Interesting Troubleshooting Cases, Part 1 - The RADIUS Connection

Interesting Troubleshooting Cases, Part 1 - The RADIUS Connection

Note: This article is part 1 of a 4-part troubleshooting series, with more in-depth information about a TEN talk at WLPC.
Part 2 - Zoom issues
Part 3 - Breaking other Wi-Fi
Part 4 - The suddenly weaker Wi-Fi
Video recording from WLPC Prague

Incoming Ticket: I’m a student from Institution X in the same town. I am visiting your library and I can’t connect to eduroam here. It works fine on the campus of Institution X.

If you are not familiar with eduroam, it is a worldwide network of Universities, granting each other wireless access.

eduroam is built in a tree-like structure:

tree-like countries

If you as an institution receive an authentication request from a foreign user, you will forward it to your country root - you only talk directly to your root. This root will either know where to forward it - if it is in the same country - or forward it to his root, which knows all countries. Upon being received by the correct country root, it will arrive at the right institution.

Cisco outdoor AP not connecting to WLC

Cisco outdoor AP not connecting to WLC

This might be some old news for most, but I only have a few outdoor APs and touch one every few years. But since I just got a new Cisco Aironet 1542I and was surprised again, I’d thought I document this for me. This also applies not only to the 1542, but 1532, 1552 and probably the whole outdoor portfolio, on Cisco wireless controllers.

The simple issue is: the AP is out of the box in “bridge mode”, and the controller wont let it join just that way without authenticating it. To fix, you have two possibilities: authenticate it on the controller, or switch it from bridge mode to local mode:

Cisco access point firmware corruption issues and how to remediate

Cisco access point firmware corruption issues and how to remediate

Over the last years, some nasty bugs have accumulated with Cisco lightweight APs, involving flash corruption. In the first instances, APs have lost configuration (coming up with default name and role), later some refused to boot or were stuck in a boot loop. That occured at any given time the AP reboots - power outage, software upgrade,… The most common I have seen:

*Mar 1 00:00:30.483: %SYS-5-RELOAD: Reload requested by Init. Reload Reason:
Radio FW image download failed ....

There are a number of bugs that resulted in these behaviours, ranging from software version 8.0 to 8.5. Cisco Field Notice: FN - 70330 lists the corresponding bug IDs, software versions and APs (including 1700/2700/3700, which were hit the hardest it seems).

If you are running one of the affected versions, seeing this problems and want to upgrade - Cisco made a Python tool, that tries to fix the flash before you’re upgrading, saving you from stranded APs. You can read how to use it in their document Understanding Various AP-IOS Flash Corruption Issues.

If you already have non-functional APs, they are probably fixable, just not remote. Here’s how you do it:

Making sense of Cisco WLC access point firmware pre-download

Making sense of Cisco WLC access point firmware pre-download

Firmware pre-download on the Cisco WLC wireless LAN controllers is a beautiful thing.

“In the old days"™ the update went like this:

  1. Upload firmware to controller
  2. Reboot controller
  3. Accesspoints want to rejoin controller, see non matching firmware, start updating, 10 at a time … 1 hour later …
  4. Most of your APs updated, some are still updating…

In large wireless LANs, this was not really an ideal solution, as the Wi-Fi was down for a long time if you had many APs on the controller. So Cisco introduced the pre-download feature with version 6.0, many years ago. It is documented in the official config guides, for example here.

The issue I have with this, that it was not really clear to me, which primary/backup command does what, because you have primary and backup images on WLC and AP.

So here a little guide, with the example of a usual upgrade path: