WPA2 on AIR-AP1231G-A-K9

I am trying to set up WPA2 on some 1231 access points which are running IOS version 12.3(8)JED.
The configuration is something like this:
dot11 ssid WLAN999
   vlan 999
   authentication open
   authentication key-management wpa
   wpa-psk ascii password
Int Dot11Radio0
encryption vlan 999 mode ciphers aes-ccm
ssid WLAN999
This was set up using this example:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
Now on my newer APs (1242s, 1252s, 1141s) the WPA2 configuration looks like this:
dot11 ssid WLAN999
   vlan 999
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii password
Int Dot11Radio0
encryption vlan 999 mode ciphers aes-ccm
ssid WLAN999
The 1231s will not support the version 2 option at the end of the authentication key-management command. Is the 1231 doing WPA2 by virtue of the fact that the ciphers are set to aes-ccm?
Thanks
Mike

In older code the WPA 2 option is not there, but when we configure AES it will act as WPA 2. In the latest IOS we have the option to select WPA 2.
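
An added example (not part of the original thread and not Cisco tooling): a small Python audit that reads an autonomous-AP configuration, pairs each "dot11 ssid" block with the "encryption ... mode ciphers" line for its VLAN, and labels the result, including the case asked about here where key-management wpa carries no "version 2" keyword. The sample configuration, the SSIDs other than WLAN999, and the finding labels are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample. WLAN999 and WLAN998 mirror the two variants quoted in
# the thread ("password" is the post's own placeholder); Legacy and Public
# are hypothetical SSIDs added for contrast.
SAMPLE_CONFIG = """\
dot11 ssid WLAN999
   vlan 999
   authentication open
   authentication key-management wpa
   wpa-psk ascii password
!
dot11 ssid WLAN998
   vlan 998
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii password
!
dot11 ssid Legacy
   vlan 70
   authentication open
   authentication key-management wpa
   wpa-psk ascii password
!
dot11 ssid Public
   vlan 60
   authentication open
   guest-mode
!
interface Dot11Radio0
 encryption vlan 999 mode ciphers aes-ccm
 encryption vlan 998 mode ciphers aes-ccm
 encryption vlan 70 mode ciphers aes-ccm tkip
 ssid WLAN999
 ssid Public
!
"""


@dataclass
class Ssid:
    name: str
    vlan: Optional[int] = None
    wpa: bool = False                  # "authentication key-management wpa" seen
    wpa_version: Optional[int] = None  # set only when "version N" is present


def parse(config: str) -> Tuple[Dict[str, Ssid], Dict[Optional[int], Set[str]]]:
    """Return (ssids by name, cipher sets by VLAN).

    Indentation is ignored on purpose: configs pasted into forum posts,
    like the ones in this thread, often lose it.
    """
    ssids: Dict[str, Ssid] = {}
    ciphers: Dict[Optional[int], Set[str]] = {}
    current: Optional[Ssid] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"dot11 ssid (.+)$", line, re.I)
        if m:  # global SSID block starts; the name may contain spaces
            current = ssids.setdefault(m.group(1), Ssid(m.group(1)))
            continue
        if re.match(r"int(erface)?\s", line, re.I):
            current = None  # leaving any SSID block
            continue
        m = re.match(r"encryption (?:vlan (\d+) )?mode ciphers (.+)$", line, re.I)
        if m:
            vlan = int(m.group(1)) if m.group(1) else None
            ciphers.setdefault(vlan, set()).update(m.group(2).lower().split())
            continue
        if current is None:
            continue
        m = re.match(r"vlan (\d+)$", line, re.I)
        if m:
            current.vlan = int(m.group(1))
        m = re.match(r"authentication key-management wpa(?: version (\d))?", line, re.I)
        if m:
            current.wpa = True
            current.wpa_version = int(m.group(1)) if m.group(1) else None
    return ssids, ciphers


def assess(ssid: Ssid, ciphers: Dict[Optional[int], Set[str]]) -> str:
    """Label one SSID. The labels are this example's own, not IOS terms."""
    vlan_ciphers = ciphers.get(ssid.vlan, set())
    if not ssid.wpa:
        return "no-wpa-key-management"   # open (or static WEP at best)
    if not vlan_ciphers:
        return "wpa-without-cipher"      # key management set, no cipher line
    if "tkip" in vlan_ciphers:
        return "tkip-allowed"            # AES not enforced for every client
    if vlan_ciphers == {"aes-ccm"}:
        pinned = {1: "wpa1-aes-pinned", 2: "wpa2-aes-pinned"}
        return pinned.get(ssid.wpa_version, "wpa-aes-version-unpinned")
    return "other-cipher"


def audit(config: str) -> Dict[str, str]:
    ssids, ciphers = parse(config)
    return {name: assess(s, ciphers) for name, s in ssids.items()}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{name:10} {finding}")
```

The "wpa-aes-version-unpinned" label marks the 1231 case from the question: AES-CCM is the only cipher offered, but the configuration itself does not pin the WPA version, so the answer above is what tells you how that IOS release behaves.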

Similar Messages

  • Access Point(s) - AIR-AP1231G-A-K9 and others - Spotty Connectivity ...

    Hello,
    We have eighteen Cisco Aironet wireless access points (most of them are AIR-AP1231G-A-K9 with 12.3(2)JA2 IOS loaded) across our campus which people have weird issues with connecting.
    Everywhere, people can associate and get an IP address without any issues. However, they cannot maintain a reliable connection to systems either on our network or off. They will get a web page to load and then it drops them out. In addition, they cannot connect back again for random intervals of time. To make this even more bizarre is that for random intervals they maintain a solid connection until it kicks people out again.
    The vlan itself (60 in the configuration file below) works without issue as we have devices plugged in directly to the vlan via a hardwired port and they are stable.
    Below is the configuration file. Any reason why we would have this issue?
    Thank you for your time.
    Regards,
    Christopher Koeber
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname AP-6
    !
    enable secret {authentication information}
    enable password {authentication information}
    !
    username Cisco password {authentication information}
    username admin password {authentication information}
    ip subnet-zero
    ip domain name {Domain Information}
    !
    no aaa new-model
    !
    dot11 ssid (Secure) Staff/Faculty
       vlan 70
       authentication open
    !
    dot11 ssid Public
       vlan 60
       authentication open
       guest-mode
    !
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     ssid (Secure) Staff/Faculty
     !
     ssid Public
     !
     short-slot-time
     speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
     no cdp enable
    !
    interface Dot11Radio0.60
     encapsulation dot1Q 60 native
     no ip route-cache
     no cdp enable
     bridge-group 60
     bridge-group 60 subscriber-loop-control
     bridge-group 60 block-unknown-source
     no bridge-group 60 source-learning
     no bridge-group 60 unicast-flooding
     bridge-group 60 spanning-disabled
    !
    interface Dot11Radio0.70
     encapsulation dot1Q 70
     no ip route-cache
     no cdp enable
     bridge-group 70
     bridge-group 70 subscriber-loop-control
     bridge-group 70 block-unknown-source
     no bridge-group 70 source-learning
     no bridge-group 70 unicast-flooding
     bridge-group 70 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    !
    interface FastEthernet0.60
     encapsulation dot1Q 60 native
     ip address 10.60.255.6 255.255.0.0
     no ip route-cache
     bridge-group 60
     no bridge-group 60 source-learning
     no bridge-group 60 unicast-flooding
     bridge-group 60 spanning-disabled
    !
    interface FastEthernet0.70
     encapsulation dot1Q 70
     ip address dhcp
     no ip route-cache
     bridge-group 70
     no bridge-group 70 source-learning
     no bridge-group 70 unicast-flooding
     bridge-group 70 spanning-disabled
    !
    interface BVI1
     ip address 10.60.255.6 255.255.0.0
     no ip route-cache
    !
    ip default-gateway 10.60.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    logging snmp-trap emergencies
    logging snmp-trap alerts
    logging snmp-trap critical
    logging snmp-trap errors
    logging snmp-trap warnings
    !
    !
    !
    line con 0
     transport preferred all
     transport output all
    line vty 0 4
     login local
     transport preferred all
     transport input all
     transport output all
    line vty 5 15
     login
     transport preferred all
     transport input all
     transport output all
    !
    end

    Hi Christopher,
    Couple of suggestions before moving forward:
    1. I would first secure these WLANs with at least a pre-shared key if possible (WPA/WPA2). Let me know if you need information on how to do this.
    2. Next, I would remove the 'short-slot-time' on the radio:
    config terminal
    interface do0
    no short-slot-time
    end
    If your users continue to have issues, I would want more information on the types of clients in the environment as well as wireless adapter make/model/driver version. 

  • Odd behaviour between 7920 and AIR-AP1231G-A-K9

    To start, I'm running an AIR-AP1231G-A-K9 (12.3(4)JA) with two 7920 phones (one at ) configured using LEAP.
    First issue:
    I originally had my ap interface Dot11Radio0 configured with:
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    but the phone didn't like this at all, so I changed the config to:
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    and everything seems ok with the ap with the speed reconfig.
    Second issue:
    I had to remove broadcast-key vlan 200 change 300 because the phone would lose connection to the ap after 5 minutes and couldn't reconnect. I'm assuming the phone wasn't receiving the new key...
    Third Issue:
    Periodically the phone will drop off the associated ap after successful operation and return with Authentication Failed. We receive the message:
    Apr 29 12:45:40.661: Client 0013.1a4c.337b failed: Incorrect BSSID in re-assoc request
    Apr 29 12:45:55.830: Client 0013.1a4c.337b failed: Incorrect BSSID in re-assoc request
    on all the access points within range of the phone as the phone tries to reconnect. Periodically it will reassociate and get a message "Network Busy!!!"
    Any ideas on any of these issues?
    Thanks!
    Stephen

    For #1, 7920 is B only, so if you have G (OFDM) rates set to mandatory then 7920 will not be able to associate. We recommend the following for a G radio as you want to optimize for 11mbps.
    interface dot11radio 0
    speed basic-11.0 18.0 24.0 36.0 48.0 54.0
    For #2, the 7920 does support broadcast vlan change, but ensure you are using wep ciphers not tkip/ckip.
    For #3, sounds like you are running 1.08 code on the 7920 where there is an issue w/ 12.3(4)JA AP code when trying to roam/reassociate. Look at CSCeg33605 at http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/english/wip7920/relnotes/rn109.htm#wp112162. Need to upgrade to 1.09 code, which can be downloaded at http://www.cisco.com/cgi-bin/tablebuild.pl/ip-7900ser-crypto.

  • Converting AIR-AP1231G-A-K9 to lightweight mode

    Hi Everyone,
    I have an issue with Cisco AP AIR-AP1231G-A-K9 after converting it to Lightweight mode. I am using WLC 2106 with version code of 7.0.98.0, but after successful conversion from autonomous mode to lightweight mode, the AP is not getting associated to the WLC. It shows up for one or two seconds under the WLC and then disappears again. This AP has radio AIR-MP31G, which I think is supported for converting it to lightweight mode.
    Please see below the log of the upgrade utility after converting to lightweight mode.
    2013/07/02 18:45:38 DEBUG            34.109.56.4            Validating IP address
    2013/07/02 18:45:38 DEBUG            34.109.56.4            Opening a telnet connection to the AP
    2013/07/02 18:45:40 INFO            34.109.56.4            User  has  Full privilege
    2013/07/02 18:45:40 INFO            34.109.56.4            Getting  AP Name
    2013/07/02 18:45:40 DEBUG            34.109.56.4            Verify if APs image is 12.3(07)JA or greater
    2013/07/02 18:45:41 INFO            34.109.56.4            AP  has 12.3(7)JA Image or greater
    2013/07/02 18:45:41 DEBUG            34.109.56.4            Identifying the AP Type
    2013/07/02 18:45:41 INFO            34.109.56.4            Term Length configured.
    2013/07/02 18:45:41 INFO            34.109.56.4            Upgrade Tool supported AP
    2013/07/02 18:45:41 DEBUG            34.109.56.4            Check whether AP has supported Radio
    2013/07/02 18:45:41 INFO            34.109.56.4            AP has Supported Radio
    2013/07/02 18:45:41 DEBUG            34.109.56.4            Verifying Station Role
    2013/07/02 18:45:42 INFO            34.109.56.4            Station role is  Root AP
    2013/07/02 18:45:42 DEBUG            34.109.56.4            Check whether AP has  MIC Certificate
    2013/07/02 18:45:42 INFO            34.109.56.4            MIC is already configured in the AP
    2013/07/02 18:45:42 DEBUG            34.109.56.4            Getting Ethernet MAC address
    2013/07/02 18:45:42 INFO            34.109.56.4     Hardware is PowerPC405GP Ethernet, address is 0007.0e5b.8e9d (bia 0007.0e5b.8e9d) 
    2013/07/02 18:45:42 DEBUG            34.109.56.4            Getting the Radio Status
    2013/07/02 18:45:42 DEBUG            34.109.56.4            Entering Configuration mode
    2013/07/02 18:45:42 INFO            34.109.56.4            Inside Shutdown function
    2013/07/02 18:45:45 INFO            34.109.56.4            Shutdown the Dot11Radio0
    2013/07/02 18:45:45 DEBUG            34.109.56.4            Getting Current System Time
    2013/07/02 18:45:46 INFO            34.109.56.4            Updating the AP with Current System Time
    2013/07/02 18:45:46 DEBUG            34.109.56.4            Entering Configuration mode
    2013/07/02 18:45:47 DEBUG            34.109.56.4            Executing show run
    2013/07/02 18:45:47 INFO            34.109.56.4            Saving the configuration into memory
    2013/07/02 18:45:47 INFO            34.109.56.4            Getting  AP Name
    2013/07/02 18:45:47 DEBUG            34.109.56.4            Loading the LWAPP Recovery Image on to the AP
    2013/07/02 18:48:10 DEBUG            34.109.56.4            Checking the Upload Status
    2013/07/02 18:48:12 INFO            34.109.56.4            Successfully Loaded the LWAPP Recovery Image on to the AP
    2013/07/02 18:48:12 INFO            34.109.56.4            Executing Write Erase Command 
    2013/07/02 18:48:18 INFO            34.109.56.4            Flash contents are logged
    2013/07/02 18:48:20 INFO            34.109.56.4            Logged nvram: contents
    2013/07/02 18:48:22 INFO            34.109.56.4            Logged crypto trust-points
    2013/07/02 18:48:24 INFO            34.109.56.4            Logged crypto certificates
    2013/07/02 18:48:26 INFO            34.109.56.4            Terminal length set to Zero
    2013/07/02 18:48:32 INFO            34.109.56.4            Loading 34.109.56.4env_2July2013_184830.log from 34.108.7.50 (via BVI1): !
    2013/07/02 18:48:32 INFO            34.109.56.4            Reloading the AP 
    2013/07/02 18:48:36 INFO            34.109.56.4            Successfully executed the Reload command 
    2013/07/02 18:48:36 DEBUG            34.109.56.4            Closing the Telnet Session 
    For the command output from the WLC, please see below:
    (Cisco Controller) >show ap join stats summary 00:07:0e:5b:8e:9d
    Is the AP currently connected to controller................ Yes
    Time at which the AP joined this controller last time...... Not applicable
    Type of error that occurred last........................... Lwapp configuration request rejected
    Reason for error that occurred last........................ Ignoring config status as mac address is not present in database
    Time at which the last join eror occurred.................. Jul 03 02:43:25.677
    (Cisco Controller)

    This was the command detailed output from WLC
    (Cisco Controller) >show ap join stats detailed 00:1d:45:eb:f6:80
    Discovery phase statistics
    - Discovery requests received.............................. 114
    - Successful discovery responses sent...................... 76
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Jul 03 04:19:19.791
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 37
    - Successful join responses sent........................... 37
    - Unsuccessful join request processing..................... 0
    - Reason for last unsuccessful join attempt................ Not applicable
    - Time at last successful join attempt..................... Jul 03 04:19:18.831
    - Time at last unsuccessful join attempt................... Not applicable
    Configuration phase statistics
    - Configuration requests received.......................... 74
    - Successful configuration responses sent.................. 0
    - Unsuccessful configuration request processing............ 37
    - Reason for last unsuccessful configuration attempt....... Ignoring config status as mac address is not present in database
    - Time at last successful configuration attempt............ Not applicable
    - Time at last unsuccessful configuration attempt.......... Jul 03 04:19:19.638
    Last AP message decryption failure details
    - Reason for last message decryption failure............... Not applicable
    Last AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    Last join error summary
    - Type of error that occurred last......................... Lwapp configuration request rejected
    - Reason for error that occurred last...................... Ignoring config status as mac address is not present in database
    - Time at which the last join error occurred............... Jul 03 04:19:19.638
    Ethernet Mac : 00:07:0e:5b:8e:9d  Ip Address : 34.109.56.10
    (Cisco Controller) >

  • Recommendation on AIR-AP1231G-A-K9 replacement in warehouse

    Hello,
    We have a customer with ~15 x AIR-AP1231G-A-K9 that they would like to replace with N capable devices in a warehouse.  The warehouse has ~30 ft ceiling and is ~300' x ~200'.  It's got around twenty 20' tall x 100' long metal shelves with cardboard & metallic content in the middle of the warehouse...
    Currently, it's got some dark spots between some of the shelves.  I'm thinking of the Aironet 3502E with dipole antennas, but I'm wondering if I need a patch antenna like the AIR-ANT5160NP-R to increase the power output...  Also, what are some recommendations on placement of the AP's and antennas?  Would ceiling mount be OK, or would you go with wallmount?
    Thanks in advance for the community's feedback.
    -Dave

    Since the release of 802.11n, it's been great for warehouses. Warehouses often suffer from multipath. 802.11n needs multipath. It also allows for beam forming to non-802.11n clients. Good choice and the 3500 will give you clean air.
    I've had great success with warehouse deployments by shaping the signal to the area of coverage and not so much with the omni or dipoles. Especially if you ceiling mount them.
    I've fixed a lot of deployments where dipoles and omnis were all mounted to the ceiling. However, when you go up on a lift truck and get above the racks you will see all the APs see each other.
    Thus why I like directions for warehouses. Cuts down on excessive bleed.
    That's just my 2 pennies.

  • Configure AIR-AP1231G-A-K9 for WGB (IOS 12.4(13d)JA)

    Hello,
    I am trying to configure one of our extra 1231 AP as a work group bridge. The AP was configured as a lightweight AP so I think that might be part of my issue.
    This was the documentation I found to do the config: http://cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43hot.html
    However I do not have the commands available that they list.
    Here is sh ver info:
    Cisco IOS Software, C1200 Software (C1200-K9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Fri 08-Feb-08 17:24 by prod_rel_team
    swn-e9-wh-01-SWAP#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    swn-e9-wh-01-SWAP(config)#int dot
    swn-e9-wh-01-SWAP(config)#int dot11Radio 0
    swn-e9-wh-01-SWAP(config-if)#stati?
    % Unrecognized command
    Is this not possible with the IOS and AP that I have?

    Hi Eric,
    I'm just curious, did you convert the AP back to IOS already?
    This can be converted to an Autonomous/stand-alone AP that you desire;
    Here is a conversion method;
    Reverting the Access Point Back to Autonomous Mode
    You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
    Using a TFTP Server to Return to a Previous Release
    Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
    Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
    Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
    Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
    Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
    Step 5 Disconnect power from the access point.
    Step 6 Press and hold MODE while you reconnect power to the access point.
    Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
    Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
    Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
    Hope this helps!
    Rob

  • Access Point - AIR-AP1231G-A-K9 - PCs can connect but Apple Macs Cannot ...

    Hello,
    This is a sort of follow up to a post I made a few days ago. I made changes to my access points and on Windows computers everything works but on Apple products (Macs, iPads, iPhones) the strangest things happen.
    (1). About 90% of the time nothing works in that we get NO connection to the Access Point. In the client association logs we see the Mac Address show up but there is a 0.0.0 address where it seems like the device is trying to get a DHCP lease. After a while, the device gets the APIPA address of 169.X.X.X.
    (2) After an extended period of time (an hour or more) the Apple device eventually gets an IP address from the network and then is able to successfully connect to the network. However, the connection is short lived and drops after about 30 minutes to an hour.
    Is there a problem with the way Apple products encapsulate their network traffic versus Windows or other products?
    Again, this does not affect any Windows or Android based devices (laptops, phones, etc.) They can connect right away and never drop out.
    Below is the configuration file for the AP in question, although this is affecting all of our APs:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP-5
    enable {Authentication Information}
    enable {Authentication Information}
    username {Authentication Information}
    username {Authentication Information}
    ip subnet-zero
    ip domain name {Domain here}
    no aaa new-model
    dot11 ssid (Secure) Staff/Faculty
       vlan 70
       authentication open
    dot11 ssid Public
       vlan 60
       authentication open
       guest-mode
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid (Secure) Staff/Faculty
    ssid Public
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    no cdp enable
    interface Dot11Radio0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.70
    encapsulation dot1Q 70
    no ip route-cache
    no cdp enable
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    no bridge-group 70 source-learning
    bridge-group 70 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface FastEthernet0.60
    encapsulation dot1Q 60 native
    ip address 10.60.255.5 255.255.0.0
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.70
    encapsulation dot1Q 70
    ip address dhcp
    no ip route-cache
    bridge-group 70
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface BVI1
    ip address 10.60.255.5 255.255.0.0
    no ip route-cache
    ip default-gateway 10.60.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    logging snmp-trap emergencies
    logging snmp-trap alerts
    logging snmp-trap critical
    logging snmp-trap errors
    logging snmp-trap warnings
    bridge 1 route ip
    line con 0
    transport preferred all
    transport output all
    line vty 0 4
    login local
    transport preferred all
    transport input all
    transport output all
    line vty 5 15
    login
    transport preferred all
    transport input all
    transport output all
    end

    For initial configuration you can access AP from the Console port.
    Following are the guides you need to look at for configuring your 1600 AP:
    Cisco Aironet 1600/2600/3600 Series Access Point Deployment Guide
    Getting Started Guide: Cisco Aironet 1600 Series Access Points
    Moreover you can check the configuration guide from cisco.com/google, based on the Actual software image your AP is running. Some of the newer IOS for AP you can check here.
    -Thanks
    Vinod

  • Need a solution for the following error code on AIR-AP1231G-A-K9

    Dec 1 10:05:46.243: %DOT11-7-AUTH_FAILED: Station 0018.de89.d720 Authentication failed

    Hi
    Here you are the explanation:
    The specified station has failed authentication.
    The most common reasons are the user has entered the wrong password or the radius server maybe unavailable.
    Hope this helps

  • WPA2 Enterprise and autonomous 1231

    I have a bunch of standalone AIR-AP1231G-A-K9 running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2 which are currently set up for guest and company SSIDs. The guest I don't care about, but the company one goes back to a Microsoft IAS RADIUS Certificate Authority using WEP. I want to migrate to WPA2 Enterprise without affecting the current setup, so I want to create some type of testing. Can I do so or do I need to blow away wavenet with WEP altogether? If so, any sample configs out there?

    Since you'll have to touch all the clients in order to change your security/encryption, why not add another SSID and define it as WPA2/Enterprise and point it to the same IAS server? I'm pretty sure that IAS will support that (I know your AP's will). Try it on one AP, then configure the others, then migrate your clients (kill the old SSID when you're done).

  • WPA2-PSK

    Greetings -
    I currently have a Cisco AIR-AP1231G-A-K9 that is running IOS version 12.3(8)JEA1. I am trying to set up WPA2 "Personal" (WPA2-PSK) with a client running Windows XP SP2. The WLAN NIC is a Cisco a/b/g PCMCIA, driver version 2.5.0.22. I have configured the PSK on both the AP and the client and verified that I did not make a typing mistake. I have installed the Microsoft WPA2 hotfix to see if that was causing the problem but it is not. The actual problem is that the client says it's "Authenticated" but will not allow any traffic to pass through. Whenever I created an SSID NOT using WPA2-PSK, the client can get an IP address and things function normally. Here is the current AP configuration:
    sh run
    Building configuration...
    Current configuration : 4170 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP1
    enable secret ****
    ip subnet-zero
    no aaa new-model
    dot11 vlan-name Joes-VLANofFUN vlan 237
    dot11 vlan-name Joes-VLANofFUN-PartII vlan 238
    dot11 ssid -=b0Gg$=-
    vlan 237
    authentication open
    authentication key-management wpa
    wpa-psk ascii ****
    username Cisco password ****
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 237 mode ciphers aes-ccm
    ssid -=b0Gg$=-
    speed basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    no power client local
    power client 50
    power local cck 50
    power local ofdm 30
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.237
    encapsulation dot1Q 237
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no cdp enable
    bridge-group 237
    bridge-group 237 subscriber-loop-control
    bridge-group 237 block-unknown-source
    no bridge-group 237 source-learning
    no bridge-group 237 unicast-flooding
    bridge-group 237 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    speed 100
    full-duplex
    hold-queue 160 in
    interface FastEthernet0.237
    encapsulation dot1Q 237
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no cdp enable
    bridge-group 237
    bridge-group 237 subscriber-loop-control
    bridge-group 237 block-unknown-source
    no bridge-group 237 source-learning
    no bridge-group 237 unicast-flooding
    bridge-group 237 spanning-disabled
    interface FastEthernet0.238
    encapsulation dot1Q 238 native
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.238.1.100 255.255.0.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    ip default-gateway 10.238.1.10
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    control-plane
    bridge 1 route ip
    line con 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login local
    end
    I have tried upgrading the WLAN NIC drivers to the latest version (3.5 I believe) but it does not help. If I run the troubleshooting task of the Aironet Desktop Utility it says that the Authentication tests failed, even though the status shows me as "Authenticated". Perhaps there is something in the above config that I am missing.
    Any help would be greatly appreciated.
    Joe

    Check the hardware version of your AP radio(S).
    Earlier versions (ending in "20") do not support AES (used for WPA2 / 802.11i).
    You should have at least a "Radio AIR-MP31G " for your 802.11G and "Radio AIR-RM21A" for your 802.11a radio.
    The (probably) easiest way to check this is the Web GUI ... go to Interfaces, select each band, then the "Detailed Status" tab.
    If your radios are older than this, the CLI and GUI will accept your configuration for WPA2/802.11i, but will not operate in that mode (and usually fail).
    Either radio is independently upgradeable for ~US$100.00 through someplace like www.cdw.com.
    Good Luck
    Scott

  • AP1200 and WPA2

    Hi all,
    I need to analyse options for starting using WPA2 with our Wireless network. I have been looking around Cisco web site, but can not find definite answer if our kit can be upgraded (hardware and/or software) to support this.
    We have mixture of following two APs:
    Cisco AIR-AP1220-IOS-UPGRD (PowerPC405GP) processor with 15038K/1336K bytes of memory.
    Product/Model Number: AIR-AP1220-IOS-UPGRD
    System Software Filename: c1200-k9w7-tar.123-8.JA2
    System Software Version: 12.3(8)JA2
    Cisco AIR-AP1231G-E-K9 (PowerPC405GP) processor (revision A0) with 15038K/1336K bytes of memory.
    Product/Model Number: AIR-AP1231G-E-K9
    System Software Filename: c1200-k9w7-tar.123-8.JA2
    System Software Version: 12.3(8)JA2
    Additionally all APs have radio upgraded to 802.11g by replacing original radio cards with AIR-MP21G-E-K9 cards.
    The main questions I need answered are:
    1) Will our current 1200 Aironets support WPA2 with upgrade (hardware and/or software)?
    2) If yes, what needs to be upgraded?
    I would appreciate help with this.
    Regards,
    Sasa

    My understanding from Cisco was that, if you have 802.11g radios, you can use WPA2 via a software upgrade. But I'd still do as Scott says and either post or research your model numbers to find out for sure.
    The 1231s aren't a concern - they can certainly use WPA2 with an IOS update. The 1220s are the concern for whether the upgraded radios can support such a software upgrade or not.

  • Upgraded AP1231G still has old MGMT interface - issues connecting

    Hi, I have a stand alone AP (Air-AP1231G-E-K9) which is not lightweight, or connected to a WLC, its a simple config with a Radio and Management interface.
    The IOS was previously running c1200-k9w7-mx.122-13.JA1, so I upgraded the IOS to c1200-k9w7-mx.123-8.JA2 (similar to some other working APs I have), however there are problems with clients connecting to the AP, they don't see the AP. The configs on working and non-working APs are identical (apart from IPs) and the only difference I can find is the web management interface screen, which is different. There are more options on the newer working APs with the new version of code and newer management interface. The AP I've upgraded has an older looking web management interface.
    If I want to upgrade the files on the new AP to have the new management interface over http working, what do I need to do, where do I get the files from, and what do I need to replace on the new AP along with the latest IOS to be able to configure this and hopefully get it working?
    Thanks,
    Brian

    Hi Steve,
    Thanks for that, so there must be another problem if the web mgmt interface did not upgrade during the new IOS install (which was through the CLI). Is there a quick way to flush the old code + other directories on the APs so I can try the IOS upgrade again from my tftp server?
    Regards,
    Brian

  • Cisco AP1231G failed to flash the interface on failed boot

    Hello,
    I have an issue with Cisco AIR-AP1231G-E-K9 since I have rebooted it to reload startup conf :
    Now, radio is disabled. On web interface, Radio mac address is 0000.0000.0000
    I tried a no shut on Dot11radio0 but didn't work.
    I tried to upload a new firmware but didn't solve the issue.
    Here you can find result of sh log :
    POZAPA-0004#sh log
    Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
        Console logging: level debugging, 38 messages logged, xml disabled,
                         filtering disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging: level debugging, 40 messages logged, xml disabled,
                        filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Trap logging: level notifications, 34 message lines logged
            Logging to 10.128.2.12, 34 message lines logged, xml disabled,
                   filtering disabled
    Log Buffer (4096 bytes):
    101.img)
    *Mar  1 00:00:11.895: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
    k9w7-mx.123-7.JA3/5101.img)
    *Mar  1 00:00:19.202: Failed to flash the interface on failed boot
    *Mar  1 00:00:19.205: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
    k9w7-mx.123-7.JA3/5101.img)
    *Mar  1 00:00:19.264: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
    k9w7-mx.123-7.JA3/5101.img)
    *Mar  1 00:00:26.574: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
    k9w7-mx.123-7.JA3/5101.img)
    *Mar  1 00:00:34.181: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
    k9w7-mx.123-7.JA3/5101.img)
    *Mar  1 00:00:34.241: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
    k9w7-mx.123-7.JA3/5101.img)
    *Mar  1 00:00:41.548: Failed to flash the interface on failed boot
    *Mar  1 00:00:41.548: Tried to send command 0229 while the MAC not running
    *Mar  1 00:00:41.549: Tried to send command 0229 while the MAC not running
    *Mar  1 00:00:41.549: Unable to read RID_CHAN_POWER
    *Mar  1 00:00:41.549: %DOT11-3-POWERS_INVALID: Interface Dot11Radio0, no valid power levels available
    *Mar  1 00:00:41.549: %DOT11-3-POWERS_INVALID: Interface Dot11Radio0, no valid power levels available
    *Mar  1 00:00:43.640: %SYS-6-LOGGERSTART: Logger process started
    *Mar  1 00:00:43.642: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 01:00:43.768 GMT: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:00:43 UTC Fri Mar 1 2002 t
    o 01:00:43 GMT Fri Mar 1 2002, configured from console by console.
    *Mar  1 01:00:44.703 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 01:00:45.270 GMT: %SYS-5-CONFIG_I: Configured from memory by console
    *Mar  1 01:00:45.270 GMT: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Tue 21-Mar-06 14:18 by ccai
    *Mar  1 01:00:45.270 GMT: %SNMP-5-COLDSTART: SNMP agent on host POZAPA-0004 is undergoing a cold start
    *Mar  1 01:00:45.286 GMT: %SSH-5-ENABLED: SSH 1.99 has been enabled
    *Mar  1 01:00:45.296 GMT: Writing radio coredump to 'flash:/r0_00_0000_E6177677.rcore'
    *Mar  1 01:00:46.151 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    Sep 23 10:05:02.004 GMT: Writing radio coredump to 'flash:/r0_00_0000_BA624BBC.rcore'
    Sep 23 10:05:05.015 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:05:06.073 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    Sep 23 10:05:38.648 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:05:38.708 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:06:12.048 GMT: Failed to flash the interface on failed boot
    Sep 23 10:06:12.050 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:06:12.111 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:06:45.463 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:07:20.311 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:07:20.371 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
    00-k9w7-mx.123-7.JA3/5101.img)
    Sep 23 10:07:54.989 GMT: Failed to flash the interface on failed boot
    As you can see, I have multiple lines saying that the radio is loading firmware, but at the end we have "Failed to flash the interface on failed boot".
    Has anyone had this issue already?
    Thanks for your answer.

    Sep 23 10:06:12.111 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
    This is the reason why your 802.11b radio won't come up.  The radio-specific firmware is either missing or corrupted.
    Most effective way is to overwrite and unpack the entire TAR file.  So let the AP boot normally.  Don't worry about the radio for the time being. 
    Make sure you have the TAR file located in the correct folder of your TFTP server.  Use the command "archive download-sw /over /force tftp://<TFTP IP address>/filename.tar".  
    Once the process is complete the AP will reboot.
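The pattern in the log above (the same radio image loaded repeatedly, then "Failed to flash the interface on failed boot") can be picked out mechanically. The following is an added example, not code from the thread or from Cisco: a small Python triage that first rejoins the terminal-wrapped records and then counts the events; the function names are hypothetical and the sample is an excerpt of the posted log.

```python
import re
from collections import Counter

# Start of an IOS log record: optional '*', "Mon dd hh:mm:ss.mmm", optional zone.
RECORD_START = re.compile(r"^\*?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d\.\d{3}(?: [A-Z]+)?: ")
LOADING = re.compile(r"%DOT11-4-LOADING_RADIO: Interface (\S+), loading the radio firmware \((\S+)\)")
POWERS = re.compile(r"%DOT11-3-POWERS_INVALID: Interface (\S+),")
FLASH_FAIL = "Failed to flash the interface on failed boot"

# Excerpt of the log posted above, kept with its terminal line wraps.
SAMPLE_LOG = """\
101.img)
*Mar  1 00:00:11.895: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
k9w7-mx.123-7.JA3/5101.img)
*Mar  1 00:00:19.202: Failed to flash the interface on failed boot
*Mar  1 00:00:19.205: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-
k9w7-mx.123-7.JA3/5101.img)
*Mar  1 00:00:41.549: %DOT11-3-POWERS_INVALID: Interface Dot11Radio0, no valid power levels available
Sep 23 10:05:05.015 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:06:12.048 GMT: Failed to flash the interface on failed boot
"""

def unwrap(text):
    """Rejoin records that the terminal wrapped mid-word onto a second line."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # the wrap fell mid-token, so join with no space
    return records

def triage(text):
    """Count firmware load attempts, flash failures and invalid-power events."""
    loads, invalid, failures = Counter(), Counter(), 0
    for rec in unwrap(text):
        m = LOADING.search(rec)
        if m:
            loads[(m.group(1), m.group(2))] += 1
        m = POWERS.search(rec)
        if m:
            invalid[m.group(1)] += 1
        if FLASH_FAIL in rec:
            failures += 1
    # Repeated loads of one image plus a flash failure: the radio never started.
    stuck = sorted({iface for (iface, _), n in loads.items() if n > 1 and failures})
    return {"loads": loads, "flash_failures": failures,
            "powers_invalid": invalid, "stuck_radios": stuck}
```

Without the unwrap step the firmware path is split across two lines and none of the load attempts would be counted.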

  • Difference between AP1232AG & AP1231G

    What is the difference between AIR-AP1232AG-E-K9 802.11g IOS AP w/Avail CBus Slot, ETSI Cnfg AND AIR-AP1231G-E-K9 802.11a/g dual radio IOS AP, ETSI cfg?
    Do both part numbers need the antenna ordered separately?
    Regards
    Mohamed

    Refer to this document for more information on the difference between the two access points:
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a0080610b71.shtml

  • AP 1231G-a-k9 " wants to use wpa2 " kindly suggest if this AP model will support after upgrading IOS 12.3 (8) JEE

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.07.16 21:01:53 =~=~=~=~=~=~=~=~=~=~=~=
    sh ver
    NACNSHRTCAP10#sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Fri 16-Apr-04 12:22 by cmong
    Image text-base: 0x00003000, data-base: 0x0053CF74
    ROM: Bootstrap program is C1200 boot loader
    BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    NACNSHRTCAP10 uptime is 6 hours, 37 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1200-k9w7-mx.122-13.JA4/c1200-k9w7-mx.122-13.JA4"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-AP1231G-A-K9 (PowerPC405GP) processor (revision B0) with 14326K/2048K bytes of memory.
    Processor board ID FOC084102J0
    PowerPC405GP CPU at 196Mhz, revision number 0x0145
    Last reset from power-on
    Bridging software.
    1 FastEthernet/IEEE 802.3 interface(s)
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:43:95:C8:ED
    Part Number : 73-8704-07
    PCA Assembly Number : 800-23211-08
    PCA Revision Number : A0
    PCB Serial Number : FOC084102J0
    Top Assembly Part Number : 800-23304-07
    Top Assembly Serial Number : FTX0844J2WV
    Top Revision Number : B0
    Product/Model Number : AIR-AP1231G-A-K9
    Configuration register is 0xF
    NACNSHRTCAP10#
    NACNSHRTCAP10#sh dot
    NACNSHRTCAP10#sh dot11 ro
    NACNSHRTCAP10#sh dot11 ro inter
    NACNSHRTCAP10#sh interfaces dot
    NACNSHRTCAP10#sh interfaces dot11Radio 0
    Dot11Radio0 is up, line protocol is up
    Hardware is 802.11G Radio, address is 0011.bbd5.9db0 (bia 0011.bbd5.9db0)
    MTU 1500 bytes, BW 54000 Kbit, DLY 1000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 05:02:04, output 05:00:51, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/3/0 (size/max/drops/flushes); Total output drops: 10422
    Queueing strategy: fifo
    Output queue: 0/30 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    82030 packets input, 27550308 bytes, 0 no buffer
    Received 1724 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 input packets with dribble condition detected
    62722 packets output, 32205820 bytes, 0 underruns
    1276 output errors, 0 collisions, 3 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier
    0 output buffer failures, 0 output buffers swapped out
    NACNSHRTCAP10#
    NACNSHRTCAP10#sh har
    NACNSHRTCAP10#sh harwa
    NACNSHRTCAP10#sh harware
    ^
    % Invalid input detected at '^' marker.
    NACNSHRTCAP10#sh harware dware
    Cisco Internetwork Operating System Software
    IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Fri 16-Apr-04 12:22 by cmong
    Image text-base: 0x00003000, data-base: 0x0053CF74
    ROM: Bootstrap program is C1200 boot loader
    BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    NACNSHRTCAP10 uptime is 6 hours, 38 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1200-k9w7-mx.122-13.JA4/c1200-k9w7-mx.122-13.JA4"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-AP1231G-A-K9 (PowerPC405GP) processor (revision B0) with 14326K/2048K bytes of memory.
    Processor board ID FOC084102J0
    PowerPC405GP CPU at 196Mhz, revision number 0x0145
    Last reset from power-on
    Bridging software.
    1 FastEthernet/IEEE 802.3 interface(s)
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:43:95:C8:ED
    Part Number : 73-8704-07
    PCA Assembly Number : 800-23211-08
    PCA Revision Number : A0
    PCB Serial Number : FOC084102J0
    Top Assembly Part Number : 800-23304-07
    Top Assembly Serial Number : FTX0844J2WV
    Top Revision Number : B0
    Product/Model Number : AIR-AP1231G-A-K9
    Configuration register is 0xF
    NACNSHRTCAP10#

    It should be able to per:
    http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-access-point/product_data_sheet09186a00800937a6.html
    but take a look at the radio module in a show controller dot11radio 0.
    You can also try to enable:
    encryption mode ciphers aes-ccm
    under the radio.
    That being said, those APs are EOL/EOS:
    http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-series/eol_c51-506611.html
    HTH,
    Steve
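Several posts on this page turn on whether an SSID with WPA key management actually has `aes-ccm` (the CCMP cipher that WPA2 requires) set on its radio VLAN. The following is an added example, not part of the thread and not Cisco tooling: a Python audit of an autonomous-AP configuration that reports the cipher set behind each WPA SSID. The `audit` helper, SSID names, VLANs and key are constructed for illustration.

```python
import re

# Constructed sample in the style of the configs on this page (placeholder names and key).
SAMPLE_CONFIG = """\
dot11 ssid WLAN999
   vlan 999
   authentication open
   authentication key-management wpa
   wpa-psk ascii EXAMPLE-KEY
dot11 ssid LEGACY
   vlan 20
   authentication key-management wpa
dot11 ssid LAB
   vlan 30
   authentication key-management wpa
interface Dot11Radio0
 encryption vlan 999 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm tkip
 ssid WLAN999
"""

ENC = re.compile(r"encryption(?: vlan (\d+))? mode ciphers (.+)")

def audit(config):
    """Map each WPA-enabled SSID to a verdict on the cipher set of its VLAN."""
    ssids, ciphers, block = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():              # unindented line starts a new block
            m = re.match(r"dot11 ssid (\S+)", line)
            block = m.group(1) if m else None
        elif block and line.startswith("vlan "):
            ssids.setdefault(block, {})["vlan"] = line.split()[1]
        elif block and line.startswith("authentication key-management wpa"):
            ssids.setdefault(block, {})["wpa"] = True
        elif (m := ENC.match(line)):
            ciphers[m.group(1)] = set(m.group(2).split())  # key None: no VLAN given
    report = {}
    for name, s in ssids.items():
        if not s.get("wpa"):
            continue
        used = ciphers.get(s.get("vlan"), set())
        if used == {"aes-ccm"}:
            report[name] = "AES-CCMP only"
        elif "aes-ccm" in used:
            report[name] = "AES-CCMP plus " + ", ".join(sorted(used - {"aes-ccm"}))
        else:
            report[name] = "no AES-CCMP cipher configured"
    return report
```

An SSID reported as "AES-CCMP plus tkip" still lets clients negotiate TKIP, and one with no matching `encryption` line has no cipher for WPA to use on that VLAN.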
