Cisco Security Advisory: Access Point Memory Exhaustion from ARP Attacks

Similar Messages

• Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service

  Hello,
  Question regarding the work around for the recent Cisco Security Advisory (cisco-sa-20070124). The link to this advisory is here:http://www.cisco.com/en/US/customer/products/products_security_advisory09186a00807cb0e4.shtml#vuln
  The work around says to create an access-list for example:
  access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
  So trusted_hosts, is that the hosts on my network?
  Infrastructure_addresses, is this my routers
  I'm not sure what they are saying here. If anyone could shed some light, that would be great
  Thanks
  Mike

  Pretty close. Trusted hosts SHOULD be hosts that are A.,trusted and B., require access to those devices. So as an example "TRUSTES_HOSTS" could be management stations, admin desktops, or whatever is required to have access and you is "trusted". Ideally infrastructure address space should only be reachable from trusted users that need access and no one else. Infrastructure space would likely include addresses for routers, firewalls, switches , authentication servers, monitoring servers, basically anything that makes the network run and keeps it alive. Hope this helps.

• Cisco 1142 Wireless access point intermittently will not authenticate

  Hi all,
  We have a Cisco 1142 standalone access point, and from time to time I will come into the office and it will not authenticate any users to either our guest or corporate networks. I then have to go in and reboot the access point. After that, it begins to work. Any advice? Here's my configuration below:
  Current configuration : 6450 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname cisco-chiap01
  logging monitor errors
  enable secret 5 $1$fsD8$CU42/3/Up5AAlL4hQWvvg0
  aaa new-model
  aaa group server radius rad_eap
   server 172.17.16.12 auth-port 1645 acct-port 1646
   server 172.17.21.10 auth-port 1812 acct-port 1813
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
   server 172.17.21.10 auth-port 1812 acct-port 1813
  aaa group server radius rad_eap2
   server 172.17.16.12 auth-port 1645 acct-port 1646
   server 172.17.21.10 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authentication login eap_methods2 group rad_eap2
  aaa authorization exec default local 
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  login on-failure log
  login on-success log
  dot11 syslog
  dot11 vlan-name Admin vlan 100
  dot11 vlan-name DevNetwork vlan 20
  dot11 vlan-name Guest vlan 150
  dot11 vlan-name Network vlan 16
  dot11 ssid DevNetwork
     vlan 20
     authentication open eap eap_methods2 
     authentication network-eap eap_methods2 
     authentication key-management wpa version 2
  dot11 ssid Guest
     vlan 150
     authentication open 
     authentication key-management wpa version 2
     guest-mode
     mbssid guest-mode
     wpa-psk ascii 7 142407060101380B013A3A2670435642
     information-element ssidl advertisement
  dot11 ssid Network
     vlan 16
     authentication open eap eap_methods2 
     authentication network-eap eap_methods2 
     authentication key-management wpa version 2
  username monkeyman privilege 15 secret 5 $1$ZZ7C$rqimu2FNONdfeacMNGAD/.
  bridge irb
  interface Dot11Radio0
   no ip address
   ip helper-address 172.17.19.10
   no ip route-cache
   encryption mode ciphers aes-ccm 
   encryption vlan 16 mode ciphers aes-ccm 
   encryption vlan 150 mode ciphers aes-ccm 
   encryption vlan 20 mode ciphers aes-ccm 
   ssid DevNetwork
   ssid Guest
   ssid Network
   antenna gain 0
   parent timeout 120
   speed  5.5 11.0 basic-6.0 9.0 12.0 36.0 48.0 54.0
   packet retries 128 drop-packet
   channel 2462
   station-role root
   rts threshold 512
   rts retries 128
  interface Dot11Radio0.11
   encapsulation dot1Q 11
   no ip route-cache
  interface Dot11Radio0.16
   encapsulation dot1Q 16 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio0.20
   encapsulation dot1Q 20
   no ip route-cache
   bridge-group 20
   bridge-group 20 subscriber-loop-control
   bridge-group 20 block-unknown-source
   no bridge-group 20 source-learning
   no bridge-group 20 unicast-flooding
   bridge-group 20 spanning-disabled
  interface Dot11Radio0.150
   encapsulation dot1Q 150
   no ip route-cache
   bridge-group 150
   bridge-group 150 subscriber-loop-control
   bridge-group 150 block-unknown-source
   no bridge-group 150 source-learning
   no bridge-group 150 unicast-flooding
   bridge-group 150 spanning-disabled
  interface Dot11Radio1
   no ip address
   ip helper-address 172.17.19.10
   no ip route-cache
   encryption vlan 16 mode ciphers aes-ccm 
   encryption vlan 150 mode ciphers aes-ccm 
   encryption vlan 20 mode ciphers aes-ccm 
   ssid DevNetwork
   ssid Guest
   ssid Network
   antenna gain 0
   traffic-metrics aggregate-report
   dfs band 3 block
   mbssid
   parent timeout 120
   speed  6.0 12.0 basic-24.0 36.0 48.0 54.0
   channel width 40-above
   channel dfs
   station-role root access-point
  interface Dot11Radio1.11
   encapsulation dot1Q 11
   no ip route-cache
  interface Dot11Radio1.16
   encapsulation dot1Q 16 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio1.20
   encapsulation dot1Q 20
   no ip route-cache
   bridge-group 20
   bridge-group 20 subscriber-loop-control
   bridge-group 20 block-unknown-source
   no bridge-group 20 source-learning
   no bridge-group 20 unicast-flooding
   bridge-group 20 spanning-disabled
  interface Dot11Radio1.150
   encapsulation dot1Q 150
   no ip route-cache
   bridge-group 150
   bridge-group 150 subscriber-loop-control
   bridge-group 150 block-unknown-source
   no bridge-group 150 source-learning
   no bridge-group 150 unicast-flooding
   bridge-group 150 spanning-disabled
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   no keepalive
  interface GigabitEthernet0.11
   encapsulation dot1Q 11
   no ip route-cache
  interface GigabitEthernet0.16
   encapsulation dot1Q 16 native
   no ip route-cache
   bridge-group 1
   no bridge-group 1 source-learning
   bridge-group 1 spanning-disabled
  interface GigabitEthernet0.20
   encapsulation dot1Q 20
   no ip route-cache
   bridge-group 20
   no bridge-group 20 source-learning
   bridge-group 20 spanning-disabled
  interface GigabitEthernet0.100
   encapsulation dot1Q 100
   ip address 192.168.100.3 255.255.255.0
   no ip route-cache
   bridge-group 100
   no bridge-group 100 source-learning
   bridge-group 100 spanning-disabled
  interface GigabitEthernet0.150
   encapsulation dot1Q 150
   no ip route-cache
   bridge-group 150
   no bridge-group 150 source-learning
   bridge-group 150 spanning-disabled
  interface BVI1
   ip address 172.17.16.251 255.255.255.0
   no ip route-cache
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface GigabitEthernet0 
  access-list 1 permit 172.17.16.1
  access-list 1 remark Admin network access
  access-list 1 permit 192.168.100.0 0.0.0.255
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 172.17.21.10 auth-port 1812 acct-port 1813 key 7 047958071C3561410D4A44
  radius-server host 172.17.16.12 auth-port 1645 acct-port 1646 key 7 08045E471A48574446
  radius-server host 172.17.21.10 auth-port 1645 acct-port 1646 key 7 1320051B185D56797F
  radius-server timeout 15
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
   access-class 1 in
  end

