This document describes why the client cannot associate to an Access Point (AP) under these conditions:
Runs Lightweight Extensible Authentication Protocol (LEAP)/asynchronous communications server (ACS).
The firmware on the AP is upgraded to 11.06 or later.
The firmware on the client is upgraded to version 4.25.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
AP340 firmware version 11.06, and PC340 firmware version 4.25.5.
AP AIR-AP342E2R and Client Adapter AIR-PCM342.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Firmware versions 11.06 and later on the AP conform to IEEE 802.1X Draft 10 standards. The Draft 8 standard was used prior to this release. Firmware version 4.25 on the clients conforms to Draft 10. On an AP that runs firmware 11.06, you can use either draft. If you want clients that run firmware 4.23 and earlier to associate, use Draft 8. A 4.25 client does not work with an 11.06 AP that uses the Draft 8 configuration, and a 4.25 client does not work with an 11.05 AP.
|AP Firmware Version||Client Firmware Version||IEEE 802.1X Draft|
|11.06 (and later)||4.25||10|
|4.23 or earlier||8|
|11.03--11.05||4.25 (does not work with 11.05)||AP requires 8, but client does not work with 8|
|4.23 or earlier||8|
There are two options to solve this problem:
Use Draft 10 (11.06) on the AP and upgrade the firmware of the client cards to 4.25.
Use Draft 8 on the AP and use the AP with earlier firmware on the clients.
This table shows the IEEE 802.1X Draft Standards to which the different versions of the Client Adapter firmware (and Workgroup Bridge firmware) conform.
|Client Firmware Version||Draft 8||Draft 10|
|4.25 or later||-||x|
MAC Authentication with RADIUS Server is used. A few of the Aironet 1231G APs (APs from Cisco IOS® Release 12.3(7)JA1 to 12.3(7)JA3,) are having problems for user authentication.
This is a common problem if you upgrade from a later version of Cisco IOS to 12.3(7)JA3.
The first step to solve this problem is to test with configuration. Complete these steps:
Remove the Encryption key at SECURITY > Encryption Manager.
Click None and then Apply.
Go to the SSID Manager, highlight the SSID SSID_Name, and choose <NO ADDITION>.
From the Open Authentication menu, scroll down and click Apply.
Once you have applied these changes, you can test with the client adapter.
If it still fails, even without the encryption and authentication setting, it is better to reset the AP back to defaults and re-configure from scratch.
Complete these steps in order to reset the AP back to default:
Choose System Software > System Configuration.
Click Reset to Defaults (Except IP).
Once it reboots, you can re-configure it again and test with the client adapter.
Check the MAC Authentication setting under Advance Security and set it to Server only. Complete these steps:
Choose Security > Advance Security > MAC Authentication.
Click Server only.
Click the Save setting.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.