Wireless Client Authentication issues when roaming Access Points (Local)

I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
There are a handful of clients that, when roaming between APs with the same SSID, get an authentication issue and have to restart the wireless to get back on.
From Cisco ISE:
Event: 5400 Authentication failed
Failure Reason: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution: Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause: While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I am having a hard time figuring out what is causing this. My assumption is if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is if the client had a problem with their laptop (Windows 7) then why does it work at other times? So I have checked and the ISE certificate is trusted by the client.
Is something happening where the previous access point is holding on to the MAC and the return authentication traffic is going to the old AP instead of the new one, or something like that, which is corrupting the data?
I also had this from Splunk for the same client:
Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
 FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
Any help on this would be appreciated. These error messages give me an idea but don't give me the exact answer to why the problem occurred and what needs to be done to fix it.
Thanks

Further detail from ISE for the failure:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
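
One way to triage an ISE step list like the one in the post above, as an added example that is not part of the original post or of any Cisco tool: it parses the steps and reports which EAP method was negotiated, how far the TLS handshake got, and how many client responses arrived before the failure step. The function names are hypothetical and the embedded sample is constructed by abridging the steps quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: steps copied from the post, abridged (policy evaluation,
# session re-use and most of the repeated PEAP round trips are left out).
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^(\d{5})(?:\s+(.*))?$")

# Step codes and meanings as they appear in the post's step list.
TLS_STEPS = {
    12800: "handshake started",
    12805: "ClientHello received",
    12806: "ServerHello prepared",
    12807: "server Certificate prepared",
    12810: "ServerDone prepared",
}
FAILURE_CODES = {11514, 12512}


def parse_steps(text):
    """Return [(code, message)] from 'code message' lines or from the
    alternating code-line / message-line layout of a copied ISE report."""
    steps, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m and m.group(2):          # code and message on one line
            steps.append((int(m.group(1)), m.group(2)))
            pending = None
        elif m:                       # bare code, message is on the next line
            pending = int(m.group(1))
        elif pending is not None:     # message for the preceding bare code
            steps.append((pending, line))
            pending = None
    return steps


def summarize(steps):
    """Condense a parsed step list into the facts needed for triage."""
    codes = [code for code, _ in steps]
    counts = Counter(codes)
    tls_seen = [code for code in codes if code in TLS_STEPS]
    failure = next(((c, m) for c, m in steps if c in FAILURE_CODES), None)
    # Client PEAP responses (12304) between ServerDone and the failure step.
    responses = 0
    if 12810 in codes:
        start = codes.index(12810)
        end = codes.index(failure[0]) if failure else len(codes)
        responses = codes[start:end].count(12304)
    return {
        "access_requests": counts[11001],
        "access_challenges": counts[11006],
        "eap_tls_declined_for_peap": 12500 in counts and 12301 in counts,
        "peap_negotiated": 12318 in counts,
        "last_tls_step": TLS_STEPS[tls_seen[-1]] if tls_seen else None,
        "client_responses_after_server_done": responses,
        "failure": failure,
        "rejected": 11003 in counts,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_steps(SAMPLE_STEPS)).items():
        print(f"{key}: {value}")
```

Run over the full step list from the post, the same function counts seven client responses after ServerDone before step 11514, with no further TLS handshake step logged in between.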

Similar Messages

  • Strange VLAN issue on aironet access points

    I'm setting up some access points for WPA. I've run into a strange issue. The client VLAN (VLAN that the users will be put into) is 1, and the native VLAN is 10. The RADIUS server is in VLAN 1 (but I have a test RADIUS server in VLAN 10 as well). I can connect from the access point to a RADIUS server in either VLAN, and from the RADIUS servers to the access point as well. When I point to a RADIUS server in VLAN 10, authentication works fine. If I point to a RADIUS server that is located in VLAN 1, and I put the wireless clients in VLAN 10, it works fine. But for some reason when I have the RADIUS server and the clients in VLAN 1 and the native (BVI1) interface in VLAN 10, the authentication packets never seem to get to the RADIUS server. It is as if the authentication is being sourced out of the wrong VLAN. I can't find any docs to say that this isn't a supported configuration.

    Hi Shannon,
    have a look here:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#apconfig
    - - - Snipp - - -
    Significance of Native VLAN
    When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
    Note: If there is a mismatch in the native VLANs, the frames are dropped.
    This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
    - - - Snapp - - -
    Best regards,
    Frank

  • AP Client Authentication Issues

    Hello. I have three 1200 series access points running in autonomous mode that need to allow handheld computers to connect. The handhelds need to authenticate using EAP. The AP's are properly listed and configured in the ACS and the handhelds are properly set up as well, but when I do "show dot11 association" it shows them authenticated with aaa instead of eap. As I said, these are autonomous, so there is no WLC. The vlan being used for the AP's is properly trunked all the way back to where the traffic needs to go. Here is a configuration example:
    interface Dot11Radio0
     no ip address
     no shut
     no ip route-cache
     encryption mode wep mandatory
     ssid portableclient
     speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
     channel 2412
     station-role root
     rts threshold 2312
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    aaa new-model
    aaa group server radius rad_eap
     server x.x.x.x auth-port 1645 acct-port 1646
     server x.x.x.x auth-port 1645 acct-port 1646
     server x.x.x.x auth-port 1645 acct-port 1646
    aaa group server radius rad_m
    aaa group server radius rad_a
    aaa group server radius rad_ad
    aaa group server tacacs+ tac_ad
    aaa group server radius rad_p
    aaa group server radius dummy
    ip http authentication aaa
    no ip http secure-server
    ip tacacs source-interface BVI1
    ip radius source-interface BVI1
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key xxxxxxxx
    radius-server attribute 32 include-in-access-req format %h
    radius-server host x.x.x.x auth-port 1645 acct-port 1646
    radius-server host x.x.x.x auth-port 1645 acct-port 1646
    radius-server host x.x.x.x auth-port 1645 acct-port 1646
    radius-server timeout 20
    radius-server deadtime 3
    radius-server key xxxxxxxxx
    radius-server vsa send accounting
    bridge 1 route ip
    The Clients connect to the AP but authenticate with aaa and therefore do not transmit as the Handhelds require radius. Any ideas of what I might be missing?

    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    hostname
    logging buffered 1048576 debugging
    enable secret
    ip subnet-zero
    no ip source-route
    ip domain list
    ip domain list
    ip domain name
    ip name-server
    ip name-server
    ip name-server
    dot11 syslog
    dot11 ssid
       authentication open eap eap_methods
       authentication network-eap eap_methods
       accounting acct_methods
       infrastructure-ssid
    dot11 network-map
    dot1x timeout reauth-period server
    bridge irb
    interface Dot11Radio0
     no ip address
     no shut
     no ip route-cache
     encryption mode wep mandatory
     ssid
     speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
     channel 2412
     station-role root
     rts threshold 2312
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    ip default-gateway
    no ip http server
    logging trap notifications
    logging source-interface BVI1
    logging
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    access-list 2 permit
    snmp-server community
    snmp-server ifindex persist
    snmp-server trap-source BVI1
    snmp-server host 1 snmp
    snmp-server host 1 snmp
    snmp-server host 1 snmp
    banner motd  ^
    ^
    line con 0
     exec-timeout 30 0
     transport preferred telnet
     login
     password
     stopbits 1
    line vty 0 4
     exec-timeout 30 0
     transport preferred telnet
     login
     password
    line vty 5 15
     exec-timeout 30 0
     transport preferred telnet
     login
     password
    sntp server
    aaa new-model
    aaa group server radius rad_eap
     server  auth-port 1645 acct-port 1646
     server  auth-port 1645 acct-port 1646
     server  auth-port 1645 acct-port 1646
    aaa group server radius rad_m
    aaa group server radius rad_a
    aaa group server radius rad_ad
    aaa group server tacacs+ tac_ad
    aaa group server radius rad_p
    aaa group server radius dummy
    ip http authentication aaa
    no ip http secure-server
    ip tacacs source-interface BVI1
    ip radius source-interface BVI1
    tacacs-server host
    tacacs-server host
    tacacs-server host
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key
    radius-server attribute 32 include-in-access-req format %h
    radius-server host  auth-port 1645 acct-port 1646
    radius-server host  auth-port 1645 acct-port 1646
    radius-server host  auth-port 1645 acct-port 1646
    radius-server timeout 20
    radius-server deadtime 3
    radius-server key
    radius-server vsa send accounting
    bridge 1 route ip
    aaa authentication attempts login 4
    aaa authentication password-prompt Password(local):
    aaa authentication username-prompt User(local):
    aaa authentication login default group tacacs+ enable
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    end

  • ActiveSync issue when roaming

    So far, five of our users with BB Z10 and Q10 who were traveling internationally have experienced an issue while accessing email. All the users were set up via ActiveSync for corporate email. Once they land at their final destination, which has been China, Australia and Colombia, they will receive 4G or 4g connectivity but no emails. They will receive their personal emails like gmail, yahoo, etc. but no corporate emails. It will take about 20 minutes before they start seeing corporate emails. After about an hour or so the device will stop receiving emails. The only fix is to manually remove the corporate email account and re-add it on the device. Once we have set up the account again, everything works normally throughout their stay. We are running Exchange 2007. Z10s are running the 10.1.0.2006 build and we are on the T-Mobile network. Has anyone experienced a similar issue?
    Thanks,
    Bhavik

    Hello Bhaviksom, 
    Have a look at the 2 possible causes to this issue along with the 2 possible resolutions. 
    Cause 1
    The Microsoft Exchange ActiveSync Mailbox policy has the value "Allow Direct Push when roaming" set to no
    Cause 2
    The email profile assigned to the BlackBerry smartphone in the BlackBerry Device Service has the value "Manual Sync while Roaming" set to yes
    Resolution 1
    There are two ways to resolve cause one:
    On the BlackBerry smartphone select the settings icon from the home screen
    Select Accounts
    Select the Microsoft Exchange ActiveSync account
    Select Advanced
    Toggle the option for Push off and back on again.
    To avoid all BlackBerry smartphones having to sync manually while roaming, the option will need to be changed in the ActiveSync Mailbox policy on the Microsoft Exchange Server. To perform the action do the following:
    Open the Exchange Management Console
    In the console tree, navigate to Organization Configuration > Client Access
    In the result pane, click the Exchange ActiveSync Mailbox Policies tab, and then select the policy you want to view or configure
    In the action pane, click Properties
    Select the Sync Settings tab
    Change the value for Allow Direct Push when roaming to Yes
    Resolution 2
    If the BlackBerry smartphone has an email profile which is pushed from the BlackBerry Device Service the option "Manual Sync while Roaming" will need to be changed to "No" in the email profile which is assigned to the BlackBerry smartphone.
    Open the BlackBerry Administration console for BlackBerry Device Service
    Expand Email profiles under BlackBerry Solution management
    Select Manage email profiles under Email profiles
    Select the profile and click Edit profile
    Change the option "Manual Sync when roaming" to no
    Let us know if this helps. Have a good day.. 
    -SR

  • Authentication Issue, When Profile ReCreate

    Hi,
    I face an authentication issue in SQL Server 2012 Evaluation after I log in with a new account.
    Take a look at the situation and what I did.
    1) I installed SQL Server 2012 on a Member Server (Server 2012 Standard).
    2) Everything I did was done using the AD user name "SP_Farm".
    3) I installed SQL in Windows Authentication Mode only and I provided the user ****\SP_Farm whenever the installation asked.
    Note: during the whole process I only used SP_Farm (AD Admin User).
    Everything was working fine until my mistake. By mistake I deleted the account SP_Farm from AD and I re-created it.
    After that I can't access Management Studio. :(
    Please guide me if there is any other way.
    Thank you
    Shariq Ayaz
    www.shariqdon.com
    www.shariqdon.com/itworld

    Hi,
    I face an authentication issue in SQL Server 2012 Evaluation after I log in with a new account.
    Take a look at the situation and what I did.
    1) I installed SQL Server 2012 on a Member Server (Server 2012 Standard).
    2) Everything I did was done using the AD user name "SP_Farm".
    3) I installed SQL in Windows Authentication Mode only and I provided the user ****\SP_Farm whenever the installation asked.
    Note: during the whole process I only used SP_Farm (AD Admin User).
    Everything was working fine until my mistake. By mistake I deleted the account SP_Farm from AD and I re-created it.
    Creating a user with the same name is not the same user :-)
    A user has a unique ID and you did not create the same ID, but a new user with the same name.
    After that I can't access Management Studio. :(
    Please guide me if there is any other way.
    Thank you
    Shariq Ayaz
    www.shariqdon.com
    www.shariqdon.com/itworld
    You can try to use this solution:
    http://blogs.msdn.com/b/raulga/archive/2007/07/12/disaster-recovery-what-to-do-when-the-sa-account-password-is-lost-in-sql-server-2005.aspx
    * After the SQL Server Instance starts in single-user mode, the Windows Administrator account is able to connect to SQL Server using the sqlcmd utility using Windows authentication.

  • Report on Airport Utility when connecting Access Points to Airport Extreme

    I have a plan to upgrade my Access Points for better bandwidth and speed of the wireless connection on my local network.
    There is the latest model of Airport Extreme and 2x Airport Express. Both of the Airport Express units are connected to the Extreme by CAT5E.
    The transfer speed will always be limited to 100Mbps, due to the limitation of the Ethernet port in the Airport Express.
    The question is, if I replace the Airport Express with other brands that support up to 600Mbps with USB support for a printer, what would be reported in Airport Utility?
    Would I still be able to manage it as an Access Point through the Utility, and use it as a print server?

    Mmmm, if you replace those Expresses with 3rd party routers, you may run into some issues there.

  • Macbook Wireless Driver Incompatible with Dual Band Access Points & PPTP VPN with MPPE Enabled.

    Configuration:
    Local Client: Macbook Pro 8,1 (Dual boot 10.8.2 & Windows 7 x64)
    Local WLAN AP: WiFi dual band access points (I do not have admin access to)
    ISP: TWC Road Runner
    External VPN Server: Poptop PPTPD server v1.3.4 (I do have admin access to)
    Problem:
    There is a Macbook BCM4331 driver incompatibility that spans across both OS X and Windows 7 when connecting to a PPTP VPN through a local dual band access point.
    The same Macbook (booted into either OS X 10.8 or Windows 7) cannot maintain a ping/connection to the PPTP server when connected to a local dual band (2.4GHZ/5GHZ) WiFi access point.
    Macbook connects and remains connected to the PPTP server (as shown in connection status,) but no traffic will pass through VPN once the connection has "dropped" internet traffic. Flood ping to the VPN server initially replies with expected <30ms ping time. Once internet traffic is passed across VPN, ping fails and traffic stops completely.
    • Any other wifi client machines & OS using same dual band AP can connect to VPN and maintain flood ping to PPTP server and pass all traffic or even split tunnel. I've tested different computers using Windows XP, Windows 7, Android 4.1, iOS 6.0.1 etc. No problems at all.
    • Macbook can maintain flood ping and pass traffic to PPTP server when connected to a different standard 2.4GHZ access point.
    • Macbook can maintain flood ping and pass traffic to PPTP server when connected via Ethernet on same LAN as dual band AP's.
    • Macbook can maintain connection/ping by disabling MPPE encryption on the PPTP server. Running an unencrypted VPN is not an option for me however.
    • Macbook can maintain connection/ping when booted into Windows 7 natively and disabling 2.4 band through Device Manager > Advanced tab > Disable bands > "Disable 802.11g/b".
    To fix this problem, I would propose that Apple allow OS X users to disable 2.4GHZ in OS X. Doing so should allow PPTP + MPPE when connected via dual band routers as it does in Windows 7. I think asking them to rewrite the driver for OS X & Windows 7 is asking too much.
    Credits:
    I have been through so many forums, reconfigured the Macbook, the PPTP server, reformatted, tested and tweaked until my eyes bled. Here is a collection of threads of others with similar problems:
    https://discussions.apple.com/thread/2778039?start=120&tstart=0
    https://discussions.apple.com/thread/3202997?start=0&tstart=0
    https://discussions.apple.com/thread/2136112?start=15&tstart=0
    http://forums.macrumors.com/showthread.php?t=196438
    https://discussions.apple.com/thread/2132652?start=0&tstart=0
    http://comments.gmane.org/gmane.network.poptop/2373
    https://discussions.apple.com/thread/1623154?start=0&tstart=0
    https://discussions.apple.com/message/12514921?messageID=12514921#12514921
    http://forums.macrumors.com/showthread.php?t=1101053
    http://forums.macrumors.com/showthread.php?t=415087
    https://discussions.apple.com/thread/1346301?start=0&tstart=0
    https://discussions.apple.com/thread/2197122?start=0&tstart=0

    I haven't heard anything back yet. I will update if I do.
    Being that Apple takes pride in selling their own computers and writing their own drivers & software to match, the Macbook with OS X 10.8 should be a super polished, finely tuned machine. It's aggravating when I can't do relatively simple things which I can do on any other device & OS:
    If you've read the first post, you know it's not possible to pass PPTP + MPPE on the Macbook Pro 8,1 with OS X 10.6+ or Windows 7 when connected to a dual band AP.
    OS X also imposes a 130mbps limit on the 2.4Ghz band. I have no problems connecting @ 450mbps on 2.4Ghz with Windows 7. The range is much better than 5Ghz as expected when there aren't any neighboring AP's for interference. I've also never received interference with Bluetooth devices.
    There have been a couple times where some things don't plain work right and the flexibility to fix them as an "Apple knows better than the user" policy is restricted. In most cases, perhaps Apple does know better. In this case, there is definitely a problem with the BCM4331 driver. If it "just worked" this topic wouldn't have been created.

  • Wireless client authentication failed

    hi all,
    I have a problem. I have an AP 1602i joined to a WISM2 controller with IOS version 7.4.121.
    When a client tries to connect to the SSID, he receives a log "authentication failed". When I tried to rejoin the AP to another controller it worked normally, and when I went back to joining the first controller it joined normally.
    When the problem occurs I noticed that the AP LED is flashing and on the controller I can see the AP.
    Please advise.
    Thanks in advance.

    hi Manannalage ras...,
    I already issued this command and tried to connect to the SSID, but no output appeared on the controller; it seems that the client MAC address is not reaching the controller.
    Note that
    the AP is connected through a modem to the controller and gets the controller IP address from DNS by resolving its domain name to the controller IP.

  • Client Communication Issues when attempting to retire old ADCS Certificate Authority

    Hi,
    SCCM 2012 R2 running on 2008R2. Single site.
    We've been migrating our environment to a new SHA2 Microsoft CA and we're seeing issues when attempting to retire our old SHA1 CA server.
    We've had a fully functioning PKI integrated SCCM environment for some time. No issues. All our clients have client certificates deployed via group policy.
    We've spun up a new CA and installed new SHA2 distribution point and webserver certificates on the SCCM server.
    We have added the new Root CA certificate to the trusted list in the site properties (both are now listed)
    We have confirmed that new machine builds are receiving SHA2 client computer certificates via group policy.
    Everything runs happily with the two CA servers configured and running. We would like to retire the old CA server but when we shut it down we find that all older clients (with the SHA1 cert) stop communicating with the management point.
    Clients with the newer SHA2 computer certs continue to function. We assumed that the old CA server didn't have to be running for the SHA1 certs to still function. Are we incorrect?
    Anyone able to explain what's happening?
    Cheers!

    Hi Jason,
    No, we don't have CRL checking enabled in the SCCM site settings. As I understand it that tells the clients to check the site server against the CRL?
    We think the issue is due to IIS attempting to check the client certificates against the CRL on the old CA (which is currently turned off)
    For now we've temporarily disabled CRL checking in IIS while we attempt to migrate the old CRL to the new CA. All our clients are now talking happily to the management point.
    All good. Cheers.

  • G4  (10.4.11) airport (9.52) wifi connectivity issue w WPA access point

    I am struggling to resolve a wi-fi connectivity issue between a G4 imac with airport card and a netgear wireless-n access point.
    The setup is as follows - the broadband comes into a Netgear router (DG834Gv5) which my Intel iMac connects wirelessly to. Two daughters' den is away downstairs so I run an ethernet cable from the main Netgear router to a Netgear Pro-safe wireless access point (WNAP210) as an extender (we live on a houseboat so there are metal bulkheads and the like in between).
    In the den, older daughter's G5 wirelessly connects to the Netgear access point easily through a WPA-PSK connection.
    Younger daughter's G4 running 10.4.11, with original airport card running firmware 9.52 (airport admin utility 4.2), refuses with the 'wrong password' error (it isn't - I have checked 50x) or sometimes just 'there was an error joining'.
    It can see the network strongly (the airport menubar icon goes full, then cuts, then flashes on, then drops) but refuses any traffic.
    This G4 can however connect, weakly, with my upstairs router which is also WPA-PSK protected (same password)!
    I have read all the forums on this and despite some non-expert posts muddling the issue I believe that this SHOULD be possible. Not WPA2 I know but basic WPA.
    In addition the options in the netgear extender are b&g (like upstairs which works), g or n. So I have selected b&g - no difference.
    Currently I have had to set a separate channel for her and leave it unsecured, which isn't a long term option (I am just hoping that even the cleverest war-driver can't sneak in through the extender, back up to the traffic between my Intel and the main router !!?)
    Can anyone suggest what I might be missing in the conjuration (sic, ahem) configuration settings either on the G4 or the Netgear box ?
    Is it enough to turn the broadcasting of the open channel name off and so render it invisible ?
    Thanks in advance for any expert person's attention

    hi kathryn
    did it have to be the Telekom, by all means??
    anyway, first of all a link to a video where a german comedian writes a letter to steve jobs demanding he chose any carrier but the DTAG for the iPhone distribution in germany - really funny!
    http://bit.ly/4B4OdQ
    OK, I'm currently downloading the speedport manual from their website and will look through it, in order to see if there's something in there..
    as a first guess I'd try looking at the wireless prefs of that speedport box. I guess it supports by default 802.11a/b/g, whereas the G4 only does 802.11b (the "normal" airport). Try selecting only the 802.11b portion from the speedport (that makes networking somewhat slower for airport express computers, but shouldn't be a problem since it's still at least as fast as basic DSL service (11MBit vs 2 or 6 MBit))
    cheers
    Matt
    (german in spain)

  • SmartConnect fails when GPRS access point configur...

    I am trying to configure SmartConnect to cycle between a Wi-Fi and a GPRS access point.
    The GPRS access point allows only HTTP/HTTPS traffic through a proxy server (this is a limitation of my service package through the mobile operator; direct Internet connectivity is much more expensive).
    When using an HTTP application (e.g. Opera, Gmail) directly with the GPRS access point, everything works fine.
    However, if I use the application with the SmartConnect access point, the connection fails.
    Just for testing, I replaced the GPRS access point with one that allows direct internet connectivity without a proxy server (at a much higher cost) -  everything worked fine.
    So, I concluded that this is a bug in SmartConnect - they didn't take into account the fact that the access point may work only through a proxy server, and maybe they do some kind of connectivity check that is not HTTP and that fails. I tried to look everywhere support contact information for Birdstep but couldn't find any.
    Has anybody encountered this? Or does anyone have contact information for Birdstep's support? I am guessing the fix is probably super-simple.
    ==============================================
    Summary of my settings:
    Device: Nokia E51
    Access Points under Connection settings:
        1 - "Home WLAN" - WiFi, my home WLAN network
        2 - "IL Orange WAP" - GPRS with Proxy Server that allows HTTP/HTTPS to the Internet (and unlimited WAP)
        3 - "IL Orange Internet" - GPRS without proxy server that allows direct Internet connectivity without limitations
    SmartConnect configuration that doesn't work:
        Priority 1: "Home WLAN"
        Priority 2: "IL Orange WAP"
    SmartConnect configuration that does work:
        Priority 1: "Home WLAN"
        Priority 2: "IL Orange Internet"
    Does SmartConnect perform some connectivity check prior to "releasing" the connection to the applications?
    ===================================================

    Just got this from Birdstep's support:
    "SmartConnect is not using the proxy setting of the connection. This is a known problem with SmartConnect. Currently there is no fix or workaround for it".
    So that seems to be the end of it, for now at least.

  • Wireless sporadically stop. List your access point please.

    After some testing I have come to the conclusion that this problem is access point dependent. Not by brand but by model. So in an effort to try and determine the common denominator could you please list your access point (Model/Brand), what type of encryption, if your channel is set to auto, what version of Mac OS 10 you are running, and if it works or not.
    I will keep a compiled list at: http://bluefixed.com/random/waps.html
    Feel free to email me the information at jcanady --- at --- gmail

    An E3200 in bridge mode...........
    http://homecommunity.cisco.com/t5/Wireless-Routers/2-E3200-with-the-same-SSID/td-p/510158

  • Some wireless clients can't discover or connect to local wired systems

    Hi,
    I've just upgraded my home wireless from a NetComm NB5540 + modem to a LinkSys X3000.
    Internet access works fine for all devices, but some wireless devices can't "see" my Win7 desktop system that's on a wired connection to the router.
    I've tried three devices...
    Galaxy Note phone (running ICS 4.0.4) can discover and connect to file shares on my desktop system without any problems.
    Asus Transformer Prime tablet (running JellyBean 4.1.1) can see the router on the local network, but can't see my desktop. Even if I manually type in the IP address it can't connect to it.
    Likewise my old WinXP laptop can see the router but can't see or connect to any other devices.
    Any suggestions welcome.
    Hugh
    ps. I tried connecting the NetComm router with just Wifi configured to one of the ethernet ports on the X3000, so I've got two Wifi networks running in parallel. If I connect to this second WiFi network with any of the above devices then they can all discover and connect to my desktop system on the wired connection to the X3000.

    Just to test network connectivity, why don't you ping the wired client from the wireless devices that are not able to access it? Do post your results so we can further analyze this scenario. By the way, when you cascaded another access point (using the NetComm router) to the X3000, was it via LAN-LAN? Was the X3000 still the DHCP server for the wireless clients?

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features such as MAC Move and MAC replace but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    The configuration we have on the switch ports looks as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • Apple wireless clients authenticated but show no username in WLC

    Running 7.0.220. There are several 'unknown' users every day reported in WCS. Investigating the connections on the WLC I find the clients are in a run state and passing traffic but there is no username listed on the client detail. (hence the unknown on WCS)
    (mcm-189jsoc-wlc1) >show client detail 60:c5:47:07:b6:5a
    Client MAC Address............................... 60:c5:47:07:b6:5a
    Client Username ................................. N/A
    AP MAC Address................................... 00:1e:13:42:16:a0
    AP Name.......................................... mcm-208dorm-wap1
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 1
    BSSID............................................ 00:1e:13:42:16:a0
    Connected For ................................... 599 secs
    Channel.......................................... 11
    Clients in this state are usually Apple products. From initial investigation it looks like they do authenticate with the ACS.
    Any ideas for debugs to run, or fixes on the WLC? Perhaps there's a bug on this behavior?
    Thanks
    Kyle Morrison

    Kyle:
    I suppose you are using PEAP or some EAP that utilizes a TLS tunnel.
    The username that appears is what is called the "outer identity" username. This is sent to the AAA server outside the TLS channel and need not be the correct username although it can be the same. So I think with MacBooks the outer identity is empty. But I don't remember if it appears on the WLC as unknown.
    For iPad I can see my username explicitly appearing on my WLC which means the outer identity is the same as the correct username.
    What Mac devices do you use?
    You need no debugs. Wireless packet capture while the client is trying to authenticate should be enough to show what outer identity is used.
    HTH
    Amjad
    p.s: with Windows it depends on the supplicant software if an outer identity can be configured or not.
    Sent from Cisco Technical Support iPad App
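
    The reply above suggests checking a wireless capture for the outer identity; the following is an added example, not part of the thread, that extracts it from an EAP-Response/Identity. It assumes the input bytes start at the 802.1X header (the payload after EtherType 0x888E); the sample frames and the helper build_identity_response are constructed for illustration.

```python
import struct

EAPOL_TYPE_EAP = 0       # 802.1X packet type 0 = EAP-Packet
EAP_CODE_RESPONSE = 2    # EAP code 2 = Response
EAP_TYPE_IDENTITY = 1    # EAP type 1 = Identity


def outer_identity(eapol: bytes):
    """Return the cleartext outer identity carried in an EAPOL frame,
    or None if it is not a well-formed EAP-Response/Identity."""
    if len(eapol) < 4:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", eapol[:4])
    body = eapol[4:4 + body_len]
    if pkt_type != EAPOL_TYPE_EAP or len(body) != body_len or body_len < 5:
        return None                      # not EAP, truncated, or too short
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if code != EAP_CODE_RESPONSE or not 5 <= eap_len <= body_len:
        return None
    if body[4] != EAP_TYPE_IDENTITY:
        return None                      # e.g. a PEAP (type 25) response
    # Everything after the type byte is the identity; it may be empty.
    return body[5:eap_len].decode("utf-8", errors="replace")


def build_identity_response(identity: str, ident: int = 1) -> bytes:
    """Hypothetical helper: build a constructed sample frame for the demo."""
    data = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, ident,
                      5 + len(data), EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP, len(eap)) + eap


# Constructed sample frames (not taken from any capture on this page).
SAMPLES = {
    "empty outer identity": bytes.fromhex("010000050201000501"),
    "anonymous outer identity": build_identity_response("anonymous"),
    "real username exposed": build_identity_response("jdoe@example.org"),
    "EAP-Request (from AP)": bytes.fromhex("010000050101000501"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:26} -> {outer_identity(frame)!r}")
```

    An empty string means the supplicant answered the identity request but sent no outer identity, while None means the frame was not an identity response at all.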
