802.1x auth fail through WLC but OK on autonomous APs
Hello,
I migrate 1310 APs from Autonomous to Lightweight. Migration is OK with Cisco Upgrade Tool, and AP are registered on my 2504 WLC.
Previously, a 802.1x network was broadcasted by autonomous APs, supplicants were identified on a freeradius server with MSCHAPv2/PEAP method.
I send you in attachement a AP config which is OK.
But on the WLC, supplicants can't auth on Radius server.
I configured a WLAN with WPA/TKIP/802.1x with my radius server in AAA tab.
When clients try to authenticate, I get these messages where xxx is login:
AAA Authentication Failure for UserName:821 User Type: WLAN USER
AAA Authentication Failure for UserName:200 User Type: WLAN USER
AAA Authentication Failure for UserName:209 User Type: WLAN USER
Security info on client page is:
Security Policy Completed
No
Policy Type
WPA
Encryption Cipher
TKIP-MIC
EAP Type
PEAP
SNMP NAC State
Access
Radius NAC State
8021X_REQD
What is strange, there are some clients which are OK in RUN State, and 50 other % which are not.
In attachment there is a debug client "mac-address" on a device which cannot authenticate through WLC.
Thank you,
Clement
Hi Amjad,
I'm not using NAC.
Clients makes a MSCHAPv2/PEAP auth on a FreeRadius server through the WLC.
Because network is critical, I do a rollback so I passed the light APs into their autonomous original state.
Now all clients can successfully auth on the network. I don't understand what happens when APs are in lightweight mode :/
I have more information about the WLAN clients :
- Each client is an infrastructure which have a AXIS wireless modem in bridge mode, which is client of the WLAN. This modem have login/password for MSCHAPv2 auth.
- Behind the AXIS, there is a switch on which 4 devices in static IP are connected.
- If the AXIS is successfully authenticated on the WLAN, only one device of four is able to ping servers on the LAN. The others cannot, it seems to be a "token ring" like ?!
The WLAN clients infrastructures are very proprietary, it's very difficult to debug.
What I know, is all clients are OK on autonomous AP (auth 100% successfull, ping 100% successfull for 4 devices) and when the clients join a lightweight AP it is (auth 50% successfull, ping 100% successfull for 1 device, 0% successfull for 3 others devices)
Tell me if you need specific debug logs.
Clement
Similar Messages
-
802.1x Auth-Fail VLAN --- XP does not recognize
With Auth-Fail VLAN configured on Cisco 3550 the Switch successfully configures the port to the configured auth-fail vlan upon unsuccessful authentication. The PC even gets the IP address from DHCP.
However, the Windows XP network icon on the task bar continues to display as if it is trying to configure the network. The popup text displays "Attempting to authenticate" whereas the PC is fully connected and able to communicate on the network.
Any idea...????I am performing machine authentication against MS AD. It does get an ip address from the authentication VLAN but not before minor delay...(have seen up to a minutes delay in some cases).
The following is working fine in my case:
Machine Authenticaiton (S) ---> User Auth (S) then all is good.
Machine Auth (S) ---> User Auth (F) transition to Auth Fail VLAN
Machine Auth (F) ---> Machine is in AuthFail VLAN then User Auth (S) Machines transitions to correct access VLAN (or RADIUS assigned VLAN).
There are times when the behaviour is a bit variable in terms of VLAN assignment. Reading the IOS guide it makes sense if you are not assigning VLAN through RADIUS then switch sometimes tends to leave the port in the currently assigned VLAN, which depending on the port state (success/fail) could be the access VLAN or the AuthFail VLAN. -
802.1x Auth-Fail VLAN and Guest-VLan not available
Hi Pros,
Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
I found this link on Cisco's site:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
EZVPN_Remote(config-if)#int vlan1
EZVPN_Remote(config-if)#dot1x ?
default Configure Dot1x with default values for this port
host-mode Set the Host mode for 802.1x on this interface
max-reauth-req Max No.of Reauthentication Attempts
max-req Max No.of Retries
pae Set 802.1x interface pae type
port-control set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout Various Timeouts
Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
EZVPN_Remote#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 12-Jul-11 21:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
EZVPN_Remote uptime is 6 hours, 1 minute
System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
System restarted at 14:52:47 UTC Thu Oct 13 2011
System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
Processor board ID FTX153482GK
5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO881-SEC-K9 xxxxxxxx
License Information for 'c880-data'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices
Thanks in advance!Shamless bump...
-
Cisco ACS 5.1 802.1x auth fails on LAN when WLAN connected
I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan.
A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution
This is an intermittent fault and only effects users with both LAN and WLAN enabled.
Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.
