WLC 5508 WPA Authentication Problems

Hello,
We have a WLC 5508 with 7.4.100.0 Firmware.
We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
The strange thing is that the problem is solved restarting the Access-points.
Anyone had this problem previusly?
Thanks in advance.

I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
Cisco Recommended  and not recommended Authentication Settings
Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
These images provide examples of incompatible settings for TKIP and AES:
Note: Be aware that security settings permit unsupported features.
These images provide examples of compatible settings:

Similar Messages

  • WLC 5508 Local Authentication- need guidance

    Hi formers'
    i have the combo of WLC 5508 (ver 7.0) and AP1041n, just want to ask how i can do local authentication.
    The environment don't have ACS, no directory services ( AD or LDAP).
    Requirement:
    say, i have one WLAN name "admin". Where-ever if user want to connect to this SSID, they need to prompt username/password,
    user's entry is store at WLC.
    i create the user at local net user, and map it to appropirate WLAN.
    at the WLAN, i enable local EAP and select the profile that i create.
    PROBLEM STATEMENT:
    The moment i test, it always prompt to input  EAP-TTLS domain\usename. password (token)
    Question
    a. any goes wrong with my setting? how really local authentication work with no ACS and directory services running at the back?
    b. can please post any useful document URL or any supportive info, it will be very helpful
    Thanks
    Noel

    Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
    You could also follow the WLC config guide in the "Local eap" chapter.
    The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with peap/eap-fast

  • WLC 5508 - wlan stability problems

    Hi.
    I have a WLC 5508 with half a dozen LAPs (AIR-CAP3502I-E-K9).
    They have been working but sometimes clients detect conectivity problems with the wlan.
    Here is the message log I can obtain from the controller:
    Nov 09 12:16:31.886: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32Previous message occurred 7 times.Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*apfReceiveTask: Nov 09 11:51:30.788: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *spamApTask2: Nov 09 11:51:20.144: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.23.1.118*dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67*apfReceiveTask: Nov 09 11:50:40.672: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:38.625: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:35.531: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:31.068: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:29.257: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:28.707: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    Can somebody help me to understand these messages?
    1)
    *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    2)
    Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
    3)
    *dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67
    Thanks

    1)
    *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    //APs are rebooting. don't panic, check the up time of AP. This message seen when AP rebooted/freshly joined and waiting for wlc to assign channel.
    2)
    Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
    //It is cosmetic and can be ignored.
    3)
    *dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32
    //Keys M1-M5 used for wireless auth, here client having struggle completing the auth process.
    get output of, WLC>debug client

  • WLC/LDAP/WPA authentication solution

    Hi Experts,
    I have Cisco WLC 4404 with 100 LWAP access points. Currently I am using shared WEP authentication. I like to migrate it WPA. I want the clients to have authenticated using Individual username / password to get into the network. I am using LDAP for username password repository. I also have Cisco ACS (AAA) server kept unused.
    I think it can be achieved using
    1. web authentication configured in WLC itself. But i donot want this as WLC may be loaded unnecessarily. Is this correct.
    2. Another option I read is 802.1x authentication with WPA. Since I am integrating with LDAP, I also learned that only EAP-FAST can be used.
    The question is, whether windows XP supports EAP-FAST client by default (I didn't the option in win XP). Or otherwise should i load a third party clients in all the client laptops. Whether cisco aironet client is free to download and use?
    Kindly help me
    THANKS IN ADVANCE
    sairam