  When the issue occurs does that affect both 2.4GHz & 5GHz devices ? I would see which band operating devices affected.
  I noticed you have set CH11 under Radio 0 statically.  I would prefer to configure it as below so AP can change the channel depend on the environment.
  int d0
  channel least-congested
  HTH
  Rasika
  **** Pls rate all useful responses ****

• IPhone4 and Cisco Aironet 1141 access point - fail using WPAv2 Personal

  I cannot get my iPhone4 (latest s/w) to connect to a Cisco Aironet 1141 access point if I specify WPAv2 Personal. It is a single access point without radius etc. I have no problems connecting using "no security", WEP or WPAv1. Is there a problem with the iPhone4 implementation of WPA2 as all my other PCs connect just fine on WPAv2?
  With the Aironet 1141 I can switch security between WPAv1 & WPAv2 while keeping all other settings identical. Thus I can clearly demonstrate how the iPhone4 connects when both devices are set to WPAv1 yet will fail to connect when I switch both to WPAv2. As I have said, all other PCs I have connect via WPAv2 without any issues.

  I cannot get my iPhone4 (latest s/w) to connect to a Cisco Aironet 1141 access point if I specify WPAv2 Personal. It is a single access point without radius etc. I have no problems connecting using "no security", WEP or WPAv1. Is there a problem with the iPhone4 implementation of WPA2 as all my other PCs connect just fine on WPAv2?
  With the Aironet 1141 I can switch security between WPAv1 & WPAv2 while keeping all other settings identical. Thus I can clearly demonstrate how the iPhone4 connects when both devices are set to WPAv1 yet will fail to connect when I switch both to WPAv2. As I have said, all other PCs I have connect via WPAv2 without any issues.

