST FROM TELNETTING TO R1
access-list 70 deny 192.168.10.50
access-list 70 permit any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.0.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 172.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
control-plane
mgcp profile default
alias exec s show ip interface brief
alias exec rc show running-config
alias exec r show ip route
alias exec v show version
banner motd ^CCCC
###DO NOT LOG ON AUTHORIZED PERSONNEL ONLY####
^C
line con 0
exec-timeout 100 0
password 7 xxxxxx
logging synchronous
login
line aux 0
exec-timeout 30 0
password 7 xxxxxx
logging synchronous
login
line vty 0 4
access-class 70 in
exec-timeout 100 0
privilege level 15
password 7 xxxxxxx
logging synchronous
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
Tried that and it's still the same. All the devices are playing up.
Could the hardware be toast?
*Aug 30 18:23:43.762: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
*Aug 30 18:23:49.326: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 30 18:24:03.778: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
--More--
*Aug 30 18:31:52.314: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station bccf.cca7.43ea Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:04.478: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:32:09.114: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:18.710: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Previous authentication no longer valid SSID[THE MATRIX]
CORE#
*Aug 30 18:32:20.230: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
CORE#
*Aug 30 18:32:26.070: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:34.058: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:32:47.258: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
CORE#
*Aug 30 18:32:47.678: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:33:12.146: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:33:32.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:34.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:39.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:44.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:46.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:48.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:53.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:34:10.206: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Prev
ious authentication no longer valid SSID[THE MATRIX]
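For triaging logs like the ones in this thread, the following is an added example (not code from any poster or from Cisco) that tallies %DOT11 association, deauthentication and authentication-failure messages per station and reports whether failures are confined to one client or spread across many. The sample log is constructed with documentation-range MAC addresses; the 10-second window, the thresholds and the assumed year are illustrative choices, and the parser expects one unwrapped message per line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the three %DOT11 messages seen in the thread; other syslog lines are ignored.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+):\s+"
    r"%DOT11-\d-(?P<event>ASSOC|DISASSOC|AUTH_FAILED):\s+(?P<rest>.*)$"
)
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
REASON_RE = re.compile(r"Reason:\s+(?P<reason>.*?)\s+SSID\[")
INVALIDATED = "Previous authentication no longer valid"

# Constructed sample in the same message format (MACs and names are not from the page).
SAMPLE_LOG = """\
*Aug 28 21:05:35.845: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station LAPTOP 0000.5e00.5301 Associated SSID[LAB] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:07:49.533: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0000.5e00.5302 Reason: Previous authentication no longer valid SSID[LAB]
*Aug 28 21:07:53.057: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5302 Authentication failed
*Aug 28 21:07:58.413: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0000.5e00.5302 Associated SSID[LAB] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:09:37.537: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0000.5e00.5303 Reason: Previous authentication no longer valid SSID[LAB]
*Aug 28 21:09:41.176: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5303 Authentication failed
*Aug 28 21:19:21.612: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0000.5e00.5303 Reason: Previous authentication no longer valid SSID[LAB]
*Aug 28 21:19:25.176: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5303 Authentication failed
*Aug 28 21:26:06.168: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.0.2.10)
*Aug 28 21:28:33.444: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0000.5e00.5301 Reason: Sending station has left the BSS SSID[LAB]
"""

def parse_events(text, year=2013):
    """Return (time, event, mac, reason) tuples; IOS omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        mac = MAC_RE.search(m["rest"]) if m else None
        if not mac:
            continue
        stamp = " ".join(m["ts"].split())  # normalise "Mar  4" style padding
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
        reason = REASON_RE.search(m["rest"])
        events.append((when, m["event"], mac.group(0).lower(),
                       reason["reason"] if reason else None))
    return events

def summarize(events, window_s=10.0):
    """Per-station counters, including AUTH_FAILED seen soon after the AP invalidated the session."""
    stats = defaultdict(lambda: {"assoc": 0, "disassoc": 0, "auth_failed": 0,
                                 "failed_after_invalidation": 0})
    last_invalidated = {}
    for when, event, mac, reason in sorted(events, key=lambda e: e[0]):
        s = stats[mac]
        if event == "ASSOC":
            s["assoc"] += 1
        elif event == "DISASSOC":
            s["disassoc"] += 1
            if reason == INVALIDATED:
                last_invalidated[mac] = when
        else:  # AUTH_FAILED
            s["auth_failed"] += 1
            prev = last_invalidated.pop(mac, None)
            if prev is not None and (when - prev).total_seconds() <= window_s:
                s["failed_after_invalidation"] += 1
    return dict(stats)

def triage(stats, min_failures=1, spread=0.5):
    """Heuristic: failures on at least two stations and half of all stations seen
    suggest an AP-side cause rather than one client with a wrong key."""
    failing = sorted(m for m, s in stats.items() if s["auth_failed"] >= min_failures)
    if not failing:
        return "no-auth-failures", failing
    if len(failing) >= 2 and len(failing) / len(stats) >= spread:
        return "many-stations-failing", failing
    return "isolated-stations", failing

if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for mac, counters in sorted(summary.items()):
        print(mac, counters)
    print(triage(summary))
```
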