A great post from Aaron Leonard (Cisco TAC)

These are debugs that you can collect while logged into the IOS CLI.

Basic setup

If you see a prompt that ends in a right angle bracket, like this:

ap>

it means that you are in unprivileged mode, so get privileged (which shows a # prompt):

ap>enable

Password:

ap#

(default username/password on APs is "Cisco".)

Configure NTP, timestamps, line timeout

ap#configure terminal

ap(config)#sntp server 1.2.3.4

ap(config)#service timestamp debug datetime msec

ap(config)#service timestamp log datetime msec

ap(config)#logging rate-limit 500

ap(config)#no logging console

[1]

ap(config)#line con 0

ap(config-line)#no exec-timeout

ap(config-line)#line vty 0 4

ap(config-line)#no exec-timeout

ap(config)#exit

ap#write   (if you wan to to save the configuration changes to NVRAM)

#

[1] if you're going to generate debug messages at an extremely high rate, should be sure to turn off console logging, otherwise the AP will hang.  (If your access is via the console, then of course you would need some other way to see the debugs then - e.g.

write them to a logging buffer, or to an external syslog server

.  Or

increase the console port speed to 115200

.)

Collecting debugs from telnet or ssh session

Telnet/ssh into the AP, then enter the command "terminal monitor".  The debug messages will be written to your terminal window.  To save the messages, configure your terminal emulator accordingly.

Collecting debugs from a console session

Some development special debug output will be written only to the console.  So in such a case, you must connect a serial cable to the AP's console port and access this cable via a terminal emulator program (e.g. Windows Hyperterminal talking to a PC COM port.)  The default console port speed is 9600 bps which is too slow to collect a large volume of debugs - so increase the speed to 115200 bps, its maximum:

ap#configure terminal

ap(config)#logging console
ap(config)#line con 0

at this point, the terminal emulator program on the serial line will no longer be able to communicate with the console port, till you reset its speed to 115200 bps to match.

Radio names

The radios are usually called Dot11Radio0 (2.4GHz) and Dot11Radio1 (5GHz.)

ajax#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       10.0.47.21      YES DHCP   up                    up  
Dot11Radio0                unassigned      YES unset  up                    up  
Dot11Radio1                unassigned      YES unset  administratively down down
FastEthernet0              unassigned      YES other  up                    up 

You can abbreviate them to do0 and do1:

ajax#show controller do0
[...]
Radio AIR-AP1131G, Base Address 0012.44b3.e000, BBlock version 0.00, Software version 6.20.6
[...]
Configured Frequency: 2442 MHz  Channel 7

Basic show commands

radio information

ajax#show interface dot11radio0
ajax#show controller dot11radio0

client information

ajax#show dot11 associations
ajax#show dot11 associations all

AP information

ajax#show config     <= configuration (from NVRAM)
ajax#show run          <= configuration (in memory)
ajax#show version     <= model, version info
ajax#show tech          <= everything - do "term length 0" first

Other basic commands

ajax#clear dot11 client 0011.2233.4455  <= deauthenticate a client
ajax#clear int dot11radio0              <= reset a radio
ajax#reload                    <= reboot the AP

Basic debug commands

radio debugs

ajax#no debug dot11 dot11radio0 print printf  <= sometimes necessary to get radio debugs to log correctly

ajax#debug dot11 dot11radio0 trace print ?    <= show list of flags
-- example:
-- debug dot11 dot11radio0 trace print mgmt keys  <= mgmt frames & keying

dot1x/RADIUS debugs

ajax#debug dot11 aaa authenticator state-machine
ajax#debug dot11 aaa authenticator txdata
ajax#debug dot11 aaa authenticator rxdata
ajax#debug radius

Example debug output

This example uses all of the above listed debugs.  This shows a client being deauthed, then successfully associating in LEAP with WPA2/AES.  Note that the messages aren't all logged in order, i.e. the 802.11 association response sent by the AP is logged after the EAP ID-Request message is logged.