• Configuring Cisco Aironet 1100 Access Point. Please help!

  Hi all,
  I have dozens of Cisco Aironet 1100 access points, each is managing its own wi-fi with DHCP.
  I had to disable dhcp on them because they are on a wired subnet where I am using the static IPs and don't want my wired clients to get DHCP addresses, nor someone to be able to plug the wire into own laptop and get on the network.
  It's been working fine with one exception - I need to be able to ping my access points from the central site, and I can't.
  What IOS command would enable ICMP echo on my access points in this case?
  Please help!

  Hi all,
  I have dozens of Cisco Aironet 1100 access points, each is managing its own wi-fi with DHCP.
  I had to disable dhcp on them because they are on a wired subnet where I am using the static IPs and don't want my wired clients to get DHCP addresses, nor someone to be able to plug the wire into own laptop and get on the network.
  It's been working fine with one exception - I need to be able to ping my access points from the central site, and I can't.
  What IOS command would enable ICMP echo on my access points in this case?
  Please help!

• Cisco Security Advisory: OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products

  Hello Experts,
  I need to rule out that we have affected openSSL version 1.0.1 running on our devices. I need to know what is the version of openSSL that is current on the following platforms:
  Cisco PIX
  Cisco FWSM
  Cisco ISR
  Cisco VPN Concentrator
  I know ASA runs 0.9.8f and I know that PIX and Concentrator are very old, and they might run an older version, however for a security assessment I need to rule those out too.
  Does anyone know what is the version for these platforms?
  Thanks in advance.

  The definitive source is and will continue to be the Cisco Security Advisory. It has already been updated several times today. Please keep checking back to it at the following URL:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
  That said, the Pix and VPN Concentrator development and code release ended prior to the release of openssl with the vulnerability so I would hazard an educated guess that you won't have any problems with respect to this particular vulnerability. THAT said, if you're concerned about security vulnerabilities why are you running products with associated code that has not had other documented bugs and vulnerabilities patched for at least several years?
  The ISR G2 will almost certainly depend on the IOS level and whether you are using any of the ssl-related features.

• Java.security.AccessControlException: access denied when loading from a jar

  Hello!
  I am trying to deploy an applet into a browser but I have encountered a security problem.
  The name of the applet is SWTInBrowser(not exactly mine, it's an example from the web).
  package my.applet;
  import org.eclipse.swt.awt.SWT_AWT;
  import java.applet.Applet;
  import java.awt.event.ActionListener;
  import java.awt.event.ActionEvent;
  import java.awt.Canvas;
  import org.eclipse.swt.widgets.Shell;
  import org.eclipse.swt.widgets.Display;
  import org.eclipse.swt.SWT;
  import org.eclipse.swt.widgets.Listener;
  import org.eclipse.swt.widgets.Event;
  import org.eclipse.swt.graphics.Point;
  import org.eclipse.swt.layout.FillLayout;
  public class SWTInBrowser extends Applet implements Runnable{
       public void init () {
             /* Create Example AWT and Swing widgets */
             java.awt.Button awtButton = new java.awt.Button("AWT Button");
             add(awtButton);
             awtButton.addActionListener(new ActionListener () {
              public void actionPerformed (ActionEvent event) {
               showStatus ("AWT Button Selected");
             javax.swing.JButton jButton = new javax.swing.JButton("Swing Button");
             add(jButton);
             jButton.addActionListener(new ActionListener () {
              public void actionPerformed (ActionEvent event) {
               showStatus ("Swing Button Selected");
             Thread swtUIThread = new Thread (this);
             swtUIThread.start ();
            public void run() {
             /* Create an SWT Composite from an AWT canvas to be the parent of the SWT
            widgets.
              * The AWT Canvas will be layed out by the Applet layout manager.  The
            layout of the
              * SWT widgets is handled by the application (see below).
             Canvas awtParent = new Canvas();
             add(awtParent);
             Display display = new Display();
             Shell swtParent = SWT_AWT.new_Shell(display, awtParent);
  //           Display display = swtParent.getDisplay();
             swtParent.setLayout(new FillLayout());
             /* Create SWT widget */
             org.eclipse.swt.widgets.Button swtButton = new
            org.eclipse.swt.widgets.Button(swtParent, SWT.PUSH);
             swtButton.setText("SWT Button");
             swtButton.addListener(SWT.Selection, new Listener() {
              public void handleEvent(Event event){
               showStatus("SWT Button selected.");
             swtButton.addListener(SWT.Dispose, new Listener() {
              public void handleEvent(Event event){
               System.out.println("Button was disposed.");
             // Size AWT Panel so that it is big enough to hold the SWT widgets
             Point size = swtParent.computeSize (SWT.DEFAULT, SWT.DEFAULT);
             awtParent.setSize(size.x + 2, size.y + 2);
             // Need to invoke the AWT layout manager or AWT and Swing
             // widgets will not be visible
             validate();
             // The SWT widget(s) require an event loop
             while (!swtParent.isDisposed()) {
              if (!display.readAndDispatch()) display.sleep ();
  }It works perfectly in the Applet Viewer, but not in the browser. In the browser, I only get two buttons working, the SWT button doesn't appear, because of this error:
  Exception in thread "Thread-21" java.lang.ExceptionInInitializerError
       at org.eclipse.swt.widgets.Display.<clinit>(Display.java:130)
       at my.applet.SWTInBrowser.run(SWTInBrowser.java:52)
       at java.lang.Thread.run(Unknown Source)
  Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission sun.arch.data.model read)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
       at java.lang.System.getProperty(Unknown Source)
       at org.eclipse.swt.internal.Library.loadLibrary(Library.java:167)
       at org.eclipse.swt.internal.Library.loadLibrary(Library.java:151)
       at org.eclipse.swt.internal.C.<clinit>(C.java:21)
       ... 3 moreI have exported the application in a jar, and in that jar I have put the swt.jar that the application need for the displaying of the third button, swt button.
  Here is also the HTML file:
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <html>
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=Cp1252"/>
      <title>
        Test
      </title>
    </head>
    <body>
      <p>
            <applet code="my.applet.SWTInBrowser"
                      archive="Test.jar"
                      width="1400" height="800">
            </applet>
      </p>
    </body>
  </html>Could anyone please help me solve this problem?

