Bootup order on Cisco Aironet Access Points

Hello folks,
Could you please help me clarify the bootup order on Cisco Aironet Access Points?
Does the SNMP agent on the device start before the startup config is copied to the running config?
Because every time the Cisco Aironet Access Point restarts, an SNMP trap is generated from the admin-down WLAN interfaces (Dot11Radio1/Dot11Radio0) mentioning "Administratively down".
So my best assumption is that
Access point restarts -> SNMP engine starts -> Startup config is copied to running config -> Interface is made admin down -> SNMP trap is sent
Is that correct?
Please help!
Anup

The Clean Access Manager (CAM) manages out-of-band Clean Access Servers (CASs) and switches through the admin network. The trusted interface of the CAS connects to the admin/management network, and the untrusted interface of the CAS connects to the managed client network.
When a client connects to a managed port on a managed switch, the port is set to the authentication VLAN and the traffic to/from the client goes through the Clean Access Server. After the client is authenticated and certified through the Clean Access Server, the port connected to the client is changed to the access VLAN. Once on the access VLAN, traffic to and from certified clients bypasses the Clean Access Server.
In most OOB deployments (except L2 OOB Virtual Gateway where the Default Access VLAN is the Access VLAN in the Port profile), the client needs to acquire a different IP address from the Access VLAN after posture assessment.
For Real-IP/NAT-Gateway setup, the client port is bounced to prompt the client to acquire a new IP address from the admin/access VLAN.
The URL below describes the configuration steps needed to set up your OOB deployment:
• Configure Your Switches
• Configure OOB Switch Management in the CAM
• Configure Access to Authentication VLAN Change Detection
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAM/m_oob.html#wp1175744

Similar Messages

  • CISCO Aironet access point - not able to connect by user.

    Hi,
    I have a CISCO Aironet access point C1130 in my network, but users are not able to connect. I can see the logs below from the access point. Please help on this.
    Jun 13 17:50:10.686: RADIUS: no sg in radius-timers: ctx 0x10653F8 sg 0x0000         
    Jun 13 17:50:10.686: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247         
    Jun 13 17:50:15.678: RADIUS: no sg in radius-timers: ctx 0x10653F8 sg 0x0000         
    Jun 13 17:50:15.678: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247         
    Jun 13 17:50:20.544: RADIUS: no sg in radius-timers: ctx 0x10653F8 sg 0x0000         
    Jun 13 17:50:20.544: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247         
    Jun 13 17:50:24.832: RADIUS: no sg in radius-timers: ctx 0x10653F8 sg 0x0000         
    Jun 13 17:50:24.832: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247         
    Jun 13 17:50:29.741: RADIUS: no sg in radius-timers: ctx 0x10653F8 sg 0x0000         
    Jun 13 17:50:29.741: RADIUS: Fail-over denied to  (20.33.100.11:1645,1646) for id 1645/247         
    Jun 13 17:50:29.741: RADIUS: No response from (20.33.100.11:1645,1646) for id 1645/247         
    Jun 13 17:50:29.741: RADIUS/DECODE: No response from radius-server; parse response; FAIL         
    Jun 13 17:50:29.741: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL         
    Jun 13 17:50:29.741: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAILOVER_RETRY         
    Jun 13 17:50:29.742: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response         
    Jun 13 17:50:29.742: Client 5864.6c67.3718 failed: EAP reason 0         
    Jun 13 17:50:29.742: dot11_auth_dot1x_parse_aaa_resp: Failed client 5894.6b37.3518 with aaa_req_status_detail 0         
    Jun 13 17:50:29.742: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 5894.6b37.3518         
    Jun 13 17:50:29.742: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 5894.6b37.3518         
    Jun 13 17:50:29.742: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds         
    Jun 13 17:50:29.743: dot11_auth_dot1x_send_client_fail: Authentication failed for 5894.6b37.3518         
    Jun 13 17:50:29.743: %DOT11-7-AUTH_FAILED: Station 5894.6b37.3518 Authentication failed
    Regards,       

    Hi Niham,
    You can try a few things to troubleshoot this -
    1. Check the reachability of the RADIUS server from your WLC (ping).
    2. Verify the IP address of the RADIUS server configured on the WLC.
    3. WLC in the RADIUS server?
    4. Shared secret must be the same on the WLC and in the RADIUS server.
    Please do not forget to rate useful posts.
    Thanks
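
A triage pass over the debug output in this thread, as an added example that is not part of either post: it counts retransmits and timeouts per RADIUS server and request id, so a "no response" failure (the checks listed in the reply) is told apart from a credential problem. The sample lines are taken from the log quoted above; the function and field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the AP debug log quoted in the post above.
SAMPLE_LOG = """\
Jun 13 17:50:10.686: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247
Jun 13 17:50:15.678: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247
Jun 13 17:50:20.544: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247
Jun 13 17:50:24.832: RADIUS: Retransmit to (20.33.100.11:1645,1646) for id 1645/247
Jun 13 17:50:29.741: RADIUS: No response from (20.33.100.11:1645,1646) for id 1645/247
Jun 13 17:50:29.743: %DOT11-7-AUTH_FAILED: Station 5894.6b37.3518 Authentication failed
"""

# "(ip:auth_port,acct_port) for id <source_port>/<identifier>"
SERVER_EVENT = re.compile(
    r"RADIUS: (?P<event>Retransmit to|No response from) "
    r"\((?P<ip>\d+(?:\.\d+){3}):(?P<auth>\d+),(?P<acct>\d+)\) "
    r"for id (?P<id>\d+/\d+)"
)
AUTH_FAILED = re.compile(
    r"%DOT11-7-AUTH_FAILED: Station (?P<mac>[0-9a-f.]+) Authentication failed"
)


def triage(log_text):
    """Summarise RADIUS timeouts per server and list the stations that failed."""
    servers = defaultdict(
        lambda: {"retransmits": 0, "timed_out_ids": set(), "auth_port": None}
    )
    stations = set()
    for line in log_text.splitlines():
        m = SERVER_EVENT.search(line)
        if m:
            entry = servers[m["ip"]]
            entry["auth_port"] = int(m["auth"])
            if m["event"] == "Retransmit to":
                entry["retransmits"] += 1
            else:
                entry["timed_out_ids"].add(m["id"])
            continue
        m = AUTH_FAILED.search(line)
        if m:
            stations.add(m["mac"])

    report = {}
    for ip, entry in servers.items():
        report[ip] = {
            "retransmits": entry["retransmits"],
            "timed_out_ids": sorted(entry["timed_out_ids"]),
            "auth_port": entry["auth_port"],
            # 1645/1646 are the legacy RADIUS ports; the IANA-assigned ones are
            # 1812/1813, so confirm the server listens on the port the AP uses.
            "legacy_port": entry["auth_port"] == 1645,
            # A timeout means no usable reply reached the AP: look at the path,
            # server address/port, client entry and shared secret first.
            "verdict": "no_response" if entry["timed_out_ids"] else "retrying",
        }
    return {"servers": report, "failed_stations": sorted(stations)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
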

  • Cisco aironet access-point keep asking username/password

    Hi all,
    Some of my access-points (Light Weight) just keep asking username/passwords when accessed through web and clicked on any option available there. Any idea why that happens?
    Thanks in advance!
    Gaurav

    "Some of my access-points (Light Weight) just keep asking username/passwords when accessed through web and clicked on any option available there."
    You sure it's LWAP?  The reason why I'm asking because you would NOT be able to access an LWAP over HTML because it's LWAP.

  • Cisco 1230 access point a radio lightweight mode

    Will the Cisco 1230 access point work in lightweight mode if it is using an A radio?

    The 1230 can be upgraded to LWAPP with the A Radio model listed below;
    Solution Requirements
    Migration from autonomous access point mode to lightweight mode is possible on these Cisco Aironet access point platforms:
    All 1130AG access points
    All 1240 AG access points
    For all IOS-based 1200 series modular access point (1200/1220 Cisco IOS Software Upgrade, 1210 and **1230 AP**) platforms, it depends on the radio:
    if 802.11G, MP21G and MP31G are supported
    if 802.11A, RM21A and RM22A are supported
    The 1200 series access points can be upgraded with any combination of supported radios: G only, A only, or both G and A.
    All 1310 AG access points
    From this good doc;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html
    Hope this helps!
    Rob

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> assign him to a specific VLAN based on his groupship.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • Cisco 2602 Access Point - Support

    Dear Team,
    Could you please advise, if Cisco 2602 Access Point supports IPS and CleanAir along with Access Point feature or does it need to work as standalone to have these functions enabled ?
    Regards,
    SID 

    Might as well add my 2¢
    In order to have CleanAir, you need a WLC.  In order to do IPS (on wireless it's called wIPS), you need an MSE and NCS or Prime Infrastructure.
    A standalone access point (autonomous) is just a dumb AP and can't perform any of those functions:)
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Problem with Cisco 1240AG Access Points

    I have a Cisco 1240AG Access point (P/N: AIR-LAP1242AG-A-K9).
    It has come in the lightweight mode.
    I just want to know whether I can put it to the autonomous mode.

    Hi Indika,
    Here is a conversion method (look most of the way down the attached doc);
    Reverting the Access Point Back to Autonomous Mode
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
    You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
    Using a TFTP Server to Return to a Previous Release
    Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
    Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
    Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
    Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
    Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
    Step 5 Disconnect power from the access point.
    Step 6 Press and hold MODE while you reconnect power to the access point.
    Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
    Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
    Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
    From this doc;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
    Hope this helps!
    Rob

  • Any new firmware for the Cisco AP541N access points.

    Do you know if Cisco has come out with any new firmware for the Cisco AP541N access points.

    Latest release is 1.8.0 from Jan 25, 2010:
    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=1.8.0&mdfid=282790482&sftType=Small+Business+Pro+Wireless+Software&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+AP+541N+Wireless+Access+Point&treeMdfId=278875243&treeName=Wireless&modifmdfid=null&imname=&hybrid=null&imst=null&lr=Y

  • Cisco 1310 Access Point Rommon Mode

    Hello,
    So I have a Cisco 1310 Access Point that is in Rommon mode. I have the image on the access point but I did not use the archive download command to extract it. When I use the
    tar -xtract flash://c1310-k9w7-tar[1].124-25d.JA2.tar flash:
    command, it gets close to the end but doesn't finish, saying there isn't enough space. When I try to delete the file using delete flash://c1310-k9w7-tar[1].124-25d.JA2 it won't allow me, saying I do not have permission. I tried the rmdir command as well but had no luck. It won't allow me to use the tags /f /r for forceful and recursive; it doesn't recognize them. Anyone know how to delete a directory in rommon mode on the 1310 access point?
    Thanks

    The delete /recursive /force flash:/ is what I use.  You might try to delete these files also:
    ap:delete flash:private-config
    ap:delete flash:private-multiple-fs
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Configuring N channel on cisco 1252 Access Point

    Hi,
    Can someone help me for configuring N-Series band on Cisco 1252 Access Point in IOS Mode.
    Thanks
    Tabrez

    Firstly you need to use WPA2/AES or OPEN authentication.
    Cisco 802.11n Design and Deployment Guidelines
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns767/white_paper_80211n_design_and_deployment_guidelines.html

  • Cisco Wap300 access point

    I own a Cisco Wap300 access point. There are a PC, a netbook and a smartphone in my house. I want to connect these devices to my fiber internet line with the Cisco Wap300 access point. My modem brand and model is "ZTE - Zxhn H168N". This modem has 300 Mbps wireless connection speed. Which settings of the access point should I use for all my devices to work?
    I am using an Air 2310 wireless adaptor for the PC.
    I have a netbook and an HTC Wildfire S smartphone.

    Are you referring to this?:
    http://www.cisco.com/cisco/web/solutions/small_business/products/wireless/300_series_wireless_access...
    or this?:
    http://support.linksys.com/en-apac/support/accesspoints/WAP300N
    It's good if we identify the device first before we get the ball rolling.

  • PoE auto switchover with Cisco 1252 Access Point.

    Dear All
    I have a network for Managed Wireless using Cisco. This is a new network for me.
    I have a problem with the Cisco Access Point 1252. My APs are connected to a PoE switch. And the Cisco APs are also powered by a power adapter with UPS backup.
    But the problem is that if I disconnect the power source of the AP power adapter, the AP does not come up with PoE. PoE comes up only when the POWER PLUG of the AP ADAPTER is physically pulled out from the socket.
    The question is whether it is possible to make an automatic failover to PoE when the power source of the AP ADAPTER is down? I mean with no need to PULL OUT the POWER PLUG of the AP ADAPTER.
    Waiting for your reply.
    It is very urgent.
    Thanking You
    Subrun.

    Hi Suburn,
    1- Yes, it is possible to do failover without unplugging the cable of the AC adapter. When power on the AC adapter is off, then the failover happens.
    2- With regards to PoE, is your switch supporting enhanced PoE?
    Powering the Aironet 1250 Series Access Point with Cisco Enhanced PoE
    Cisco Enhanced PoE was designed for customers who want to install new PoE-enabled technologies that require greater than 15.4W per port to function at full capability, such as wireless technology based on the IEEE 802.11n standard. Cisco Enhanced PoE provides the full power requirements for dual-radio modules and eliminates the need to run an additional cabling drop or insert a separate power injector. Support for Enhanced PoE is currently available on a variety of Cisco Catalyst® switching platforms. For more information on Enhanced PoE, visit http://www.cisco.com/en/US/prod/switches/epoe.html.
    Serge

  • Strange VLAN issue on aironet access points

    I'm setting up some access points for WPA. I've run into a strange issue. The client VLAN (VLAN that the users will be put into) is 1, and the native VLAN is 10. The RADIUS server is in VLAN 1 (but I have a test RADIUS server in VLAN 10 as well). I can connect from the access point to a RADIUS server in either VLAN, and from the RADIUS servers to the access point as well. When I point to a RADIUS server in VLAN 10, authentication works fine. If I point to a RADIUS server that is located in VLAN 1, and I put the wireless clients in VLAN 10, it works fine. But for some reason when I have the RADIUS server and the clients in VLAN 1 and the native (BVI1) interface in VLAN 10, the authentication packets never seem to get to the RADIUS server. It is as if the authentication is being sourced out of the wrong VLAN. I can't find any docs to say that this isn't a supported configuration.

    Hi Shannon,
    have a look here:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#apconfig
    - - - Snipp - - -
    Significance of Native VLAN
    When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
    Note: If there is a mismatch in the native VLANs, the frames are dropped.
    This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
    - - - Snapp - - -
    Best regards,
    Frank
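
The native-VLAN behaviour quoted in this reply, as an added example that is not part of the post or of Cisco's document: it builds real 802.1Q frames and shows which VLAN the receiving trunk port assigns when the two ends disagree on the native VLAN (the VLAN 12 / VLAN 1 case from the quoted text). The MAC addresses, payload and function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed addresses and payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
ETHERTYPE_IPV4 = 0x0800
PAYLOAD = b"\x00" * 46


def egress(frame_vlan, port_native):
    """Trunk transmit: frames on the native VLAN leave untagged, others tagged."""
    header = DST + SRC
    if frame_vlan != port_native:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI left at 0.
        header += struct.pack("!HH", TPID_8021Q, frame_vlan & 0x0FFF)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD


def ingress_vlan(frame, port_native):
    """Trunk receive: a tagged frame keeps its VID, an untagged one is
    classified into the receiving port's own native VLAN."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        return tci & 0x0FFF
    return port_native


def vlan_seen_by_peer(frame_vlan, sender_native, receiver_native):
    """VLAN the receiver assigns to a frame the sender put on frame_vlan."""
    return ingress_vlan(egress(frame_vlan, sender_native), receiver_native)


if __name__ == "__main__":
    # AP native VLAN 1, switchport native VLAN 12 (the mismatch in the quote).
    print("AP VLAN 1  -> switch sees VLAN", vlan_seen_by_peer(1, 1, 12))
    print("AP VLAN 10 -> switch sees VLAN", vlan_seen_by_peer(10, 1, 12))
    print("switch VLAN 12 -> AP sees VLAN", vlan_seen_by_peer(12, 12, 1))
    # Matching native VLANs: the untagged frame stays in its VLAN.
    print("AP VLAN 1  -> switch sees VLAN", vlan_seen_by_peer(1, 1, 1))
```

Only the untagged (native) traffic is reclassified by the mismatch; tagged VLANs arrive intact, which is why the fault shows up on one VLAN and not the others.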

  • Mac mini not keeping connection with Cisco wireless access point

    I am trying to get my wife's Mac Mini to keep its connection with the wireless network at her school. They are using a Cisco access point (not sure of the model) which works fine with my G4 Powerbook and the numerous Macbooks being used there, but for some reason her Mac Mini drops the connection after 4 or 5 minutes, at which point she needs to log right off for it to reconnect (as opposed to just turning the card off and on again). I have already gone through the deletion of the Networkinterfaces.plist file, and recreation of the Airport card profile process, but this only kept the interface active for about 36 hours, then it was back to the same old problem. At this point I am thinking "flaky card"... before I ship it off to Apple, can anyone offer any other possible solutions?

    After spending time on the phone with an Apple support technician, he indicated that the iPhone has a compatibility problem with the WEP key encryption that the Cisco appliance uses. I find this disturbing, being that Cisco is the biggest in network gear. What's UP Apple? We need SP1 for the IPHONE!!!

  • IPhone will not sync with Cisco Wireless Access Point

    This is unbelievable, I just bought a $1000 phone and it won't sync with a Cisco AP. I can sync it with a DLINK? Is there a specific list of access points it will connect to? If so that's complete bullsh*(. Also, is there going to be a firmware update soon to fix these problems? Can you tell that I'm a little upset? I'm just saying that if someone spends $1000 on a phone it should be working pretty damn good. Anyway, can someone offer any suggestions?
    Upset iPhone user.

    After spending time on the phone with an Apple support technician, he indicated that the iPhone has a compatibility problem with the WEP key encryption that the Cisco appliance uses. I find this disturbing, being that Cisco is the biggest in network gear. What's UP Apple? We need SP1 for the IPHONE!!!
