OpenSSL vulnerabilities in WLC 7.4.110.0

Hi, version 7.4.11.0 is vulnerable to the following CVE IDs:
CVE-2014-0224 CVE-2014-0221 CVE-2014-0195 CVE-2014-0198 CVE-2010-5298 CVE-2014-3470 CVE-2014-0076
Is there a patch that could fix it?
Thanks!

Multiple Vulnerabilities in OpenSSL - June 2014
CSCup22587
Description
Symptom:
The following Cisco products:
Wireless LAN Controllers: 5500, 2500, WiSM1, WiSM2, 7500, 8500, 2100, NM-WLC, 4400
include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0195 - DTLS invalid fragment vulnerability
This bug has been opened to address the potential impact on this product.
Conditions:
Devices with default configuration.
Affected Releases
All 4.x, 5.x, 6.x, 7.0.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x
Workaround: Not Available
More Info:
CVE-2014-3470: ECDH is not in use, but a patch for the issue will be included
Fixed Releases
Upcoming: 7.4.130.0, 7.6.130.0, 8.0, 7.0.x
Will not be fixed: 4.x, 5.x, 6.x, 7.2.x, 7.3.x, 7.5.x (all end of engineering maintenance)
Fixed code will be posted in CCO soon. For beta access contact [email protected]
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.5:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Similar Messages

  • Vulnerabilities from WLC - AIR-CT5508-K9

    Hello, Guys
    The following vulnerabilities were found in my WLC - AIR-CT5508-K9:
    Does somebody know these errors?
    Port: 22/tcp     Running vulnerable SSH service: OpenSSH 4.0.
    Port: 22/tcp     Running vulnerable SSH service. Vulnerable OS: Linux 2.6.15 - 2.6.27.
    Port: 443/tcp     SSLv2 is supported
    Port: 443/tcp     ip(xx.xx.xx.xx):443 negotiated the SSL_RSA_WITH_DES_CBC_SHA.
    Port: 443/tcp     Running vulnerable HTTPS service.
    Port: 443/tcp     TLS/SSL certificate is self-signed.
    Can you help me?
    Thanks,
    Rodrigo

    The first 2, there's nothing to do about it.
    For support of SSLv2 and weak cipher encryption, there are commands for that.
    config network secureweb cipher-option sslv2 {enable | disable}
    The last one just requires you to install a signed certificate on the WLC management.

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have app. 1500 access points in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
    Now we have started using 1602 APs and the client connection on ssid LAN becomes unstable.
    If we configure a different ssid, using vlan 420 and native vlan as 410, everything works fine.
    I can't find any recommendations regarding the use of native vlan/ssid vlan.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP mgt into the native vlan & user traffic into a tagged vlan.
    From the QoS perspective, if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than the native vlan) & trust CoS on the switch port connected to the FlexConnect AP (usually configured as a trunk port).
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • CSCus42749 - JANUARY 2015 OpenSSL Vulnerabilities

    With reference to above stated bug ID.
    It is stating that certain versions of Cisco Nexus 9000 series are facing the vulnerabilities.
    Would like to find out if any other models from the Nexus family are affected as well?
    (i.e. 7000 series, 5000 series)
    Can anyone from Cisco advise?

    All resolved vulnerabilities are documented for Solaris here:
    Reference Index of CVE IDs and Solaris Patches (Doc ID 1448883.1)
    If you have a vulnerability concern that is not on the list, then please open an SR and our Security team can address it with you. Oracle policy forbids us from discussing any security issues outside of that format.
    Thanks, Ted

  • ISE, WLC Device Profiling

    Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as an AAA server. I have set up this configuration so VLAN IDs can be pushed to clients based on their login credentials (from AD); this all works fine. I'd like to take this a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on its DHCP hostname, should it contain iPhone etc. Is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as, given the nature of the users connecting, the VLAN push based on credentials is key to my possible deployment.
    My second query is relating to VLAN pushing on a Flex Auth AP. I've got a remote site with some APs; it is over an L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges: site 1 is x.1.a.x, x.1.b.x etc., site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLANs to the Flex Auth WAPs so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
    Thanks for any advice/assistance.
    Kenny.

    Kenny,
    For the first part of your question there is no more information you can get outside of the dhcp hostname (which will get you the info you are looking for) and the mac address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a span to span all the traffic over to the ISE node in order to span the http traffic in order to profile the devices using the http user agent string.
    As far as your 2nd question: the flex auth APs do not support CoA and aren't a "supported network access device" from Cisco's webpage.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
    However the APs do support dynamic vlan assignment. So once an endpoint connects to these APs you can set them on the vlan once, however if you are performing posturing and need coa to place them in another rule once a decision has been made then this is where the deployment will break.
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Deauthenticate User on WLC w/ ISE for Testing

    ISE v1.1.1.268
    WLC v7.2.110.0
    We have a wireless deployment using ISE and WLCs configured for LWA. Seeing that CWA has fewer "moving parts", I was trying to migrate to that. When testing my deployment under LWA, I could de-authenticate a user simply by finding the association on the WLC and removing it. Then, when that device would reconnect to the WLAN, it would prompt them for credentials through the WebAuth pages.
    After configuring a WLAN for CWA I noticed that when I remove an association from the WLC in the same manner, upon reconnecting to the WLAN the user never gets redirected to the WebAuth pages. I'm assuming this is because, since the authentication takes place on the ISE server rather than on the WLC (as in LWA mode), the authentication is still active (since I only removed the association on the WLC).
    I looked around on ISE, but couldn't find a place to view active user authentications let alone remove those authentications. Can this be done? It'd be great for testing to make sure the WebAuth pages function as I need them to.
    I used this guide to set up CWA: https://supportforums.cisco.com/docs/DOC-26442. The only exception to following that guide is that I used an authorization profile that sets the auth timeout to 36000 seconds.

    I don't have profiler.
    I can see all of the profiled endpoints, however. I've tried removing the endpoint I was testing with, but it doesn't help. When the client reassociates, the Policy Manager State goes straight to run even though ISE has only responded with the initial Authorization profile and not the CoA.

  • Cisco Prime Infrastructure 2.0 cannot establish connection with WLC5508 7.4.110

    I have two WLC 5508 in HA with image version 7.4.110. These two WLCs are connected to two 6509 Catalyst switches in a VSS system. On the WLC, LAG is enabled for the connection to the VSS. When I am trying to add the WLC to PI 2, once it is successful. The connection continues working for a while and after 3 hours or 5 hours or 1 day the connection between these two (WLC 5508 & PI 2) is lost. After this, trying again to add the WLC to PI 2 has no success. It became unreachable, but the ping between the WLC & PI 2 is working fine.
    It is really important for me to add the WLC to PI 2 because it is the eyes for the APs for me.
    Also, the image of WLC 7.4.110 is compatible with PI 2. I checked it in the Cisco matrix files. Cisco also suggests the 7.4.110 image for PI 2.
    Any idea?

    The subject of the posting shows Prime Infrastructure 2.0 but in the body of the message you've got Prime Infrastructure 1.2.
    If it's in fact Prime Infrastructure 1.2: 1.2 and 7.4.110.0 code aren't compatible.
    http://www.cisco.com/en/US/partner/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp92761
    1.2.1.12
    7.3.112.0
    7.3.101.0
    7.2.115.2
    7.2.111.3
    7.2.110.0
    7.2.103.0
    7.0.240.0
    7.0.235.3
    7.0.235.0
    7.0.230.0
    7.1.91.0
    7.0.220.0
    7.0.116.0
    7.0.98.218
    7.0.98.0
    7.3.101.0
    7.2.110.0
    7.2.103.0
    7.0.240.0
    7.0.230.0
    7.0.220.0
    7.0.201.204
    7.0.112.0
    7.0.105.0
    ISE 1.0
    ISE 1.1
    IOS12.2(50)SE
    IOS12.2(50)SG
    IOS12.2(33)SXI
    If deploying Prime Infrastructure as a virtual appliance on a customer-supplied server, one of the following versions of VMware ESX or ESXi can be used:
    • VMware ESX or VMware ESXi Version 4.0
    • VMware ESX or VMware ESXi Version 4.1
    • VMware ESXi Version 5.0
    Note VMware Tools Version 4.1 is preinstalled in the Prime Infrastructure virtual appliance.

  • WLC not sending AP up/down traps

    Hello guys,
    I am running WLC 7.2.110.0 and I realise that the AP up/down traps are not being sent to my configured management server.
    The WLC is however able to send other traps such as client disconnect, security alert related and coverage hole alarms.
    Can anyone advise or provide any way to have these particular traps sent to a monitoring server? The AP up/down traps seem to me to be one of the most important traps on the CUWN but are not working in this case.
    thanks in advance.

    You can try capturing traffic on the WLC port to make sure that the SNMP packets are being sent. Once you make sure they are sent then you can check the whole path to the management system to see where probably those packets are getting lost.
    If the WLC is not sending the packets then it looks like a bug where the WLC should send the packets but it actually does not.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Security openssl patch 121230-02 looks like has a bug

    Sun experts:
    This is an urgent request, please respond ASAP, thanks.
    According to the readme of patch 121230-02, this patch also includes 121230-01 and should upgrade OpenSSL to 0.9.7h or 0.9.8a as follows:
    (from 121230-01)
    6332476 CAN-2005-2969 upgrade OpenSSL to 0.9.7h or 0.9.8a
    However, after patching several of our Solaris 10/x86 servers successfully, we checked the openssl version as follows, and it looks like it is not upgraded to 0.9.7h. When we scan these servers, openssl vulnerabilities still exist (CVE-2006-3738, CVE-2006-2940, CVE-2006-2937, CVE-2005-2969). But we checked that all files in this patch have been installed into the system. Is this a bug in patch 121230-02?
    $/usr/sfw/bin/openssl version
    OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
    $uname -a
    SunOS tdc-sun-73.host.tdc.loyalty.com 5.10 Generic_125101-10 i86pc i386 i86pc
    $showrev -p |grep 121230
    Patch: 121230-01 Obsoletes: Requires: Incompatibles: Packages: SUNWopenssl-libraries, SUNWopenssl-include
    Patch: 121230-02 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWopenssl-libraries, SUNWopenssl-include
    Thanks
    Ping

    This forum is exclusively about Java. You need to go somewhere else with your problem.

  • Openssl vulnerability -- Adobe Connect 8.2

    What is the supported patch / fix for Adobe Connect 8.2 and Openssl vulnerabilities discovered over the last few months?  I'm assuming it is due to an old stunnel implementation.
    The remote service accepted an SSL ChangeCipherSpec message at an incorrect point in the handshake, leading to weak keys being used, and then attempted to decrypt an SSL record using those weak keys.
    CVE-2010-5298
    CVE-2014-0076
    CVE-2014-0195
    CVE-2014-0198
    CVE-2014-0221
    CVE-2014-0224
    CVE-2014-3470

    You should go and download the Stunnel application and replace the version included with Connect 8.2: stunnel: Downloads
    So you are aware, Connect 9 and newer installers no longer come with Stunnel, so you will need to go to Stunnel's site to download the latest version when upgrading (unless you are already on the latest version).

  • How to share an ipad by allowing the end users to sign in and sign out through Secure Sign-In.

    First user (on iPad) is successful in logging in via Mobile Iron Secure Sign-In. First user logs out.
    Second user logs in. Second user is quarantined, shows not compliant.
    WLC and ISE show the first user instead of the second user. To resolve this issue we have to manually "force device check in" in Mobile Iron.
    After the iPad is compliant with the second user, WLC still shows the old user id under client details.
    Is WLC still looking at the old certificate?
    Mobile Iron Core 7.5.0.0 Build 140
    ISE 1.2.0.899
    WLC 7.2.110.0

    I had done this before with a customer that was using Airwatch. I only handled the ISE side of the configuration but the customer had iPads that were shared between users. So the customer configured the MDM to check-in and check-out the devices. It sounds like you are trying to do the same thing but it is not working?
    Thank you for rating helpful posts!

  • Newly Occurring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickiness

    We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules. I've spent dozens of man-hours working on the problem, and have quite a bit of information to report, including a solution. There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.
    We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit. 
    Here are the exact symptoms we saw:
      Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
      Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
      Impact 1: For SSL rules backed by L5 rules, the initial response to the first request would take 3 seconds. Further requests on the same TCP connection would not be delayed
      Impact 2: L5 rules being accessed via SSL would no longer perform any URL based stickiness. Accessing the same rule skipping SSL would work fine
    I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
    1. Client/CSS perform initial TLS handshake, crypto ciphers determined (nearly instantly)
    2. Client sends HTTP 1.1 request for resource (nearly instantly)
    3. 3 seconds of no traffic in or out of the CSS related to this request
    4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
    5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
    6. Response is sent to the client with the resource (nearly instantly)
    7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
    The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
    Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
    G
    and the second message was:
    ET /foobar HTTP/1.1
    This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
    On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
    GET /foobar HTTP/1.1
    (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
    I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem. I pulled a packet trace from a few years ago, and at that time confirmed we never saw double TLSv1 application messages before.
    A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
    and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
    Solution:
    Our ssl config looked something like this:
    ssl-proxy-list SSL_ACCEL
      ssl-server 10 vip address XX.XX.XX.XX
      ssl-server 10 rsakey XXXX
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
      ssl-server 10 unclean-shutdown
      ssl-server 10 rsacert XXXXXX
    Removing:
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    solves the problem. After that's removed, the browsers will no longer fragment the first character of their request into a separate TLSv1 message. The 3 second delay goes away, and L5 stickiness is fixed. The "CBC" in the cipher refers to Cipher Block Chaining (a great article here:
    http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
    This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
    -Joe

    Hi Joe,
    That's a very good analysis you did.
    As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome an SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
    For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you will have to go through TAC) in the next couple of weeks.
    In the meantime, as a workaround, you can configure the CSS to use only RC4 ciphers (which is what you were suggesting also). These are not affected by the vulnerability, so browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
    Regards
    Daniel
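Joe's trace and Daniel's reply describe a record-layer effect: a browser patched against the CBC attack sends the first plaintext byte of the request in its own TLS record (the 1/n-1 split), so a device that parses HTTP one record at a time sees only "G" and waits. The Python below is an added example, not code from either post or from Cisco; it models the records as they look after decryption (constructed plaintext fragments in TLSv1.0 record framing) and contrasts a per-record parser with one that reassembles fragments before reading the request line.

```python
import struct
from typing import List, Optional

TLS_APPLICATION_DATA = 23
TLS1_0 = (3, 1)


def tls_record(payload: bytes, content_type: int = TLS_APPLICATION_DATA) -> bytes:
    """Frame payload as one TLSv1.0 record: type(1) | version(2) | length(2) | fragment.
    The fragment is kept in plaintext here; real records would be encrypted."""
    return struct.pack("!BBBH", content_type, *TLS1_0, len(payload)) + payload


def split_records(data: bytes) -> List[bytes]:
    """Walk the record layer and return each record's fragment, in order."""
    fragments = []
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        if (major, minor) != TLS1_0 or ctype != TLS_APPLICATION_DATA:
            raise ValueError(f"unexpected record header at offset {off}")
        frag = data[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record")
        fragments.append(frag)
        off += 5 + length
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return fragments


def parse_request_line(buf: bytes) -> Optional[str]:
    """Return 'METHOD path' if buf starts with a complete, well-formed request line."""
    line, sep, _ = buf.partition(b"\r\n")
    if not sep:
        return None  # no CRLF yet: the request line is incomplete
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    if parts[0] not in (b"GET", b"HEAD", b"POST"):
        return None
    return f"{parts[0].decode()} {parts[1].decode()}"


def naive_l5_parse(stream: bytes) -> Optional[str]:
    """Per-record parser: looks only at the first record's fragment, as Joe
    observed the CSS doing. With a 1/n-1 split it sees the lone 'G' and fails."""
    first = split_records(stream)[0]
    return parse_request_line(first)


def buffered_l5_parse(stream: bytes) -> Optional[str]:
    """Reassembling parser: concatenates fragments until a request line is present."""
    buf = b""
    for frag in split_records(stream):
        buf += frag
        result = parse_request_line(buf)
        if result is not None:
            return result
    return None


# Constructed sample request (Joe's trace carried many more headers).
REQUEST = b"GET /foobar HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Constructed: an older browser sends the whole request in one record.
SINGLE_RECORD = tls_record(REQUEST)
# Constructed: a patched browser sends the first byte alone, then the rest (1/n-1 split).
SPLIT_RECORDS = tls_record(REQUEST[:1]) + tls_record(REQUEST[1:])

if __name__ == "__main__":
    print("single record, per-record parser:", naive_l5_parse(SINGLE_RECORD))
    print("split records, per-record parser:", naive_l5_parse(SPLIT_RECORDS))
    print("split records, buffered parser:  ", buffered_l5_parse(SPLIT_RECORDS))
```

Any L5 inspection that keys on the URL must buffer across records as `buffered_l5_parse` does; disabling CBC ciphers, as the thread describes, only avoids the split rather than fixing the parser.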

  • MSE wIPS services - NMSP Connection active/not active

    Hi all,
    Recently deployed Prime Infra 1.3.0.20, MSE 7.4.110.0 and WLC 7.4.110.x.
    The CAS and wIPS services are up but wIPS profiles can't be pushed to the controller.
    Though when using the GUI, NMSP is active..
    ..but when using the CLI via /opt/mse/wips/bin/wips_cli, sometimes it will display no WLC found, then seconds later it will display Pending download to controller, NMSP connection -> No response
    wIPS>show wlc all
    No WLC found
    wIPS>
    wIPS>
    wIPS>show wlc all
    WLC MAC              Profile                        Profile Status                           IP                   NMSP Connection Status       
    XX:XX:XX:XX:XX:E0    Default                        Pending download to controller           xx.xxx.xx.68         No Response                  
    wIPS>show wlc all
    WLC MAC              Profile                        Profile Status                           IP                   NMSP Connection Status       
    XX:XX:XX:XX:XX:E0     Default                        Pending download to controller           xx.xxx.xx.68          No Response                  
    wIPS>show wlc all
    No WLC found
    Screenshot in wIPS Profile Assignment
    MSE output command using /etc/init.d/msed status
    STATUS:
    Health Monitor is running
    Starting MSE Platform, Waiting to check the status.
    MSE services are up, getting the status
    Server Config
    Product name: Cisco Mobility Service Engine
    Version: 7.4.110.0
    Health Monitor Ip Address: 1.1.1.1
    High Availability Role: 1
    Hw Version: V01
    Hw Product Identifier: AIR-MSE-VA-K9
    Hw Serial Number: XXXXXX
    Use HTTP: false
    Legacy HTTPS: false
    Legacy Port: 8001
    Log Modules: -1
    Log Level: INFO
    Days to keep events: 2
    Session timeout in mins: 30
    DB backup in days: 2
    Services
    Service Name: Context Aware Service
    Service Version: 7.4.0.45
    Admin Status: Enabled
    Operation Status: Up
    Service Name: WIPS
    Service Version: 1.0.4041.0
    Admin Status: Enabled
    Operation Status: Up
    Service Name: Mobile Concierge Service
    Service Version: 2.0.0.37
    Admin Status: Disabled
    Operation Status: Down
    Service Name: Location Analytics Service
    Service Version: 1.0.0.12
    Admin Status: Disabled
    Operation Status: Down
    Server Monitor
    Server start time: Mon Sep 30 22:57:16 PHT 2013
    Server current time: Tue Oct 01 15:09:26 PHT 2013
    Server timezone: Asia/Manila
    Server timezone offset: 28800000
    Restarts: 3
    Used Memory (bytes): 613409344
    Allocated Memory (bytes): 1328349184
    Max Memory (bytes): 1908932608
    DB virtual memory (kbytes): 0
    DB virtual memory limit (bytes): 0
    DB disk memory (bytes): 18164721280
    DB free size (kbytes): 0
    Active Sessions
    Session ID: 30483
    Session User ID: 1
    Session IP Address: 1x.xx.xx.5
    Session start time: Mon Sep 30 22:58:39 PHT 2013
    Session last access time: Tue Oct 01 15:09:19 PHT 2013
    Default Trap Destinations
    Trap Destination - 1
    IP Address: xx.xx.xx.4
    Last Updated: Mon Sep 30 22:58:42 PHT 2013
    Context Aware Service
    Total Active Elements(Wireless Clients, Tags, Rogue APs, Rogue Clients, Interferers, Wired Clients): 4069
    Active Wireless Clients: 3800
    Active Tags: 0
    Active Rogue APs: 218
    Active Rogue Clients: 0
    Active Interferers: 51
    Active Wired Clients: 0
    Active Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired Clients, Tags) Limit: 6000
    Active Sessions: 1
    Wireless Clients Not Tracked due to the limiting: 0
    Tags Not Tracked due to the limiting: 0
    Rogue APs Not Tracked due to the limiting: 0
    Rogue Clients Not Tracked due to the limiting: 0
    Interferers Not Tracked due to the limiting: 0
    Wired Clients Not Tracked due to the limiting: 0
    Total Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired Clients) Not Tracked due to the limiting: 0
    Context Aware Sub Services
    Subservice Name: Aeroscout Tag Engine
    Admin Status: Disabled
    Operation Status: Down
    Subservice Name: Cisco Tag Engine
    Admin Status: Enabled
    Operation Status: Up
    +++++++++++++++++++++++++
    Could this be the result of DB free size (kbytes): 0? Does it mean I don't have enough space for my database?
    Regards,
    Dave

    Hello Rasmus,
    I got an NMSP issue during configuration, so I troubleshot it, and the root cause I found is: please synchronize your appliances' clock with an NTP server.
    Thanks.

  • ISE and Guest Portal

    WLC - 7.2.110.0
    ISE - 1.1.1
    I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
    At that screen, users can enter their Active Directory credentials and log in. Although the authentication shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description, but the "Register" button is greyed out.
    I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

    As you asked the documents related to ISE and Guest Portal. I am sending you two docs which will help you in this case. Please find the below documents:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • Bridge Connection

    Hi
    I have setup a RAP and MAP with AIR-CAP1602E-E-K9 all working fine.
    I need to bridge the connection so that I can attach a switch to the MAP AP.
    Both APs' Ethernet connections are set to bridge, but I cannot reach the switch on the MAP AP; I can reach the MAP AP.
    The MAP AP Ethernet is set to trunk mode allowing VLANs, transparent VLAN set to off; switch connections set to trunk mode on both APs.
    Current WLC version:
    7.4.110.0
    I think I am doing something wrong on the trunk link on the switch side.

    We upgraded two days ago from 7.2 to 7.4.110.0. After that VLAN trunking wasn't working anymore. Like you described, I could only reach the MAP on the other side via the native VLAN.
    RAP is an AIR-LAP1262N-E-K9
    MAP is an AIR-CAP3502I-E-K9
    After a bit of debugging and logging into the MAP via SSH I've seen that the bridge group config was missing on the AP's Ethernet interface. Adding the bridge group commands did fix the issue. However, the commands don't survive a reboot of the AP.
    interface GigabitEthernet0
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    So this is more some kind of a workaround. It would be interesting to know if you ran into the same issue.
    Best regards,
    Jochen