  This is in reply to the first post. I don't know what happened after.
  Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission sun.arch.data.model read)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
       at java.lang.System.getProperty(Unknown Source)
       at org.eclipse.swt.internal.Library.loadLibrary(Library.java:167)
       at org.eclipse.swt.internal.Library.loadLibrary(Library.java:151)
       at org.eclipse.swt.internal.C.<clinit>(C.java:21)
  If you read the above trace from bottom to top, it shows none of you classes, only classes from that Eclipse library, which seems to loadLibrary() a native DLL. In order to do this, it needs to call System.getProperty( "sun.arch.data.model" ). This call is not allowed from un unsigned applet. So I guess you need to sign the applet and this problem will go away. Many other problems may follow. Just read very very carefully all the related documentation, which I did not.

• Configuring Cisco Air 1142N Access point.

  Hi Guys
  I have been struggling to configure a cisco airnet AIR-LAP1142N-E-K9 access point.
  this is not my first time as I have configured similar accesspoints before.
  the access point gets an IP from the dhcp server. I can ping the access point over the network.
  However, when I type in the ip in the web browser, nothing comes up. there is no proxy issue.
  the console(hyperterminal, connected through serial cable) shows the following error message:
  %CAPWAP-3-ERRORLOG: COULD NOT RESOLVE CISCO-LWAPP-CONTROLLER
  Many thanks
  Mo

  Hi,
  2106/12/25 will support 7.0.xx code. It will also support all existing APs including 3500,1140,1040.
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_116_0.html
  I don't think it is EOS atleast does not say on the website :
  http://www.cisco.com/en/US/products/ps7206/prod_eol_notices_list.html
  Deciding on whether you need a WLC or not is upto your budget and what features you need on your Wireless Infrastructure.. If you have $$ to spend I would recommend going in for 2504. If not you can configure them in standalone and you can always buy a WLC based system in future given you only have 3 APs.
  If you need IOS code, you can either approach
  1) Your reseller or
  2) Cisco SE
  3) Call TAC support and ask CIN agent to grant access to CCO code based on what you purchased. Also explain your situation.
  Link: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
  You can also follow this thread to upgrade :
  https://supportforums.cisco.com/message/3477595#3477595
  Thanks..salil

• Cisco AIR-CAP3602I access point conversion

                     Hello Group,
  I have a 3602i access point and have been looking to see if it was possible to load a Mesh AP image on the AP?

  Hello,
  Agree with George. You can set the ap to mesh by changing its mode to bridge. you can change the mode from gui:
  Wireless -> your ap -> ap mode.
  HTH
  Amjad
  Sent from Cisco Technical Support iPad App

• Multiple Cisco Aironet 1131AG access points and same SSID?

