

mdimran03

@2.91.1.x

[Config] Cisco Aironet 1310 accesspoint Bridge mode wifi issue

Hi..

I have a wireless network of 4 Cisco 1310 access points in bridge mode...

Recently some users updated their iPad/iPhone to iOS 7...

When I try to connect to the wifi, when I select the wifi network it says "UNABLE TO JOIN THE NETWORK WIRELESS NAME", and it doesn't even ask for the password.

The new iOS 7 is not supporting the current configuration...

Please advise me on the related configuration.

Looking forward to your earliest response.

markysharkey
Premium
join:2012-12-20
united kingd

Re: [Config] Cisco Aironet 1310 accesspoint Bridge mode wifi iss

How is your wireless secured?
I always have trouble connecting Apple devices to networks secured with WEP.
WPA2 can be patchy too in my experience with Apple / Cisco wireless networks.
And I can't remember if there are any issues with AES over TKIP, but I usually go for AES.
I'd start by dropping any security and see if that works. If it does then Apple have done something to the security implementation in iOS.
--
Binary is as easy as 01 10 11


mdimran03

@2.91.1.x
Thanks for your response.

Presently it's configured as WPA security.

Please correct the below configuration..

dot11 ssid Cisco
vlan 212
authentication open
authentication key-management wpa (aes/Tkip aes?)
guest-mode
wpa-psk ascii 7 xxxx

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to mdimran03
Can you post your full config (minus passwords and anything else of a sensitive nature) for review?

What do the logs on the AP show while the iXXX devices are trying to connect?

As a thought, you may want to turn on "debug dot11 ?" while they try and connect and see what's happening.

My 00000010bits

Regards

markysharkey
Premium
join:2012-12-20
united kingd
reply to mdimran03
As hellfire says we need more than that. If there is more than one wireless then the following will apply:
You need to tie the SSID to the interface. I'd probably unhide it too (mbssid guest-mode BUT ONLY if there is more than one wireless network). Then you need a trunk to the switch, a radio sub-if for the vlan, an ethernet sub-if for the vlan and a bridge-group xxx ieee command.
--
Binary is as easy as 01 10 11


mdimran03

@78.93.110.x
No, there is only one wireless ...

Here is my config.. of root AP..
Root_AP#sh run
Building configuration...
Current configuration : 2992 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Root_AP
!
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
ip subnet-zero
!
!
no aaa new-model
dot11 vlan-name DATA_212 vlan 212
!
dot11 ssid XXXX
vlan 2
authentication open
infrastructure-ssid
!
dot11 ssid Cisco
vlan 212
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 XXXXXXXXX
!
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 212 mode ciphers tkip
!
ssid xxx
!
ssid Cisco
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root bridge wireless-clients
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.112
encapsulation dot1Q 112
service-policy input Phone
service-policy output Phone
no ip route-cache
bridge-group 112
bridge-group 112 spanning-disabled
!
interface Dot11Radio0.212
encapsulation dot1Q 212
no ip route-cache
bridge-group 212
bridge-group 212 spanning-disabled
!

!
interface BVI1
ip address x.x.x.x 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
control-plane
!
bridge 1 route ip
!
!
!
line con 0
login local
line vty 0 4
login local
transport input telnet
line vty 5 15
no login
!
end

markysharkey
Premium
join:2012-12-20
united kingd
Under the radio interface you need to add mbssid;

 
Root_AP(config-if)#mbssid
 
 

--
Binary is as easy as 01 10 11


mdimran03

@37.105.127.x
Please can you explain what is the use of this command..

I just posted my Root Access Point configuration....

I have 3 other non-root access points .... with the same configuration....

Do I need to add the same mbssid command on all other access points?

markysharkey
Premium
join:2012-12-20
united kingd
reply to mdimran03
Whilst you may only want one wireless, the AP is configured with 2. Either remove the unwanted config or run mbssid under the interface. If I recall correctly, mbssid stands for multiple basic service set identifier, which speaks for itself.
--
Binary is as easy as 01 10 11

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
Reviews:
·VOIPO
reply to mdimran03
While I concur with markysharkey, I also have the following quick recommendations:
dot11 ssid Cisco
   vlan 212
   authentication open
   authentication key-management wpa
 
This should probably be “authentication key-management wpa version 2”—anything else is legacy.
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 212 mode ciphers tkip
 
This is legacy and insecure—I’d go with “encryption vlan 212 mode ciphers aes-ccm”.

Please know my recommendations might break your existing environment—I highly recommend piloting these changes before using them in production.
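
Added example, not part of any poster's reply and not Cisco's code: a small Python check that reads the SSID and encryption stanzas of a config like the one posted above and reports, per SSID, the TKIP cipher this reply calls out, plus (as a generalization) WEP and SSIDs with no cipher at all. The function name `audit`, the finding strings and the sample text are constructed for illustration.

```python
import re

# Constructed sample: SSID/radio stanzas from the config posted in this thread.
SAMPLE = """\
dot11 ssid XXXX
 vlan 2
 authentication open
!
dot11 ssid Cisco
 vlan 212
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 XXXXXXXXX
!
interface Dot11Radio0
 encryption vlan 212 mode ciphers tkip
"""

def audit(config):
    """Map each 'dot11 ssid' stanza to findings about the cipher on its VLAN."""
    ssids, ciphers, wep_vlans, cur = {}, {}, set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)$", line):
            cur = ssids.setdefault(m.group(1), {"vlan": None, "keymgmt": None})
        elif line == "!" or line.startswith("interface "):
            cur = None  # left the SSID stanza
        elif cur is not None and (m := re.match(r"vlan (\d+)$", line)):
            cur["vlan"] = m.group(1)
        elif cur is not None and (m := re.match(r"authentication key-management (.+)", line)):
            cur["keymgmt"] = m.group(1)
        elif m := re.match(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", line):
            ciphers[m.group(1)] = m.group(2).split()
        elif m := re.match(r"encryption (?:vlan (\d+) )?(?:key \d+ size|mode wep)\b", line):
            wep_vlans.add(m.group(1))  # static WEP key or 'mode wep'
    report = {}
    for name, s in ssids.items():
        suite, found = ciphers.get(s["vlan"], []), []
        if s["vlan"] in wep_vlans or any(c.startswith("wep") for c in suite):
            found.append("WEP configured on this VLAN")
        if "tkip" in suite:
            found.append("TKIP cipher enabled; aes-ccm is the suggested replacement")
        if not found and not suite and s["keymgmt"] is None:
            found.append("open authentication with no cipher on this VLAN")
        report[name] = found
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE).items():
        print(ssid, "->", findings or ["no cipher findings"])
```

Running it against the sample flags TKIP on the "Cisco" SSID and no cipher on the infrastructure SSID; with the cipher line changed to aes-ccm the "Cisco" SSID reports nothing.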

ladino

join:2001-02-24
USA
kudos:1
reply to mdimran03
@markysharkey....read up on the mbssid command before you start suggesting it as a fix. What happens when you have multiple SSIDs, yet only want to broadcast 1 SSID?

@Bink... the op claims this WPA worked. How did you conclude that WPA2 is the workaround/fix?

@mdimran03
Can you provide proof that IOS 6.X works?
The easiest evidence would be... sh dot11 association

Since we 'assume' that IOS 6.X works, you can get closer to a solution if you provide evidence & possible error(s) generated when IOS 7 clients attempt to connect. When troubleshooting always collect/provide the necessary debugs, especially when the devices were previously known to be working. Since there are other AP/bridges in the mix, do those allow IOS7 to connect? If the answer is no, then please provide debugs showing this failure. Note IOS 7 just recently came out; I have not seen a 'well documented' Cisco fix for IOS7 problems.

You can run the following debugs & compare IOS6 & IOS7 logs
debug dot11 events
debug dot11 packets
debug dot1x all

On the router/switch divvying out the network IP addresses, do the IOS7 clients request IP address when attempting to connect?


mdirman03

@78.93.199.x
Sorry I wasn't available...

authentication key-management wpa version 2 -- is not available in cisco 1310

I didn't check the debug; once I have done it I will post the log.

Can anybody tell me the code for configuration of WEP on Cisco 1310 bridge.. for password:12345678

configure terminal
dot11 ssid abcd
lan 212
authentication open

exit
inter dot11Radio 0
encryption vlan 212 key 1 size 40bit 12345678 transit-key
end

please correct me if i'm wrong..

markysharkey
Premium
join:2012-12-20
united kingd
reply to ladino
quote:
@markysharkey....read up on the mbssid command before you start suggesting it as a fix. What happens when you have multiple SSIDs, yet only want to broadcast 1 SSID?
SSIDs with guest-mode configured are broadcast. No guest-mode, no broadcast... well, not really! The SSID will be hidden from the view of a PC, but any sniffer worth its salt will see a hidden SSID as the info is contained in all poll requests even though you think it is hidden. The ONLY way to secure wireless is with strong passwords or DOT1X or somesuch. Hiding an SSID IS NOT a "security feature".

--
Binary is as easy as 01 10 11


mdimran03

@37.105.127.x
I want to know whether the below configuration is correct?

And does the password need to be converted to hexa or is there no need ...?

Please advise me

configure terminal
dot11 ssid abcd
lan 212
authentication open
guest-mode

exit
inter dot11Radio 0
encryption vlan 212 key 1 size 40bit 12345678 transit-key
end

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to mdimran03
"?" during CLI config is pretty handy, you know...

I'm following my config on a 1200-series AP, so I don't know how much this will differ to your 1130, but it should be fairly applicable.

dot11 ssid [your SSID here]
   authentication key-management ?
 

...and I would think the options of WEP, WPA and WPA2 should be there.
Continue hitting "?" afterwards to see how the key is entered.

interface Dot11Radio0
 encryption mode ciphers ?
 

...and again, the relevant cipher sets should be there... or post up what options it has and we'll see if we can help you.

My 00000010bits.

Regards


mdimran03

@78.93.110.x
I have already tested with wpa2/wep and static ip binding

Still the same problem.. unable to connect wifi dismiss

When I remove all security the iPad minis are working..

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to mdimran03
Did you try the debug commands mentioned by ladino? What about "show log." Did it generate anything?

Kinda hard to help when you're really not providing much for us to sink our teeth into.

Regards

markysharkey
Premium
join:2012-12-20
united kingd
reply to mdimran03
I'm pretty sure iPads won't like WEP. I have had issues with iPads and WEP before.
WPA2 is not actually listed as an option but it is supported. That's Cisco not bothering to update the command text but "fixing" it in the background. Don't worry about it. So
dot11 ssid xxxx vlan xxx
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 xxxxxxxxxxxxxx
 mbssid guest-mode
 

Then a sub-if under each radio and ethernet port to support the VLAN, add an appropriately numbered bridge group (match the vlan number) then at global add bridge [bridge group number] route ip
Make sure the port on the switch is a trunk and the switch has the layer 2 VLAN configured. Then for internet connectivity you'll need a sub-if on the router and a reciprocal route back in to the internal subnets.
--
Binary is as easy as 01 10 11