    Let me list your requirements, to better define them:
    1) Clients must log in (each time?) with their username and password
    2) You don't have, and don't want to implement, a certificate server
    3) You are using a non-Windows AD LDAP directory for user authentication
    4) You have a Cisco ACS (version ?) that you can use for RADIUS, to interact between the client and the LDAP server
    5) You want to avoid web authentication if you can, because of concerns about overloading the WLC.
    One thing - what is your supplicant? Are these standard Windows XP, SP2 machines? Also, what are your encryption requirements? Web authentication provides no encryption for the data after authentication.
    And, without a certificate on at least the ACS server (plus appropriate Certificate Authority server), you're out of luck for EAP.
    EAP-FAST generally requires a certificate on the server side (if you want it to be at least somewhat secure). And, it requires a Cisco supplicant, such as the Aironet Desktop Utility with the Cisco CB21AG PCMCIA card (or can potentially use the EAPHost supplicant in Windows Vista.)
    If you don't need encryption, go with web authentication. The WLC should not have a problem handling the requests (how many simultaneous logins are you looking at?) If you do need encryption, you are going to need some additional components, whether supplicants or a certificate server.

  • Wlc 5508 radius authentication fail

    I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
    so settings are:
    Layer Wlan settings:
    Layer 2 security:WPA+WPA2
    AES
    Auth Key mgmt:802.1x
    We have the authentication server enabled:
    Ip an port are correct
    AAA overide not enabled
    Order for authentication, radius only
    Advanced: dafault settings
    Radius authentication servers:
    Call Station ID Type: IP address
    MAC Delimiter: Colon
    Network User
    Management
    Server Index
    Server Address
    Port
    IPSec
    Admin Status
    Server Index
    Server Address
    Shared Secret Format
                     ASCII                 Hex              
    Shared Secret
    Confirm Shared Secret
    Key Wrap
      (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
    Port Number
    Server Status
                     Enabled                  Disabled              
    Support for RFC 3576
                     Enabled                  Disabled              
    Server Timeout
      seconds
    Network User
    Enable
    Management
    Enable
    IPSec
    Enable
    *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
    *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    Radius server occasionally sees attempts from user "XXZZYY"

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • WLC 5508 AD authentication for management

    Hi,
    I was wondering if it is possible to set up a 5508 to authenticate to AD for management.  Currently, all of our Cisco devices authenticate to AD through NPS running on a windows 2008 server and if the server is unavailable, they failover to local authentication.  I'd like to do this on our new controller but I can't seem to find the correct info on how to do this, if it can.  All my searches result in instructions on how to authenticate wireless users.
    Thanks

    Yes, you can via NPS (Radius) which then ties into AD. Here is a Cisco exmaple document:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
    I hope this helps...

  • WLC 5508 WLAN SSID Problem

    Hi,
    I recently got a 5508 controller. I use 1 SSID for the employees on the main site (using certificate authentication). On the Remote sites I want to use the same SSID with different DHCP Servers (AP are configuring with HREAP mode). So I tried to configure different WLAN ID using the same SSID (I override DHCP Server IP Address). When I try to activate SSID, I got the following error : "WLAN with duplicate SSID's and L2 security policy found". I tryed to use "AP Group" and put the different WLAN ID in different AP Group but it dosen't work.
    Anyone as an idea?
    Thanks in advance
    Regards,
    Eric

    Hi,
    This is the expected behaviour!! and there is no way to overcome issue as the error thats popping up is self explanatory!! if you are using Internal WEB AUTH page then the HREAP local switching supports the internal WEB AUTH, and another thing is.. a single WLAN will do the Job!! You just need to configure Local switching on the WLAN so that, the clients in the central site use ( AP in local mode will use central side DHCP) and the AP in the HREAP will use the mapped VLAN to grab the IP!!
    here is the link to do the same!!
    http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#webauth
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
    Lemme know if htis answered ur question and please dont forget to rate the usefull posts!!
    Regards
    Surendra

  • Wlc 5508 invalid ipad mac address

    Hello,
    Help me pls,
    While configuring mac address filter on a WLC 5508 there is problem with mac address beginning with 77:....
    I cant add it to WLC mac filter.
    Thanks in advance

    If you are using dot1x then no, the mac address is sent since the client does not receive an ip address till authetication succeeds.
    Sent from Cisco Technical Support Android App

