Just spent hours getting 5 Cisco 1552 APs to join a 2504 controller
Simple lab setup: all APs on one switch, the controller in the same broadcast domain, DHCP served directly by the controller. The APs should therefore be able to find the controller via broadcast.
Brand-new AIR-CAP1552E-E-K9 straight out of the box. Via console, the first shock:
```
cisco AIR-SAP1552E-E-K9 (PowerPC 8349) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FCZ1751H00F
PowerPC 8349 CPU at 533Mhz, revision number 0x0031
Last reset from power loss
AVR Microcontroller 2 - SW Version: 00.01.09
AVR Microcontroller 6 - SW Version: 00.01.00
4 Gigabit Ethernet interfaces
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: DC:A5:F4:B8:8C:00
Part Number : 73-13538-02
PCA Assembly Number : 800-31224-01
PCA Revision Number : 03
PCB Serial Number : FOC172952Z5
Top Assembly Part Number : 800-34853-05
Top Assembly Serial Number : FCZ1751H00F
Top Revision Number : A0
Product/Model Number : AIR-CAP1552E-E-K9
```
Are these really CAPWAP access points? Apparently they are standalone (autonomous) APs: the banner reports an AIR-SAP1552E image on an AIR-CAP1552E. WTF!
Don't think about it for long, load the CAPWAP image:
```
ap#$archive download-sw /force /overwrite ftp://username:password@10.71.1.9/c1520-k9w8-tar.152-4.JB4.tar
examining image...
Loading c1520-k9w8-tar.152-4.JB4.tar
extracting info (285 bytes)!
Image info:
    Version Suffix: k9w8-.152-4.JB4
    Image Name: c1520-k9w8-mx.152-4.JB4
    Version Directory: c1520-k9w8-mx.152-4.JB4
    Ios Image Size: 123392
    Total Image Size: 8571392
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: C1520
    Wireless Switch Management Version: 7.6.100.0
Extracting files...
c1520-k9w8-mx.152-4.JB4/ (directory) 0 (bytes)
extracting c1520-k9w8-mx.152-4.JB4/c1520-k9w8-mx.152-4.JB4 (116954 bytes)
extracting c1520-k9w8-mx.152-4.JB4/c1520-k9w8-xx.152-4.JB4 (6948304 bytes)!!
```
After the reboot things already look better; at least the "AP Join" statistics now show the following error:
Via console on the AP:
```
*Mar 21 21:49:49.091: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 21 21:49:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.71.1.10 peer_port: 5246
*Mar 21 21:49:49.807: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.71.1.10 peer_port: 5246
*Mar 21 21:49:49.807: %CAPWAP-5-SENDJOIN: sending Join Request to 10.71.1.10
*Mar 21 21:49:49.815: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Mar 21 21:49:49.815: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Mar 21 21:49:49.815: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Mar 21 21:49:49.815: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.71.1.10
```
Via console on the WLC:
```
*spamApTask0: Mar 21 22:43:20.292: dc:a5:f4:xx:xx:00 ApModel: AIR-CAP1552E-E-K9
*spamApTask0: Mar 21 22:43:20.292: Could not find image version of bundled AP(apType: 20)!!!
*spamApTask0: Mar 21 22:43:20.292: Unable to get AP Bundled Version. Using Controller Version!!!
*spamApTask2: Mar 21 22:43:51.856: 18:9c:5d:xx:xx:e0 Discarding non-ClientHello Handshake OR DTLS encrypted packet from 10.71.1.51:60383)since DTLS session is not established
*spamApTask2: Mar 21 22:43:52.294: 18:9c:5d:xx:xx:e0 AP with same name AP189c.5d8e.bde0 exist. Using default name AP189c.5d8e.bde0 for this AP.
*spamApTask0: Mar 21 22:43:52.295: œ]Ž½à
*spamApTask2: Mar 21 22:43:52.302: 18:9c:5d:xx:xx:e0 State machine handler: Failed to process msg type = 3 state = 0 from 10.71.1.51:60383
*spamApTask2: Mar 21 22:43:52.302: 18:9c:5d:xx:xx:e0 Failed to parse CAPWAP packet from 10.71.1.51:60383
*spamApTask3: Mar 21 22:43:53.553: 34:db:fd:xx:xx:40 Discarding non-ClientHello Handshake OR DTLS encrypted packet from 10.71.1.53:56646)since DTLS session is not established
```
Let’s read the fucking manual:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-3/configuration/guide/b_cg73/b_wlc-cg_chapter_01000.html#task_63A63B8012924CA5AA3602813E2E21D8
Authorizing Access Points Using MICs
You can configure controllers to use RADIUS servers to authorize access points using MICs. The controller uses an access point’s MAC address as both the username and password when sending the information to a RADIUS server. For example, if the MAC address of the access point is 000b85229a70, both the username and password used by the controller to authorize the access point are 000b85229a70.
Note: If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication.
Important to know: access points in bridge mode come up as MAP (mesh AP) by default, and the controller only accepts a mesh AP that it has explicitly authorized. It is therefore necessary to add the AP's MAC address under "AP Policy" or "MAC Filter"; otherwise the DTLS session comes up but the Join Request is rejected, exactly as in the logs above.
Et voilà:
Now the APs join quietly, as seen from the console:
```
*Mar 21 21:56:44.971: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.71.1.10
*Mar 21 21:56:45.959: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 21 21:56:46.003: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 21 21:56:46.091: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller Cisco_x:xx:44
*Mar 21 21:56:46.127: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 21 21:56:46.383: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*Mar 21 21:56:46.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 21 21:56:47.035: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Mar 21 21:56:47.043: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 21 21:56:48.027: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 21 21:56:48.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 21 21:56:48.063: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 21 21:56:48.071: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 21 21:56:48.079: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 21 21:56:49.063: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar 21 21:56:49.071: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 21 21:56:49.099: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 21 21:56:50.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 21 21:57:09.619: %CLEANAIR-6-STATE: Slot 1 disabled
*Mar 21 21:57:14.619: %CLEANAIR-6-STATE: Slot 0 disabled
```
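The two console captures above (the rejected join and the successful one) have a recognisable shape: DTLS comes up, a Join Request goes out, and then either `%CAPWAP-5-JOINEDCONTROLLER` follows or a burst of `%CAPWAP-3-ERRORLOG` lines does. The following Python script is an added example, not code from the post or from Cisco: it walks the CAPWAP messages of an AP console capture in order, reports how far the join got, and pulls the "Base ethernet MAC Address" from the boot banner in the 12-hex-digit form the controller uses as RADIUS username/password (and which the MAC filter expects). The sample lines are constructed from the logs quoted on this page; the regexes for the IOS `%FACILITY-SEVERITY-MNEMONIC:` header and the verdict names are my own assumptions, not a Cisco API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, modelled on the AP console lines quoted in the post.
# The MAC and IP addresses are the lab values from the page.
AP_CONSOLE_FAIL = """\
Base ethernet MAC Address: DC:A5:F4:B8:8C:00
*Mar 21 21:49:49.091: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 21 21:49:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.71.1.10 peer_port: 5246
*Mar 21 21:49:49.807: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.71.1.10 peer_port: 5246
*Mar 21 21:49:49.807: %CAPWAP-5-SENDJOIN: sending Join Request to 10.71.1.10
*Mar 21 21:49:49.815: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Mar 21 21:49:49.815: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.71.1.10
"""

AP_CONSOLE_OK = """\
*Mar 21 21:56:44.971: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.71.1.10
*Mar 21 21:56:46.091: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller Cisco_x:xx:44
"""

# IOS syslog header: %FACILITY-SEVERITY-MNEMONIC: message text (assumed regex)
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z]+):\s*(?P<text>.*)")
BASE_MAC_RE = re.compile(r"Base ethernet MAC Address:\s*([0-9A-Fa-f:.\-]+)")
PEER_RE = re.compile(r"(?:peer_ip:|Join Request to)\s*(\d+\.\d+\.\d+\.\d+)")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits (e.g. 000b85229a70), the form the
    controller sends as RADIUS username/password. Accepts colon, dot and dash notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def base_mac(console_text: str) -> Optional[str]:
    """Pull the 'Base ethernet MAC Address' out of the boot banner, normalised."""
    m = BASE_MAC_RE.search(console_text)
    return normalize_mac(m.group(1)) if m else None


@dataclass
class JoinTrace:
    controller: Optional[str] = None
    dtls_up: bool = False
    join_sent: bool = False
    joined: bool = False
    errors_after_join: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # DTLS up and Join Request sent, but errors instead of a Join Response:
        # the controller did not accept the AP (in the post: MAP not in the MAC filter).
        if self.joined:
            return "joined"
        if self.join_sent and self.errors_after_join:
            return "join-rejected"
        if self.join_sent:
            return "join-pending"
        if self.dtls_up:
            return "dtls-only"
        return "no-contact"


def classify_join(console_text: str) -> JoinTrace:
    """Walk the CAPWAP messages in order and record how far the join got."""
    trace = JoinTrace()
    for line in console_text.splitlines():
        m = MSG_RE.search(line)
        if not m or m.group("facility") != "CAPWAP":
            continue
        mnemonic, text = m.group("mnemonic"), m.group("text")
        peer = PEER_RE.search(text)
        if peer:
            trace.controller = peer.group(1)
        if mnemonic == "DTLSREQSUCC":
            trace.dtls_up = True
        elif mnemonic == "SENDJOIN":
            trace.join_sent = True
        elif mnemonic == "JOINEDCONTROLLER":
            trace.joined = True
            trace.errors_after_join.clear()
        elif mnemonic == "ERRORLOG" and trace.join_sent and not trace.joined:
            trace.errors_after_join.append(text)
    return trace


if __name__ == "__main__":
    print("MAC filter entry:", base_mac(AP_CONSOLE_FAIL))
    for name, log in (("before", AP_CONSOLE_FAIL), ("after", AP_CONSOLE_OK)):
        t = classify_join(log)
        print(f"{name}: {t.verdict} (controller {t.controller}, {len(t.errors_after_join)} errors after join)")
```

Feed it the output of a console session or `show logging` from a stuck AP: a `join-rejected` verdict with DTLS already up points at authorization on the controller (MAC filter / AP policy / RADIUS) rather than at reachability or the image, which is the distinction that cost the hours described above.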