Certificates are issues by group policy and only using computer authentication.
any help would be greatly appreciated
ThanksAfter a long TAC case with Cisco we discovered that the Mitel phone was not sending the EAPoL-Logoff packet so the switch still thought that the device off the back of the phone was connected.
There are no EAPoL-Logoff messages seen on switch when laptop is disconnected/port is shut down.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386903
This feature is supported by most IP phones - I do not know if Mitel phones support that but we cannot see this message in the debugs you sent.
As a workaround we can configure inactivity timer (by default it is infinity):
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11888691
This did resolve all our issues,
Aaron -
Upload fails through gateway - but succeeds without it!
Hi all,
we are using an upload application that we developped... it worked just fine uploading any file.. .but when we tried running it through the gateway (https), it timed out and was not able to upload large files...like 40- 50Mb... but before it worked (without the gateway)...
any ideas?Not sure if this has anything to do with it, but in our environment rewriter proxy was using more and more cpu during upload of files through gateway, about 2% per MB filesize. We never really tried what would happen with 50 MB files, failure to upload seems reasonable.
This issue was resolved with a portal patch, I think 118950-29(?). Please check your patch level and the online description of the patch.
hth Chris -
Auth-Fail Feature and Windows 802.1x Supplicant Compatibility
As per Cisco IOS design when authentication fails the switch sends a simulated EAP-Success message to the client so that DHCP can be implemented by the client. Taking into consideration the dot1x auth-fail command is configured.
However we have noticed that when using the built-in Windows XP SP2 802.1x supplicant and authentication fails, the Windows supplicant does not like this Cisco simulated EAP-Success message and drops the packet, therefore never re-initiating the DHCP process.
I have attached the Microsoft supplicant log indicating the dropped EAP-Success.
We are using catalyst 3750 with IOS 12.2(25)SEE. We have also tried release 12.2(35)xxx but issue persists.
Your suggestions would be appreciated.
Thank You,
ETAn EAP-Failure is by design. This occurs on all failures. The session fails rather normally. After the third (default but configurable) successive failure, the port is conditionally enabled (and placed in the auth-fail-vlan) even though 1X is configured and operating.
At this point, it's up to the supplicant to access the network if it wants to, since the port has been enabled. Without the notion of a controlled port on a supplicant, there's no reason it shouldn't try and access the network ;-).
Once a workstation is authorized on the network, and then subsequently fails for whatever reason, and put on the auth-fail vlan then it's also up to the machine to renew it's IP if it needs to. Optionally, you can configure the auth-fail-vlan to be the same as your default vlan. I guess it's worth pointing out, that you'd have this problem without 802.1X (changing VLANs on the fly for example). Some supplicants can deal with this though.
If an EAPOL-Logoff does not come from a supplicant (and it doesn't by default with Windows-XP) then there's nothing to get the port out of the Auth-Fail-VLAN either (short of link down). You can configure this through registry though. So the answer to your earlier question was no .. it shouldn't.
I'm not sure I understand the "IB" and "OOB" references here though.
Hope this helps, -
I have a Problem with Romming Between SSIDs withing the same WLC but with deferent VLAN .
HI All,
I have a Problem with Romming Between SSIDs withing the same WLC but with deferent VLAN . the WLC are providing the HQ and one of the Branches the Wireless services .
Am using all the available 9 SSIDs at the HQ , and am using only 4 of it at the Brnche.
The problem that i have are happening only at the Branch office as i cant room between the SSIDs within Diferent VLANs but i can do it with the one that pointing to the same VLAN. Once the client ( Laptop/Phone ) connected to one of the SSIDs. it imposiible to have him connected to the other ones with Different VLAN. meanwhile, It says its connected to the other SSID but its not getting IP from that pool.
here is the Show Run-Config from my WLC .. and the Problem happening between the SSID AMOBILE and ASTAFF. i have the Debug while am switching between the SSIDs if needed .
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.04 10:20:47 =~=~=~=~=~=~=~=~=~=~=~=
show run-config
Press Enter to continue...