  We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch(2560)  who is connected to L3 switch (3550). We assigned one VLAN for access point in L3 switch who acts as vtp server (L2 switch is vtp client). All ap's will have static ip address and all will have same SSID and no security and they will be using multiple channels (ex. 1,6,11).  They will operate in 3 floor building for roaming wireless client. We won't using any wireless controller.
  So my question is this: How to configure APs-all the same with different ip's, can we use L3 switch to create dhcp server for access points VLAN (pool for clients, and the rest for static ip for ap's)? Can one of the ap's be WDS and in the same time local radius server with users without Cisco Secure ACS or similar controller or I didn't understand this quite well :-). I followed guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32roamg.html for WDS where the part abou Cisco ACS is a problem, so I can use same ap as Local Authenticator as in guide  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html#wp1035723.
  Many thanks...

  Well, just so you know, WDS and local RADIUS authentication is only needed if you're using authentication on your wireless connection.  You say you're not planning to use security, so this isn't necessary.  However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers.  If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.
  As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname.  Configure your static IP addresses on the AP's BVI1 interface.  Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.
  And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface.  I hope this helps!  Let me know if you need help configuring any of this.
  Merry Christmas!
  Jeff

• RE: How to secure an access point signal.

  Hi everyone,
  I have difficulty making my access point wireless signal secure. My network setup is simple, Modem to Router to Homeplug 1st floor, (secure wireless signal),
  2nd floor (secure signal). Problem when comes to 3rd floor, signal too weak, so I place Homeplug to Access Point. (wireless works well but not secured).
  Tried calling D-link support but was told that I need to fix static IP address before things can work. What the **** is that? Was told many technical issue about sub-net different, etc. Lastly the setup disc don't work with a Mac. (HaHa).
  Thank you all in advance for the solution.

  How are you going to connect them?  cat5 or coax?
  cat5 instructions:
  Can I use my wireless or an extra router along with the Verizon provided router?
  coax instructions:
  Can I get an ethernet connection in a room with only coax?

• Symbol Netvision Phone w/Cisco 1200 series Access Point

  I am running 802.11b access point my phone can associate and get an ip address from my call manager but I keep getting "not registered" "registered". I and then I lose association to the access point. I have 2 vlans on one access point one for voice and one for data. Please let me know if someone has a work around or a fix.
  Stan

  Stan,
  Sounds like you have an interference problem.
  What did your site survey show up in terms of other AP's and overlapping coverage areas ? Try a new channel that has the 2 channel separation from other busy channels and maybe even try a new/better placement of the AP
  effectivly what you have now is the equivalent of pulling out the cable and plugging it back in constantly on a standard IP phone this means you will not be able to make calls
  What firmware you running on the AP ?

• Cisco AIR-AP521 Access Point Disconnects Frequently

  Dear All,
  I have a problem in my environment. My Cisco Access Point AIR-AP521 disconnets every few days and I have to restart the access point to make it work. The System Software Version is 12.4(21a)JA1 and it is acting as a access point. The lastest event logs does not show any critical logs. I am sure that there is no electricity or switch related problem.
  Please help me in fixing our this problem.
  Tks,
  Usman

  Upgrade the software to 12.4(21a)JY and see if the issue reoccurs!!
  Regards
  Surendra

• Regulary disconect at CISCO Wi-Fi access point

  We use CISCO access point in out office (AIR-LAP1142N-E-K9). All apple devices which use WI-FI regulary drop connection.
  We have addressed this issue to CISCO support with system logs and remote access to device. The found out that Apple devices are sending disconnect command to router, so CISCO support claims that problem is in apple devices compatibility with CISCO AIR-LAP1142N-E-K9.
  Did anyone had this issue before? And what would you advice to solve this?

  hi Max, we are having something similiar yet disssimilar - we use 2 factor authentication using an RSA token
  Our issue is that wifi does not resume if you go to sleep mode (lid closed) for like 30 sec to a few minutes and we are forced to re-authenticate.  It used to work fine on OSX 10.6.
  .... on 10.6, the wifi "resumes" fine after coming out of sleep.
  ... we lose the connection after going to sleep mode on 10.7 and 10.8 and forced to re-enter RSA credentials....
  Did you resolve your issue?

• Replacement for Cisco AIR-AP1120B Access Point.

  Since the AIR-AP1120B is no longer available (new) what replaces it?

  The 1120 was replaced by the 1130.  The 1130 will be replaced by the 1140.  You can still purchase the 1130 and 1140 has been available since mid-2009.  The main difference for the two is the latter, the 1140, supports 802.11n.
  Cisco Aironet 1130AG 802.11 A/B/G Series Access Point
  http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6087/product_data_sheet0900aecd801b9058.html
  Cisco Aironet 1140 802.11 N Series Access Point
  http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10092/datasheet_c78-502793.html
  If you find my post helpful in any way, please feel free to rate.  Thank you.