ajax#clear dot11 client 0040.96b4.7e8f
ajax#
Dec  5 23:14:58.537: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0040.96b4.7e8f Reason: Previous authentication no longer valid
Dec  5 23:14:58.619: 2149F234 t 1     0  - C040 13A B47E8F B3E000 B3E000 8250 deauth l 2
        reason 2
Dec  5 23:14:58.623: 214A02B6-0 0040.96b4.7e8f- delete session key
Dec  5 23:15:02.184: 218059FB r 1      75/ 13- B000 130 B3E000 B47E8F B3E000 0290 auth l 6
        algorithm 128
        sequence 1
        status 0
Dec  5 23:15:02.185: 21805E40 t 1     0  - B000 13A B47E8F B3E000 B3E000 84B0 auth l 6
        algorithm 128
        sequence 2
        status 0
Dec  5 23:15:02.186: 218064A6 r 1      76/ 12- 0000 130 B3E000 B47E8F B3E000 02A0 assreq l 141
        cap 431 infra privacy shorthdr
        listen interval 10
        ssid LEaP
        rates 2 4 B C 12 16 18 24
        extrates 30 48 60 6C
        rsn1 mcst aes ucst aes keymgmt wpa2 cap 2800
        221 - 0 50 F2 2 0 1 0
        aironet AARON-GW-XP load 0 clients 0 hops 0 device 87-0
                refresh 10 CW 0-0 flags 18 distance 0
        IP 10.0.47.206 0
        221 - 0 40 96 1 1 0
        ccxver 5
        221 - 0 40 96 14 7
Dec  5 23:15:02.188: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0040.96b4.7e8f
Dec  5 23:15:02.189: EAPOL pak dump tx
Dec  5 23:15:02.189: EAPOL Version: 0x1  type: 0x0  length: 0x0028
Dec  5 23:15:02.189: EAP code: 0x1  id: 0x1  length: 0x0028 type: 0x1
01806BC0:                   01000028 01010028          ...(...(
01806BD0: 01006E65 74776F72 6B69643D 4C456150  ..networkid=LEaP
01806BE0: 2C6E6173 69643D61 6A61782C 706F7274  ,nasid=ajax,port
01806BF0: 69643D30                             id=0
Dec  5 23:15:02.190: dot11_auth_dot1x_send_id_req_to_client: Client 0040.96b4.7e8f timer started for 30 seconds
Dec  5 23:15:02.190: 21806A65-0 0040.96b4.7e8f- session key type 200 len 16, idx: 1, E2164DEDE9F1AA1D
Dec  5 23:15:02.191: 21807239 t 1     0  - 1000 13A B47E8F B3E000 B3E000 84C0 assrsp l 113
        cap 431 infra privacy shorthdr
        status 0
        aid C001
        rates 82 84 8B C 12 96 18 24
        extrates 30 48 60 6C
        aironet ajax load 0 clients 0 hops 0 device 89-2700
                refresh 10 CW 15-1023 flags 1 distance 0
        IP 10.0.47.21 1
        ccxver 5
        221 - 0 40 96 B 9
        221 - 0 40 96 14 1
        221 - 0 50 F2 2 1 1 8C 0 3 A4 0 0 27 A4 0 0 42 43 BC 0 62 32 66 0
Dec  5 23:15:02.192: 218076D6 t 1     0  - 8802 13A B47E8F B3E000 B3E000 C730 q7 l54
  EAP id 1 req ident 0 "networkid=LEaP,nasid=ajax,portid=0"
Dec  5 23:15:02.205: 2180ACD3 r 1      75/ 13- 0801 130 B3E000 B47E8F B3E000 02B0 l21
   0100 0009 0201 0009 016C 6561 7000 0000 0000 0000 00
Dec  5 23:15:02.205: EAPOL pak dump rx
Dec  5 23:15:02.205: EAPOL Version: 0x1  type: 0x0  length: 0x0009
Dec  5 23:15:02.205: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
01803280: 01000009 02010009 016C6561 70        .........leap
Dec  5 23:15:02.206: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0040.96b4.7e8f
Dec  5 23:15:02.206: dot11_auth_dot1x_send_response_to_server: Sending client 0040.96b4.7e8f data to server
Dec  5 23:15:02.206: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Dec  5 23:15:02.207: RADIUS/ENCODE(00000B86):Orig. component type = DOT11
Dec  5 23:15:02.207: RADIUS:  AAA Unsupported Attr: ssid              [265] 4
Dec  5 23:15:02.207: RADIUS:   4C 45                                            [LE]
Dec  5 23:15:02.207: RADIUS:  AAA Unsupported Attr: interface         [157] 4
Dec  5 23:15:02.208: RADIUS:   33 31                                            [31]