System Inventory
NAME: "Chassis" , DESCR: "Cisco 5500 Series Wireless LAN Controller"
PID: AIR-CT5508-K9, VID: V01, SN: FCW1535L01G
Burned-in MAC Address............................ 30:E4:DB:1B:99:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 12
Press Enter to continue or <ctrl-z> to abort
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.235.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... WLAN Controller 5508
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 10.125.18.15
Last Reset....................................... Software reset
System Up Time................................... 41 days 5 hrs 14 mins 42 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent
Configured Country............................... US - United States
--More or (q)uit current module or <ctrl-z> to abort
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +36 C
External Temperature............................. +20 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 10
Number of Active Clients......................... 61
Burned-in MAC Address............................ 30:E4:DB:1B:99:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 12
Press Enter to continue or <ctrl-z> to abort
AP Bundle Information
Primary AP Image Size
ap3g1 5804
ap801 5192
ap802 5232
c1100 3096
c1130 4972
c1140 4992
c1200 3364
c1240 4812
c1250 5512
c1310 3136
c1520 6412
c3201 4324
c602i 3716
Secondary AP Image Size
ap801 4964
c1100 3036
--More or (q)uit current module or <ctrl-z> to abort
c1130 4884
c1140 4492
c1200 3316
c1240 4712
c1250 5064
c1310 3084
c1520 5244
c3201 4264
Press Enter to continue or <ctrl-z> to abort
Switch Configuration
802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Strong Password Check Features:
case-check ...........Enabled
consecutive-check ....Enabled
default-check .......Enabled
username-check ......Enabled
Press Enter to continue or <ctrl-z> to abort
Network Information
RF-Network Name............................. OGR
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Enabled
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
--More or (q)uit current module or <ctrl-z> to abort
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Fast SSID Change ........................... Enabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
Press Enter to continue or <ctrl-z> to abort
Port Summary
STP Admin Physical Physical Link Link
Pr Type Stat Mode Mode Status Status Trap POE SFPType
1 Normal Forw Enable Auto 1000 Full Up Enable N/A 1000BaseTX
2 Normal Disa Enable Auto Auto Down Enable N/A Not Present
3 Normal Disa Enable Auto Auto Down Enable N/A Not Present
4 Normal Disa Enable Auto Auto Down Enable N/A Not Present
5 Normal Disa Enable Auto Auto Down Enable N/A Not Present
6 Normal Disa Enable Auto Auto Down Enable N/A Not Present
7 Normal Disa Enable Auto Auto Down Enable N/A Not Present
8 Normal Disa Enable Auto Auto Down Enable N/A Not Present
Press Enter to continue or <ctrl-z> to abort
AP Summary
Number of APs.................................... 8
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
KNOWLOGY_DC01 2 AIR-LAP1131AG-A-K9 00:1d:45:86:ed:4e KNOWLOGY_DC_Serv 1 US 1
KNOWLOGY_DC02 2 AIR-LAP1131AG-A-K9 00:21:d8:36:c5:c4 KNOWLOGY_DC_Serv 1 US 1
KN1252_AP01 2 AIR-LAP1252AG-A-K9 00:21:d8:ef:06:50 Knowlogy Confere 1 US 1
KN1252_AP02 2 AIR-LAP1252AG-A-K9 00:22:55:8e:2e:d4 Server Room Side 1 US 1
Anham_AP03 2 AIR-LAP1142N-A-K9 70:81:05:88:15:b5 default location 1 US 1
ANHAM_AP01 2 AIR-LAP1142N-A-K9 70:81:05:b0:e4:62 Small Conference 1 US 1
ANHAM_AP04 2 AIR-LAP1131AG-A-K9 00:1d:45:86:e1:b8 Conference room 1 US 1
ANHAM_AP02 2 AIR-LAP1142N-A-K9 70:81:05:96:7a:49 Copy Room 1 US 1
AP Tcp-Mss-Adjust Info
AP Name TCP State MSS Size
KNOWLOGY_DC01 disabled -
KNOWLOGY_DC02 disabled -
--More or (q)uit current module or <ctrl-z> to abort
KN1252_AP01 disabled -
KN1252_AP02 disabled -
Anham_AP03 disabled -
ANHAM_AP01 disabled -
ANHAM_AP04 disabled -
ANHAM_AP02 disabled -
Press Enter to continue or <ctrl-z> to abort
AP Location
Total Number of AP Groups........................ 3
Site Name........................................ ANHAM8075
Site Description................................. ANHAM 8075 Location
WLAN ID Interface Network Admission Control Radio Policy
1 knowlogy_ogr Disabled None
6 knowlogy_ogr Disabled None
9 knowlogy_ogr Disabled None
7 knowlogy_ogr Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
Anham_AP03 2 AIR-LAP1142N-A-K9 70:81:05:88:15:b5 default location 1 US 1
ANHAM_AP01 2 AIR-LAP1142N-A-K9 70:81:05:b0:e4:62 Small Conference 1 US 1
ANHAM_AP04 2 AIR-LAP1131AG-A-K9 00:1d:45:86:e1:b8 Conference room 1 US 1
ANHAM_AP02 2 AIR-LAP1142N-A-K9 70:81:05:96:7a:49 Copy Room 1 US 1
Site Name........................................ Knowlogy_DC
--More or (q)uit current module or <ctrl-z> to abort
Site Description................................. DC Center Access points
WLAN ID Interface Network Admission Control Radio Policy
2 knowlogy_ogr Disabled None
4 knowlogy_ogr Disabled None
3 knowlogy_ogr Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
KNOWLOGY_DC01 2 AIR-LAP1131AG-A-K9 00:1d:45:86:ed:4e KNOWLOGY_DC_Serv 1 US 1
KNOWLOGY_DC02 2 AIR-LAP1131AG-A-K9 00:21:d8:36:c5:c4 KNOWLOGY_DC_Serv 1 US 1
Site Name........................................ OGR
Site Description................................. 1934 OGR Office
WLAN ID Interface Network Admission Control Radio Policy
1 knowlogy_ogr Disabled None
2 knowlogy_ogr Disabled None
4 knowlogy_ogr Disabled None
6 knowlogy_ogr Disabled None
--More or (q)uit current module or <ctrl-z> to abort
7 knowlogy_ogr Disabled None
9 knowlogy_ogr Disabled None