  • WLC 5508 Problem with #DOT1X-3-INVALID_REPLAY_CTR

    Hi all,
    I have WLC 5508 with version 7.4.110.0 and with 13 AccessPoints.So 12 of this AP are  AIR-LAP1142N-E-K9 and 1 is AIR-CAP3602I-E-K9.
    Logs of my WLC are:
    *Dot1x_NW_MsgTask_1: Jan 11 01:15:05.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 90:c1:15:c6:c3:49 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 01:09:41.015: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 5c:0a:5b:c1:16:34 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.269: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.648: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 24:77:03:67:01:48 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_5: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:da:c1:cd - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_2: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client cc:78:5f:29:cc:82 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_4: Jan 11 01:03:31.633: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 08:11:96:55:81:c4 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.631: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 84:3a:4b:56:36:50 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 01:03:31.630: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:e2:d4:91 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 00:59:52.593: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client a0:88:b4:60:20:f8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *apfRogueTask_3: Jan 11 00:59:32.168: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 2, Requested containment level 4
    *apfRogueTask_3: Jan 11 00:58:38.635: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 1, Requested containment level 4
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.885: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.883: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 02
    *dot1xMsgTask: Jan 11 00:49:05.842: #DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:618 Client c8:e0:eb:19:2a:97 may be using an incorrect PSK
    *apfRogueTask_3: Jan 11 00:40:42.576: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 3, Requested containment level 4
    *Dot1x_NW_MsgTask_3: Jan 11 00:40:17.471: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:43:8f:f1:8c:8b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 00:40:03.368: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client f0:d1:a9:8e:1a:dc - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 00:39:30.528: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:d8:84:09 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    I already go to this link to check the Description of errors-
    http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html#wp1000139
    Appreciate all feedback. Thank you.

    Hi Ruben,
    a) After successful dot1x authentication, session keys are derived from pairwise master key.
    b) When the AP transmits a key to a station by default, it expects a response back within a set timeframe.
    c) If the station does not respond, the AP increments the counter and retransmits the key.
    d) If the AP receives a response to first message just after the retransmission of the key, a mismatch occurs in the counter.
    This in most of the cases will be a client driver problem.
    Solution :
    1) try to increase the EAPOL-Key Timeout ( config advanced eap ).
    2) Upgrade the client driver.
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • SNMP web authenticated users wlc 5508

    Hello everyone,
    I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
    I am using an external web server and my client are authenticated with ldap.
    I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
    Can anyone help me ?
    Thanks a lot for your answers.

    Hello Julien,
    Thank you for the info. +5 for solving your own problem.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • WLC 5508 HA Problem Soft.ver 7.4.100

    Dear Support,
    we are using two WLC 5508 software ver.7.4.100 with first 50AP license and in the next day we add 50AP license again to the primary WLC. when we activate HA base in the following guiden http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html but when we doing test the failover we found a couple log message on the Secondary WLC like below and not for long time all AP on the Secondary WLC was drop off. 
    1. DP Critical Error
    2. *RRM-DCLNT-2_4: May 23 07:43:53.204: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
    *RRM-DCLNT-2_4: May 23 07:43:53.164: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
    *RRM-DCLNT-2_4: May 23 07:43:52.854: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:2c:36:f8:72:fc:c0,Key SlotId:0
    I also send a complete log for both problem above and enclose it with pdf file. need you advice and assistance,
    regard, afriansyah

    I agree go to version 7.4.121.0 I has some strange issues on prior releases. Personally I am running 7.6.120.0 right now but that's mainly due to support for the 3702 access points.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#pgfId-74573
    that's a good guide just to double check yourself just in case. -

  • Upgrade WLC 5508 to 7.4.121.0 problem

    After I upgraded WLC 5508 from 7.2.111.3 to 7.4.121.0, all 3602i APs don't associate with the controller.  All APs were working/associating with controller on 7.2.111.3 at same setting.  IP address of APs are setup as DHCP.
    The error message is "AP couldn't get IP address".   
    Any one has this type of problem when you upgrade WLC 5508 from 7.2.111.3 to 7.4.121.0.
    Thanks,

