Access point snmp query

We have multiple AIR-LAP1142N-A-K9 controlled by an AIR-WLC2106-K9. Is there a way to snmp query the individual radios for traffic stats? I can snmpwalk against the WLC but it only shows the physical ports of the controller, not the radios.
Thanks

I have the same issue. I don't know how to make an alarm for hardware failure or any critical error. For the cealrm severity OIDs, snmpwalk says that the value is "snmp no such object".

Similar Messages

  • Capturing MAC Addresses from an Access Point AP1131 with SNMP

    Hi!
    I'm trying to use SNMP to track information as to what's connected to
    our access points. The purpose is basic security and auditing in case
    of a problem ( virus, technical problem, etc ). We're already able to
    capture what wired devices are connected, but not the MAC addresses of
    the wireless clients.
    We're employing Cisco Aironet APs 1131, and looking around the MIBs, I found
    one object that has what I want, but it's not accessible.
    cDot11ClientAddress OBJECT-TYPE
    SYNTAX MacAddress
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
    "The MAC address of the client."
    ::= { cDot11ClientConfigInfoEntry 1 }
    Does anyone know another way to get this information via SNMP?
    Thanks in advance!
    Khay

    Up...anybody?... :(
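
An added example, not part of the original posts: a `not-accessible` object such as `cDot11ClientAddress` is a table index, so its value is carried in the instance OID of every readable column of the same table and can be recovered from a walk. The sketch assumes the entry OID `1.3.6.1.4.1.9.9.273.1.2.1.1` and an index of (ifIndex, length-prefixed SSID, 6-byte MAC); the walk output, the column number and all addresses are constructed.

```python
import re

# Assumption: OID of cDot11ClientConfigInfoEntry (CISCO-DOT11-ASSOCIATION-MIB).
ENTRY_OID = "1.3.6.1.4.1.9.9.273.1.2.1.1"

# Constructed sample in `snmpwalk -On` style. Column 16 is a stand-in for any
# readable column of the table; SSIDs, MACs and IP addresses are made up.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.5.0 = STRING: ap
.1.3.6.1.4.1.9.9.273.1.2.1.1.16.1.6.80.117.98.108.105.99.0.37.156.18.52.86 = IpAddress: 10.60.12.34
.1.3.6.1.4.1.9.9.273.1.2.1.1.16.1.5.83.116.97.102.102.164.94.96.171.205.239 = IpAddress: 10.70.0.9
.1.3.6.1.4.1.9.9.273.1.2.1.1.16.1.6.80.117.98 = IpAddress: 0.0.0.0
"""

# "<numeric oid> = [TYPE: ]value"
LINE_RE = re.compile(r"^\.?(\d+(?:\.\d+)+)\s*=\s*(?:[\w-]+:\s*)?(.*)$")


def decode_index(suffix):
    """Split an instance suffix into (ifIndex, ssid, mac).

    Assumed index layout: ifIndex, then the SSID as a length-prefixed octet
    string, then the MAC as six fixed octets with no length prefix.
    """
    if len(suffix) < 2:
        raise ValueError("index too short")
    if_index, ssid_len = suffix[0], suffix[1]
    ssid_octets = suffix[2:2 + ssid_len]
    mac_octets = suffix[2 + ssid_len:]
    if len(ssid_octets) != ssid_len or len(mac_octets) != 6:
        raise ValueError("index does not match ifIndex.len.ssid.mac")
    if any(not 0 <= o <= 255 for o in ssid_octets + mac_octets):
        raise ValueError("sub-identifier is not an octet")
    ssid = bytes(ssid_octets).decode("utf-8", "replace")
    mac = ":".join(f"{o:02x}" for o in mac_octets)
    return if_index, ssid, mac


def parse_walk(text):
    """Return one dict per table row found in numeric snmpwalk output."""
    rows = []
    prefix = ENTRY_OID + "."
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        oid, value = match.groups()
        if not oid.startswith(prefix):
            continue  # some other object, e.g. sysName
        parts = [int(p) for p in oid[len(prefix):].split(".")]
        column, suffix = parts[0], parts[1:]
        try:
            if_index, ssid, mac = decode_index(suffix)
        except ValueError:
            continue  # truncated or unexpected index, skip the line
        rows.append({"column": column, "if_index": if_index,
                     "ssid": ssid, "mac": mac, "value": value})
    return rows


if __name__ == "__main__":
    for row in parse_walk(SAMPLE_WALK):
        print(row["mac"], row["ssid"], row["value"])
```
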

  • Snmp over cisco access point

    hi,
    I'm trying to manage my Cisco 1230 access point via SNMP, and I want to know how I can access the IP address of the device connected over it. I found the ARP table, but it doesn't reflect the exact status of the IP (whether this station is connected or not).
    Can you help? It's very important for me. Thank you in advance.

    thank you for your help,
    I am able to check this MIB but I didn't find what I want.
    There is no field that specifies the IP address of the active device (there is a MAC address, but the data is contradictory with the ifTable: this MAC address doesn't exist in the ifTable).
    The IP address of the active device certainly exists in one of the Cisco MIBs, so can you help me, because it is very important for me.
    thank you in advance

  • SNMP lightweight access point connected to 4400

    I am trying to monitor 1250 APs directly via SNMP. Is it possible to consolidate the SNMP MIB of the 1250 APs that are connected to a 4400 controller running R 5.2?
    I am wondering if it's possible to monitor access points directly (not via wcs or controller) via snmp?
    Regards, Wim

    If the AP is in LWAPP mode, you cannot directly poll the AP using SNMP. You have to poll the controller to get all the information about the AP. You can download the MIBs for controller v5.2 from the URL below.
    http://tools.cisco.com/support/downloads/go/InterfaceModuleSWT.x?mdfid=279911269&mdfLevel=Model&treeName=Wireless&modelName=Cisco%204404%20Wireless%20LAN%20Controller&treeMdfId=278875243
    Pushkar

  • Cisco wIPS access point query

    Dear All,
    I am planning to install Cisco wIPS in our network. Kindly advise whether I need to install an access point with the wireless security module to make my wIPS work, or whether one normal Cisco 3602 will be enough. I have gone through the documents below, but one mentions the wireless module whereas the other does not. Kindly suggest.
    http://www.cisco.com/c/en/us/products/collateral/wireless/adaptive-wireless-ips-software/data_sheet_c78-501388.html - mentions the module
    http://www.cisco.com/c/en/us/products/collateral/wireless/adaptive-wireless-ips-software/qa_67-503875.html - does not mention the module
    Kindly advise whether the security module is mandatory to go with Cisco wIPS.
    Regards,
    Jubair.S

    If you want to operate the AP normally, where clients can connect, and also do wIPS, then you require the module.
    Otherwise you can configure the AP in monitor mode, where it will not associate any clients but will do the wIPS function.
    If you require limited wIPS (Enhanced Local mode), then you can have the same AP do everything.
    The link below summarizes the options available; read it for more details.
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • SNMP querying of Meraki devices

    We have several Cisco Meraki devices as part of our network, and the ON100's querying of SNMP for these devices does not seem to work. Is there a way to have the ON100 query a Meraki MS24 as a generic switch, for example? Will support for Meraki's products be built into the OnPlus portal, since Cisco now owns Meraki?

    One of our clients is a school system with around 180 Meraki's.  The Meraki's appear to be web-i-fied so that the only way you can connect to their SNMP mib's is through Meraki's web portal.  i.e. you have to connect your SNMP scanner, management software to a location in the Meraki cloud. 
    The last time I looked at this, which was a bit before Cisco purchased Meraki, there were instructions in the Meraki web portal for the devices.  If I remember correctly the SNMP may have been tunnelled over SSL and used non-default port numbers, which I don't believe OnPlus can connect to.
    In either case, I got the distinct impression that the idea was you connect SNMP to the Meraki portal for your user account, and Meraki connected to its on-site access points in a non-disclosed, proprietary manner.

  • Prompt never appears in a 2602i access point

    Hello:
    Today I converted an AIR-CAP2602I-A-K9 access point to autonomous using the mode button/TFTP method, but no matter what IOS I install (I tried 2 different IOS images and also tried entering ROMMON; I am able to change IOS because the procedure I used does not need any command), I never get to see the prompt so that I can enter commands to configure the AP. It's like it hangs after "successfully" initializing.
    The only thing I can see all the time are "normal" console messages, and it shows no error message at all. It happened even before the downgrade.
    This is where the AP stops, but it is not really hung because console messages could keep showing up. It just never gets to the prompt so I can enter some commands. It would not even accept Enter.
    Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 30-Jul-13 23:12 by prod_rel_team
    Initializing flashfs...
    flashfs[3]: 200 files, 7 directories
    flashfs[3]: 0 orphaned files, 0 orphaned directories
    flashfs[3]: Total bytes: 31739904
    flashfs[3]: Bytes used: 14286848
    flashfs[3]: Bytes available: 17453056
    flashfs[3]: flashfs fsck took 9 seconds.
    flashfs[3]: Initialization complete.
    flashfs[4]: 0 files, 1 directories
    flashfs[4]: 0 orphaned files, 0 orphaned directories
    flashfs[4]: Total bytes: 11999232
    flashfs[4]: Bytes used: 1024
    flashfs[4]: Bytes available: 11998208
    flashfs[4]: flashfs fsck took 0 seconds.
    flashfs[4]: Initialization complete.
    Copying radio files from flash: to ram:
    Copy in progress...CCCCC
    Copy in progress...CCC
    Copy in progress...CCCC
    Copy in progress...CCCC
    Copy in progress...CC
    Uncompressing radio files...
    ...done Initializing flashfs.
    Radio0  present 8764 8000 0 A8000000 A8010000 0
    Rate table has 244 entries (64 SGI/104 BF variants)
    Radio1  present 8764 8000 0 88000000 88010000 4
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-SAP2602I-A-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
    Processor board ID FGL1716S0Q6
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: BC:16:65:95:A7:C3
    Part Number                          : 73-14588-02
    PCA Assembly Number                  : 800-37899-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC17151DSW
    Top Assembly Part Number             : 800-38356-01
    Top Assembly Serial Number           : FGL1716S0Q6
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP2602I-A-K9   
    Press RETURN to get started!
    *Mar  1 00:00:11.819: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
    *Mar  1 00:00:11.935: FIPS IOS test Image Checksum successful
    *Mar  1 00:00:11.935: FIPS IOS test Crypto RNG DEK Key Test successful
    *Mar  1 00:00:11.939: FIPS IOS test SHA-1 successful
    *Mar  1 00:00:11.939: FIPS IOS test HMAC-SHA1 successful
    *Mar  1 00:00:11.939: FIPS IOS test AES CBC 128-bit Encrypt successful
    *Mar  1 00:00:11.939: FIPS IOS test AES CBC 128-bit Decrypt successful
    *Mar  1 00:00:11.939: FIPS IOS test IOS AES CMAC Encrypt successful
    *Mar  1 00:00:11.939: FIPS IOS test IOS CCM Encrypt successful
    *Mar  1 00:00:11.939: FIPS IOS test IOS CCM Decrypt successful
    *Mar  1 00:00:11.939: FIPS IOS test RSA Signature Generation successful
    *Mar  1 00:00:11.939: FIPS IOS test RSA Signature Verification successful
    *Mar  1 00:00:11.939: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:18.863: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 0 successful
    *Mar  1 00:00:18.863: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 0 successful
    *Mar  1 00:00:18.863: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 0 successful
    *Mar  1 00:00:18.863: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 0 successful
    *Mar  1 00:00:18.863: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:24.991: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 1 successful
    *Mar  1 00:00:24.991: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 1 successful
    *Mar  1 00:00:24.991: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 1 successful
    *Mar  1 00:00:24.991: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 1 successful
    *Mar  1 00:00:24.991: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:25.007: initializing dot11 onplus
    *Mar  1 00:00:25.259: not a autoconfig enabled device!!!
    *Mar  1 00:00:27.039: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:28.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
    *Mar  1 00:01:13.383: Starting Ethernet promiscuous mode
    *Apr 12 07:12:42.000: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Apr 12 07:12:42.000: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Apr 12 07:12:42.003: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
    *Apr 12 07:12:42.011: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 30-Jul-13 23:12 by prod_rel_team
    *Apr 12 07:12:42.011: %SNMP-5-COLDSTART: SNMP agent on host ap is undergoing a cold start
    *Apr 12 07:12:42.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    *Apr 12 07:12:42.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 12 07:12:42.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Apr 12 07:12:44.651: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
    *Apr 12 07:12:44.651: DPAA Initialization Complete
    *Apr 12 07:12:44.651: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
    *Apr 12 07:12:44.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up  <--- CURSOR STOPS HERE AND WON'T ACCEPT ENTER OR ANY OTHER  KEYBOARD ACTION
    Any thoughts?
    Best regards and thanks in advance

    Leo, I'm using SecureCRT, so I disabled XON/XOFF and DTR/DSR as usual, but was not disabling RTS/CTS, so I did and now it is working. Thank you very much!
     

  • How do I find the MAC address of a CLIENT ACCESS POINT created from the FILE SERVICES ROLE

    I have several Client Access Points created within the clustered File Services Role.  The only way I seem to be able to determine the MAC address of each of these, is by visiting the DHCP server.
    Does anyone know if there is a way of reporting on this from the server (active node) itself?  I have tried ipconfig all, checked the properties of the CAP in the FCS console etc.
    Many thanks.
    Kathleen Hayhurst Senior IT Support Analyst

    Hi,
    As far as I know, there is no original option for querying all the CAP MAC addresses. Maybe you can create a PowerShell command and then filter the configuration result; you can ask in the PowerShell forum for further help.
    More information:
    PowerShell forum:
    http://social.technet.microsoft.com/Forums/en-US/bf0e249b-a9f3-4bef-a536-c210b3f09340/powershell-script-to-alert-on-failed-system-state-backups?forum=winserverpowershell
    The related KB:
    Failover Clusters Cmdlets in Windows PowerShell
    http://technet.microsoft.com/en-us/library/hh847239.aspx
    The related article:
    PowerShell for Failover Clustering: Frequently Asked Questions & Enabling CSV
    http://blogs.msdn.com/b/clustering/archive/2009/05/23/9636665.aspx
    Hope this helps.

  • Access points settings Lumia 820

    I just want to know if it is possible to have both MMS and GPRS active at the same time in windows 8 phones. That was possible with Symbian but not possible on my Lumia 820.

    Hi ddt1,
    Welcome to Nokia Support Discussions! 
    Regarding your query, the access point that you have on the Lumia 820 will be used as one. If you have both MMS and GPRS, you can use them both at the same time. You don't need to choose between the two ( 2 ) access point anymore. Your statement "not possible on my Lumia 820" means that you are having trouble with the phone. Can you tell us what exactly is happening on the phone? Is there any error happening on it? If there is, can you tell us what the error is?
    We're looking forward to your response for us to further assist you.

  • Access Point(s) - AIR-AP1231G-A-K9 and others - Spotty Connectivity ...

    Hello,
    We have eighteen Cisco Aironet wireless access points (most of them are AIR-AP1231G-A-K9 with 12.3(2)JA2 IOS loaded) across our campus which people have weird issues with connecting.
    Everywhere, people can associate and get an IP address without any issues. However, they cannot maintain a reliable connection to systems either on our network or off. They will get a web page to load and then it drops them out. In addition, they cannot connect back again for random intervals of time. To make this even more bizarre is that for random intervals they maintain a solid connection until it kicks people out again.
    The vlan itself (60 in the configuration file below) works without issue as we have devices plugged in directly to the vlan via a hardwired port and they are stable.
    Below is the configuration file. Any reason why we would have this issue?
    Thank you for your time.
    Regards,
    Christopher Koeber
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname AP-6
    !
    enable secret {authentication information}
    enable password {authentication information}
    !
    username Cisco password {authentication information}
    username admin password {authentication information}
    ip subnet-zero
    ip domain name {Domain Information}
    !
    no aaa new-model
    !
    dot11 ssid (Secure) Staff/Faculty
       vlan 70
       authentication open
    !
    dot11 ssid Public
       vlan 60
       authentication open
       guest-mode
    !
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     ssid (Secure) Staff/Faculty
     !
     ssid Public
     !
     short-slot-time
     speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
     no cdp enable
    !
    interface Dot11Radio0.60
     encapsulation dot1Q 60 native
     no ip route-cache
     no cdp enable
     bridge-group 60
     bridge-group 60 subscriber-loop-control
     bridge-group 60 block-unknown-source
     no bridge-group 60 source-learning
     no bridge-group 60 unicast-flooding
     bridge-group 60 spanning-disabled
    !
    interface Dot11Radio0.70
     encapsulation dot1Q 70
     no ip route-cache
     no cdp enable
     bridge-group 70
     bridge-group 70 subscriber-loop-control
     bridge-group 70 block-unknown-source
     no bridge-group 70 source-learning
     no bridge-group 70 unicast-flooding
     bridge-group 70 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    !
    interface FastEthernet0.60
     encapsulation dot1Q 60 native
     ip address 10.60.255.6 255.255.0.0
     no ip route-cache
     bridge-group 60
     no bridge-group 60 source-learning
     no bridge-group 60 unicast-flooding
     bridge-group 60 spanning-disabled
    !
    interface FastEthernet0.70
     encapsulation dot1Q 70
     ip address dhcp
     no ip route-cache
     bridge-group 70
     no bridge-group 70 source-learning
     no bridge-group 70 unicast-flooding
     bridge-group 70 spanning-disabled
    !
    interface BVI1
     ip address 10.60.255.6 255.255.0.0
     no ip route-cache
    !
    ip default-gateway 10.60.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    logging snmp-trap emergencies
    logging snmp-trap alerts
    logging snmp-trap critical
    logging snmp-trap errors
    logging snmp-trap warnings
    !
    !
    !
    line con 0
     transport preferred all
     transport output all
    line vty 0 4
     login local
     transport preferred all
     transport input all
     transport output all
    line vty 5 15
     login
     transport preferred all
     transport input all
     transport output all
    !
    end

    Hi Christopher,
    Couple of suggestions before moving forward:
    1. I would first secure these WLANs with at least a pre-shared key if possible (WPA/WPA2).  Let me know if you need information on how to do this.
    2. Next, I would remove the 'short-slot-time' on the radio:
    config terminal
    interface do0
    no short-slot-time
    end
    If your users continue to have issues, I would want more information on the types of clients in the environment as well as wireless adapter make/model/driver version. 
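
An added example, not part of the original thread: a small audit of the `dot11 ssid` blocks in an autonomous-AP configuration that reports SSIDs left without WPA/WPA2 key management, which is the state the first suggestion above addresses. The first two SSIDs in the sample mirror the posted configuration; the third (`Staff-WPA2`) is a hypothetical hardened block added for contrast, and only the SSID blocks are checked.

```python
import re

# Constructed sample: the first two SSIDs mirror the posted configuration,
# the third is a hypothetical hardened SSID added for contrast.
SAMPLE_CONFIG = """\
dot11 ssid (Secure) Staff/Faculty
   vlan 70
   authentication open
!
dot11 ssid Public
   vlan 60
   authentication open
   guest-mode
!
dot11 ssid Staff-WPA2
   vlan 70
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii {pre-shared key}
!
interface Dot11Radio0
 no ip address
"""

NO_KEY_MGMT = "no WPA/WPA2 key management configured"
NO_CREDENTIAL = "WPA key management without wpa-psk or EAP authentication"


def ssid_blocks(config_text):
    """Map each SSID name to the list of sub-commands in its block."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("dot11 ssid "):
            current = raw[len("dot11 ssid "):].strip()
            blocks[current] = []
        elif current is not None and raw[:1].isspace() and raw.strip():
            blocks[current].append(raw.strip())  # indented line: sub-command
        else:
            current = None  # "!" or a new top-level command ends the block
    return blocks


def audit_ssids(config_text):
    """Return {ssid: [findings]}; an empty list means nothing was flagged."""
    findings = {}
    for name, cmds in ssid_blocks(config_text).items():
        has_wpa = any(c.startswith("authentication key-management wpa")
                      for c in cmds)
        has_psk = any(c.startswith("wpa-psk ") for c in cmds)
        uses_eap = any(c.startswith("authentication network-eap")
                       or re.match(r"authentication open .*\beap\b", c)
                       for c in cmds)
        issues = []
        if not has_wpa:
            issues.append(NO_KEY_MGMT)
        elif not has_psk and not uses_eap:
            issues.append(NO_CREDENTIAL)
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for ssid, issues in audit_ssids(SAMPLE_CONFIG).items():
        print(ssid, "->", issues or "ok")
```
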

  • Access Point - AIR-AP1231G-A-K9 - PCs can connect but Apple Macs Cannot ...

    Hello,
    This is a sort of follow up to a post I made a few days ago. I made changes to my access points and on Windows computers everything works but on Apple products (Macs, iPads, iPhones) the strangest things happen.
    (1). About 90% of the time nothing works in that we get NO connection to the Access Point. In the client association logs we see the MAC address show up but there is a 0.0.0 address where it seems like the device is trying to get a DHCP lease. After a while, the device gets the APIPA address of 169.X.X.X.
    (2) After an extended period of time (an hour or more) the Apple device eventually gets an IP address from the network and then is able to successfully connect to the network. However, the connection is short lived and drops after about 30 minutes to an hour.
    Is there a problem with the way Apple products encapsulate their network traffic versus Windows or other products?
    Again, this does not affect any Windows or Android based devices (laptops, phones, etc.) They can connect right away and never drop out.
    Below is the configuration file for the AP in question, although this is affecting all of our APs:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP-5
    enable {Authentication Information}
    enable {Authentication Information}
    username {Authentication Information}
    username {Authentication Information}
    ip subnet-zero
    ip domain name {Domain here}
    no aaa new-model
    dot11 ssid (Secure) Staff/Faculty
       vlan 70
       authentication open
    dot11 ssid Public
       vlan 60
       authentication open
       guest-mode
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid (Secure) Staff/Faculty
    ssid Public
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    no cdp enable
    interface Dot11Radio0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.70
    encapsulation dot1Q 70
    no ip route-cache
    no cdp enable
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    no bridge-group 70 source-learning
    bridge-group 70 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface FastEthernet0.60
    encapsulation dot1Q 60 native
    ip address 10.60.255.5 255.255.0.0
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.70
    encapsulation dot1Q 70
    ip address dhcp
    no ip route-cache
    bridge-group 70
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface BVI1
    ip address 10.60.255.5 255.255.0.0
    no ip route-cache
    ip default-gateway 10.60.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    logging snmp-trap emergencies
    logging snmp-trap alerts
    logging snmp-trap critical
    logging snmp-trap errors
    logging snmp-trap warnings
    bridge 1 route ip
    line con 0
    transport preferred all
    transport output all
    line vty 0 4
    login local
    transport preferred all
    transport input all
    transport output all
    line vty 5 15
    login
    transport preferred all
    transport input all
    transport output all
    end

    For initial configuration you can access AP from the Console port.
    Following are the guides you need to look at for configuring your 1600 AP:
    Cisco Aironet 1600/2600/3600 Series Access Point Deployment Guide
    Getting Started Guide: Cisco Aironet 1600 Series Access Points
    Moreover you can check the configuration guide from cisco.com/google, based on the Actual software image your AP is running. Some of the newer IOS for AP you can check here.
    -Thanks
    Vinod
    **Encourage Contributors. RATE Them.**

  • 6600 access point - pain / help me

    I've just got me hands on a 6600 and it keeps asking me to select an access point (ie: GPRS or my provider) if I say yes it dials up the number - if I say no (cancel) it goes away for about a minute then "pops" back up - can anybody tell me how to STOP it popping back up!!! its driving me round the bend
    ps - I have looked in the providers manual (not a Nokia manual) and its no help.
    Thanks

    Does this help: http://discussions.nokia.co.uk/discussions/board/message?board.id=messaging&message.id=89&query.id=0...

  • Cisco 1524 Aironet Outdoor Wi Fi Access Points

    I am using Cisco 1524 Aironet Outdoor Wi Fi Access Points for outdoor Wi-Fi Coverage with WiSM Controller. I want to cascade Bridge them with UTP/STP Cables instead of using MESH using the Ethernet Bridging Function inside the controller. But I cannot have a cascaded Bridge chain of more than 2 APs. Can anybody advise & help me in this scenario?

    Hello Mohammed,
    As per your query please refer to the link-
    http://www.cisco.com/en/US/docs/wireless/access_point/1524/installation/guide/1524SB_addendum.html and it supports
    Fiber (SFP) and Gigabit Ethernet interfaces
    Hope this will help you.

  • Wireless Client Authentication issues when roaming Access Points (Local)

    I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
    There are a handful of clients that when roaming between AP's with the same SSID that get an authentication issue and have to restart the wireless to get back on.
    From Cisco ISE
    Event
    5400 Authentication failed
    Failure Reason
    11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Resolution
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Root cause
    While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    I am having a hard time figuring out what is causing this. My assumption is if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is if the client had a problem with their laptop (Windows 7) then why does it work at other times? So I have checked and the ISE certificate is trusted by the client.
    Is something happening that the previous access point is holding on to the mac and the return authentication traffic is going to the old AP instead of the new one or something like that which is corrupting the data?
    I also had this from Splunk for the same client:
    Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
     FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
    Any help on this would be appreciated. These error messages give me an idea but don't give me the exact answer to why the problem occurred and what needs to be done to fix it.
    Thanks

    Further detail From ISE for the failure:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    15049  Evaluating Policy Group
    15008  Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12301  Extracted EAP-Response/NAK requesting to use PEAP instead
    12300  Prepared EAP-Request proposing PEAP with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version 0
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12810  Prepared TLS ServerDone message
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11514  Unexpectedly received empty TLS message; treating as a rejection by the client
    12512  Treat the unexpected TLS acknowledge message as a rejection from the client
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject

  • Help me find the required Wireless Access point

    Dear Friends,
    I am in search of an access point with the specification below, so please let me know which model has these functionalities.
    . Wireless Access Point:
    * No of port should be 10Base-T/100Base-TX Ethernet
    * Standard should be IEEE 802.11g, IEEE802.11b, IEEE 802.3, IEEE 802.3u, IEEE 802.3af(PoE), 802.1q(VLAN) , 802.1X(Security authentication), 802.11i ready (Security WPA2), 802.11e ready (wireless QoS), 802.11F(Wireless roaming)
    * LEDs should be power, PoE, Wireless, Ethernet
    * Web Management should be built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
    * SNMP Support should be SNMP version 1, 2c, 3
    * Operation modes should be access point mode, point to point bridge mode, point to point multipoint bridge mode, repeater mode
    * External antennas should be 2 (omni directional) SMA detachable
    * Security should be WEP 64-bit/128-bit, WPA-PSK, WPA2-PSK, WPA-ENT, WPA2-ENT
    * Access Control should be wireless connection control: MAC-based
    * Wireless Security monitor should be Intrusion alarms(e.g. rogue client detected, spoofed MAC address) Denial-of-service alarms (e.g. duration attack, association table full) vulnerability alarms (e.g. access point is not using encryption, access point is broadcasting SSID)
    * Power should be 12V 1A DC input, and IEEE 802.3af compliant PoE. Maximum power draw should be 3.36W

    Hello Shekib,
    All you did was describe the WAP200.
    It fully fits in your description.
    Please check it and see with your eyes.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10047/ps10048/data_sheet_c78-501966.html
    I hope I helped you.
    Regards.
    Andrey Cassemiro.