8 knowlogy_ogr Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
KN1252_AP01 2 AIR-LAP1252AG-A-K9 00:21:d8:ef:06:50 Knowlogy Confere 1 US 1
KN1252_AP02 2 AIR-LAP1252AG-A-K9 00:22:55:8e:2e:d4 Server Room Side 1 US 1
Site Name........................................ default-group
Site Description................................. <none>
WLAN ID Interface Network Admission Control Radio Policy
1 knowlogy_ogr Disabled None
2 knowlogy_ogr Disabled None
3 knowlogy_ogr Disabled None
4 knowlogy_ogr Disabled None
5 knowlogy_ogr Disabled None
6 knowlogy_ogr Disabled None
7 knowlogy_ogr Disabled None
8 knowlogy_ogr Disabled None
--More or (q)uit current module or <ctrl-z> to abort
9 knowlogy_ogr Disabled None
10 management Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
Press Enter to continue or <ctrl-z> to abort
AP Config
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... KNOWLOGY_DC01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:1d:45:86:ed:4e
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.100
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................ wireless.knowlogy.com
Primary Cisco Switch IP Address.................. 10.125.18.15
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
--More or (q)uit current module or <ctrl-z> to abortIP Address.................. 10.125.18.15
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
--More or (q)uit current module or <ctrl-z> to abort
Reset Button..................................... Enabled
AP Serial Number................................. FTX1134T0QG
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 48 days, 20 h 19 m 18 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:33 2013
Join Taken Time.................................. 0 days, 00 h 10 m 47 s
--More or (q)uit current module or <ctrl-z> to abort
Attributes for Slot 0
Radio Type................................... RADIO_TYPE_80211b
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:1d:71:09:8f:90
Operation Rate Set
1000 Kilo Bits........................... MANDATORY
2000 Kilo Bits........................... MANDATORY
5500 Kilo Bits........................... MANDATORY
11000 Kilo Bits.......................... MANDATORY
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
--More or (q)uit current module or <ctrl-z> to abort
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 1
Number Of Channels ........................ 11
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
Tx Power
Num Of Supported Power Levels ............. 8
Tx Power Level 1 .......................... 20 dBm
Tx Power Level 2 .......................... 17 dBm
Tx Power Level 3 .......................... 14 dBm
Tx Power Level 4 .......................... 11 dBm
Tx Power Level 5 .......................... 8 dBm
Tx Power Level 6 .......................... 5 dBm
Tx Power Level 7 .......................... 2 dBm
Tx Power Level 8 .......................... -1 dBm
--More or (q)uit current module or <ctrl-z> to abort
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Phy DSSS parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 11
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
Current CCA Mode .......................... 0
ED Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 12 dB
--More or (q)uit current module or <ctrl-z> to abort
Coverage exception level................... 25 %
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... KNOWLOGY_DC01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:1d:45:86:ed:4e
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.100
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
--More or (q)uit current module or <ctrl-z> to abort
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................ wireless.knowlogy.com
Primary Cisco Switch Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
--More or (q)uit current module or <ctrl-z> to abort
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
Reset Button..................................... Enabled
AP Serial Number................................. FTX1134T0QG
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
--More or (q)uit current module or <ctrl-z> to abort
AP Up Time....................................... 48 days, 20 h 19 m 18 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:33 2013
Join Taken Time.................................. 0 days, 00 h 10 m 47 s
Attributes for Slot 1
Radio Type................................... RADIO_TYPE_80211a
Radio Subband................................ RADIO_SUBBAND_ALL
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:1d:71:09:8f:90
Operation Rate Set
6000 Kilo Bits........................... MANDATORY
--More or (q)uit current module or <ctrl-z> to abort
9000 Kilo Bits........................... SUPPORTED
12000 Kilo Bits.......................... MANDATORY
18000 Kilo Bits.......................... SUPPORTED
24000 Kilo Bits.......................... MANDATORY
36000 Kilo Bits.......................... SUPPORTED
48000 Kilo Bits.......................... SUPPORTED
54000 Kilo Bits.......................... SUPPORTED
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 36
Number Of Channels ........................ 20
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
--More or (q)uit current module or <ctrl-z> to abort
Tx Power
Num Of Supported Power Levels ............. 7
Tx Power Level 1 .......................... 15 dBm
Tx Power Level 2 .......................... 14 dBm
Tx Power Level 3 .......................... 11 dBm
Tx Power Level 4 .......................... 8 dBm
Tx Power Level 5 .......................... 5 dBm
Tx Power Level 6 .......................... 2 dBm