    Hi,
    This doesn't look like software issue.
    You have to check why the APs are not able to get ip address. Try connecting a PC to a swtich port where one of these APs are connected and see if you are able to get IP on PC.
    Also check if the DHCP server is reachable and if there are IP address in the pool assigned for APs.
    HTH,
    Thanks & Regards,
    Ishant
    *** Please rate the post if you find it useful ***

  • Wlc 5508: windows 8 can't connect using wpa+wpa2

    Dear All,
    I need your help.
    My customer have Cisco WLC 5508 (cisco wlc 7.0.116.0) .
    We create ssid with layer 2 security wpa+wpa2.
    Using Windows 8, it's can't connect to the wireless lan.
    But if I change, the ssid, with layer 2 security wep.
    It can connect / connected.
    Please help.
    Thanks,
    Jerri

    This is a known issue with Windows 8.  You need to upgrade your firmware to 7.0.250.X for wireless clients running Win8. 
    Another thing, choose one:  Either WPA or WPA2.  Don't enable one and "hope" the wireless client will make the choice because most of the time, they won't.

  • WLC 5508, DHCP Problem after Update Cisco ASA(DHCP-Server)

    Hello,
    our Problem is, our Apple Devices get no ip adress from our Cisco ASA Cluster(ASA 9.1.2) over Wireless(Cisco WLC 5508). All other devices(Windows, Android,...) work correct, without problems. Our WLC is in HA-Mode.
    Does anybody have an Idea?
    Thank you very much and Best regards,
    Stefan

    Hello again,
    I hope this case is the solution.
    https://supportforums.cisco.com/message/3942112#3942112
    I will let you know after downgrade.
    Best regards,
    Stefan

  • WLC 5508 + NPS MS-CHAP v2 Auth problems

    Hi,
    I am having a lot of trouble trying to set up a Cisco WLC 5508 to use NPS on Windows Server 2008 as it's authentication.
    When a client attempts to connect to the WLAN, the authentication is denied on Windows 7/Vista/XP, however, on Mac/iOS clients, it asks to accept the certificate (this is a public cert, issued by Entrust - however, it is a wildcard cert..), but then it will connect.
    So I have two questions:
    1/ Why won't the windows clients authenticate? If I set up the WLAN profile on the windows machine, and I deselect "Validate server certificate", then they connect just fine....
    2/ Is it possible to make it so the user is not prompted to accept the certificate? Why can't this certificate be validated locally by the client?
    Thanks,
    Josh

    Looks like it might have been an issue with that certificate, I don't know.
    Either it didn't like the wildcard, or it didn't like the intermediate/root CA.
    I downloaded a Comodo Trial SSL and plugged that in - works like a charm now!

Maybe you are looking for

  • Mutt and msmtp - I just can't get mutt to send

    Hello all, I have been battling with this for some time, I hope you can help. I have been running arch for several years now and thought I might start using mutt.  I have installed the version from the AUR with the side bar patch (version 1.5.21) and

  • Wlan problem with iMac yosemite

    When opening iMac it has difficulties to find WLAN network. I have to use network assistant several times and shut down the computer. Sometimes there are no difficulties, sometimes i have to try half a dozen times. My new iMac Yosemite was created by

  • Revision number in sales order and scheduling agreement

    I want revision number in sales order as well as scheduling agreement. for this where we configure or  how will it come in VA01 as well as VA31. Regards

  • Is there a way to add Adobe Reader directly to my website for legal documents?

    Is there a way to add Adobe Reader directly to my website for legal documents? It is on Wordpress. [link removed by moderator]

  • How to download songs to a new PC computer?

    I have subscribed to iTunes Match and it work flawlessly on my original PC and on my iPod Touch (4th generation). But I cannot download songs from my library in the cloud to my second PC that I use at work. How can I do it?