Dec  5 23:15:02.208: RADIUS(00000B86): Config NAS IP: 0.0.0.0
Dec  5 23:15:02.208: RADIUS/ENCODE(00000B86): acct_session_id: 2948
Dec  5 23:15:02.208: RADIUS(00000B86): sending
Dec  5 23:15:02.208: RADIUS/ENCODE: Best Local IP-Address 10.0.47.21 for Radius-Server 10.0.47.20
Dec  5 23:15:02.208: RADIUS(00000B86): Send Access-Request to 10.0.47.20:1812 id 1645/10, len 123
Dec  5 23:15:02.209: RADIUS:  authenticator 4B A2 CB 82 2F BD 4A DA - E8 78 72 BA 6B A3 04 16
Dec  5 23:15:02.209: RADIUS:  User-Name           [1]   6   "leap"
Dec  5 23:15:02.209: RADIUS:  Framed-MTU          [12]  6   1400
Dec  5 23:15:02.209: RADIUS:  Called-Station-Id   [30]  16  "0012.44b3.e000"
Dec  5 23:15:02.209: RADIUS:  Calling-Station-Id  [31]  16  "0040.96b4.7e8f"
Dec  5 23:15:02.209: RADIUS:  Service-Type        [6]   6   Login                     [1]
Dec  5 23:15:02.209: RADIUS:  Message-Authenticato[80]  18
Dec  5 23:15:02.209: RADIUS:   C2 F3 BA 46 5D CC A7 56 6F 75 CD D5 CF 71 A1 F2  [???F]??Vou???q??]
Dec  5 23:15:02.210: RADIUS:  EAP-Message         [79]  11
Dec  5 23:15:02.210: RADIUS:   02 01 00 09 01 6C 65 61 70                       [?????leap]
Dec  5 23:15:02.210: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Dec  5 23:15:02.210: RADIUS:  NAS-Port            [5]   6   3196
Dec  5 23:15:02.210: RADIUS:  NAS-Port-Id         [87]  6   "3196"
Dec  5 23:15:02.210: RADIUS:  NAS-IP-Address      [4]   6   10.0.47.21
Dec  5 23:15:02.215: RADIUS: Received from id 1645/10 10.0.47.20:1812, Access-Challenge, len 116
Dec  5 23:15:02.216: RADIUS:  authenticator 89 E3 9A 73 09 D3 BC C7 - F5 3B 33 C4 1F 0D 71 25
Dec  5 23:15:02.216: RADIUS:  EAP-Message         [79]  22
Dec  5 23:15:02.216: RADIUS:   01 02 00 14 11 01 00 08 C2 F9 E3 AE 90 E0 5E 4D  [??????????????^M]
Dec  5 23:15:02.216: RADIUS:   6C 65 61 70                                      [leap]
Dec  5 23:15:02.216: RADIUS:  Session-Timeout     [27]  6   10
Dec  5 23:15:02.216: RADIUS:  State               [24]  50
Dec  5 23:15:02.217: RADIUS:   C2 F9 E3 AE 90 E0 5E 4D 00 00 00 00 00 00 00 00  [??????^M????????]
Dec  5 23:15:02.217: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [????????????????]
Dec  5 23:15:02.217: RADIUS:   24 B7 93 97 FE D4 04 23 78 5C 05 87 75 00 17 6C  [$??????#x\??u??l]
Dec  5 23:15:02.217: RADIUS:  Message-Authenticato[80]  18
Dec  5 23:15:02.217: RADIUS:   B6 9B A4 4B A5 A0 81 5B CC 75 58 42 A9 3F C1 C3  [???K???[?uXB????]
Dec  5 23:15:02.218: RADIUS(00000B86): Received from id 1645/10
Dec  5 23:15:02.218: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
Dec  5 23:15:02.219: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 0040.96b4.7e8f
Dec  5 23:15:02.219: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0040.96b4.7e8f
Dec  5 23:15:02.219: EAPOL pak dump tx
Dec  5 23:15:02.219: EAPOL Version: 0x1  type: 0x0  length: 0x0014
Dec  5 23:15:02.219: EAP code: 0x1  id: 0x2  length: 0x0014 type: 0x11
01800CB0:                   01000014 01020014          ........
01800CC0: 11010008 C2F9E3AE 90E05E4D 6C656170  ....Byc..`^Mleap
01800CD0:
Dec  5 23:15:02.220: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 10 seconds
Dec  5 23:15:02.221: 2180EC54 t 1     0  - 8802 13A B47E8F B3E000 B3E000 C740 q7 l54
  EAP id 2 req leap 0100 08C2 F9E3 AE90 E05E 4D6C 6561 70
Dec  5 23:15:02.224: EAPOL pak dump rx
Dec  5 23:15:02.224: EAPOL Version: 0x1  type: 0x0  length: 0x0024
Dec  5 23:15:02.224: EAP code: 0x2  id: 0x2  length: 0x0024 type: 0x11
01807E10: 01000024 02020024 11010018 75682898  ...$...$....uh(.
01807E20: 897FB670 FA732F1A 09B92150 B21EF0F2  ..6pzs/..9!P2.pr
01807E30: 044CDEE4 6C656170                    .L^dleap