Tx Power Level 7 .......................... -1 dBm
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Phy OFDM parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 44
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
......................................... 104,108,112,116,132,136,140,
......................................... 149,153,157,161
TI Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
--More or (q)uit current module or <ctrl-z> to abort
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 16 dB
Coverage exception level................... 25 %
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Press Enter to continue or <ctrl-z> to abort
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... KNOWLOGY_DC02
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:21:d8:36:c5:c4
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.101
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
--More or (q)uit current module or <ctrl-z> to abort
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Enabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
Reset Button..................................... Enabled
--More or (q)uit current module or <ctrl-z> to abort
AP Serial Number................................. FTX1230T24F
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 48 days, 20 h 24 m 41 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:35 2013
Join Taken Time.................................. 0 days, 00 h 10 m 48 s
--More or (q)uit current module or <ctrl-z> to abort
Attributes for Slot 0
Radio Type................................... RADIO_TYPE_80211b
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:22:55:a5:0c:30
Operation Rate Set
1000 Kilo Bits........................... MANDATORY
2000 Kilo Bits........................... MANDATORY
5500 Kilo Bits........................... MANDATORY
11000 Kilo Bits.......................... MANDATORY
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
--More or (q)uit current module or <ctrl-z> to abort
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 1
Number Of Channels ........................ 11
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
Tx Power
Num Of Supported Power Levels ............. 8
Tx Power Level 1 .......................... 20 dBm
Tx Power Level 2 .......................... 17 dBm
Tx Power Level 3 .......................... 14 dBm
Tx Power Level 4 .......................... 11 dBm
Tx Power Level 5 .......................... 8 dBm
Tx Power Level 6 .......................... 5 dBm
Tx Power Level 7 .......................... 2 dBm
Tx Power Level 8 .......................... -1 dBm
Tx Power Configuration .................... AUTOMATIC
--More or (q)uit current module or <ctrl-z> to abort
Current Tx Power Level .................... 1
Phy DSSS parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 1
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
Current CCA Mode .......................... 0
ED Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 12 dB
Coverage exception level................... 25 %
--More or (q)uit current module or <ctrl-z> to abort
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... KNOWLOGY_DC02
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:21:d8:36:c5:c4
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.101
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
--More or (q)uit current module or <ctrl-z> to abort
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Enabled
PoE Power Injector MAC Addr...................... Disabled
--More or (q)uit current module or <ctrl-z> to abort
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
Reset Button..................................... Enabled
AP Serial Number................................. FTX1230T24F
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
--More or (q)uit current module or <ctrl-z> to abort
AP Up Time....................................... 48 days, 20 h 24 m 41 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:35 2013
Join Taken Time.................................. 0 days, 00 h 10 m 48 s
Attributes for Slot 1
Radio Type................................... RADIO_TYPE_80211a
Radio Subband................................ RADIO_SUBBAND_ALL
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:22:55:a5:0c:30
Operation Rate Set
6000 Kilo Bits........................... MANDATORY
--More or (q)uit current module or <ctrl-z> to abort
9000 Kilo Bits........................... SUPPORTED
12000 Kilo Bits.......................... MANDATORY
18000 Kilo Bits.......................... SUPPORTED
24000 Kilo Bits.......................... MANDATORY
36000 Kilo Bits.......................... SUPPORTED
48000 Kilo Bits.......................... SUPPORTED
54000 Kilo Bits.......................... SUPPORTED
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 36
Number Of Channels ........................ 20
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
--More or (q)uit current module or <ctrl-z> to abort
Tx Power
Num Of Supported Power Levels ............. 7
Tx Power Level 1 .......................... 15 dBm
Tx Power Level 2 .......................... 14 dBm
Tx Power Level 3 .......................... 11 dBm
Tx Power Level 4 .......................... 8 dBm
Tx Power Level 5 .......................... 5 dBm
Tx Power Level 6 .......................... 2 dBm
Tx Power Level 7 .......................... -1 dBm
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Phy OFDM parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 36
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
......................................... 104,108,112,116,132,136,140,
