1200 Ap LEAP Issue

 
 
jt
Guest
Posts: n/a
 
      05-10-2004
Dear all,

can anyone point me in the appropriate direction what the following means?

DOT11-4-MAXRETRIES: : Packet to client 0040.96a1.eab3 reached max retries,
removing the client

I dug around at cisco, found information that "a packet has not been
successfully transferred many times",
clear, but what component inside does issue this message? I am playing
around with a test setup ( 1200 ./. CSACS )
and LEAP authentication sometimes works, sometimes it does not....no light
in the fog......


jt



 
 
 
 
 
mh
Guest
Posts: n/a
 
      05-10-2004
This means that the radio interface has tried to transfer a packet
unsuccessfully to a client. By default the radio interface will try 32
times.

This can be configured

int d0
packet retries <retries>
exit

where <retries> is a value from 1 to 128

The packet not being received could mean the client is too far away or
there is a LOT of interference

use the command "sh int d0 stat" and look at the retries counters
under the Transmit column

You will also probably notice that a lot of packets are being
transmitted at slower speeds

If you are having problems with a particular client, then while it is
associated
use the command "OURHOUSE-AP2#sh dot11 stat client-tr"

Clients:
10-0040.96a1.6b41 pak in 16266 bytes in 2174130 pak out 18306 bytes
out 17163810
dup 39 decrpyt err 0 mic mismatch 0 mic miss 0
tx retries 10890 data retries 10739 rts retries 151
signal strength 60 signal quality N/A

and check the retries counts
 
 
 
 
 
jt
Guest
Posts: n/a
 
      05-10-2004
Hi Merv,

this seems to be some radius traffic......anyway, thanks for your time.

Is there any option you know about to get a 1200 running
together with PEAP ./. IAS ( W2K Server with IAS, SP4 ) ?

I know I cannot run LEAP with IAS. For historic reasons, we're having
our PSTN stuff running via IAS, and I fear the work to switch
the lines over to CSACS....so, now we got this dot11 thingie and
I'm trying to find a path in this jungle.

Any idea? I am not looking for a complete solution, but I seem
to get increasingly confused looking at all the options you have
when it comes to safety of wireless environments. Would you
suggest CSACS rather than IAS? For what reason except
TACACS+ and general higher granularity?


greets

daniel






 
 
mh
Guest
Posts: n/a
 
      05-11-2004
I have read PEAP will work with IAS, however, I have not done it myself.

The AP 1200 will support an internal RADIUS server which only supports LEAP.
However if you have a large number of users, I would not use it.
 
 
jt
Guest
Posts: n/a
 
      05-11-2004
Dear Merv,

I've read this too, but only related to W2K3. The curious guy I am, I dug
around in IAS on W2K. It seems that it is supported, because all the
switches necessary in W2K3 can be thrown there in the same manner as well.
Will dig a little bit more and inform you if I get it up and running.

At last, can you perhaps tell me which debug options I should turn on to
determine if the client attempts to find an "authenticator match" on the AP?
This would be very helpful because at the very moment there is nothing but
silence; I'd like to have some sort of debug as soon as a client attempts
to communicate with the AP.

Thanks again for your help and input


Daniel





 
 
mh
Guest
Posts: n/a
 
      05-11-2004
You appear to have two issues:

a) DOT11-4-MAXRETRIES definitely means that the AP cannot reach the wireless client.
If the client authenticated properly (can be seen in the logging buffer) then
this message would have nothing to do with LEAP or RADIUS


b) "Best" authentication approach - since you have IAS set up already then I would
try to use PEAP. Also Microsoft have implemented PEAP support for most
versions of Windows
 
 
jt
Guest
Posts: n/a
 
      05-11-2004
Hi Merv,

> b) "Best" authentication approach - since you have IAS set up already then I would
> try to use PEAP. Also Microsoft have implemented PEAP support for most
> versions of Windows



Think this is what I am going to use, here's the latest result, seems there
is still some confusion.
The testing Notebook in question associates fine, but does not authenticate,
nor does IAS log anything.
The ACU is set to EAP MSCHAP v2; Radius properties in IAS are set to
vendor=Microsoft,
"Signature Attribute" is set to required.

Can you take a look at the below ?

AP cfg:

aaa group server radius testradius
server 192.168.20.204 auth-port 1645 acct-port 1646
aaa authentication login airo group itaxradius
dot11 aaa authentication attributes service login-only
encryption key 1 size 128bit *********** transmit-key
encryption mode wep mandatory
ssid testssid
authentication open eap airo

Here's the debug output :

May 11 14:42:31.349: disc_client_add 0040.96a1.eab3, set ST_FWD_PEND
May 11 14:42:31.349: disc_client_add: clnt 0040.96a1.eab3 airo flags 0x0
May 11 14:42:31.349: disc_client_add 0040.96a1.eab3, set ST_FWD_PEND
May 11 14:42:34.361: RADIUS: AAA Unsupported [248] 8
May 11 14:42:34.362: RADIUS: 49 54 41 58 5F 46 [ITAX_F]
May 11 14:42:34.362: RADIUS: AAA Unsupported [150] 3
May 11 14:42:34.362: RADIUS: 31 [1]
May 11 14:42:34.362: RADIUS(0000006F): Storing nasport 108 in rad_db
May 11 14:42:34.362: RADIUS(0000006F): Config NAS IP: 192.168.20.251
May 11 14:42:34.362: RADIUS/ENCODE(0000006F): acct_session_id: 111
May 11 14:42:34.362: RADIUS(0000006F): sending
May 11 14:42:34.363: RADIUS(0000006F): Send Access-Request to 192.168.20.204:1645 id 21645/31, len 135
May 11 14:42:34.363: RADIUS: authenticator 74 68 77 F5 3C B4 99 7F - 15 42 3B CF 43 63 A9 1F
May 11 14:42:34.363: RADIUS: User-Name [1] 15 "Administrator"
May 11 14:42:34.364: RADIUS: Framed-MTU [12] 6 1400
May 11 14:42:34.364: RADIUS: Called-Station-Id [30] 16 "000f.8f2c.1170"
May 11 14:42:34.364: RADIUS: Calling-Station-Id [31] 16 "0040.96a1.eab3"
May 11 14:42:34.364: RADIUS: Service-Type [6] 6 Login [1]
May 11 14:42:34.364: RADIUS: Message-Authenticato[80] 18 *
May 11 14:42:34.364: RADIUS: EAP-Message [79] 20
May 11 14:42:34.364: RADIUS: 02 02 00 12 01 41 64 6D 69 6E 69 73 74 72 61 74 [?????Administrat]
May 11 14:42:34.365: RADIUS: 6F 72 [or]
May 11 14:42:34.365: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
May 11 14:42:34.365: RADIUS: NAS-Port [5] 6 108
May 11 14:42:34.365: RADIUS: NAS-IP-Address [4] 6 192.168.20.251
May 11 14:42:34.377: RADIUS: Received from id 21645/31 192.168.20.204:1645, Access-Challenge, len 76
May 11 14:42:34.378: RADIUS: authenticator 01 E0 C1 A0 38 B1 47 2E - 2B 30 E5 97 AE 76 0B 35
May 11 14:42:34.378: RADIUS: Session-Timeout [27] 6 30
May 11 14:42:34.378: RADIUS: EAP-Message [79] 8
May 11 14:42:34.378: RADIUS: 01 03 00 06 19 20 [????? ]
May 11 14:42:34.378: RADIUS: State [24] 24
May 11 14:42:34.378: RADIUS: 1B BE 02 A8 00 00 01 37 00 01 C0 A8 14 CC 00 00 [???????7????????]
May 11 14:42:34.379: RADIUS: 00 01 00 00 00 25 [??????]
May 11 14:42:34.379: RADIUS: Message-Authenticato[80] 18 *
May 11 14:42:34.380: RADIUS(0000006F): Received from id 21645/31
May 11 14:42:34.380: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
May 11 14:42:34.436: %DOT11-4-MAXRETRIES: Packet to client 0040.96a1.eab3 reached max retries, removing the client
May 11 14:42:34.436: DOT11 EVENT: Free client
May 11 14:43:05.826: disc_client_add -- enter 0


Any ideas ?


Daniel
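
Decoding the two EAP-Message [79] values from the debug output above shows what each side of the RADIUS exchange actually sent. This is an added example, not part of the original posts; the function names are hypothetical and the type table is a subset of the IANA EAP method registry.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of the IANA EAP method types relevant to this thread.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# EAP-Message lines from the debug output in the thread; hex dumps wrap as in a capture.
SAMPLE = """\
May 11 14:42:34.364: RADIUS: EAP-Message [79] 20
May 11 14:42:34.364: RADIUS: 02 02 00 12 01 41 64 6D 69 6E 69 73 74 72 61
74 [?????Administrat]
May 11 14:42:34.365: RADIUS: 6F 72
[or]
May 11 14:42:34.378: RADIUS: EAP-Message [79] 8
May 11 14:42:34.378: RADIUS: 01 03 00 06 19 20
[????? ]
""".splitlines()

def eap_payloads(lines):
    """Reassemble EAP-Message [79] values, tolerating wrapped hex dumps."""
    out, need, buf = [], 0, bytearray()
    for line in lines:
        m = re.search(r"EAP-Message\s+\[79\]\s+(\d+)", line)
        if m:
            need, buf = int(m.group(1)) - 2, bytearray()  # minus type and length octets
            continue
        if need:
            hexpart = line.split("RADIUS:")[-1].split("[")[0]  # drop timestamp and ASCII dump
            buf += bytes.fromhex("".join(re.findall(r"\b[0-9A-Fa-f]{2}\b", hexpart)))
            if len(buf) >= need:
                out.append(bytes(buf[:need]))
                need = 0
    return out

def decode_eap(pkt):
    """Decode the EAP header and, for PEAP, the flags octet."""
    if len(pkt) < 4 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("truncated or inconsistent EAP packet")
    info = {"code": EAP_CODES.get(pkt[0], pkt[0]), "id": pkt[1]}
    if pkt[0] in (1, 2) and len(pkt) > 4:
        info["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        if pkt[4] == 1:
            info["identity"] = pkt[5:].decode("ascii", "replace")
        elif pkt[4] == 25 and len(pkt) > 5:
            info["start"] = bool(pkt[5] & 0x20)  # S bit: start of the TLS handshake
            info["version"] = pkt[5] & 0x07      # PEAP version bits
    return info

DECODED = [decode_eap(p) for p in eap_payloads(SAMPLE)]
```

The Access-Request carries an EAP Identity response for "Administrator", and the Access-Challenge carries an EAP request of type 25 (PEAP) with the Start bit set; the MAXRETRIES message follows before any further EAP response from the client appears in the log.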


 
 
jt
Guest
Posts: n/a
 
      05-11-2004
I forgot the following, sorry....

radius-server host 192.168.20.204 auth-port 1645 acct-port 1646 key 7 ***********



Daniel


 
 
mh
Guest
Posts: n/a
 
      05-12-2004
You should probably add the following lines to your config:

ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type


For debugging, check out each of the following commands:

debug dot11 aaa dot1x all

debug dot11 d0 trace print client

debug dot11 d0 trace print rcv

debug dot11 d0 trace print xmt


It would be faster & easier to communicate by private mail "(E-Mail Removed)"
 
 
mh
Guest
Posts: n/a
 
      05-12-2004
What wireless card is being used for your test?

If it is Cisco what version of ACU software are you using?
 