Dec  5 23:15:02.225: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0040.96b4.7e8f
Dec  5 23:15:02.225: dot11_auth_dot1x_send_response_to_server: Sending client 0040.96b4.7e8f data to server
Dec  5 23:15:02.225: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Dec  5 23:15:02.226: RADIUS/ENCODE(00000B86):Orig. component type = DOT11
Dec  5 23:15:02.226: RADIUS:  AAA Unsupported Attr: ssid              [265] 4
Dec  5 23:15:02.226: RADIUS:   4C 45                                            [LE]
Dec  5 23:15:02.226: RADIUS:  AAA Unsupported Attr: interface         [157] 4
Dec  5 23:15:02.226: RADIUS:   33 31                                            [31]
Dec  5 23:15:02.226: RADIUS(00000B86): Config NAS IP: 0.0.0.0
Dec  5 23:15:02.227: RADIUS/ENCODE(00000B86): acct_session_id: 2948
Dec  5 23:15:02.227: RADIUS(00000B86): sending
Dec  5 23:15:02.227: RADIUS/ENCODE: Best Local IP-Address 10.0.47.21 for Radius-Server 10.0.47.20
Dec  5 23:15:02.227: RADIUS(00000B86): Send Access-Request to 10.0.47.20:1812 id 1645/11, len 200
Dec  5 23:15:02.227: RADIUS:  authenticator A7 50 BD F4 AA 2D 8A F3 - 92 EF 86 B2 2F 31 89 B4
Dec  5 23:15:02.228: RADIUS:  User-Name           [1]   6   "leap"
Dec  5 23:15:02.228: RADIUS:  Framed-MTU          [12]  6   1400
Dec  5 23:15:02.228: RADIUS:  Called-Station-Id   [30]  16  "0012.44b3.e000"
Dec  5 23:15:02.228: RADIUS:  Calling-Station-Id  [31]  16  "0040.96b4.7e8f"
Dec  5 23:15:02.228: RADIUS:  Service-Type        [6]   6   Login                     [1]
Dec  5 23:15:02.228: RADIUS:  Message-Authenticato[80]  18
Dec  5 23:15:02.228: RADIUS:   BA FE 70 17 A6 67 2B B3 A5 78 35 EB 6D AE 5B 36  [??p??g+??x5?m?[6]
Dec  5 23:15:02.228: RADIUS:  EAP-Message         [79]  38
Dec  5 23:15:02.229: RADIUS:   02 02 00 24 11 01 00 18 75 68 28 98 89 7F B6 70  [???$????uh(????p]
Dec  5 23:15:02.229: RADIUS:   FA 73 2F 1A 09 B9 21 50 B2 1E F0 F2 04 4C DE E4  [?s/???!P?????L??]
Dec  5 23:15:02.229: RADIUS:   6C 65 61 70                                      [leap]
Dec  5 23:15:02.229: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Dec  5 23:15:02.229: RADIUS:  NAS-Port            [5]   6   3196
Dec  5 23:15:02.230: RADIUS:  NAS-Port-Id         [87]  6   "3196"
Dec  5 23:15:02.230: RADIUS:  State               [24]  50
Dec  5 23:15:02.230: RADIUS:   C2 F9 E3 AE 90 E0 5E 4D 00 00 00 00 00 00 00 00  [??????^M????????]
Dec  5 23:15:02.230: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [????????????????]
Dec  5 23:15:02.230: RADIUS:   24 B7 93 97 FE D4 04 23 78 5C 05 87 75 00 17 6C  [$??????#x\??u??l]
Dec  5 23:15:02.230: RADIUS:  NAS-IP-Address      [4]   6   10.0.47.21
Dec  5 23:15:02.231: 2180F622 r 1      76/ 13- 0801 130 B3E000 B47E8F B3E000 02C0 l48
   0100 0024 0202 0024 1101 0018 7568 2898 897F B670 FA73 2F1A 09B9 2150
  B21E F0F2 044C DEE4 6C65 6170 0000 0000 0000 0000
Dec  5 23:15:02.245: RADIUS: Received from id 1645/11 10.0.47.20:1812, Access-Challenge, len 94
Dec  5 23:15:02.245: RADIUS:  authenticator FE 64 BD 35 49 E1 0C C4 - 71 F5 9E B1 DE CB 45 9D
Dec  5 23:15:02.246: RADIUS:  EAP-Message         [79]  6
Dec  5 23:15:02.246: RADIUS:   03 02 00 04                                      [????]
Dec  5 23:15:02.246: RADIUS:  State               [24]  50
Dec  5 23:15:02.246: RADIUS:   C2 F9 E3 AE 90 E0 5E 4D 75 68 28 98 89 7F B6 70  [??????^Muh(????p]
Dec  5 23:15:02.246: RADIUS:   FA 73 2F 1A 09 B9 21 50 B2 1E F0 F2 04 4C DE E4  [?s/???!P?????L??]
Dec  5 23:15:02.247: RADIUS:   D4 2C 1C 1C 49 4D 60 80 BC BC AF FC 91 78 37 92  [?,??IM`??????x7?]
Dec  5 23:15:02.247: RADIUS:  Message-Authenticato[80]  18
Dec  5 23:15:02.247: RADIUS:   6E 86 16 34 26 7B 27 89 53 32 0A 49 DE 4E 65 FC  [n??4&{'?S2?I?Ne?]