......................................... 149,153,157,161
TI Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
--More or (q)uit current module or <ctrl-z> to abort
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 16 dB
Coverage exception level................... 25 %
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Press Enter to continue or <ctrl-z> to abort
Cisco AP Identifier.............................. 5
Cisco AP Name.................................... KN1252_AP01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:21:d8:ef:06:50
IP Address Configuration......................... DHCP
IP Address....................................... 10.125.18.101
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.125.18.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Enabled
Ssh State........................................ Disabled
Cisco AP Location................................ Knowlogy Conference Rooms Side
Cisco AP Group Name.............................. OGR
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
--More or (q)uit current module or <ctrl-z> to abort
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.4.10.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Medium Power (15.4 W)
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1252AG-A-K9
AP Image......................................... C1250-K9W8-M
IOS Version...................................... 12.4(23c)JA5
--More or (q)uit current module or <ctrl-z> to abort
Reset Button..................................... Enabled
AP Serial Number................................. FTX122990L5
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 118
WLAN 1 :........................................ 111
WLAN 2 :........................................ 111
WLAN 4 :........................................ 112
WLAN 6 :........................................ 112
WLAN 7 :........................................ 111
WLAN 9 :........................................ 112
WLAN 8 :........................................ 112
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 26 days, 00 h 24 m 39 s
--More or (q)uit current module or <ctrl-z> to abort
AP LWAPP Up Time................................. 26 days, 00 h 23 m 48 s
Join Date and Time............................... Wed Oct 9 10:59:07 2013
Join Taken Time.................................. 0 days, 00 h 00 m 50 s
Attributes for Slot 0
Radio Type................................... RADIO_TYPE_80211n-2.4
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 7
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:22:55:df:a5:90
Operation Rate Set
1000 Kilo Bits........................... MANDATORY
2000 Kilo Bits........................... MANDATORY
5500 Kilo Bits........................... MANDATORY
--More or (q)uit current module or <ctrl-z> to abort
11000 Kilo Bits.......................... MANDATORY
MCS Set
MCS 0.................................... SUPPORTED
MCS 1.................................... SUPPORTED
MCS 2.................................... SUPPORTED
MCS 3.................................... SUPPORTED
MCS 4.................................... SUPPORTED
MCS 5.................................... SUPPORTED
MCS 6.................................... SUPPORTED
MCS 7.................................... SUPPORTED
MCS 8.................................... SUPPORTED
MCS 9.................................... SUPPORTED
MCS 10................................... SUPPORTED
MCS 11................................... SUPPORTED
MCS 12................................... SUPPORTED
MCS 13................................... SUPPORTED
MCS 14................................... SUPPORTED
MCS 15................................... SUPPORTED
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
--More or (q)uit current module or <ctrl-z> to abort
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 1
Number Of Channels ........................ 11
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
Tx Power
Num Of Supported Power Levels ............. 8
Tx Power Level 1 .......................... 20 dBm
Tx Power Level 2 .......................... 17 dBm
Tx Power Level 3 .......................... 14 dBm
Tx Power Level 4 ..........Well you need to understand the behavior of h-reap or what it's called now, FlexConnect. In this mode, the clients are still remembers on the WLC until the session timer/idle timer expires. So switching between SSID's in h-reap will not be the same when switching when the AP's are in local mode.
Take a look at the client when connected in FlexConnect in the WLC GUI monitor tab. Thus will show you what ssid and vlan the client is on. Now switch to a different ssid and compare this. It's probably the same because the client has not timed out. Now go back to the other ssid and look again. Now on the WLC, remove or delete the client and then switch to the other ssid at the same time. Or switch SSID's and then remove the client. The client will join the new ssid and in the monitor tab, you should see the info.
There is no need to have clients have multiple SSID's unless your testing. Devices should only have one ssid profile configured to eliminate any connectivity issues from the device wanting to switch SSID's.
Sent from Cisco Technical Support iPhone App -
Auth-fail vlan won't support re-authentication
We're using ACS 1113 Appliance with ACS version 4.1.4.13. via the RADIUS attributes, clients are re-authenticated every 16 hours. The machine cache is set to 12 hours. This means that, if the user doesn't log off within 16 hours, he will be denied network access because of Machine Access Restriction (which is normal).
