Cisco 1310 problem

First, I want to apologize for my English.
I have a wireless network, which connects areas isolated by the sea.
One of the repeaters has connection problems.
There is a picture that illustrates my problem.
The repeater in red was installed recently. Because of the distances, a 1-watt amplifier was added to each TNC output.
The problem arises when the bridge that connects to the repeater begins to pass traffic on the network.
The repeater is disconnected, leaving the bridge and repeater offline.
We believe that the problem is caused by the fact that this link is at 12 meters above sea level. And we think that we could solve that problem by adding two amplifiers to the Master AP.
Any suggestions?

You did not include the config files for the 1310s. Did you set the distance parameter for the radio on the root bridge? For longer distances the AP needs to adjust the timeout values.
http://cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/command/reference/cr38main.html#wp2481270
Hope this helps.
Bill

Similar Messages

  • Connection loss of cisco 1310 bridge.

    Hi Experts,
    I have a Cisco 1310 bridge with IOS Version 12.3(7)JA5. Sometimes the bridges disconnect, showing the following error message.
    *Mar 1 01:22:21.856: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
    *Mar 1 01:22:22.115: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:26.414: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:26.484: %DOT11-6-ASSOC: Interface Dot11Radio0, Station SNUDH1BRIDGE 003a.99eb.cc00 Associated KEY_MGMT[NONE]
    *Mar 1 01:22:27.386: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:27.388: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
    *Mar 1 01:22:30.831: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:31.170: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:31.786: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:31.854: %DOT11-6-ASSOC: Interface Dot11Radio0, Station SNUDH1BRIDGE 003a.99eb.cc00 Associated KEY_MGMT[NONE]
    *Mar 1 01:22:33.277: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:33.279: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
    *Mar 1 01:22:35.760: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:36.456: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:37.264: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:37.356: %DOT11-6-ASSOC: Interface Dot11Radio0, Station SNUDH1BRIDGE 003a.99eb.cc00 Associated KEY_MGMT[NONE]
    *Mar 1 01:22:39.198: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:39.200: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
    *Mar 1 01:22:39.518: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:39.771: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:42.093: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    *Mar 1 01:22:43.580: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
    Once it is disassociated, I have to manually restart the bridges. How can I avoid manual restarting so that it would automatically associate after some time?
    Also, the time is getting changed after restarting. Please help me to solve these problems.
    Regards,
    naisam

    Hi,
    Following are the answers for your questions.
    How often does this happen ?
      This is happening two or three times a day, mostly in the evening when the data traffic is high.
    What is the distance between the bridges and RSSI ?
        Distance is near to 600 mtr and RSSI is continuously changing between -51 dBM to -75dBM
    Did this ever work without this issue or is this a new install ?
      This was installed one year ago as a backup to my fiber link. This problem started only recently.
    Thanks,
    Naisam
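An added example, not part of the original thread: a small parser for the %DOT11 syslog lines quoted above that counts association events per station, flags a station that associates and is dropped again within seconds, and notes when the association was made with KEY_MGMT[NONE] (no key management on the link). The function names and the thresholds (5 seconds, two short sessions) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Lines taken from the log quoted in the post above. The leading "*" is how IOS
# marks a clock that is not synchronised, so only relative times are used here.
SAMPLE_LOG = """\
*Mar 1 01:22:21.856: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
*Mar 1 01:22:22.115: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
*Mar 1 01:22:26.414: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
*Mar 1 01:22:26.484: %DOT11-6-ASSOC: Interface Dot11Radio0, Station SNUDH1BRIDGE 003a.99eb.cc00 Associated KEY_MGMT[NONE]
*Mar 1 01:22:27.386: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
*Mar 1 01:22:27.388: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
*Mar 1 01:22:30.831: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
*Mar 1 01:22:31.170: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
*Mar 1 01:22:31.786: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
*Mar 1 01:22:31.854: %DOT11-6-ASSOC: Interface Dot11Radio0, Station SNUDH1BRIDGE 003a.99eb.cc00 Associated KEY_MGMT[NONE]
*Mar 1 01:22:33.277: %DOT11-4-MAXRETRIES: Packet to client 003a.99eb.cc00 reached max retries, removing the client
*Mar 1 01:22:33.279: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 003a.99eb.cc00 Reason: Previous authentication no longer valid
"""

LINE_RE = re.compile(
    r"^\*?(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<ms>\d{3}):\s+"
    r"%DOT11-(?P<sev>\d)-(?P<event>[A-Z_]+):\s+(?P<text>.*)$"
)
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
KEY_RE = re.compile(r"KEY_MGMT\[([^\]]+)\]")


def parse(log_text):
    """Yield (time_ms, event, mac, key_mgmt) for each %DOT11 line naming a station."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a %DOT11 message
        mac = MAC_RE.search(m["text"])
        if not mac:
            continue  # message does not name a station
        # Day and time of day folded into milliseconds; the month is ignored.
        secs = ((int(m["day"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
        key = KEY_RE.search(m["text"])
        yield secs * 1000 + int(m["ms"]), m["event"], mac.group().lower(), key.group(1) if key else None


def summarize(log_text, max_session_ms=5000, min_short_sessions=2):
    """Per-station counters plus 'flapping' and 'unprotected' flags."""
    stats = defaultdict(lambda: {"assoc": 0, "disassoc": 0, "maxretries": 0,
                                 "sessions_ms": [], "key_mgmt": set()})
    open_since = {}  # mac -> time of the association that is still open
    for t, event, mac, key in parse(log_text):
        s = stats[mac]
        if event == "ASSOC":
            s["assoc"] += 1
            open_since[mac] = t
            if key:
                s["key_mgmt"].add(key)
        elif event == "DISASSOC":
            s["disassoc"] += 1
            if mac in open_since:  # a DISASSOC with no ASSOC seen first has no duration
                s["sessions_ms"].append(t - open_since.pop(mac))
        elif event == "MAXRETRIES":
            s["maxretries"] += 1
    for s in stats.values():
        short = [d for d in s["sessions_ms"] if d <= max_session_ms]
        s["flapping"] = len(short) >= min_short_sessions
        s["unprotected"] = "NONE" in s["key_mgmt"]
    return dict(stats)


if __name__ == "__main__":
    for mac, s in summarize(SAMPLE_LOG).items():
        print(mac, s)
```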

  • Firmware crash on cisco 1310 Bridge while upgrade to higher version

    Dear experts,
    My Cisco 1310 bridge's old firmware C1310-K9W7-tar.123-8.jea3 crashed while I tried to upgrade to the higher version C1310.K9W7-tar.124.10b.jda2 via HTTP service upgrade. Any advice on how to get the firmware back?
    rgds,
    woo.

    It appears that you are assigning IP address properly. For some reason we are not getting a response from TFTP server. This is typically one of 2 things:
    1. Firewall on the TFTP server workstation
    2. Connectivity issue between AP and TFTP server
    I would check firewall settings on the TFTP workstation. Are you connecting the AP to the workstation directly or through a switch? If it is through a switch, you could plugin a different workstation to the AP switchport to make sure it could reach the server as well.
    -Pat

  • Cisco 1310 point to point encryption?

    Howdy.
    We have two Cisco 1310 devices working currently in point to point mode. I have a couple of questions regards this..
    1. What is the best method to encrypt the point to point links between the two? We would like to use local passwords for this.
    2. We have two point to point links on each device. Would we be able to configure one link for encryption without dropping our connection to that device and then configure the second one?
    3. Is there any sample guide for point to point encryption?
    Many thanks..
    Taff.

    1. What is the best method to encrypt the point to point links  between the two? We would like to use local passwords for this.
    ANS - We can use Ciphers TKIP as the encryption and WPA-PSK as the authentication.
    2.  We have two point to point links on each device. Would we be able to  configure one link for encryption without dropping our connection to  that device and then configure the second one?
    ANS - I request you to brief me out on "we have 2 P2P on each device" does this mean we have 2 SSID configured??
    3. Is there any  sample guide for point to point encryption?
    https://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#pers
    Regards
    Surendra

  • Cisco 1310 Access Point Rommon Mode

    Hello,
    So I have a Cisco 1310 Access Point that is in Rommon mode. I have the image on the Access point but I did not use the archive download command to extract it. When I use the
    tar -xtract flash://c1310-k9w7-tar[1].124-25d.JA2.tar flash:
    command it gets close to the end but doesn't finish, saying there isn't enough space. When I try to delete the file using delete flash://c1310-k9w7-tar[1].124-25d.JA2 it won't allow me, saying I do not have permission. I tried the rmdir command as well but had no luck. It won't allow me to use the tags /f /r for forceful and recursive; it doesn't recognize them. Anyone know how to delete a directory in rommon mode on the 1310 access point?
    Thanks

    The delete /recursive /force flash:/ is what I use.  You might try to delete these files also:
    ap: delete flash:private-config
    ap: delete flash:private-multiple-fs
    Thanks,
    Scott

  • Cisco 1310

    Greetings...
    I am trying to setup two Cisco 1310 bridges (AIR-BR1310G-A-K9-R) for connectivity between two buildings.  No external antennas have been setup yet and I am just setting the basic configuration.
    One is running c1310-k9w7-mx.123-8.JEA3, the other c1310-k9w7-mx.123-7.JA1…
    I have one setup as a root-bridge, the other as a non-root bridge.
    However, even after disabling authentication and encryption, both units are still not talking to each other.  Arghhh....
    Maybe a second set of eyes can see an issue?  Thanks in advance.
    Root Bridge:
    no aaa new-model
    dot11 ssid GPRM
       authentication open
       infrastructure-ssid
    username Cisco password 7 096F471A1A0A
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid GPRM
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    power local cck 20
    power local ofdm 20
    power client 20
    station-role root bridge
    distance 1
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 192.168.0.31 255.255.255.0
    no ip route-cache
    control-plane
    bridge 1 route ip
    Non-Root Bridge:
    no aaa new-model
    dot11 ssid GPRM
       authentication open
       infrastructure-ssid
    username Cisco password 7 02250D480809
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid GPRM
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    no power client local
    power client 20
    power local cck 20
    power local ofdm 20
    station-role non-root bridge
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    hold-queue 80 in
    interface BVI1
    ip address 192.168.0.32 255.255.255.0
    no ip route-cache
    control-plane
    bridge 1 route ip
    Thanks for any suggestions....
    Joe

    Joe:
    The no response in the logs means that the non-root bridge did not reply to the root at all.
    Try to remove the "distance 1" command as well. This 1 means 1 Km. It should not have a big effect anyway, but remove it if you are not using the bridges at 1+ Km distance.
    Try to use Dot11radio1 (802.11a) to test whether bridging works or not.
    Also, you can try exchanging the roles (root, non-root) between the two devices and check further.
    Successful association should be seen by the command:
    show dot11 associations
    I hope that after you get both bridges on the same version they will successfully associate.
    Good luck.
    Amjad

  • Cisco 1310 Roam Settings

    I am trying to optimize my roam settings on a Cisco 1310 operating in WGB mode.  The WGB will roam around and connect to various 1310s configured in LAP mode.
    There are some optional settings that can be set including changing the beacon retries, data retries and also the RSSI level to force the WGB to roam if the RSSI reaches a certain level.
    Does anyone know of any issues with these settings? For instance, I run my network at 9Mbps and want to force a roam when the RSSI reaches -77dB or worse.
    Is it better to force this parameter or to just use default Cisco settings?
    Thanks for any help you can provide.  Cisco does detail the changes you can make but they don't go into much detail about the reasons for making changes to these options.
    James

    It depends a lot on the moving speed of the device. We've seen 10km/h WGBs and 80km/h WGBs mounted on trains.
    It also depends on the coverage density. I never saw 2 situations where the same settings would work. It's more like a "try and see if it gives good results".

  • Cisco 1310 used as Bridge: Option for integration to WLC or WCS

    What is the best management option for the Cisco 1310 being used as an Autonomous Bridge (pairs: Root and Non-Root). We want to manage and have some reporting back into the WCS.

    WCS 6.0 configuration guide says that only AP1130, 1200, 1240, 1310 Bridge are supported.
    The autonomous to lightweight migration support feature provides a common application (WCS) from which you can perform basic monitoring of autonomous access points along with current lightweight access points. The following autonomous access points are supported:
    * Cisco Aironet 1130 Access Point
    * Cisco Aironet 1200 Access Point
    * Cisco Aironet 1240 Access Point
    * Cisco Aironet 1310 Bridge

  • Remote Access VPN on Cisco ASA Problem

    Hi, I configured remote access VPN on Cisco ASA 8.x as per the configuration below.
    The problem is that my internet has stopped working, and the default route is just showing stars.
    I can ping internal server 10.110.10.150 fine, which I allowed on the VPN ACL, but my other traffic is not going to the regular internet on my laptop.
    What additional configuration is required to force my internet traffic to go to the regular internet instead of getting encrypted?
    Also attaching the output of route print at the point when the VPN is connected.
    ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
    crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
    crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
    crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
    crypto map VPN_MAP interface outside
    isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    tunnel-group ITT_RA type remote-access
    tunnel-group ITT_RA general-attributes
    address-pool RA_VPN_POOL
    default-group-policy RA_VPN_GP
    tunnel-group ITT_RA ipsec-attributes
    pre-shared-key <group key>
    group-policy RA_VPN_GP internal
    group-policy RA_VPN_GP attributes
    dns-server value 10.0.0.1 10.0.0.2
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value mydomain.com
    address-pools value RA_VPN_POOL
    access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
    access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
    nat (inside) 0 access-list nonattest
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
              0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
           10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
         10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
         10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
        10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
          10.111.36.0    255.255.255.0         On-link       10.111.36.9    276
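An added example, not part of the original post: it applies the usual route selection rule (longest matching prefix first, then lowest metric) to the `route print` output quoted above, to check which destinations would leave through the VPN adapter while the tunnel is up. The function names are assumptions, and 198.51.100.7 is a documentation address standing in for an arbitrary internet host.

```python
import ipaddress

# Route table copied from the `route print` output in the post above.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
          0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
       10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
     10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
     10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
    10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
      10.111.36.0    255.255.255.0         On-link       10.111.36.9    276
"""
VPN_ADAPTER = "10.1.200.100"  # client address handed out from RA_VPN_POOL in the post


def parse_routes(text):
    """Turn the 'Active Routes' rows into dicts; header and ruler lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
        except ValueError:
            continue
        routes.append({"net": net, "gateway": fields[2],
                       "interface": fields[3], "metric": int(fields[4])})
    return routes


def select_route(routes, dest):
    """Pick the route used for dest: longest prefix wins, metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def via_tunnel(routes, dest, vpn_adapter=VPN_ADAPTER):
    """True when traffic to dest would leave through the VPN adapter."""
    route = select_route(routes, dest)
    return route is not None and route["interface"] == vpn_adapter


def default_routes(routes):
    """All 0.0.0.0/0 entries, preferred one first."""
    return sorted((r for r in routes if r["net"].prefixlen == 0),
                  key=lambda r: r["metric"])


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for r in default_routes(table):
        print("default via", r["interface"], "metric", r["metric"])
    for dest in ("198.51.100.7", "10.110.10.150", "10.111.36.20"):
        print(dest, "-> tunnel" if via_tunnel(table, dest) else "-> local")
```

With this table the preferred default route is the metric-20 entry on the VPN adapter, so every destination without a more specific route is sent into the tunnel.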


  • Cisco 3905 problem / remote site

    Hi all!
    Information:
    I have CUCM 8.6.2.20000-2 and many Cisco IP Phone 3905 (SIP). Some of them deployed in central office and some in remote sites.
    Phone information:
    Boot Version: 3905.0-0-0-01-01
    DSP Version: 12.0.0.8
    Application: 3905.9-2-2-0
    Symptoms:
    In remote sites only!
    The phone is registered and working fine. However, after a few hours in idle state I lift the handset, dial any number and nothing happens. I drop the call and try again 2-3 times. After that either the call passes or I get a permanent busy tone (need to reboot the phone to make it work again).
    The phone is marked as registered on CUCM and I hear a dial tone when I lift the handset.
    I cannot collect debug messages from phones, because as soon as I log in via telnet it starts working fine.
    There is no such problem in central office.
    Phones print following messages in terminal all the time:
    17:07:10:302 x [CENTRAL] CDP/LLDP-MED CB function is called
    17:07:26:491   [sip]  03:58:24.490    pjsua_acc.c  SIP outbound status for acc 0 is not active
    17:07:26:495   [sip]  03:58:24.494    pjsua_acc.c  "п°п╦я┘п╟п╦п╩ п я┐пЇя▄п╪п╦пҐ"<sip:[email protected]:5060>: registration success, status=200 (OK              ), will re-register in 120 seconds
    17:07:26:502   [sip]  03:58:24.500         pjcu.c  pjcu_on_reg_state2(), Account["п°п╦я┘п╟п╦п╩ п я┐пЇя▄п╪п╦пҐ"<sip:[email protected]:5060>] : OK,               status=200
    17:07:26:506 x [pcu] pcuRcvHandler(CALL), SRV_EV, eid=0, cid=65535,
    17:07:26:510 x [pcu] [pcux_insrv_cb():7071] CUCM_DateTime:Mon, 27 May 2013 11:07:26 GMT
    17:07:26:511 x [pcu] Sync time from server: Mon, 27 May 2013 11:07:26 GMT
    17:07:26:515 x [pcu] [set_svr_type][1599] Bfe active_server_idx=0, serverType=0
    17:07:26:515 x [pcu] [set_svr_type][1602] Aft  serverType=0, Server Number=2
    17:07:26:531   [ipps] ----- PCU: CC_SRV, pid=0, eid=0, cid=65535 -----
    17:07:26:532   [ipps] In func: remoteNtyEvtProcess(), lib = 0, cid = 65535, ntyEv = 0
    17:07:26:533 f [ipps] In func: remoteNtyEvtProcess(), recv inservice nty, svrType = 0, cause = 0
    17:07:26:534 f [MMI] <RCV>: In func: ui_nty(), lid = 0, cid = 65535, ntyEv = 0
    17:07:26:535 x [CENTRAL] IPPS CB function(RegStatus) is called (1) with Line (0)
    17:07:26:536 f [ipps] In func: mlcu_isKpmlEnabled(), KPML value = 3, blRet = 1
    17:07:26:537 x [CENTRAL] Enter FSM: State(STANDBY) | Event(REGISTER_OK) | Cause(0)
    17:07:26:540 x [CENTRAL] Unexpected event REGISTER_OK (cause=0) at STANDBY state
    17:07:26:541 x [CENTRAL] Waiting event in STANDBY
    17:07:58:990 x [CENTRAL] CDP/LLDP-MED CB function is called
    17:08:39:022   [sip]  03:59:37.021         pjcu.c  pjcuRcvHandler(KA), KA_REQUEST, eid=-1, p1=192.168.70.1:5060
    17:08:39:040   [sip]  03:59:37.036         pjcu.c  pjcu_rpt_ka_status(), target(192.168.70.1:5060): status=1, id=27
    17:08:39:044 x [pcu] pcuRcvHandler(KA), KA_RESPONSE, eid=0, addr=192.168.70.1:5060, status=1
    17:08:39:050 x [pcu] [pcu_polling_sipserver_thread():1478] mark!
    17:08:54:130 x [CENTRAL] CDP/LLDP-MED CB function is called
    Thanks for your help.

    There are 2 versions of firmware on cisco.com. cmterm-3905.9-2-1-0 is the default firmware going with CUCM 8.6.2.20000-2 for 3905 phones and cmterm-3905.9-2-2-0 I've installed recently. Both versions of firmware have the same problems.
    Some new information. I got a traffic dump with Wireshark.
    INVITE sip:[email protected]:5060;transport=tcp SIP/2.0
    Via: SIP/2.0/TCP 192.168.70.86:3457;rport;branch=z9hG4bKPjdp3HjFLs7Dy03RL9ce.16qung.tOq5O3
    Max-Forwards: 70
    From: "............ .............." ;tag=5a25b465-747b-4c31-a020-1a9636827427
    To: sip:[email protected]
    Contact: ;+sip.instance="";+u.sip!devicename.ccm.cisco.com="SEP10BD18DD3F59";+u.sip!model.ccm.cisco.com="592"
    Call-ID: e9edcc43-6a9b-42b8-8efc-99f702b313d1
    CSeq: 28324 INVITE
    Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
    User-Agent: Cisco-CP3905/9.2.1
    Supported: replaces,join,sdp-anat,norefersub,extended-refer,X-cisco-callinfo,X-cisco-serviceuri,X-cisco-escapecodes,X-cisco-service-control,X-cisco-monrec,X-cisco-config,X-cisco-sis-4.0.0,X-cisco-xsi-7.0.1
    Expires: 900
    Accept: application/sdp
    Allow-Events: kpml,dialog
    Remote-Party-ID: "............ ..............";privacy=off
    Content-Type: application/sdp
    Content-Length:   294
    As you can see phone trying to invite [email protected]:5060, BUT I dial 7103 DN from 7102. So where are other numbers? Bug?

  • 10.4.8 and Cisco/VPN problem solved

    Hi,
    This and related issues have arisen in threads on the past month, regarding the Cisco VPN v 4.9005 (and perhaps other VPN software) not working the same after the 10.4.8 upgrade. The problems relate to either not making a VPN connection, or data transfer after the successful connection is made, once the upgrade happened.
    The workaround was to run the Network Setup Assistant every time to do the connection properly before launching the VPN. But this is a pain.
    The eventual solution was simple, although effecting it was not straightforward. It was necessary to do a clean install of the VPN client. This is something that I could not accomplish manually, despite suggestions from the discussion group as to which files to remove, because it was difficult to find all the files that the install put in. But, at least on my machines, it could be done by command line in Terminal - cd to /usr/local/bin, ls vpn_uninstall to see if it is there, and if so, sudo ./vpn_uninstall.
    I don't know if other machines can do this or if this was part of our local IT install, but IT WORKED. I AM FREE!
    Wayne

    that's odd....
    I'm running cisco client 4.6.04 on OS X 10.4.8 and VNC without any problems...
    the only difference is my radius server is an NT box, but I can AFP and VNC to my Mac on that network.

  • New 2.4 Macbook and Cisco VPN problems?

    Is anyone else using the new MacBook Pro's with Cisco VPN? I cannot get the software to work, I get an error 51 "unable to connect to VPN subsystem" at every launch. I've uninstalled and reinstalled the Cisco software, I'm using the latest VPN 4.9. I've got a 2.3 MacBook Pro sitting right next to it, and it runs the Cisco software fine. Something with the Santa Rosa set? Any help would be greatly appreciated. I have no other network issues. All the software is up to date, system, Cisco, etc. Thanks...

    Fixed my own problem, appears it's Parallels related, after I reinstalled the new parallels 3.0, cisco started working fine. Whew....;-) Hope this helps others.

  • AD Machine Authentication with Cisco ISE problem

    Hi Experts,
    I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
    Authentication policy:
    Allowed protocol = PEAP & TLS
    Authorization Policy:
    Condition for computer to be checked in external identity store (AD) = Permit access
    Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
    All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
    Switchport configuration:
    ===============================================
    ip access-list extended ACL-DEFAULT
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit ip any host (AD)
    permit icmp any any
    permit ip any host (ISE-1)
    permit ip any host  (ISE-2)
    permit udp any host (CUCM-1) eq tftp
    permit udp any host (CUCM-2)eq tftp
    deny ip any any
    ===============================================
    switchport config
    ===============================================
    Switchport Access vlan 10
    switchport mode access
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    authentication open
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 100
    ====================================================
    One more problem about the "authentication open" and default ACL. Once the authentication succeeds, a per-user ACL is pushed through ISE to the switch. The default ACL still blocks communication on this switchport.
    Your help will be highly appreciated.
    Regards,

    You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication, causing the switch to fail to MAB. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing, could be something in the policy. Make sure your AD setup has machine authentication checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
    I've also seen this happen when clients want to use EAP-TLS on the wired, machine passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure the switchport kicks over to MAB.
    I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstation policy, if machine and user pass then corp policy.

  • Cisco 3550 Problem

    I have a number of C3550 switches in the field and one of them seems to have a problem showing Interface statistics on some fast Ethernet ports.
    Most ports are running at 100Meg Full-duplex, but some fail to show any "5 minute rate" stats when I do a show interface command. You can only determine the data rate throughput by doing successive show int commands at set time intervals and counting the difference in the total packets received/transmitted sections.
    Has anyone seen this elsewhere? Is this a known problem? I can't see any reference to this as a problem on TAC.
    The IOS version is 12.1(13)EA1a

    There was a known issue for interfaces with low rate of pps(<40 pps) because of the way the counter is implemented. Look at the following bug which is in a Closed state(not resolved)
    http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdz06305
    Change the load-interval to 30 seconds and see if this makes any difference.

  • Cisco IOS problem

    I have this error when I start my router
    System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
    Copyright (c) 2003 by cisco Systems, Inc.
    Bad RAM at location 0x00000000: wrote 0x00000000, read 0x00000400
    Which is the problem? How can I fix it?

    RAM is creating the problem, or you can say that it is not compatible. Just change your RAM. (If 2 RAMs are placed in the router, then unplug the RAM 1 by 1: unplug the 1st RAM and check, then place the 1st RAM back and unplug the 2nd RAM and then check.)
    I'm sure your problem will be solved.
    Hope this will help you.
    If yes then rate this article.