Dec  5 23:15:02.247: RADIUS(00000B86): Received from id 1645/11
Dec  5 23:15:02.248: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Dec  5 23:15:02.248: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 0040.96b4.7e8f
Dec  5 23:15:02.248: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0040.96b4.7e8f
Dec  5 23:15:02.248: EAPOL pak dump tx
Dec  5 23:15:02.248: EAPOL Version: 0x1  type: 0x0  length: 0x0004
Dec  5 23:15:02.248: EAP code: 0x3  id: 0x2  length: 0x0004
01808F20: 01000004 03020004                    ........
Dec  5 23:15:02.249: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
Dec  5 23:15:02.250: 21815D4C t 1     0  - 8802 13A B47E8F B3E000 B3E000 C750 q7 l54
  EAP id 2 success
Dec  5 23:15:02.255: EAPOL pak dump rx
Dec  5 23:15:02.255: EAPOL Version: 0x1  type: 0x0  length: 0x0014
Dec  5 23:15:02.255: EAP code: 0x1  id: 0x2  length: 0x0014 type: 0x11
01804390: 01000014 01020014 11010008 496A7925  ............Ijy%
018043A0: 08614014 6C656170                    .a@.leap
Dec  5 23:15:02.256: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0040.96b4.7e8f
Dec  5 23:15:02.256: dot11_auth_dot1x_send_response_to_server: Sending client 0040.96b4.7e8f data to server
Dec  5 23:15:02.256: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Dec  5 23:15:02.257: RADIUS/ENCODE(00000B86):Orig. component type = DOT11
Dec  5 23:15:02.257: RADIUS:  AAA Unsupported Attr: ssid              [265] 4
Dec  5 23:15:02.257: RADIUS:   4C 45                                            [LE]
Dec  5 23:15:02.257: RADIUS:  AAA Unsupported Attr: interface         [157] 4
Dec  5 23:15:02.257: RADIUS:   33 31                                            [31]
Dec  5 23:15:02.258: RADIUS(00000B86): Config NAS IP: 0.0.0.0
Dec  5 23:15:02.258: RADIUS/ENCODE(00000B86): acct_session_id: 2948
Dec  5 23:15:02.258: RADIUS(00000B86): sending
Dec  5 23:15:02.258: RADIUS/ENCODE: Best Local IP-Address 10.0.47.21 for Radius-Server 10.0.47.20
Dec  5 23:15:02.258: RADIUS(00000B86): Send Access-Request to 10.0.47.20:1812 id 1645/12, len 184
Dec  5 23:15:02.258: RADIUS:  authenticator 31 78 B8 F6 26 E4 36 F1 - 88 DB 25 40 53 56 A4 B5
Dec  5 23:15:02.259: RADIUS:  User-Name           [1]   6   "leap"
Dec  5 23:15:02.259: RADIUS:  Framed-MTU          [12]  6   1400
Dec  5 23:15:02.259: RADIUS:  Called-Station-Id   [30]  16  "0012.44b3.e000"
Dec  5 23:15:02.259: RADIUS:  Calling-Station-Id  [31]  16  "0040.96b4.7e8f"
Dec  5 23:15:02.259: RADIUS:  Service-Type        [6]   6   Login                     [1]
Dec  5 23:15:02.259: RADIUS:  Message-Authenticato[80]  18
Dec  5 23:15:02.259: RADIUS:   31 01 9A B3 64 AA 5B DB 6C 76 31 AA A2 CD 3B F6  [1???d?[?lv1???;?]
Dec  5 23:15:02.259: RADIUS:  EAP-Message         [79]  22
Dec  5 23:15:02.260: RADIUS:   01 02 00 14 11 01 00 08 49 6A 79 25 08 61 40 14  [????????Ijy??a@?]
Dec  5 23:15:02.260: RADIUS:   6C 65 61 70                                      [leap]
Dec  5 23:15:02.260: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Dec  5 23:15:02.260: RADIUS:  NAS-Port            [5]   6   3196
Dec  5 23:15:02.260: RADIUS:  NAS-Port-Id         [87]  6   "3196"
Dec  5 23:15:02.260: RADIUS:  State               [24]  50
Dec  5 23:15:02.261: RADIUS:   C2 F9 E3 AE 90 E0 5E 4D 75 68 28 98 89 7F B6 70  [??????^Muh(????p]
Dec  5 23:15:02.261: RADIUS:   FA 73 2F 1A 09 B9 21 50 B2 1E F0 F2 04 4C DE E4  [?s/???!P?????L??]
Dec  5 23:15:02.261: RADIUS:   D4 2C 1C 1C 49 4D 60 80 BC BC AF FC 91 78 37 92  [?,??IM`??????x7?]
Dec  5 23:15:02.261: RADIUS:  NAS-IP-Address      [4]   6   10.0.47.21