The problem is, at this point, the SSC client keeps trying and trying to authenticate. It never stops trying until the user logs off or reboots (sometimes this can takes days to weeks (f.e. on vacation). This results in a log entry, every 4 seconds (because of timeout tx-period settings), for every user that is in the MAR. Now you can imagine that, in an environment with 4000 users that the loggings become unusable because of the enormous amount of (unnecessary) failed attempts logs.
I've tried the following dot1x attributes on the switchport but they don't seem to work:
dot1x max-req 3
dot1x max-reauth-req 3
I was hoping they would stop the authentication attempts after 3 unsuccesfull tries, but it doesn't help.
Then I thought I found a solution: the auth-fail vlan. Then we have only 3 logs before the port falls into auth-fail, which is much better.
But, once he is into the auth-fail vlan, he never gets out! I tought that, if the user logs off, the network connection is closed, so at that point the machine authentication would be triggered. But he just stays in the auth-fail vlan until rebooted or the cable is removed. Isn't there any way to trigger the authentication when the user is logged off?Check if the "Default connection timeout" and "Default Association Timeout" values are configured properly in the client policy. Also check for the "max start" value in the connection settings for 802.1x. http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1/administration/guide/C2_SetupSSC.html#wp1056892
-
802.1X Authentication failed without 802.1X authentication enabled
Hi,
we are using 2 WISMs, with version 4.2.207 and a WCS to control them.
It seemed to work fine for about 2 weeks, and now we detected the following problem in some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2, we also use mac-filter.
When they lost the connection we can see the following error:
Message:
Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
Message:
Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
I also attach an output of the troubleshoot mac address...
Can some help me with this?
Thank you.
Best regards,Hi Kirbus,
we open a TAC and we were advised for now to do the following changes:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
1. please make sure to disable Aironet extensions (if present) , on the WLAN advanced configuration
2. disable management frame protection (MFP) signature generation (if present) , MFP also on the WLAN advanced configuration
3. on the WLC general configuration , can you please disable aggressive load balancing
4. on the security tab on the WLC , please wireless protection policies > disable client exclusion policies
5. on the AP network configuration please disable short preamble the original standard was long preambles
6. Wireless -> disable auto-RRM channel & power assignment & try "on demand"
7. apply these modification on the WLC CLI
Config advanced eap identity-request-timeout 20
Config advanced eap identity-request-retries 10
Config advanced eap request-timeout 20
Config advanced eap request-retries 10
Save config, and see if you still face the problem.
We are still monitoring the solution, but until now we didn't face the problem again.
Let me now how it goes for you.
Thank you.
Best regards, -
802.1x Auth Error After Installing AirPort Update 2007-002 and 10.4.9
After installing the AirPort Extreme Update 2007-002 (and 10.4.9, but I doubt that update did it), I am unable to log into my campus's wireless network. I get the message "802.1x Authentication has failed. (Error: 1001 on port en1)"
I've double-checked the settings, and all looks good. Other Macs are able to log in fine but they do not have this update applied.
Other wireless connections from this computer work fine, including using another SSID on this wireless network using WPA/TKIP. Only the 802.1x auth is failing.
I'm a systems admin for the college, and I can see in the radius logs that an error is generated:
"Unexpected error. Possible error in server or client configuration."
I'm the only one getting this error. Anyone have any ideas about this?
Thanks in advance.
trukI finally discovered what was going on. When doing either the 10.4.9 update or the Airport update, my /System/Library/Keychains/X509Anchors file was either corrupted or completely emptied. The file did remain with 0K size.
I started noticing that all SSL connections from the computer were failing (Safari, iChat, whatever) that depended on the Mac OS X components to do the SSL validation. (Firefox continued to work fine, as it has its own SSL stack.) I then ran the Keychain file check in Keychain, which alerted me to the exact file problem.
My wife also has a MacBook with the same version of Mac OS X, so I was able to copy her X509Anchors file to my computer and everything worked perfectly after that. SSL came back, iChat works, Safari works with SSL, and 802.1x works again.
Hope that helps someone else... -
Term41.default auth failed error on 7941 after factory reset - UCM 8.0
I am having an issue with a 7941 phone. After performing a factory reset on the 7941 phone that was having issues it now is stuck in a continuous loop where it powers on, tries to download term41.default, says auth failed, and the reboots. I have tried setting a static dhcp entry forcing it to point to my UCM 8.0 server but it continues to loop. I have tried multiple factory resets on the same phone with the same results. Other phones, even other 7941 phones register without a problem. I have verified the term41.default.loads file exists on the UCM 8.0 server. Any ideas on what I can do to fix this problem. I am about ready to smash it into a billion pieces. :-)
Thanks in advance!Okay, I got it. I went through and deleted the files stored on the UCM tftp server for the 7941 phone, reinstalled SCCP41.8-4-1SR1S and it seems to be upgrading now. Then I will have to go through and upgrade to 8.5.2 and then 8.5.3 then eventually get my way back up to 9.0.3. Thanks Michael for pointing me in the right direction!!!!!! I appreciate your help!
