Cisco 1142N security woes

moose517

Gawd
Joined
Feb 28, 2009
Messages
640
So I posted this over on networking-forum but don't seem to be getting any responses, so I'll try here. I have an 1142N that I'm trying to get set up. I have the main SSID set up; however, if I use any type of security, some of my devices refuse to work. For example, I've tried WPA1 and 2, and with that my laptop will connect fine, but my mom's laptop, my 3DS, and Wii refuse to; my phone will connect but eventually has issues and doesn't work after a while either.

Here is my current config if it helps anybody figure out what's wrong and why nothing will connect. I'm also running the newest IOS on it, and I believe the version I had on it exhibited the same problem, but I can't be certain as I had only ever had my laptop connected.

Code:
Current configuration : 6486 bytes
!
! Last configuration change at 18:31:14 -0400 Thu Mar 31 2011 by chris
! NVRAM config last updated at 18:31:14 -0400 Thu Mar 31 2011 by chris
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1142N
!
logging rate-limit console 9
enable secret 5 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
!
!
dot11 mbssid
dot11 syslog
dot11 vlan-name guest vlan 140
!
dot11 ssid MS-Guest
   vlan 140
   authentication open
!
dot11 ssid Miller-Secure
   vlan 136
   authentication open mac-address mac_methods
   guest-mode
   information-element ssidl wps
   no ids mfp client
!
dot11 ssid Miller-Secure-V
   vlan 135
   authentication open
!
!
crypto pki trustpoint TP-self-signed-256142432
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-256142432
revocation-check none
rsakeypair TP-self-signed-256142432
!
!
crypto pki certificate chain TP-self-signed-256142432
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32353631 34323433 32301E17 0D303230 35323830 31343732
  305A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3235 36313432
  34333230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BE3B401D D0EF8B2A 7963968E EC338F83 302D8C61 FB287667 49F0FEFF EECA2B49
  A4882D83 274BC64A 1B581B63 3D44D472 86C54B73 F0072328 9C418311 7F21AEFC
  2C14A1F3 D5A8E9D4 308217FA 10662EF1 2C823C2C 02180D24 FA42BD47 DDB315F7
  429E47CA FAB6598C 4812FC73 D0C8D946 D280F95F D1CC46A5 E7CF4FE6 48674EED
  02030100 01A37930 77300F06 03551D13 0101FF04 05300301 01FF3024 0603551D
  11041D30 1B821931 3134324E 2E6D6F6F 73656D61 6E737475 64696F73 2E636F6D
  301F0603 551D2304 18301680 142ACFA4 541B91B9 2193A264 1BFD7823 7DB58381
  CB301D06 03551D0E 04160414 2ACFA454 1B91B921 93A2641B FD78237D B58381CB
  300D0609 2A864886 F70D0101 04050003 8181007F A200CBCC 95B488EB 070E8D79
  2E06F196 9991E5F0 DDBF4A1E D5479359 D054CBDD 51FD5DFA 64414941 1341F695
  FA9867E2 A1C080F8 8A6A6BD6 8B748894 F5EC4876 D1F1207A D429F44E D90D108A
  A589483B 35ACAB40 C219E6FD AC1CE6D1 9A01BA46 3DC1C7CE 077338C7 E33FD076
  AC049D58 2DB227CA C8F6C594 37F0460F 5B8FDF
  quit
username Cisco password 7 XXXXXXXXXXXXXX
username chris privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXX
username Dave privilege 15 password 7 XXXXXXXXXXXXXXX
username d86bf72265ae password 7 XXXXXXXXXXXXXXXXXXX
username d86bf72265ae autocommand exit
username f87b7aadab0c password 7 XXXXXXXXXXXXXXXXXXXX
username f87b7aadab0c autocommand exit
username 0025d3f776e4 password 7 XXXXXXXXXXXXXXXXXXXX
username 0025d3f776e4 autocommand exit
!
!
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 135 key 1 size 40bit 7 XXXXXXXXXXXXX transmit-key
encryption vlan 135 mode wep mandatory
!
ssid MS-Guest
!
ssid Miller-Secure
!
ssid Miller-Secure-V
!
antenna gain 0
no mbssid
station-role root
!
interface Dot11Radio0.135
encapsulation dot1Q 135
no ip route-cache
bridge-group 135
bridge-group 135 subscriber-loop-control
bridge-group 135 block-unknown-source
no bridge-group 135 source-learning
no bridge-group 135 unicast-flooding
bridge-group 135 spanning-disabled
!
interface Dot11Radio0.136
encapsulation dot1Q 136 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.140
encapsulation dot1Q 140
no ip route-cache
bridge-group 140
bridge-group 140 subscriber-loop-control
bridge-group 140 block-unknown-source
no bridge-group 140 source-learning
no bridge-group 140 unicast-flooding
bridge-group 140 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
ssid MS-Guest
!
ssid Miller-Secure
!
antenna gain 0
dfs band 3 block
no mbssid
channel width 40-above
channel dfs
station-role root
no cdp enable
!
interface Dot11Radio1.136
encapsulation dot1Q 136 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.140
encapsulation dot1Q 140
no ip route-cache
bridge-group 140
bridge-group 140 subscriber-loop-control
bridge-group 140 block-unknown-source
no bridge-group 140 source-learning
no bridge-group 140 unicast-flooding
bridge-group 140 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.135
encapsulation dot1Q 135
no ip route-cache
bridge-group 135
no bridge-group 135 source-learning
bridge-group 135 spanning-disabled
!
interface GigabitEthernet0.136
encapsulation dot1Q 136 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.140
encapsulation dot1Q 140
no ip route-cache
bridge-group 140
no bridge-group 140 source-learning
bridge-group 140 spanning-disabled
!
interface BVI1
ip address 10.19.136.68 255.255.255.0
no ip route-cache
!
ip default-gateway 10.19.136.201
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging history debugging
logging trap debugging
logging 10.19.136.61
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
sntp server 129.6.15.28
sntp broadcast client
end
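
A check a reader can run over a config like the one posted above (an added example, not part of the thread or of Cisco's tooling): it pairs each `dot11 ssid` block with the radio `encryption ... mode` line for its VLAN and reports the protection in effect. On the posted lines, no SSID carries `authentication key-management wpa` and only VLAN 135 has an encryption mode (WEP). The `Example-WPA2` SSID on VLAN 200 is hypothetical and included for contrast, and the labels `none`, `wep`, `wpa` and `mismatch` are this script's own.

```python
import re

# Constructed excerpt: SSID and radio-encryption lines from the config posted
# above, plus one hypothetical WPA2 SSID ("Example-WPA2", vlan 200) for contrast.
SAMPLE = """\
dot11 ssid MS-Guest
   vlan 140
   authentication open
!
dot11 ssid Miller-Secure
   vlan 136
   authentication open mac-address mac_methods
!
dot11 ssid Miller-Secure-V
   vlan 135
   authentication open
!
dot11 ssid Example-WPA2
   vlan 200
   authentication open
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 135 mode wep mandatory
 encryption vlan 200 mode ciphers aes-ccm
!
"""

def audit(config):
    """Map each SSID to 'none', 'wep', 'wpa' or 'mismatch' (cipher and key management disagree)."""
    ssids, modes, cur = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"dot11 ssid (\S+)", line):
            cur = ssids.setdefault(m.group(1), {"vlan": None, "wpa": False})
        elif line == "!" or line.startswith("interface "):
            cur = None                      # end of the SSID block
        elif cur is not None and (m := re.fullmatch(r"vlan (\d+)", line)):
            cur["vlan"] = m.group(1)
        elif cur is not None and line.startswith("authentication key-management wpa"):
            cur["wpa"] = True
        elif m := re.match(r"encryption (?:vlan (\d+) )?mode (wep|ciphers)\b", line):
            modes[m.group(1)] = m.group(2)  # key None = radio configured without VLANs
    def state(s):
        mode = modes.get(s["vlan"])
        if mode == "ciphers" or s["wpa"]:
            return "wpa" if mode == "ciphers" and s["wpa"] else "mismatch"
        return mode or "none"
    return {name: state(s) for name, s in ssids.items()}

print(audit(SAMPLE))
```
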
 

DragonNOA1

Supreme [H]ardness
Joined
Aug 15, 2004
Messages
4,301
I'm guessing this is in standalone mode and not connected to a controller? What is the exact version of code you are running?
 

moose517

Gawd
Joined
Feb 28, 2009
Messages
640
It's in standalone mode; I wish I could afford a controller to play with here at home. Code version is:

Product/Model Number: AIR-AP1142N-A-K9
Top Assembly Serial Number: XXXXXX
System Software Filename: c1140-k9w7-tar.124-25d.JA
System Software Version: 12.4(25d)JA
Bootloader Version: 12.4(18a)JA3
 

mattjw916

[H]ard|Gawd
Joined
Mar 10, 2005
Messages
1,289
I don't really do Cisco wireless, but as with any Cisco device, if you are having an issue, look up the debug commands for the feature, test, and see what the problem is.

Also, your configuration looks pretty complex for a home setup. You could always save the config off to TFTP, wipe the AP and start over with a simpler config... Use the AP's GUI to get everything working first at the most basic level. Then with success gradually add more complexity like multiple SSIDs and VLANs.

Gotta crawl before you can run. My $0.02.
 

moose517

Gawd
Joined
Feb 28, 2009
Messages
640
Have blown it away a few times already, seeing if it was just something funny causing issues. Had a buddy configure it this last time and he hasn't had success either. All done through the web GUI each time.
 

abyss1

Weaksauce
Joined
Apr 8, 2010
Messages
68
Hmmm sounds to me like the normal WOES with these things.

I have one here at home as well giving me the same issues, and I use various ones at work also posing issues like this (they are on controllers with a central WCS for global wireless management).

There seem to be some compatibility issues in the decryption algorithm. I've been working for months already with Cisco trying to figure out why some mobile devices can connect and some can't, where we service iPads, iPhones, every other smartphone imaginable, Xooms and whatnot, plus normal laptops and MacBooks.

All that has been said holds true: debug is your friend, see when it goes wrong. I am pretty convinced you will notice the client gets dropped AFTER the authentication handshake.
 

moose517

Gawd
Joined
Feb 28, 2009
Messages
640
Will do, any particular debugs to start with? I've yet to use the CLI on it at all, so I'm not even sure what debugs are available LOL. Also glad to know it's just not me being retarded setting it up; sounds like Cisco needs to pull it together and fix the issue.
 

moose517

Gawd
Joined
Feb 28, 2009
Messages
640
Alrighty, I finally got around to backdating to the 12.4(21a) version, I think it was, second to newest IOS. Still no go as far as any security goes. Looking through the different debugs, I'm not sure if I'm missing what I'm after or what, as far as debugging the authentication. Any hints?
 