Dec  5 23:15:02.262: 21816FB9 r 1      /75 12- 0801 130 B3E000 B47E8F B3E000 02D0 l32
   0100 0014 0102 0014 1101 0008 496A 7925 0861 4014 6C65 6170 0000 0000
  0000 0000
Dec  5 23:15:02.278: RADIUS: Received from id 1645/12 10.0.47.20:1812, Access-Accept, len 216
Dec  5 23:15:02.278: RADIUS:  authenticator 52 FD 9C 2F 96 3A B9 B1 - F5 C1 59 17 A7 A5 DD FD
Dec  5 23:15:02.278: RADIUS:  EAP-Message         [79]  38
Dec  5 23:15:02.278: RADIUS:   02 02 00 24 11 01 00 18 AC BD 25 1F 89 7B CB 6F  [???$?????????{?o]
Dec  5 23:15:02.279: RADIUS:   42 08 3B 37 62 8D 0D C7 78 9F 11 E3 5C D9 5B F1  [B?;7b???x???\?[?]
Dec  5 23:15:02.279: RADIUS:   6C 65 61 70                                      [leap]
Dec  5 23:15:02.279: RADIUS:  Vendor, Cisco       [26]  59
Dec  5 23:15:02.279: RADIUS:   Cisco AVpair       [1]   53  "leap:session-key=?
p<k2}l;q`o)2AHP2K%GXD>G:"
Dec  5 23:15:02.279: RADIUS:  Vendor, Cisco       [26]  31
Dec  5 23:15:02.279: RADIUS:   Cisco AVpair       [1]   25  "auth-algo-type=eap-leap"
Dec  5 23:15:02.279: RADIUS:  State               [24]  50
Dec  5 23:15:02.280: RADIUS:   C2 F9 E3 AE 90 E0 5E 4D 75 68 28 98 89 7F B6 70  [??????^Muh(????p]
Dec  5 23:15:02.280: RADIUS:   FA 73 2F 1A 09 B9 21 50 B2 1E F0 F2 04 4C DE E4  [?s/???!P?????L??]
Dec  5 23:15:02.280: RADIUS:   D4 2C 1C 1C 49 4D 60 80 BC BC AF FC 91 78 37 92  [?,??IM`??????x7?]
Dec  5 23:15:02.280: RADIUS:  Message-Authenticato[80]  18
Dec  5 23:15:02.280: RADIUS:   A4 B6 3E 73 9D C0 5E 01 EB 1F 6A 57 D7 44 4C DF  [??>s??^???jW?DL?]
Dec  5 23:15:02.281: RADIUS(00000B86): Received from id 1645/12
Dec  5 23:15:02.281: RADIUS/DECODE: EAP-Message fragments, 36, total 36 bytes
Dec  5 23:15:02.281: found leap session key
Dec  5 23:15:02.282: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_PASS) for 0040.96b4.7e8f
Dec  5 23:15:02.282: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0040.96b4.7e8f
Dec  5 23:15:02.282: EAPOL pak dump tx
Dec  5 23:15:02.282: EAPOL Version: 0x1  type: 0x0  length: 0x0024
Dec  5 23:15:02.282: EAP code: 0x2  id: 0x2  length: 0x0024 type: 0x11
01804AE0: 01000024 02020024 11010018 ACBD251F  ...$...$....,=%.
01804AF0: 897BCB6F 42083B37 628D0DC7 789F11E3  .{KoB.;7b..Gx..c
01804B00: 5CD95BF1 6C656170                    \Y[qleap
Dec  5 23:15:02.283: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
Dec  5 23:15:02.284: 2181E306 t 1     0  - 8802 13A B47E8F B3E000 B3E000 C760 q7 l54
  EAP id 2 resp leap 0100 18AC BD25 1F89 7BCB 6F42 083B 3762 8D0D C778 9F11
  E35C D95B F16C 6561 70
Dec  5 23:15:02.286: 2181EA22 t 1     0  - 8802 13A B47E8F B3E000 B3E000 C770 q7 l129
  EAPOL2 EAPOL key desc 02  008A 0010 0000 0000 0000 0001 5AD9 47C1 D022
  5AE4 6C06 F77E AFD2 B48A D7CD 4D05 1510 DF8C F732 7D69 E62D A592 0000 0000
Dec  5 23:15:02.298: 21821818 r 1      /76 14- 0801 130 B3E000 B47E8F B3E000 02E0 l161
   0103 0095 0201 0A00 0000 0000 0000 0000 01B1 3B6A A511 28C1 8CD6 A90B
  8797 8C2F F115 1D9A 95C1 9BE1 C07E E9A8 9AA7 86C2 B500 0000 0000 0000 0000
Dec  5 23:15:02.302: 218227E8 t 1     0  - 8802 13A B47E8F B3E000 B3E000 C780 q7 l179
  EAPOL2 EAPOL key desc 02  13CA 0010 0000 0000 0000 0002 5AD9 47C1 D022
  5AE4 6C06 F77E AFD2 B48A D7CD 4D05 1510 DF8C F732 7D69 E62D A592 0000 0000
Dec  5 23:15:02.312: 21824F9A r 1      /76 15- 0801 130 B3E000 B47E8F B3E000 02F0 l107
   0103 005F 0203 0A00 0000 0000 0000 0000 0200 0000 0000 0000 0000 0000
  0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
Dec  5 23:15:02.313: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AARON-GW-XP 0040.96b4.7e8f Associated KEY_MGMT[WPAv2]
Dec  5 23:15:02.314: 218252AE-0 0040.96b4.7e8f- session key type 200 len 16, idx: 0, B0DC14798C4898C6