-
Hi All,
What criteria is used to determine whether to use the auth-fail VLAN or the guest VLAN?
What if a non-802.1x client connects to the port, say a Vendor.... 802.1x doesn't occur, so does it then transition to guest vlan?
What if a vendor brings in an 802.1x capable PC and connects it... the auth fails, but I'd want the vendor to go into the guest VLAN anyway, Could I give them a temporary username / PW maybe to authenticate with? hmmm...
Thanks in advance.Hello,
The Auth-Fail VLAN is invoked if an Access-Reject is received from the Radius server for the
user or machine authentication. The Auth-Fail VLAN will be invoked after a number of failures
not after the first authentication failure. This is a configurable value.
The Guest VLAN is invoked if not EAPoL traffic is received from the connecting client.
You can set the Auth-Fail VLAN and the Guest VLAN to the same VLAN ID if you want
users who come in with the supplicant disabled or someone with invalid credentials (or no credentials).
--Jesse -
Since we upgraded our WCS system to V6.0.196.0 we are receiving a lot of the following error messages and I haven't figured out why.
Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface '802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name: 205-dg20-bb3-4/2Check you ACS (Radius) logs under failures. You will see why its failing. Sounds like a AD account went bad
or someone is entering the wrong logon ... But check your radius log it will point you in the right direction. -
As of 1:30 yesterday, no clients can authenticate to my LWAPP Access points. I'm getting this message in the trap logs on my 4404:
Client Excluded: MACAddress:00:90:4b:86:23:94 Base Radio MAC :00:17:df:7f:c8:60 Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3
And my (MS IAS) RADIUS server has an entry:
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
The previous successful entries all refer to PEAP. We restored our WCS server from tape yesterday, but why would that affect the authentication on the 4404? Does anyone have any idea what's going wrong?There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
http://support.microsoft.com/kb/883619 -
Bootp through WLC 4400 - out of ideas
We use several (80) wireless bootp devices in our network. They of course have been running great on autonomous APs but refuse to work on our WLC wlans. I did a packet capture on the vlan only to find that the wlc 4404 is retagging the bootp packet source as it's own IP instead of 0.0.0.0 This of course causes the bootp server to send out a bootp reply specifically to that IP instead of a broadcast (where I hope the WLC would behave normally since broadcast forwarding has been enabled).
I'm running version 4.1.185.0 and the results are identical on our 4404 and 4402. I'm out of ideas guys any advice?
proper.pdf shows the process on an autonomous AP at packet 1 and 5. Other packets show the same process through a WLC.
.254 is the bootp server, .240 is WLCOkay, well if your DHCP Server doesn't like proxied requests, you've got three options;
1 - Use a DHCP server that will accept proxied requests like a Cisco Switch, the WLC it's self, a Microsoft Server, etc...
2 - Scrap lightweight and go back to IOS
3 - Employ H-REAP, which will then bridge traffic straight on to a VLAN from the AP. This means it won't go via the WLC, and the requests will therefore go un-altered. H-REAP requires 1030, 1130, 1240 or 1250 APs, and the switchport to be altered to a Trunk port.
Regards,
Richard.
Maybe you are looking for
-
Report to check the valued GR block stock
Hi, I used movement type 107 to receive the PO with indicator 'Origin Accept', and would like to check how many stock I have received to the valued GR block stock. Anyone tell me which report I can use? I've checked the stock report under IM, but hav
-
Software update hangs after upgrading to Lion
Just recently upgraded to Lion, mostly without any glitches but upon starting up iTunes I was presented with a dialog box indicating that the version of iTunes was "too new" (I think) and suggested I used Software Update to install a Lion compatible
-
How can I use my itunes on another computer?
I am visiting my parents, who have itunes, and I want to access my itunes on their computer. How can I do this without disturbing their account. I'm also scared that if I plug my ipod in that it will sync with my Dad's itunes (that would be awful).
-
How can I get CS3 to open on new iMac with 10.6.4?
Just bought a new iMac and am trying to get everything moved over to it. I use Dreamweaver, Fireworks & Contribute from CS3. When I try to open any of them (newly installed from the Adobe downloads) I get this error message: file://localhost/Users/
-
Songs cutting short, play for 1st few seconds and s
Hi, I noticed some of my songs that I've transferred into my muvo v00 are cutting short and would only play for the first 0 or so seconds. I've got the latest firmware and I know that there isn't anything wrong with these songs when I play it on my o