WPA2 on AIR-AP1231G-A-K9
I am trying to set up WPA2 on some 1231 access points which are running IOS version 12.3(8)JED.
The configuration is something like this:
dot11 ssid WLAN999
vlan 999
authentication open
authentication key-management wpa
wpa-psk ascii password
Int Dot11Radio0
encryption vlan 999 mode ciphers aes-ccm
ssid WLAN999
This was set up using this example:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
Now on my newer APs (1242s, 1252s, 1141s) the WPA2 configuration looks like this:
dot11 ssid WLAN999
vlan 999
authentication open
authentication key-management wpa version 2
wpa-psk ascii password
Int Dot11Radio0
encryption vlan 999 mode ciphers aes-ccm
ssid WLAN999
The 1231s will not support the version 2 option at the end of the authentication key-management command. Is the 1231 doing WPA2 by virtue of the fact that the ciphers are set to aes-ccm?
Thanks
Mike
In older code, the WPA 2 option is not there, but when we configure AES it will act as WPA 2. In the latest IOS and all, we have the option to select WPA 2.
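The question above turns on how the `dot11 ssid` block and the radio's `encryption vlan N mode ciphers` line pair up. The following is an added example, not code from the thread or from Cisco: it reads a `show run` style configuration and reports, per SSID, the key management, the `version` keyword and the cipher suite configured for its VLAN. The sample config is constructed; the SSID names WLAN999-OLD, WLAN999-NEW and Public and VLAN 998 are assumptions.

```python
import re

# Constructed sample. WLAN999-OLD and WLAN999-NEW reuse the two key-management
# forms from the post; the names, VLAN 998 and the open "Public" SSID are
# assumptions added for contrast.
SAMPLE_CONFIG = """\
dot11 ssid WLAN999-OLD
 vlan 999
 authentication open
 authentication key-management wpa
 wpa-psk ascii password
dot11 ssid WLAN999-NEW
 vlan 998
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii password
dot11 ssid Public
 vlan 60
 authentication open
interface Dot11Radio0
 encryption vlan 999 mode ciphers aes-ccm
 encryption vlan 998 mode ciphers aes-ccm
 ssid WLAN999-OLD
 ssid WLAN999-NEW
 ssid Public
"""

SSID_RE = re.compile(r"^dot11 ssid (?P<name>.+)$", re.I)
IFACE_RE = re.compile(r"^int(?:erface)?\s+\S", re.I)
VLAN_RE = re.compile(r"^vlan (?P<vlan>\d+)$", re.I)
KEYMGMT_RE = re.compile(r"^authentication key-management (?P<opts>.+)$", re.I)
ENC_RE = re.compile(
    r"^encryption(?: vlan (?P<vlan>\d+))? mode ciphers (?P<ciphers>.+)$", re.I)


def parse_ap_config(text):
    """Return (ssids, ciphers_by_vlan) parsed from the configuration text.

    Context is tracked by keyword ('dot11 ssid' opens an SSID block, an
    'interface' line closes it), so indented and flattened pastes both work.
    Ciphers from all radios are merged per VLAN, which is a simplification.
    """
    ssids, ciphers_by_vlan = {}, {}
    current = None  # SSID entry being filled, None outside a 'dot11 ssid' block
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSID_RE.match(line)):
            current = ssids.setdefault(m["name"], {
                "vlan": None, "key_mgmt": [], "wpa_version": None, "psk": False})
        elif IFACE_RE.match(line):
            current = None
        elif (m := ENC_RE.match(line)):
            vlan = int(m["vlan"]) if m["vlan"] else None
            ciphers_by_vlan.setdefault(vlan, set()).update(
                m["ciphers"].lower().split())
        elif current is None:
            continue
        elif (m := VLAN_RE.match(line)):
            current["vlan"] = int(m["vlan"])
        elif (m := KEYMGMT_RE.match(line)):
            opts = m["opts"].lower().split()
            current["key_mgmt"] = [o for o in opts if o in ("wpa", "cckm")]
            if "version" in opts[:-1]:
                current["wpa_version"] = int(opts[opts.index("version") + 1])
        elif line.lower().startswith("wpa-psk "):
            current["psk"] = True
    return ssids, ciphers_by_vlan


def audit(text):
    """Map each SSID name to its security settings and a list of findings."""
    ssids, ciphers_by_vlan = parse_ap_config(text)
    report = {}
    for name, s in ssids.items():
        ciphers = sorted(ciphers_by_vlan.get(s["vlan"], set()))
        findings = []
        if not s["key_mgmt"]:
            findings.append("open SSID: no key management")
        elif "wpa" in s["key_mgmt"]:
            if not ciphers:
                findings.append("key-management wpa but no cipher suite for this VLAN")
            legacy = [c for c in ciphers if c != "aes-ccm"]
            if legacy:
                findings.append("non-AES cipher in suite: " + " ".join(legacy))
            if s["wpa_version"] is None:
                findings.append("no explicit 'version' keyword on key-management")
        report[name] = {**s, "ciphers": ciphers, "findings": findings}
    return report


if __name__ == "__main__":
    for ssid, info in audit(SAMPLE_CONFIG).items():
        print(ssid, info["key_mgmt"], info["wpa_version"], info["ciphers"],
              info["findings"])
```

On an AP whose IOS lacks the `version` keyword, the third finding is expected and the cipher column is the value to check.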
Similar Messages
-
Hello,
We have eighteen Cisco Aironet wireless access points (most of them are AIR-AP1231G-A-K9 with 12.3(2)JA2 IOS loaded) across our campus which people have weird issues with connecting.
Everywhere, people can associate and get an IP address without any issues. However, they cannot maintain a reliable connection to systems either on our network or off. They will get a web page to load and then it drops them out. In addition, they cannot connect back again for random intervals of time. To make this even more bizarre is that for random intervals they maintain a solid connection until it kicks people out again.
The vlan itself (60 in the configuration file below) works without issue as we have devices plugged in directly to the vlan via a hardwired port and they are stable.
Below is the configuration file. Any reason why we would have this issue?
Thank you for your time.
Regards,
Christopher Koeber
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-6
!
enable secret {authentication information}
enable password {authentication information}
!
username Cisco password {authentication information}
username admin password {authentication information}
ip subnet-zero
ip domain name {Domain Information}
!
no aaa new-model
!
dot11 ssid (Secure) Staff/Faculty
 vlan 70
 authentication open
!
dot11 ssid Public
 vlan 60
 authentication open
 guest-mode
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid (Secure) Staff/Faculty
 !
 ssid Public
 !
 short-slot-time
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.60
 encapsulation dot1Q 60 native
 no ip route-cache
 no cdp enable
 bridge-group 60
 bridge-group 60 subscriber-loop-control
 bridge-group 60 block-unknown-source
 no bridge-group 60 source-learning
 no bridge-group 60 unicast-flooding
 bridge-group 60 spanning-disabled
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 no ip route-cache
 no cdp enable
 bridge-group 70
 bridge-group 70 subscriber-loop-control
 bridge-group 70 block-unknown-source
 no bridge-group 70 source-learning
 no bridge-group 70 unicast-flooding
 bridge-group 70 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.60
 encapsulation dot1Q 60 native
 ip address 10.60.255.6 255.255.0.0
 no ip route-cache
 bridge-group 60
 no bridge-group 60 source-learning
 no bridge-group 60 unicast-flooding
 bridge-group 60 spanning-disabled
!
interface FastEthernet0.70
 encapsulation dot1Q 70
 ip address dhcp
 no ip route-cache
 bridge-group 70
 no bridge-group 70 source-learning
 no bridge-group 70 unicast-flooding
 bridge-group 70 spanning-disabled
!
interface BVI1
 ip address 10.60.255.6 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.60.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 login local
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 login
 transport preferred all
 transport input all
 transport output all
!
end
Hi Christopher,
Couple of suggestions before moving forward:
1. I would first secure these WLANs with at least a pre-shared key if possible (WPA/WPA2). Let me know if you need information on how to do this.
2. Next, I would remove the 'short-slot-time' on the radio:
config terminal
interface do0
no short-slot-time
end
If your users continue to have issues, I would want more information on the types of clients in the environment as well as wireless adapter make/model/driver version.
-
Odd behaviour between 7920 and AIR-AP1231G-A-K9
To start, I'm running an AIR-AP1231G-A-K9 (12.3(4)JA) with two 7920 phones (one at ) configured using LEAP.
First issue:
I originally had my ap interface Dot11Radio0 configured with:
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
but the phone didn't like this at all, so I changed the config to:
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
and everything seems ok with the ap with the speed reconfig.
Second issue:
I had to remove broadcast-key vlan 200 change 300 because the phone would lose connection to the ap after 5 minutes and couldn't reconnect. I'm assuming the phone wasn't receiving the new key...
Third Issue:
Periodically the phone will drop off the associated ap after successful operation and return with Authentication Failed. We receive the message:
Apr 29 12:45:40.661: Client 0013.1a4c.337b failed: Incorrect BSSID in re-assoc request
Apr 29 12:45:55.830: Client 0013.1a4c.337b failed: Incorrect BSSID in re-assoc request
on all the access points within range of the phone as the phone tries to reconnect. Periodically it will reassociate and get a message "Network Busy!!!"
Any ideas on any of these issues?
Thanks!
Stephen
For #1, 7920 is B only, so if you have G (OFDM) rates set to mandatory then 7920 will not be able to associate. We recommend the following for a G radio as you want to optimize for 11mbps.
interface dot11radio 0
speed basic-11.0 18.0 24.0 36.0 48.0 54.0
For #2, the 7920 does support broadcast vlan change, but ensure you are using wep ciphers not tkip/ckip.
For #3, sounds like you are running 1.08 code on the 7920 where there is an issue w/ 12.3(4)JA AP code when trying to roam/reassociate. Look at CSCeg33605 at http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/english/wip7920/relnotes/rn109.htm#wp112162. Need to upgrade to 1.09 code, which can be downloaded at http://www.cisco.com/cgi-bin/tablebuild.pl/ip-7900ser-crypto.
-
Converting AIR-AP1231G-A-K9 to lightweight mode
Hi Everyone,
I have an issue with Cisco AP AIR-AP1231G-A-K9 after converted to Lightweight mode. I am using WLC 2106 with version code of 7.0.98.0 but after successful conversion from autonomous mode to lightweight mode, the AP is not getting associated to WLC. It shows up for one or two seconds under WLC and then again disappears. This AP has radio AIR-MP31G which I think is supported for converting it to lightweight mode.
Please see below the log of the upgrade utility after converting to lightweight mode.
2013/07/02 18:45:38 DEBUG 34.109.56.4 Validating IP address
2013/07/02 18:45:38 DEBUG 34.109.56.4 Opening a telnet connection to the AP
2013/07/02 18:45:40 INFO 34.109.56.4 User has Full privilege
2013/07/02 18:45:40 INFO 34.109.56.4 Getting AP Name
2013/07/02 18:45:40 DEBUG 34.109.56.4 Verify if APs image is 12.3(07)JA or greater
2013/07/02 18:45:41 INFO 34.109.56.4 AP has 12.3(7)JA Image or greater
2013/07/02 18:45:41 DEBUG 34.109.56.4 Identifying the AP Type
2013/07/02 18:45:41 INFO 34.109.56.4 Term Length configured.
2013/07/02 18:45:41 INFO 34.109.56.4 Upgrade Tool supported AP
2013/07/02 18:45:41 DEBUG 34.109.56.4 Check whether AP has supported Radio
2013/07/02 18:45:41 INFO 34.109.56.4 AP has Supported Radio
2013/07/02 18:45:41 DEBUG 34.109.56.4 Verifying Station Role
2013/07/02 18:45:42 INFO 34.109.56.4 Station role is Root AP
2013/07/02 18:45:42 DEBUG 34.109.56.4 Check whether AP has MIC Certificate
2013/07/02 18:45:42 INFO 34.109.56.4 MIC is already configured in the AP
2013/07/02 18:45:42 DEBUG 34.109.56.4 Getting Ethernet MAC address
2013/07/02 18:45:42 INFO 34.109.56.4 Hardware is PowerPC405GP Ethernet, address is 0007.0e5b.8e9d (bia 0007.0e5b.8e9d)
2013/07/02 18:45:42 DEBUG 34.109.56.4 Getting the Radio Status
2013/07/02 18:45:42 DEBUG 34.109.56.4 Entering Configuration mode
2013/07/02 18:45:42 INFO 34.109.56.4 Inside Shutdown function
2013/07/02 18:45:45 INFO 34.109.56.4 Shutdown the Dot11Radio0
2013/07/02 18:45:45 DEBUG 34.109.56.4 Getting Current System Time
2013/07/02 18:45:46 INFO 34.109.56.4 Updating the AP with Current System Time
2013/07/02 18:45:46 DEBUG 34.109.56.4 Entering Configuration mode
2013/07/02 18:45:47 DEBUG 34.109.56.4 Executing show run
2013/07/02 18:45:47 INFO 34.109.56.4 Saving the configuration into memory
2013/07/02 18:45:47 INFO 34.109.56.4 Getting AP Name
2013/07/02 18:45:47 DEBUG 34.109.56.4 Loading the LWAPP Recovery Image on to the AP
2013/07/02 18:48:10 DEBUG 34.109.56.4 Checking the Upload Status
2013/07/02 18:48:12 INFO 34.109.56.4 Successfully Loaded the LWAPP Recovery Image on to the AP
2013/07/02 18:48:12 INFO 34.109.56.4 Executing Write Erase Command
2013/07/02 18:48:18 INFO 34.109.56.4 Flash contents are logged
2013/07/02 18:48:20 INFO 34.109.56.4 Logged nvram: contents
2013/07/02 18:48:22 INFO 34.109.56.4 Logged crypto trust-points
2013/07/02 18:48:24 INFO 34.109.56.4 Logged crypto certificates
2013/07/02 18:48:26 INFO 34.109.56.4 Terminal length set to Zero
2013/07/02 18:48:32 INFO 34.109.56.4 Loading 34.109.56.4env_2July2013_184830.log from 34.108.7.50 (via BVI1): !
2013/07/02 18:48:32 INFO 34.109.56.4 Reloading the AP
2013/07/02 18:48:36 INFO 34.109.56.4 Successfully executed the Reload command
2013/07/02 18:48:36 DEBUG 34.109.56.4 Closing the Telnet Session
The command output from WLC, please see below:
(Cisco Controller) >show ap join stats summary 00:07:0e:5b:8e:9d
Is the AP currently connected to controller................ Yes
Time at which the AP joined this controller last time...... Not applicable
Type of error that occurred last........................... Lwapp configuration request rejected
Reason for error that occurred last........................ Ignoring config status as mac address is not present in database
Time at which the last join eror occurred.................. Jul 03 02:43:25.677
(Cisco Controller)
This was the command detailed output from WLC
(Cisco Controller) >show ap join stats detailed 00:1d:45:eb:f6:80
Discovery phase statistics
- Discovery requests received.............................. 114
- Successful discovery responses sent...................... 76
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Jul 03 04:19:19.791
- Time at last unsuccessful discovery attempt.............. Not applicable
Join phase statistics
- Join requests received................................... 37
- Successful join responses sent........................... 37
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
- Time at last successful join attempt..................... Jul 03 04:19:18.831
- Time at last unsuccessful join attempt................... Not applicable
Configuration phase statistics
- Configuration requests received.......................... 74
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 37
- Reason for last unsuccessful configuration attempt....... Ignoring config status as mac address is not present in database
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Jul 03 04:19:19.638
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable
Last join error summary
- Type of error that occurred last......................... Lwapp configuration request rejected
- Reason for error that occurred last...................... Ignoring config status as mac address is not present in database
- Time at which the last join error occurred............... Jul 03 04:19:19.638
Ethernet Mac : 00:07:0e:5b:8e:9d Ip Address : 34.109.56.10
(Cisco Controller) >
-
Recommendation on AIR-AP1231G-A-K9 replacement in warehouse
Hello,
We have a customer with ~15 x AIR-AP1231G-A-K9 that they would like to replace with N capable devices in a warehouse. The warehouse has ~30 ft ceiling and is ~300' x ~200'. It's got around twenty 20' tall x 100' long metal shelves with cardboard & metallic content in the middle of the warehouse...
Currently, it's got some dark spots between some of the shelves. I'm thinking of the Aironet 3502E with dipole antennas, but I'm wondering if I need a patch antenna like the AIR-ANT5160NP-R to increase the power output... Also, what are some recommendations on placement of the AP's and antennas? Would ceiling mount be OK, or would you go with wallmount?
Thanks in advance for the community's feedback.
-Dave
Since the release of 802.11n, it's been great for warehouses. Warehouses often suffer from multipath. 802.11n needs multipath. It also allows for beam forming to non-802.11n clients. Good choice and the 3500 will give you clean air.
I've had great success with warehouse deployments by shaping the signal to the area of coverage and not so much with the omni or dipoles. Especially, if you ceiling mount them.
I've fixed a lot of deployments where dipole and omni's were all mounted to ceiling. However when you go up on a lift truck and get above the racks you will see all the APs see each other.
Thus why I like directions for warehouses. Cuts down on excessive bleed.
That's just my 2 pennies
-
Configure AIR-AP1231G-A-K9 for WGB (IOS 12.4(13d)JA)
Hello,
I am trying to configure one of our extra 1231 AP as a work group bridge. The AP was configured as a lightweight AP so I think that might be part of my issue.
This was the documentation I found to do the config: http://cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43hot.html
However I do not have the commands available that they list.
Here is sh ver info:
Cisco IOS Software, C1200 Software (C1200-K9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 08-Feb-08 17:24 by prod_rel_team
swn-e9-wh-01-SWAP#config t
Enter configuration commands, one per line. End with CNTL/Z.
swn-e9-wh-01-SWAP(config)#int dot
swn-e9-wh-01-SWAP(config)#int dot11Radio 0
swn-e9-wh-01-SWAP(config-if)#stati?
% Unrecognized command
Is this not possible with the IOS and AP that I have?
Hi Eric,
I'm just curious, did you convert the AP back to IOS already?
This can be converted to an Autonomous/stand-alone AP that you desire;
Here is a conversion method;
Reverting the Access Point Back to Autonomous Mode
You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
Using a TFTP Server to Return to a Previous Release
Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
Step 5 Disconnect power from the access point.
Step 6 Press and hold MODE while you reconnect power to the access point.
Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
Hope this helps!
Rob
-
Access Point - AIR-AP1231G-A-K9 - PCs can connect but Apple Macs Cannot ...
Hello,
This is a sort of follow up to a post I made a few days ago. I made changes to my access points and on Windows computers everything works but on Apple products (Macs, iPads, iPhones) the strangest things happen.
(1). About 90% of the time nothing works in that we get NO connection to the Access Point. In the client association logs we see the Mac Address show up but there is a 0.0.0 address where it seems like the device is trying to get a DHCP lease. After a while, the device gets the APIPA address of 169.X.X.X.
(2) After an extended period of time (an hour or more) the Apple device eventually gets an IP address from the network and then is able to successfully connect to the network. However, the connection is short lived and drops after about 30 minutes to an hour.
Is there a problem with the way Apple products encapsulate their network traffic versus Windows or other products?
Again, this does not affect any Windows or Android based devices (laptops, phones, etc.) They can connect right away and never drop out.
Below is the configuration file for the AP in question, although this is affecting all of our APs:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP-5
enable {Authentication Information}
enable {Authentication Information}
username {Authentication Information}
username {Authentication Information}
ip subnet-zero
ip domain name {Domain here}
no aaa new-model
dot11 ssid (Secure) Staff/Faculty
vlan 70
authentication open
dot11 ssid Public
vlan 60
authentication open
guest-mode
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid (Secure) Staff/Faculty
ssid Public
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
interface Dot11Radio0.60
encapsulation dot1Q 60 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.70
encapsulation dot1Q 70
no ip route-cache
no cdp enable
bridge-group 70
bridge-group 70 subscriber-loop-control
no bridge-group 70 source-learning
bridge-group 70 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.60
encapsulation dot1Q 60 native
ip address 10.60.255.5 255.255.0.0
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.70
encapsulation dot1Q 70
ip address dhcp
no ip route-cache
bridge-group 70
no bridge-group 70 unicast-flooding
bridge-group 70 spanning-disabled
interface BVI1
ip address 10.60.255.5 255.255.0.0
no ip route-cache
ip default-gateway 10.60.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
bridge 1 route ip
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
end
For initial configuration you can access AP from the Console port.
Following are the guides you need to look at for configuring your 1600 AP :
Cisco Aironet 1600/2600/3600 Series Access Point Deployment Guide
Getting Started Guide: Cisco Aironet 1600 Series Access Points
Moreover you can check the configuration guide from cisco.com/google, based on the Actual software image your AP is running. Some of the newer IOS for AP you can check here.
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
-
Need a solution for the following error code on AIR-AP1231G-A-K9
Dec 1 10:05:46.243: %DOT11-7-AUTH_FAILED: Station 0018.de89.d720 Authentication failed
Hi
Here you are the explanation:
The specified station has failed authentication.
The most common reasons are the user has entered the wrong password or the radius server maybe unavailable.
Hope this helps
-
WPA2 Enterprise and autonomous 1231
I have a bunch of standalone AIR-AP1231G-A-K9 running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2 which is currently set up for guest and company ssid. The guest I don't care but for company, it goes back to a Microsoft IAS RADIUS Certificate Authority using WEP. I want to migrate to WPA2 Enterprise without affecting the current setup so want to create some type of testing. Can I do so or do I need to blow away wavenet with WEP altogether? If so, any sample configs out there?
Since you'll have to touch all the clients in order to change your security/encryption, why not add another SSID and define it as WPA2/Enterprise and point it to the same IAS server? I'm pretty sure that IAS will support that (I know your AP's will). Try it on one AP, then configure the others, then migrate your clients (kill the old SSID when you're done).
-
Greetings -
I currently have a Cisco AIR-AP1231G-A-K9 that is running IOS version 12.3(8)JEA1. I am trying to set up WPA2 "Personal" (WPA2-PSK) with a client running Windows XP SP2. The WLAN NIC is a Cisco a/b/g PCMCIA, driver version 2.5.0.22. I have configured the PSK on both the AP and the client and verified that I did not make a typing mistake. I have installed the Microsoft WPA2 hotfix to see if that was causing the problem but it is not. The actual problem is that the client says it's "Authenticated" but will not allow any traffic to pass through. Whenever I created an SSID NOT using WPA2-PSK, the client can get an IP address and things function normally. Here is the current AP configuration:
sh run
Building configuration...
Current configuration : 4170 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP1
enable secret ****
ip subnet-zero
no aaa new-model
dot11 vlan-name Joes-VLANofFUN vlan 237
dot11 vlan-name Joes-VLANofFUN-PartII vlan 238
dot11 ssid -=b0Gg$=-
vlan 237
authentication open
authentication key-management wpa
wpa-psk ascii ****
username Cisco password ****
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 237 mode ciphers aes-ccm
ssid -=b0Gg$=-
speed basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
no power client local
power client 50
power local cck 50
power local ofdm 30
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.237
encapsulation dot1Q 237
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 237
bridge-group 237 subscriber-loop-control
bridge-group 237 block-unknown-source
no bridge-group 237 source-learning
no bridge-group 237 unicast-flooding
bridge-group 237 spanning-disabled
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
speed 100
full-duplex
hold-queue 160 in
interface FastEthernet0.237
encapsulation dot1Q 237
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 237
bridge-group 237 subscriber-loop-control
bridge-group 237 block-unknown-source
no bridge-group 237 source-learning
no bridge-group 237 unicast-flooding
bridge-group 237 spanning-disabled
interface FastEthernet0.238
encapsulation dot1Q 238 native
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.238.1.100 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
ip default-gateway 10.238.1.10
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
control-plane
bridge 1 route ip
line con 0
privilege level 15
logging synchronous
line vty 0 4
login local
end
I have tried upgrading the WLAN NIC drivers to the latest version (3.5 I believe) but it does not help. If I run the troubleshooting task of the Aironet Desktop Utility it says that the Authentication tests failed, even though the status shows me as "Authenticated". Perhaps there is something in the above config that I am missing.
Any help would be greatly appreciated.
Joe
Check the hardware version of your AP radio(s).
Earlier versions (ending in "20") do not support AES (used for WPA2 / 802.11i).
You should have at least a "Radio AIR-MP31G " for your 802.11G and "Radio AIR-RM21A" for your 802.11a radio.
The (probably) easiest way to check this is the Web GUI ... go to Interfaces, select each band, then the "Detailed Status" tab.
If your radios are older than this, the CLI and GUI will accept your configuration for WPA2/802.11i, but will not operate in that mode (and usually fail).
Either radio is independently upgradeable for ~US$100.00 through someplace like www.cdw.com.
Good Luck
Scott
-
Hi all,
I need to analyse options for starting using WPA2 with our Wireless network. I have been looking around Cisco web site, but can not find definite answer if our kit can be upgraded (hardware and/or software) to support this.
We have mixture of following two APs:
Cisco AIR-AP1220-IOS-UPGRD (PowerPC405GP) processor with 15038K/1336K bytes of memory.
Product/Model Number: AIR-AP1220-IOS-UPGRD
System Software Filename: c1200-k9w7-tar.123-8.JA2
System Software Version: 12.3(8)JA2
Cisco AIR-AP1231G-E-K9 (PowerPC405GP) processor (revision A0) with 15038K/1336K bytes of memory.
Product/Model Number: AIR-AP1231G-E-K9
System Software Filename: c1200-k9w7-tar.123-8.JA2
System Software Version: 12.3(8)JA2
Additionally all APs have radio upgraded to 802.11g by replacing original radio cards with AIR-MP21G-E-K9 cards.
The main questions I need answered are:
1) Will our current 1200 Aironets support WPA2 with upgrade (hardware and/or software)?
2) If yes, what needs to be upgraded?
I would appreciate help with this.
Regards,
Sasa
My understanding from Cisco was that, if you have 802.11g radios, you can use WPA2 via a software upgrade. But I'd still do as Scott says and either post or research your model numbers to find out for sure.
The 1231s aren't a concern - they can certainly use WPA2 with an IOS update. The 1220s are the concern for whether the upgraded radios can support such a software upgrade or not.
-
Upgraded AP1231G still has old MGMT interface - issues connecting
Hi, I have a stand alone AP (Air-AP1231G-E-K9) which is not lightweight, or connected to a WLC, its a simple config with a Radio and Management interface.
The IOS was previously running c1200-k9w7-mx.122-13.JA1, so I upgraded the IOS to c1200-k9w7-mx.123-8.JA2 (similar to some other working AP's I have), however there are problems with clients connecting to the AP, they don't see the AP. The configs on working and non-working AP's are identical (apart from IP's) and the only difference I can find is the web management interface screen which is different. There are more options on the newer working AP's with the new version of code and newer management interface; the AP I've upgraded has an older looking web management interface.
If I want to upgrade the files on the new AP to have the new Management interface over http working, what do I need to do, where do I get the files from, and what do I need to replace on the new AP along with the latest IOS to be able to configure this and hopefully get it working?
Thanks,
Brian
Hi Steve,
Thanks for that, so there must be another problem if the web mgmt interface did not upgrade during the new ios install (which was through the cli). Is there a quick way to flush the old code + other directories on the AP's so I can try the IOS upgrade again from my tftp server?
Regards,
Brian
-
Cisco AP1231G failed to flash the interface on failed boot
Hello,
I have an issue with Cisco AIR-AP1231G-E-K9 since I have rebooted it to reload startup conf :
Now, radio is disabled. On web interface, Radio mac address is 0000.0000.0000
I tried a no shut on Dot11radio0 but didn't work.
I tried to upload a new firmware but didn't solve the issue.
Here you can find result of sh log :
POZAPA-0004#sh log
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 38 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 40 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level notifications, 34 message lines logged
Logging to 10.128.2.12, 34 message lines logged, xml disabled,
filtering disabled
Log Buffer (4096 bytes):
101.img)
*Mar 1 00:00:11.895: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
*Mar 1 00:00:19.202: Failed to flash the interface on failed boot
*Mar 1 00:00:19.205: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
*Mar 1 00:00:19.264: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
*Mar 1 00:00:26.574: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
*Mar 1 00:00:34.181: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
*Mar 1 00:00:34.241: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
*Mar 1 00:00:41.548: Failed to flash the interface on failed boot
*Mar 1 00:00:41.548: Tried to send command 0229 while the MAC not running
*Mar 1 00:00:41.549: Tried to send command 0229 while the MAC not running
*Mar 1 00:00:41.549: Unable to read RID_CHAN_POWER
*Mar 1 00:00:41.549: %DOT11-3-POWERS_INVALID: Interface Dot11Radio0, no valid power levels available
*Mar 1 00:00:41.549: %DOT11-3-POWERS_INVALID: Interface Dot11Radio0, no valid power levels available
*Mar 1 00:00:43.640: %SYS-6-LOGGERSTART: Logger process started
*Mar 1 00:00:43.642: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar 1 01:00:43.768 GMT: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:00:43 UTC Fri Mar 1 2002 to 01:00:43 GMT Fri Mar 1 2002, configured from console by console.
*Mar 1 01:00:44.703 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar 1 01:00:45.270 GMT: %SYS-5-CONFIG_I: Configured from memory by console
*Mar 1 01:00:45.270 GMT: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 21-Mar-06 14:18 by ccai
*Mar 1 01:00:45.270 GMT: %SNMP-5-COLDSTART: SNMP agent on host POZAPA-0004 is undergoing a cold start
*Mar 1 01:00:45.286 GMT: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 1 01:00:45.296 GMT: Writing radio coredump to 'flash:/r0_00_0000_E6177677.rcore'
*Mar 1 01:00:46.151 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
Sep 23 10:05:02.004 GMT: Writing radio coredump to 'flash:/r0_00_0000_BA624BBC.rcore'
Sep 23 10:05:05.015 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:05:06.073 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Sep 23 10:05:38.648 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:05:38.708 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:06:12.048 GMT: Failed to flash the interface on failed boot
Sep 23 10:06:12.050 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:06:12.111 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:06:45.463 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:07:20.311 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:07:20.371 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:07:54.989 GMT: Failed to flash the interface on failed boot
As you can see, I have multiple lines saying that the radio is loading firmware, but at the end we have "Failed to flash the interface on failed boot".
Has anyone had this issue already?
Thanks for your answer.
Sep 23 10:06:12.111 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c1200-k9w7-mx.123-7.JA3/5101.img)
This is the reason why your 802.11b radio won't come up. The radio-specific firmware is either missing or corrupted.
The most effective way is to overwrite and unpack the entire TAR file. So let the AP boot normally. Don't worry about the radio for the time being.
Make sure you have the TAR file located in the correct folder of your TFTP server. Use the command "archive download-sw /over /force tftp://<TFTP IP address>/filename.tar".
Once the process is complete the AP will reboot.
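The failure pattern the answer identifies (repeated LOADING_RADIO messages that end in "Failed to flash the interface on failed boot") can be picked out of collected syslog output automatically. The Python below is an added example, not part of the original thread; the function names are hypothetical, and the sample log is constructed from lines quoted in the post, with the second cycle shortened.

```python
import re

# Constructed sample: lines modelled on the log quoted in the thread, including
# the terminal wrap that splits the firmware path across two lines.
SAMPLE_LOG = """\
Sep 23 10:05:05.015 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:05:06.073 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Sep 23 10:05:38.648 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:05:38.708 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:06:12.048 GMT: Failed to flash the interface on failed boot
Sep 23 10:06:12.050 GMT: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (flash:/c12
00-k9w7-mx.123-7.JA3/5101.img)
Sep 23 10:06:45.989 GMT: Failed to flash the interface on failed boot
"""

TS = re.compile(r"^\*?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+")
LOAD = re.compile(r"%DOT11-4-LOADING_RADIO: Interface (\S+), "
                  r"loading the radio firmware \((\S+)\)")
FAIL = "Failed to flash the interface on failed boot"

def unwrap(text):
    """Rejoin messages that the terminal wrapped onto a second line."""
    events = []
    for line in text.splitlines():
        if TS.match(line) or not events:
            events.append(line)
        else:
            events[-1] += line  # continuation: no timestamp at the start
    return events

def firmware_load_failures(text):
    """Return one record per failed radio firmware load cycle."""
    failures, attempts, last = [], 0, None
    for event in unwrap(text):
        m = LOAD.search(event)
        if m:
            attempts += 1
            last = m.groups()  # (interface, image path)
        elif FAIL in event and last:
            failures.append({"interface": last[0], "image": last[1],
                             "attempts": attempts,
                             "failed_at": TS.match(event).group(0)})
            attempts = 0
    return failures
```

Each returned record names the interface and the firmware image path that failed to load, which is the file the TAR re-download is meant to restore.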
Difference between AP1232AG & AP1231G
What is the difference between AIR-AP1232AG-E-K9 802.11g IOS AP w/Avail CBus Slot, ETSI Cnfg AND AIR-AP1231G-E-K9 802.11a/g dual radio IOS AP, ETSI cfg ?
Do both part numbers need the antenna to be ordered separately?
Regards
Mohamed
Refer to this document for more information on the difference between the two access points:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a0080610b71.shtml
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.07.16 21:01:53 =~=~=~=~=~=~=~=~=~=~=~=
sh ver
NACNSHRTCAP10#sh version
Cisco Internetwork Operating System Software
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Apr-04 12:22 by cmong
Image text-base: 0x00003000, data-base: 0x0053CF74
ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
NACNSHRTCAP10 uptime is 6 hours, 37 minutes
System returned to ROM by power-on
System image file is "flash:/c1200-k9w7-mx.122-13.JA4/c1200-k9w7-mx.122-13.JA4"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-AP1231G-A-K9 (PowerPC405GP) processor (revision B0) with 14326K/2048K bytes of memory.
Processor board ID FOC084102J0
PowerPC405GP CPU at 196Mhz, revision number 0x0145
Last reset from power-on
Bridging software.
1 FastEthernet/IEEE 802.3 interface(s)
1 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:43:95:C8:ED
Part Number : 73-8704-07
PCA Assembly Number : 800-23211-08
PCA Revision Number : A0
PCB Serial Number : FOC084102J0
Top Assembly Part Number : 800-23304-07
Top Assembly Serial Number : FTX0844J2WV
Top Revision Number : B0
Product/Model Number : AIR-AP1231G-A-K9
Configuration register is 0xF
NACNSHRTCAP10#
NACNSHRTCAP10#sh dot
NACNSHRTCAP10#sh dot11 ro
NACNSHRTCAP10#sh dot11 ro inter
NACNSHRTCAP10#sh interfaces dot
NACNSHRTCAP10#sh interfaces dot11Radio 0
Dot11Radio0 is up, line protocol is up
Hardware is 802.11G Radio, address is 0011.bbd5.9db0 (bia 0011.bbd5.9db0)
MTU 1500 bytes, BW 54000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 05:02:04, output 05:00:51, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/3/0 (size/max/drops/flushes); Total output drops: 10422
Queueing strategy: fifo
Output queue: 0/30 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
82030 packets input, 27550308 bytes, 0 no buffer
Received 1724 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
62722 packets output, 32205820 bytes, 0 underruns
1276 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
NACNSHRTCAP10#
NACNSHRTCAP10#sh har
NACNSHRTCAP10#sh harwa
NACNSHRTCAP10#sh harware
^
% Invalid input detected at '^' marker.
NACNSHRTCAP10#sh harware dware
Cisco Internetwork Operating System Software
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Apr-04 12:22 by cmong
Image text-base: 0x00003000, data-base: 0x0053CF74
ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
NACNSHRTCAP10 uptime is 6 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:/c1200-k9w7-mx.122-13.JA4/c1200-k9w7-mx.122-13.JA4"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-AP1231G-A-K9 (PowerPC405GP) processor (revision B0) with 14326K/2048K bytes of memory.
Processor board ID FOC084102J0
PowerPC405GP CPU at 196Mhz, revision number 0x0145
Last reset from power-on
Bridging software.
1 FastEthernet/IEEE 802.3 interface(s)
1 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:43:95:C8:ED
Part Number : 73-8704-07
PCA Assembly Number : 800-23211-08
PCA Revision Number : A0
PCB Serial Number : FOC084102J0
Top Assembly Part Number : 800-23304-07
Top Assembly Serial Number : FTX0844J2WV
Top Revision Number : B0
Product/Model Number : AIR-AP1231G-A-K9
Configuration register is 0xF
NACNSHRTCAP10#
It should be able to per:
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-access-point/product_data_sheet09186a00800937a6.html
but take a look at the radio module in a show controller dot11radio 0.
You can also try to enable:
encryption mode ciphers aes-ccm
under the radio.
That being said, those APs are EOL/EOS:
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-series/eol_c51-506611.html
HTH,
Steve