More info

Quick Start Guide Cisco Aironet 1240AG Series Access Point

Configuration Guide

AP Command Reference

  

Back in the day when I couldn’t afford a spectrum or packet analyzer I would often use the next best free thing available. Its called the "carrier busy" test and it’s built into the Cisco Autonomous Access Point.

The carrier busy test will allow you to see what is going on in an environment from 50,000 feet, but that’s about where it ends. It doesn’t have details like a professional analyzer will provide. You could incorporate other commands like frame retries etc to help better interpret “carrier busy”.

Needless to say, it’s a fun command and if you don’t have the proper tools could help you in a pinch. If you do outdoor bridges, you may already use this command to assist on channel assignment.

What is "Carrier Busy"

On a Cisco autonomous access point you can run a command called 'carrier busy'. The AP will shutdown the respected radio interface and will scan all respected channels and report back with a percentage of channel activity. The channel activity collected includes activity from both 802.11 traffic and interference also sometimes called RFI (Radio Frequency Interference).

What this means, if there is 802.11 traffic and suppose there is interference it will compute a  (percentage) to this value. Things to note when you run the carrier busy test the radio will do a shut and all associated clients will lose connectivity between 5 - 8 seconds during the test. After the test the radio will no shut itself and return to production allowing clients to associate again.

I have not found any detailed documentation stating exactly how the access point computes these values. If you have any info please do share!

