LWAPP/CAPWAP AP to act as a supplicant on an 802.1x enabled switch port

Hi
All our switchports are configured to validate the connected device with 802.1x.
However, when a wireless access point that is running FlexConnect is connected, I have to make a "MAC bypass" for the AP MAC address and add the multi-host command to the port config.
I would really like to move away from the MAC bypass, but keep the multi-host command, and install a certificate on the AP. Has anyone any ideas about how to get the AP itself to authenticate?

Hi,
The AP can act as an 802.1x supplicant if it is connected to an 802.1x enabled switch port.
Cisco unified APs, however, support only EAP-FAST as the EAP method.
Here is a config example, hope it'll be useful.
http://goo.gl/HMbiHL
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences and, if so, can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has given this same recommendation, and I can tell you from experience that you will have devices at times that will authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
    Read this doc for best practices, including the timers listed below.
    I hope this link works: http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x held, quiet, and ratelimit-period to 300.
    held-period seconds
      Configures the time, in seconds, for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
      Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
      Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

  • The iPhone has been acting weird. My iPhone doesn't charge whenever it is switched on. When I switch off the phone, it charges for 2 mins, then comes back on and stops charging. I don't know what the problem is. Trust me, the problem isn't from the charger.

    The iPhone has been acting weird. My iPhone doesn't charge whenever it is switched on. When I switch off the phone, it charges for 2 mins, then comes back on and stops charging. I don't know what the problem is. Trust me, the problem isn't from the charger. Please, anyone with any solution?

    @wetdro
    If your device has been jailbroken during the warranty, Apple will not service it.
    Maybe you missed that in this article:
    Inability to apply future software updates: Some unauthorized modifications have caused damage to iOS that is not repairable. This can result in the hacked iPhone, iPad, or iPod touch becoming permanently inoperable when a future Apple-supplied iOS update is installed.
    Apple strongly cautions against installing any software that hacks iOS. It is also important to note that unauthorized modification of iOS is a violation of the iOS end-user software license agreement and because of this, Apple may deny service for an iPhone, iPad, or iPod touch that has installed any unauthorized software.
    copied from Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issu…

  • I'm using an iPad mini and recently it started to act way weirder than I ever imagined. Whenever I switch it on it will open or close apps of its choice and function without my interference. It's like auto touch. What should I do with this?

    I'm using an iPad mini and recently it started to act way weirder than I ever imagined. Whenever I switch it on it will open or close apps of its choice and function without my interference. It's like auto touch. What should I do with this?

    That could be a hardware problem with the screen digitizer but first try these troubleshooting steps in this order:
    Reset: Press the Home and On/Off buttons at the same time and hold them until the Apple logo appears (about 10-15 seconds). No data will be lost.
    Restore: Connect your device to iTunes on your computer, backup, and then select Restore to Factory.
    See here for more details on restore: https://support.apple.com/en-us/HT201252
    If none of these work your device may have developed a hardware problem. Contact Apple Support: http://www.apple.com/contact/

  • LWAPP/CAPWAP Antenna Gain Setting - label only?

    When configuring an AP external antenna gain (from a WLC), is the gain assigned purely a label to show its gain, or does it actually wind down the transmitter output by the dB amount that is input in to the gain field?
    For instance, my Tx power is set to 2 (17dBm), and I attached a 2.2dBi antenna.
    My ERP would now be 19.2dBm.
    Does the antenna gain value I enter (4 x 0.5) actually cause the AP to lower its output power by 2.2dB to cater for the fact that I have attached a 2.2dBi antenna and maintain its 17dBm output? (...OK, I know 4 x 0.5 will give 2dB, but let's talk in round numbers)
    So in summary:
    AP tx pwr = 17dB
    Physical antenna gain = 2.2dBi
    AP configured antenna gain = 4 x 0.5 (2dB).
    What is the effective radiated power? 19.2dBm, or auto-lowered to 17dBm?
    Thanks
    Nigel.

    This setting affects the heat map predictions in WCS. It also comes into play with the RRM calculations, and with some APs it will be considered for controlling the RF power.

  • AP1242-ag as a supplicant

    Hi,
    How do I configure a LAP 1242AG to authenticate itself as a supplicant on the 802.1x interface of the switch?
    Best regards,
    Emilio

    Hi,
    I think this is what you are looking for:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70lwap.html#wp1366812
    Configuring Authentication for Access Points
    You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning.
    This feature is supported on the following hardware:
    • Cisco Aironet 1130, 1140, 1240, 1250, 1260, and 3500 series access points
    Hope that helps!
    Stefan
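    The switch-side and controller-side configuration that the original question at the top of this page and this AP1242 thread are asking about, as an added example that is not part of either post or of the Cisco guide Stefan links. It assumes a Catalyst access switch running Cisco IOS as the 802.1X authenticator and an AireOS wireless LAN controller; the interface name, VLAN, RADIUS server name and address, shared secret, and the AP username/password are placeholders, and the RADIUS server is assumed to already be set up for EAP-FAST with anonymous PAC provisioning, as the quoted guide requires. Because the AP supports only EAP-FAST, it authenticates with a username and password rather than a certificate, and the port keeps multi-host without `mab`, which is what the original poster wanted.

    ```cisco
    ! Added example, not from the threads above or the linked Cisco guide.
    ! Lines starting with "!" are annotations; the IOS part is switch running-config,
    ! the WLC part shows AireOS CLI commands typed at the controller prompt.
    !
    ! ---- Catalyst access switch (Cisco IOS): the switch is the 802.1X authenticator ----
    aaa new-model
    aaa authentication dot1x default group radius
    radius server ISE-1
     address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
     key REPLACE-WITH-SHARED-SECRET
    dot1x system-auth-control
    !
    interface GigabitEthernet1/0/10
     description Lightweight AP - AP authenticates itself with EAP-FAST, no MAB
     switchport mode access
     switchport access vlan 100
     authentication host-mode multi-host
     authentication port-control auto
     dot1x pae authenticator
     spanning-tree portfast
    !
    ! ---- Wireless LAN Controller (AireOS CLI): the AP is the 802.1X supplicant ----
    ! "all" pushes the same username/password to every AP joined to this controller;
    ! give an AP name instead of "all" to set credentials for a single AP.
    (Cisco Controller) >config ap dot1xuser add username ap-dot1x password REPLACE-WITH-STRONG-PASSWORD all
    !
    ! Verification: on the controller, the "AP Dot1x User Mode" and "AP Dot1x User Name"
    ! fields of this command should no longer read "Not Configured"; on the switch, the
    ! session on the AP port should show the dot1x method as authorized.
    (Cisco Controller) >show ap config general <ap-name>
    Switch#show authentication sessions interface GigabitEthernet1/0/10
    ```

    The username and password set on the controller must exist as an EAP-FAST-capable account on the RADIUS server; rotating the password means re-running the `config ap dot1xuser` command so the AP and the server stay in step. With `multi-host`, the wireless clients bridged behind the AP are allowed on the port once the AP itself has authenticated, so the AP's credentials are effectively the trust anchor for everything behind it. One caveat before removing the MAC bypass: a FlexConnect AP that locally switches several VLANs needs a trunk port, and older Catalyst IOS releases do not support 802.1X on trunk ports, so confirm support in your release notes (or keep the AP on an access port with the VLANs centrally switched) before changing the port.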

  • WLC Duplicate IP address detected for AP-Manager Interface

    I am getting an error log in the WLC saying its IP address is duplicated by another machine with MAC address A.B.C.D.
    But this MAC address A.B.C.D is the MAC address of the AP-Manager Interface in the same controller.
    Model No.                   AIR-WLC2106-K9
    Software Version                 7.0.116.0
    %LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to  exclusion list due to IP Address conflict with AP 'AP_DUXO_3'
    %LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address  detected for AP AP_DUXO_3, IP address of AP  10.184.1.224, this is a  duplicate of IP on another machine (MAC address 58:b0:35:83:72:86)
    Cisco AP Identifier.............................. 1
    Cisco AP Name.................................... AP_DUXO_3
    Country code..................................... US  - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
    AP Country code.................................. US  - United States
    AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N
    Switch Port Number .............................. 1
    MAC Address...................................... cc:ef:48:1a:e4:af
    IP Address Configuration......................... Static IP assigned
    IP Address....................................... 10.184.1.224
    IP NetMask....................................... 255.255.0.0
    Gateway IP Addr.................................. 10.184.20.2
    Domain...........................................
    Name Server......................................
    NAT External IP Address.......................... None
    CAPWAP Path MTU.................................. 1485
    Telnet State..................................... Enabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ DUXO_BOX
    Cisco AP Group Name.............................. default-group
    Does anyone have an issue like this ?

    Are you sure this MAC address 58:b0:35:83:72:86 isn't some type of Apple device? Its OUI is registered to Apple. How do clients get IP addresses, DHCP? It appears that the IP 10.184.1.224 is statically assigned to your ap-manager and that this client 58:b0:35:83:72:86 is either getting that same IP from DHCP or the client is statically assigning it themselves.

  • Cisco 3502i AP operation status in downloading in controller wism2

    Hello folks,
    I have an issue with two APs (3502i) which are associated to controller wism2. The total number of APs connected to this controller is 422, and once I added two new APs (3502i) to this controller I am unable to see these APs coming up. I am getting error messages like wrong primary controller and secondary controller. When I logged in to the controller through the CLI, the following are the details I am getting for the APs which are not registering to the controller. Also, for comparison, I am attaching the statistics for an AP which is working well and is able to register.
    Note: I thought the problem was with these two APs and will try replacing them, but when I connected the other two APs to a different switch and a different subnet we are seeing the same errors. This is something urgent to fix and I need your assistance to fix this at the earliest. Please let me know if more information is needed.
    ISSUE with the AP:
    show ap config general AB2-4N-AP11
    Cisco AP Identifier.............................. 440
    Cisco AP Name.................................... AB2-4N-AP11
    Country code..................................... US  - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
    AP Country code..................................  -
    AP Regulatory Domain............................. Unconfigured
    Switch Port Number .............................. 13
    MAC Address...................................... 28:94:0f:c9:03:3c
    IP Address Configuration......................... DHCP
    IP Address....................................... Disabled
    Telnet State..................................... Disabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ AB 2 - Ctrl1/2
    Cisco AP Group Name.............................. AB2-3-4
    Primary Cisco Switch Name........................ us-ab1-wifi-ctrl1
    Primary Cisco Switch IP Address.................. 10.200.44.102
    Secondary Cisco Switch Name...................... us-cd3-wifi-ctrl1
    Secondary Cisco Switch IP Address................ 10.200.45.102
    Tertiary Cisco Switch Name.......................
    Tertiary Cisco Switch IP Address................. Not Configured
    Administrative State ............................ ADMIN_ENABLED
    --More-- or (q)uit
    Operation State ................................. DOWNLOADING
    Mirroring Mode .................................. Disabled
    AP Mode ......................................... Local
    Public Safety ................................... Disabled
    AP SubMode ...................................... Not Configured
    Remote AP Debug ................................. Disabled
    Logging trap severity level ..................... informational
    Logging syslog facility ......................... kern
    S/W  Version .................................... 7.2.103.0
    Boot  Version ................................... 12.4.23.0
    Mini IOS Version ................................ 0.0.0.0
    Stats Reporting Period .......................... 180
    LED State........................................ Disabled
    PoE Pre-Standard Switch.......................... Enabled
    PoE Power Injector MAC Addr...................... Disabled
    Power Type/Mode.................................. Power injector / Normal mode
    Number Of Slots.................................. 2
    AP Model......................................... AIR-CAP3502I-A-K9 
    AP Serial Number................................. FTX1602K7LT
    AP Certificate Type.............................. Manufacture Installed
    AP User Mode..................................... Not Configured
    AP User Name..................................... Not Configured
    AP Dot1x User Mode............................... Not Configured
    --More-- or (q)uit
    AP Dot1x User Name............................... Not Configured
    Cisco AP system logging host..................... 255.255.255.255
    Ethernet Port Duplex............................. Auto
    Ethernet Port Speed.............................. Auto
    AP Link Latency.................................. Disabled
    Rogue Detection.................................. Enabled
    AP TCP MSS Adjust................................ Disabled
    Good AP for comparison:
    show ap config general IL2-4N-AP10
    Cisco AP Identifier.............................. 260
    Cisco AP Name.................................... AB2-4N-AP10
    Country code..................................... US  - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
    AP Country code.................................. US  - United States
    AP Regulatory Domain............................. 802.11bg:-A    802.11a:-A
    Switch Port Number .............................. 13
    MAC Address...................................... f8:66:f2:67:69:e5
    IP Address Configuration......................... DHCP
    IP Address....................................... 10.36.2.70
    IP NetMask....................................... 255.255.255.0
    Gateway IP Addr.................................. 10.36.2.1
    NAT External IP Address.......................... None
    CAPWAP Path MTU.................................. 1485
    Telnet State..................................... Disabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ AB 2 - Ctrl1/2
    Cisco AP Group Name.............................. AB2-3-4
    Primary Cisco Switch Name........................ us-ab1-wifi-ctrl1
    Primary Cisco Switch IP Address.................. 10.200.44.102
    Secondary Cisco Switch Name...................... us-cd3-wifi-ctrl1
    --More-- or (q)uit
    Secondary Cisco Switch IP Address................ 10.200.45.102
    Tertiary Cisco Switch Name.......................
    Tertiary Cisco Switch IP Address................. Not Configured
    Administrative State ............................ ADMIN_ENABLED
    Operation State ................................. REGISTERED
    Mirroring Mode .................................. Disabled
    AP Mode ......................................... Local
    Public Safety ................................... Disabled
    AP SubMode ...................................... Not Configured
    Remote AP Debug ................................. Disabled
    Logging trap severity level ..................... informational
    Logging syslog facility ......................... kern
    S/W  Version .................................... 7.0.116.0
    Boot  Version ................................... 12.4.23.0
    Mini IOS Version ................................ 7.0.94.21
    Stats Reporting Period .......................... 180
    LED State........................................ Enabled
    PoE Pre-Standard Switch.......................... Disabled
    PoE Power Injector MAC Addr...................... Disabled
    Power Type/Mode.................................. Power injector / Normal mode
    Number Of Slots.................................. 2
    AP Model......................................... AIR-CAP3502I-A-K9 
    AP Image......................................... C3500-K9W8-M
    --More-- or (q)uit
    IOS Version...................................... 12.4(23c)JA2
    Reset Button..................................... Enabled
    AP Serial Number................................. FTX1432S2F5
    AP Certificate Type.............................. Manufacture Installed
    AP User Mode..................................... AUTOMATIC
    AP User Name..................................... Not Configured
    AP Dot1x User Mode............................... Not Configured
    AP Dot1x User Name............................... Not Configured
    Cisco AP system logging host..................... 255.255.255.255
    AP Up Time....................................... 31 days, 04 h 58 m 37 s
    AP LWAPP Up Time................................. 4 days, 11 h 24 m 23 s
    Join Date and Time............................... Wed Jun 20 23:36:59 2012
    Join Taken Time.................................. 0 days, 00 h 00 m 11 s
    Ethernet Port Duplex............................. Auto
    Ethernet Port Speed.............................. Auto
    AP Link Latency.................................. Disabled
    Rogue Detection.................................. Enabled
    AP TCP MSS Adjust................................ Disabled
    Thanks,
    Ahmed

    The new Cisco 3500 WAP (S/N:  FTX1602K7LT) is running WLC version 7.2.103.0 but the older one (S/N:  FTX1432S2F5) is running WLC version 7.0.116.0.
    You could try by consoling into the new WAP and deleting the CAPWAP image and leave the RCV image alone.

  • Anyconnect 3 NAM Profile user authentication failure

    Hello,
    I use Cisco AnyConnect as a supplicant for my 802.1x enabled network; we use EAP-TLS. I created a wired profile with the standalone profile manager and deployed it to my clients. Machine authentication works fine, but as soon as I log in to the device the user authentication is not working and AnyConnect falls back to an open wired network.
    I don't see any logs in my ACS.
    But when I create a profile on the device itself the EAP-TLS authentication works without any issues.
    Any ideas?
    regards
    alex

    Hello Luke-
    I have faced the same issue with MAR (Machine Access Restriction) in the past. It all worked great while we had wireless authentication only but things went out of control once we started to roll out wired
    I have been working with ISE for a little bit now and I can tell you that the same issue is still present. It would be pretty nice if they can "fix" this but as of right now you would face the same exact issue. So if you want to do user+machine authentication, you have a couple of options that were recently discussed in this thread:
    https://supportforums.cisco.com/message/3775027#3775027
    To answer your other question:
    So is there a trick to get NAM to trigger machine re-authentication without having to reboot?
    Back when I had this issue I was able to "trick" the native Windows client to perform machine authentication again by going to "Start Menu > Shut Down > Switch User." In the new window it is important not to click on the already logged-in user but to select "New/Different User." There you can still type the same credentials for the already logged-in user. This seemed to force the machine to pass its machine credentials again without having to reboot the machine, which is still not ideal and not user friendly at all, but that is all I have. Also, do keep in mind that I have not tested this with the AnyConnect client, so results may vary.
    Thank you for rating!

  • Wireless AP with 802.1x

    Does anyone have experience, and is willing to share, on setting up access points where the connected users are authenticated through 802.1x?
    Here is my setup. Cisco 1240AG and 1131AG connected to an 802.1x enabled switch. The switch puts users on different VLANs depending on access (wired authentication already works). MS Server 2008 acting as RADIUS.
    My goal is to have one SSID. When guests connect, they do not authenticate and are put on a guest VLAN. Authenticated users are put on a different VLAN.
    Thank you in advance for any help on this subject.

    Hi,
    I am trying to implement 802.1X authentication in an enterprise environment with access switch WS-C3750-48TS-E (C3750 Software (C3750-IPSERVICES-M), Version 12.2(50)SE3).
    I am using dynamic VLAN assignments, like guest VLAN, restricted (critical) VLAN, and unauthorized VLAN for wired clients. Everything is fine for them.
    I want to use only one SSID for wireless clients. Is it possible to use the "authentication host-mode multi-auth" command for configuring a switch port with a Cisco AP 1242G connected to it?
    Example configuration:
    description Cisco 1242G AP
    switchport access vlan 2223
    switchport mode access
    switchport voice vlan 998
    authentication event fail retry 1 action authorize vlan 2226
    authentication event server dead action authorize vlan 2227
    authentication event no-response action authorize vlan 2224
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate 300
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    dot1x max-reauth-req 1
    spanning-tree portfast
    spanning-tree bpduguard enable
    Do I have to enable 802.1X auth on the AP, or does it have to be pass-through for wireless clients and be the client of the switch itself (with its MAC address)?
    Thank you in advance !

  • Vlan Interface on a 2691 router

    Hi,
    I am trying to create a VLAN interface on a 2691 router but can't do it. What switch module do I need and what code? Argh!! I've searched all over Cisco but I can't find it. What am I missing??
    Thanks,
    Lee

    Can you give us more information about what it is that you're trying to do?
    Your IOS is the latest and greatest in the 12.3 line as of the date of this posting. And your Feature Set is Advanced Enterprise Services, which is the fullest Feature Set you can get. (The "Plus" capabilities were folded into Enterprise Services when Cisco reorganized the Feature Sets they offer.)
    Going back to your original situation. I may have misunderstood exactly what you are trying to do.
    RE: "I am trying to create an vlan interface on a 2691 router but can't do it."
    If by this you mean you are trying to create an "interface Vlan2" or "interface Vlan10" or "interface Vlan18" like you can do on the Cisco Catalyst switches, and then put interface-specific commands underneath it, then I don't think you can. Even though you can enter "interface ?" and it shows Vlan as one of the options, it is my understanding that you do it as I outlined above in my previous post.
    If you are going to carry multiple VLANs on a single router port connected to an 802.1Q trunking switch port, then if you need IPX capabilities on a particular sub-interface, just add the IPX network address and IPX frame/encapsulation type under the sub-interface.
    If you're just trying to dedicate one router LAN port to act as a default gateway for a particular VLAN, then connect the router to a switch port that is defined as an access port for that VLAN. Assign the appropriate IP and IPX addressing under the router's LAN interface and you're done. No need for sub-interfaces, or bothering to configure the router with any Layer 2 VLAN information, except maybe a description assigned to the port that tells you what VLAN on the switch you're connecting it to.
    RE: "What switch module do I need and what code."
    If you're trying to host multiple 10/100 switching ports within the router, then you are looking for some version of Cisco's 16-port EtherSwitch Network Module. The model number NM-16ESW-something, where the "something" designates support for inline power or an optional Gigabit Ethernet interface. This should run on the code you have.
    The NM-16ESW supports 802.1Q, according to the documentation. But I have never worked with one, so I couldn't tell you how the interfaces are numbered (Fa1/0 through Fa1/15?). Also, I have no idea how the router communicates with the switching network module internally: are there 16 separate FastEthernet ports now, each one configurable as the router's own LAN ports are? Or is there some common, internal backplane-type connection between the network module and the router's CPU, configured like a Gigabit Ethernet VLAN trunk port when you implement multiple access VLANs on the 10/100 ports?
    Rather than use an NM-16ESW in a router to handle multiple VLANs, I would just use a Cisco Layer 3 switch if it were only for routing IP. 3550 or 3750 would be fine. But if you need IPX routing, then in Cisco's line you either need routers or chassis switches running Enterprise code. Other manufacturers support IPX and IP in a stackable size: Foundry, HP, and Extreme Networks, for example. In fact, Foundry and HP (who OEMs some product from Foundry) use a CLI very much like Cisco's. I've even seen HP switches show up as CDP neighbors to a Cisco router.
    There are times to use routers and times to use Layer 3 switches. And times when you need both. It all depends on what you're doing, and what you're trying to do it with...

  • Autonomous 1252 converted to CAPWAP will not join 5508 WLC

    WLC 5508 firmware is v6.0.188.0
    I've tried updating the autonomous 1252 via both the upgrade tool 3.4 and 'archive download-sw' from the CLI
    I've tried multiple recovery images
    c1250-rcvk9w8-tar.124-21a.JA2.tar
    c1250-rcvk9w8-tar.124-10b.JDA.tar
    After AP reboots with recovery image it joins WLC and downloads new CAPWAP image then reboots again
    AP will not rejoin WLC with updated CAPWAP firmware
    Any help with this is greatly appreciated!
    Thanks in advance and happy holidays,
    Scott
    Error Msg from 1252 console
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    Additional info
    WLC Debugs Enabled:
    MAC address ................................ c4:7d:4f:39:31:e2
    Debug Flags Enabled:
      aaa detail enabled.
      capwap error enabled.
      capwap critical enabled.
      capwap events enabled.
      capwap state enabled.
      dtls event enabled.
      lwapp events enabled.
      lwapp errors enabled.
      pm pki enabled.
    WLC Debug Output:
    *Dec 18 10:51:51.575: dtls_conn_hash_search: Connection not found in hash table - Table empty.
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: called to get cert for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: called to get key for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: match in row 2
    *Dec 18 10:51:51.692: acDtlsCallback: Certificate installed for PKI based authentication.
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=0
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect:   msg=ClientHello len=44 seq=0 frag_off=0 frag_len=44
    *Dec 18 10:51:51.693: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.693: local_openssl_dtls_send: Sending 60 bytes
    *Dec 18 10:51:51.694: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=1
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect:   msg=ClientHello len=76 seq=1 frag_off=0 frag_len=76
    *Dec 18 10:51:51.695: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.696: local_openssl_dtls_send: Sending 314 bytes
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=2
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=0 frag_len=519
    *Dec 18 10:51:51.712: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=3
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=519 frag_len=519
    *Dec 18 10:51:51.713: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.713: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=4
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: locking ca cert table
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_alloc() for user cert
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_decode()
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <subject> C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1250-c47d4f3931e2, [email protected]
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <issuer>  O=Cisco Systems, CN=Cisco Manufacturing CA
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Mac Address in subject is c4:7d:4f:39:31:e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert Name in subject is C1250-c47d4f3931e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
    *Dec 18 10:51:51.719: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert>
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: called to get cert for CID 2ab15c0a
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: ssphmUserCertVerify: calling x509_decode()
    *Dec 18 10:51:51.730: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (current): 2009/12/18/15:51:51
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotBefore): 2009/11/03/00:47:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotAfter): 2019/11/03/00:57:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: getting cisco ID cert handle...
    *Dec 18 10:51:51.730: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: called with 0x1f1f3b8c
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: freeing public key
    *Dec 18 10:51:51.731: openssl_shim_cert_verify_callback: Certificate verification - passed!
    *Dec 18 10:51:51.732: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.155: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=5
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect:   msg=ClientKeyExchange len=258 seq=3 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.269: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=6
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=CertificateVerify len=258 seq=4 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=ChangeCipherSpec epoch=0 seq=7
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=1 seq=0
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=Unknown or Encrypted
    *Dec 18 10:51:52.273: openssl_dtls_process_packet: Connection established!
    *Dec 18 10:51:52.273: acDtlsCallback: DTLS Connection 0x167c5c00 established
    *Dec 18 10:51:52.273: openssl_dtls_mtu_update: Setting DTLS MTU for link to peer 192.168.100.54:62227
    *Dec 18 10:51:52.273: local_openssl_dtls_send: Sending 91 bytes
    *Dec 18 10:53:06.183: sshpmLscTask: LSC Task received a message 4
    Aironet 1252 Console Debug:
    *Dec 16 11:07:12.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:51:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:40.999: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Dec 18 15:52:40.059: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 18 15:52:40.063: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Dec 18 15:52:40.079: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 18 15:52:40.079: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Dec 18 15:52:50.059: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:52:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.1

    Nathan and Leo are alluding to CSCte01087. Basically the caveat is that DTLS fails on a non-00:xx:xx:xx:xx:xx L2 first hop. e.g. if the APs are on the same VLAN as the management interface, they must have 00 MACs; if they are on a different VLAN, the WLC/AP gateway must have a 00 MAC. If the workaround below does not suit your environment, open a TAC case for an image with the fix.
    Symptom:
    An access point running 6.0.188.0 code may be unable to join a WLC5508.
    Messages similar to the following will be seen on the AP.
       %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
       %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
    Conditions:
    At least one of the following conditions pertains:
    - The high order byte of the AP's MAC address is nonzero, and the AP is in
    the same subnet as the WLC5508's management (or AP manager) interface
    - The WLC's management (or AP manager) interface's default gateway's
    MAC address' high order byte is nonzero.
    Workaround:
    If the MAC address of the WLC's default gateway does not begin with 00,
    and if all of the APs' MAC addresses begin with 00, then: you can put
    the APs into the same subnet as the WLC's management (or AP manager)
    interface.
    In the general case, for the situation where the WLC's default gateway's
    MAC does not begin with 00, you can address this by changing it to begin
    with 00. Some methods for doing this include:
    -- use the "mac-address" command on the gateway, to set a MAC address
    that begins with 00
    -- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
    IP as the WLC's gateway.
    For the case where the APs' MAC addresses do not begin with 00, then make
    sure that they are *not* in the same subnet as the WLC's management
    (AP manager) interface, but are behind a router.
    Another workaround is to downgrade to 6.0.182.0.  However, after
    downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
    (i.e. 12.4(21a)JA2) still installed on them will be unable to join.
    Therefore, after downgrading the WLC, the APs will need to have a
    pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
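An added check (not part of the thread and not Cisco's code) that applies the CSCte01087 conditions summarised above to a deployment inventory and spots the AP console signature the bug text lists; all input values are constructed, reusing the AP MAC and addresses that appear in this thread.

```python
"""Check a WLC deployment against the CSCte01087 conditions quoted above and
recognise the AP-side console signature. Added example with constructed data."""
import ipaddress


def mac_high_byte(mac: str) -> int:
    """High-order byte of a MAC in aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits[:2], 16)


def check_csc_te01087(mgmt_iface: str, gateway_mac: str, aps: list) -> list:
    """Return one finding per AP that meets a triggering condition.

    mgmt_iface  WLC management (or AP-manager) interface as 'ip/prefixlen'
    gateway_mac MAC of that interface's default gateway
    aps         dicts with 'name', 'mac' and 'ip'

    Per the summary above: an AP in the management subnet needs a 00-prefixed
    MAC itself; an AP behind a router needs the WLC's gateway to have one.
    """
    mgmt_net = ipaddress.ip_interface(mgmt_iface).network
    gateway_bad = mac_high_byte(gateway_mac) != 0
    findings = []
    for ap in aps:
        in_mgmt_subnet = ipaddress.ip_address(ap["ip"]) in mgmt_net
        if in_mgmt_subnet and mac_high_byte(ap["mac"]) != 0:
            findings.append(
                f"{ap['name']} ({ap['mac']}) is in {mgmt_net} with a non-00 MAC: "
                "move it behind a router or get the fixed image"
            )
        elif not in_mgmt_subnet and gateway_bad:
            findings.append(
                f"{ap['name']} reaches the WLC via gateway {gateway_mac} whose MAC "
                "does not begin with 00: set a 00 MAC on the gateway (e.g. HSRP)"
            )
    return findings


# The two AP-side messages the bug text quotes, matched as substrings.
BUG_SIGNATURE = (
    "%CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.",
    "%CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message",
)


def console_shows_signature(lines) -> bool:
    """True when the console log shows both messages after a successful DTLS setup."""
    dtls_up = False
    seen = set()
    for line in lines:
        if "%CAPWAP-5-DTLSREQSUCC" in line:
            dtls_up = True
        if dtls_up:
            seen.update(sig for sig in BUG_SIGNATURE if sig in line)
    return seen == set(BUG_SIGNATURE)


# Constructed sample deployment: the 1252 from the thread in the management
# subnet, a 00-prefixed AP next to it, and a third AP behind a router.
SAMPLE_MGMT = "192.168.100.2/24"
SAMPLE_APS = [
    {"name": "ap-1252", "mac": "c4:7d:4f:39:31:e2", "ip": "192.168.100.54"},
    {"name": "ap-old", "mac": "0014.1b59.4180", "ip": "192.168.100.60"},
    {"name": "ap-remote", "mac": "c4:7d:4f:00:00:01", "ip": "10.20.30.40"},
]

# Constructed console excerpt modelled on the one posted above.
SAMPLE_CONSOLE = [
    "*Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246",
    "*Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2",
    "*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2",
    "*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.",
]

if __name__ == "__main__":
    for finding in check_csc_te01087(SAMPLE_MGMT, "00:1b:2c:3d:4e:5f", SAMPLE_APS):
        print("finding:", finding)
    print("console matches bug signature:", console_shows_signature(SAMPLE_CONSOLE))
```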

  • Capwap layer 3 question

    Hello all,
    I have a question about the capwap. Here http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70ovrv.html#wp1069102
    I read that 'CAPWAP communications between the controller and lightweight access points are conducted at Layer 3. Layer 2 mode does not support CAPWAP' and also 'The requirement for Layer 3 CAPWAP communications across subnets is that the controller and lightweight access points are connected through Layer 3 devices'. I cannot understand what Layer 3 means for CAPWAP. Maybe that the controller and CAPWAP AP must be on different subnets and connected across the subnets? But now my controller and APs are on the same subnet and all are working. For example, if I connect a controller and CAPWAP APs to a Catalyst 2960S, and all are in the same VLAN, I think that it will also work? I see the guide for deploying the 2500 controller and some scenarios there, where the controller and APs are connected to a Catalyst 3560 and the Catalyst 3560 has only switchport trunk or switchport access settings. I can do this on the Catalyst 2960S too. Where is the difference?
    Thanks a lot.

    Layer 3 CAPWAP has nothing to do with the AP being on the same subnet as the WLC or not. AP and WLC can be on the same subnet and operate at Layer 3.
    When we say L2 LWAPP it means that it operates with native L2 Ethernet frames.
    The LWAPP Control and Data messages are encapsulated in Ethernet frames using Ethertype "0xBBBB". In Layer 2 LWAPP mode, although the access points may get an IP address via DHCP, all LWAPP communications between the access point and WLC are in Ethernet encapsulated frames, not IP packets. The access points must be on the same Ethernet network as the WLC. For this reason, Layer 2 LWAPP mode may not be suitable for scalability purposes in most deployments. Furthermore, Layer 2 mode is supported only by the Cisco 410x and 440x series of WLCs and the Cisco 1000 series access points. Layer 2 LWAPP is not supported by lightweight Cisco Aironet 1200, 1130AG, or 1240AG access points, or the Cisco 2006, WiSM, or WLCM series WLCs, and of course the new stuff.
    In L3 mode LWAPP/CAPWAP are encapsulated in UDP packets instead of Ethernet frames.
    Please make sure to rate correct answers
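An added example, not from the thread or from Cisco, that shows the on-wire difference the answer describes: it builds sample frames with struct and classifies each as Layer 2 LWAPP (Ethertype 0xBBBB) or Layer 3 LWAPP/CAPWAP over UDP. The MACs are made up; the IPs and ports reuse the WLC/AP pair from the debug earlier on this page, and the LWAPP UDP ports (12222/12223) come from Cisco's LWAPP draft, not from the thread.

```python
"""Classify captured Ethernet frames as L2 LWAPP, L3 LWAPP/CAPWAP, or neither.
Added example with constructed frames."""
import socket
import struct

ETHERTYPE_LWAPP_L2 = 0xBBBB   # L2 LWAPP: Ethernet-encapsulated, as quoted above
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17
# UDP ports used by the L3 modes (CAPWAP per RFC 5415, LWAPP per Cisco's draft).
UDP_PORTS = {
    5246: "CAPWAP control", 5247: "CAPWAP data",
    12223: "LWAPP control", 12222: "LWAPP data",
}


def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header plus payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + UDP encapsulation (checksums left zero; enough for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def classify_frame(frame: bytes) -> str:
    """Name the encapsulation a frame uses, or say why it is not LWAPP/CAPWAP."""
    if len(frame) < 14:
        return "truncated"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:          # 802.1Q tag: real ethertype follows the TCI
        if len(frame) < 18:
            return "truncated"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype == ETHERTYPE_LWAPP_L2:
        # Only possible when AP and WLC share one Ethernet segment.
        return "L2 LWAPP"
    if ethertype != ETHERTYPE_IPV4:
        return f"other (ethertype 0x{ethertype:04x})"
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "truncated"
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP:
        return "IPv4, not UDP"
    if len(ip) < ihl + 8:
        return "truncated"
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    for port in (dport, sport):               # the controller may be either end
        if port in UDP_PORTS:
            return f"L3 {UDP_PORTS[port]} (UDP/{port})"
    return "IPv4/UDP, not LWAPP/CAPWAP"


# Constructed sample frames: AP MAC from the thread, WLC MAC made up.
AP_MAC = bytes.fromhex("c47d4f3931e2")
WLC_MAC = bytes.fromhex("001122334455")
SAMPLES = {
    "l2_lwapp": ethernet(WLC_MAC, AP_MAC, ETHERTYPE_LWAPP_L2, b"\x00" * 6),
    "capwap_ctrl": ethernet(WLC_MAC, AP_MAC, ETHERTYPE_IPV4,
                            ipv4_udp("192.168.100.54", "192.168.100.2", 62227, 5246, b"\x00\x10")),
    "lwapp_data_tagged": ethernet(WLC_MAC, AP_MAC, ETHERTYPE_VLAN,
                                  struct.pack("!HH", 100, ETHERTYPE_IPV4)
                                  + ipv4_udp("10.0.0.5", "10.1.0.1", 40000, 12222, b"\x00" * 6)),
    "dns": ethernet(WLC_MAC, AP_MAC, ETHERTYPE_IPV4,
                    ipv4_udp("192.168.100.54", "192.168.100.1", 40001, 53, b"\x00" * 12)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:>18}: {classify_frame(frame)}")
```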

  • 1250AP's with 4400 Controllers - LWAPP WAN Bandwidth consumption

    Does anyone know and, preferably, have a link on how much bandwidth a Lightweight AP consumes when deployed across a WAN link? I know Cisco keeps saying no more then 8 across a WAN managed by a centralized controller, but I can't find anything specific. Thanks so much in advance.

    There are a lot of components in LWAPP packets which will vary according to the situation. Check this for LWAPP detail: http://tools.ietf.org/html/draft-ohara-capwap-lwapp-02
    Actually, a discovery request packet is 97 bytes (including the 4 byte FCS), a discovery response packet is 106 bytes (including the 4 byte FCS), packet sizes for the join request and response messages will vary based on the MTU supported by the transport (1596 or 1596+1500), the initial exchange between the AP and the WLC (ap-manager interface) is approximately 6,000 bytes, and a one-time configuration change averages 360 bytes and involves 2 packets each from the AP and the WLC's ap-manager interface. An RRM-related information exchange takes place once the AP has been provisioned. A typical exchange between the AP and the WLC (ap-manager interface) is approximately 1400 bytes. In the event of an RRM-related configuration change, there is a four-packet exchange between the AP and the WLC's ap-manager interface. This exchange averages 375 bytes. The system heartbeat, coupled with the fallback mechanism, is 4 packets every 30 seconds and comprises the following packets:
    LWAPP ECHO_REQUEST from AP (78 bytes)
    LWAPP Echo-Response to AP (64 bytes)
    LWAPP PRIMARY_DISCOVERY_REQ from AP (93 bytes)
    LWAPP Primary Discovery-Response to AP (97 bytes).
    There are two ongoing RRM exchanges. The first one, at every 60-second interval, is the load and signal measurement and consists of 4 packets. This exchange always adds up to 396 bytes, as follows:
    LWAPP RRM_DATA_REQ from AP (107 bytes)
    LWAPP Airewave-Director-Data Response to AP (64 bytes)
    LWAPP RRM_DATA_REQ from AP (161 bytes)
    LWAPP Airewave-Director-Data Response to AP (64 bytes)
    The second sequence of packets is the noise measurement (including a statistics information request and response sequence) done every 180 seconds. This is a short (0.01 seconds typically) exchange of packets and averages 2,660 bytes approximately. It consists of the following packets:
    LWAPP RRM_DATA_REQ from AP
    LWAPP Airewave-Director-Data Response to AP
    LWAPP RRM_DATA_REQ from AP
    LWAPP Airewave-Director-Data Response to AP
    LWAPP RRM_DATA_REQ from AP
    LWAPP Airewave-Director-Data Response to AP
    LWAPP RRM_DATA_REQ from AP
    LWAPP Airewave-Director-Data Response to AP
    LWAPP STATISTICS_INFO from AP
    LWAPP Statistics-Info Response to AP
    LWAPP RRM_DATA_REQ from AP
    LWAPP Airewave-Director-Data Response to AP
    LWAPP RRM_DATA_REQ from AP
    LWAPP Airewave-Director-Data Response to AP
    LWAPP RRM_DATA_REQ from AP 00:14:1b:59:41:80
    LWAPP Airewave-Director-Data Response to AP
    LWAPP RRM_DATA_REQ from AP
    LWAPP Airewave-Director-Data Response to AP
    LWAPP STATISTICS_INFO from AP
    LWAPP Statistics-Info Response to AP.
    Rogue measurements are done as a part of the scanning mechanism (for more details, refer to the Auto RF and Rogue Detection whitepapers) and included in the above RRM exchange every 180 seconds.
    The LWAPP data frame header adds 6 bytes to the existing 802.11 packets.
    Since LWAPP frames can be fragmented, a Fragment ID field is included and the total packet size can be determined by adding the original frame and the IP Fragment that follows (it is important to note that the IP Fragment that follows is not encapsulated in any LWAPP headers).
    In conclusion, operation of LWAPP does not introduce heavy bandwidth requirements on the infrastructure and in most typical deployments, there would be no such need to add extra capacity to the infrastructure to accommodate Cisco's Unified Wireless Architecture.
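An added worked calculation (not from the thread) that turns the per-exchange byte counts quoted in the answer above into a steady-state control-plane rate per AP and a budget for a WAN link; only the periodic exchanges the answer quantifies are modelled, tunnelled client data traffic is left out, and the AP count and link speed are assumptions.

```python
"""Steady-state LWAPP control-plane load per AP, from the figures quoted above.
Added example; the 8-AP site and the T1 link speed are assumptions."""
from fractions import Fraction

# (exchange, bytes per exchange, interval in seconds), as quoted in the answer.
PERIODIC_EXCHANGES = (
    ("heartbeat: echo + primary-discovery", 78 + 64 + 93 + 97, 30),  # 332 B / 30 s
    ("RRM load and signal measurement", 396, 60),
    ("RRM noise measurement with statistics", 2660, 180),
)
JOIN_EXCHANGE_BYTES = 6000        # one-off, approximate, per AP join
CONFIG_CHANGE_BYTES = 360         # average per configuration change
RRM_CONFIG_CHANGE_BYTES = 375     # average per RRM configuration change


def per_ap_bytes_per_second(exchanges=PERIODIC_EXCHANGES) -> Fraction:
    """Exact steady-state control-plane load of one AP, in bytes per second."""
    return sum((Fraction(size, interval) for _, size, interval in exchanges), Fraction(0))


def breakdown(exchanges=PERIODIC_EXCHANGES) -> dict:
    """Share of the steady-state load contributed by each periodic exchange."""
    total = per_ap_bytes_per_second(exchanges)
    return {name: float(Fraction(size, interval) / total) for name, size, interval in exchanges}


def wan_budget(ap_count: int, link_bps: int, exchanges=PERIODIC_EXCHANGES) -> dict:
    """Steady-state bits per second for ap_count APs on one link, plus the
    worst-case bursts: every AP joining at once (e.g. after a WAN outage) and a
    configuration change pushed to every AP."""
    per_ap_bps = per_ap_bytes_per_second(exchanges) * 8
    steady_bps = per_ap_bps * ap_count
    return {
        "per_ap_bps": float(per_ap_bps),
        "steady_state_bps": float(steady_bps),
        "link_utilisation_pct": float(steady_bps * 100 / link_bps),
        "join_burst_bytes": JOIN_EXCHANGE_BYTES * ap_count,
        "config_change_bytes": CONFIG_CHANGE_BYTES * ap_count,
        "rrm_config_change_bytes": RRM_CONFIG_CHANGE_BYTES * ap_count,
    }


if __name__ == "__main__":
    # Assumed: the 8 APs per WAN site mentioned in the question, on a 1.544 Mbit/s T1.
    for key, value in wan_budget(8, 1_544_000).items():
        print(f"{key:>24}: {value:,.3f}" if isinstance(value, float) else f"{key:>24}: {value:,}")
    for name, share in breakdown().items():
        print(f"{share:6.1%}  {name}")
```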