Command for "Carrier Busy"

If your access point has both 802.11g <dot11Radio 0> and 802.11a <dot11Radio 1> radios you can run busy test on either the 2.4 GHz or the 5 GHz spectrums.

ap#dot11 <Radio Interface> carrier busy

ap#show dot11 carrier busy

802.11g = dot11Radio 0
802.11a = dot11Radio 1

ap#dot11 dot11Radio 0 carrier busy

Example # 1 - Carrier Busy (Normal)

This example is a neighboring access point on channel 11 only sending management frames

ap#dot11 dot11Radio 0 carrier busy

*Mar  2 09:07:33.173: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  2 09:07:34.173: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

Frequency  Carrier Busy %
---------  --------------
2412          0
2417          3
2422          0
2427          0
2432          0
2437          0
2442          0
2447          4
2452          5
2457          2
2462          5

*Mar  2 09:07:38.695: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  2 09:07:39.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

Example # 2 - Carrier Busy (Microwave)

 I introduced a microwave oven into the mix. You can see there is a significant increase in channel activity from 2447 - 2462. 

ap#dot11 dot11Radio 0 carrier busy

*Mar  2 09:05:52.664: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  2 09:05:53.664: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

Frequency  Carrier Busy %
---------  --------------
2412          1
2417          7
2422          5
2427          1
2432          11
2437          13
2442          10
2447          31
2452          36
2457          42
2462          45

*Mar  2 09:05:58.186: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  2 09:05:59.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

ap#

Example # 3 - Carrier Busy (ISO Download)

In this example I introduced 2 laptops and conducted an ISO download for the purpose of creating 802.11 traffic.

ap#dot11 dot11Radio 0 carrier busy

*Mar  2 09:07:33.173: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  2 09:07:34.173: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

Frequency  Carrier Busy %
---------  --------------
2412          0
2417          3
2422          0
2427          0
2432          0
2437          0
2442          3
2447          9
2452          19
2457          21
2462          23

*Mar  2 09:07:38.695: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  2 09:07:39.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

Conclusion

If you don’t have tools and you are in a pinch the carrier busy test may be a tool you might find helpful. Keep in mind, you will need to incorporate other commands to interpret the carrier busy results.

How to enable or disable the web interface on a Cisco access point (autonomous) 

The web browser command in the CLI is

"ip http server" for port 80 HTTP

"ip http secure-server" for port 443 HTTPS

ENABLE

ap(config)#ip http server 

ap(config)#ip http secure-server

DISABLE - You negate the command with "NO"

ap(config)#NO ip http server

ap(config)#NO ip http secure-server

I wanted to share this in case you may have a use for it. I've used it in the past, its a little hit or miss on what is supported and how the code is sometimes read. It was recently updated to support the Cisco WLCs show & debug commands

Output Interpreter is a troubleshooting tool that reports potential problems by analyzing supported "show" command output. Output Interpreter supports various "show" command output from your router, switch, PIX/ASA firewall, IOS® wireless access point, or Meeting Place Platform.

The Output Interpreter continues to support new features to better serve you. This month's list of new features includes support for GOLD diagnostics and other outputs, including:

• Cisco 12000 IOS XR Firmware, Hardware and Software Readiness Assessment (Up to version 3.8)
• Wireless LAN Controller - show & debug commands
• GOLD diagnostics - show diagnostic result
• ASA Commands - show tech-support, show running-config

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl 

How to reset a Cisco AP using the MODE button.

I have a small project coming up and getting refreshed with the Cisco Autonomous Access Points...

Using the MODE Button

Follow these steps to delete the current configuration and return all access point settings to the factory defaults by using the MODE button:

1. Disconnect power from the access point (the power jack for external power or the Ethernet cable for in-line power).

2. Press and hold the MODE button while you reconnect power to the access point.

3. Continue pressing the MODE button until the Ethernet LED turns amber. (approximately 2 to 3 seconds). Then release the button.

4. After the access point reboots, you must reconfigure it using the web browser interface, the Telnet interface, or the access point console port.

After having worked on countless Cisco WLAN VoIP deployments a general rule of thumb from Cisco TAC is to disable TKIP countermeasure on ALL voice WLANs and lessen the timer for DATA WLANs. Again this is all subject to your comfort level and performance requirements. Personally, I can't say I have ever seen this to be an issue or had an issue that was directly related to the countermeasure. But something to chew on!

TKIP countermeasure mode can occur if the Access Point receives 2 message integrity check (MIC) errors within a 60 second period. When this occurs, the Access Point will de-authenticate ALL TKIP clients associated to that 802.11 radio and holdoff any clients for the countermeasure holdoff time (default = 60 seconds).

ap#config t

ap(config)#interface dot11Radio 0

Note: This is radio specific on autonomous access points

ap(config-if)#countermeasure tkip 0

Note:  Configures TKIP MIC countermeasures hold-down timer (0-65535 seconds), unlike the WLC which is (0-60 seconds)