Cisco 857W and authentication and encryption



lord_avon
2008-03-04, 13:49
Guys,

I've got a new cisco 857w router as my old netgear one was utter pants.

Any hints on how to get the Squeezebox 2 talking to it using at least WEP? At the moment the only way I can do it is to have 'WEP' encryption as optional and tie access down with a hidden SSID and mac address based ACLs.

If I force WEP to be mandatory the squeezebox2's never connect, if I make it optional and disable WEP they connect instantly.

anyone resolved this?

I'm running the wifi bridged (though I think it'll be routed after this weekend) and the current config for the interface is below (access list 700 is my mac-address ACL).

interface Dot11Radio0
no ip address
!
encryption vlan 1 key 1 size 40bit 7 <KeyRemoved> transmit-key
encryption vlan 1 mode wep optional
!
ssid <SSIDRemoved>
vlan 1
authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 700
bridge-group 1 output-address-list 700
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!

cheers
Paul

DVB
2008-03-05, 19:55
Hi,

I don't have any experience with 857w in terms of what subset of wireless commands is allowed, so you'd have to figure it out yourself. Below is an extract from my wireless config (AP1242), which uses WPA2/AES-CCMP, with some additional blocks that might prove useful. However, I use no VLANs, so the config would have to be adapted accordingly.

/DVB

aaa new-model
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local-case
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
dot11 ssid <SSIDRemoved>
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 <KeyRemoved>
!

!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
broadcast-key change 300 membership-termination capability-change
!
!
ssid <SSIDRemoved>
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no dot11 extension aironet
world-mode dot11d country GB both
no cdp enable
infrastructure-client
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!

interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
!

ip radius source-interface BVI1
!

radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip

Balthazar_B
2008-03-07, 07:08
DVB, what version of IOS are you using on your AP? I'm running a Cisco 1240AG and seeing some different setting descriptions from yours.

DVB
2008-03-07, 07:33
AIR-AP1242AG-E-K9 - 12.4(10b)JA(ED), which is the latest for this AP.

I've only posted specific sections of my config, which I thought were relevant to the original question. If you need assistance troubleshooting your wireless Cisco-based setup - I can help you with that. In my experience, Cisco wireless products don't usually work with squeezeboxes out of the box, primary reason being incompatibility with CCX. However, once properly set up, the connection is extremely reliable - no dropouts or any other unpleasant wireless-related side effects.

If you want, I can post the complete config.

/DVB

lord_avon
2008-03-07, 15:44
DVB,

Thanks, so can I use WPA with my Squeezebox 2's? I thought they only did WEP?

I'd prefer to use WPA if possible.

As for the VLANs, it's just because you have the option of running the wireless on a separate VLAN and then routing that interface. Not something I'm really bothered about as I don't have a lot of data on my network.

Ironically all my laptops (various PC/Mac) connect using wep fine. Though the Apple Airport express I have doesn't seem to like the 857 much (it's connected, listed in the arp table, but not the mac-address table, spooky)..

Anyway, if I can use WPA2 with my SB2, I'll do so. How do I tell the SB2 to use WPA?

Paul

DVB
2008-03-07, 15:57
SB works just fine with either WPA/TKIP or WPA2/AES-CCMP. I personally prefer the latter.

You can, of course, use VLANs if you need them, I just wanted to underline that my config would have to be amended. It's not a massive change, though, just a few lines for encapsulation, tagging and routing.

If all other nodes connect OK - deactivate CCX. This was the original problem I had between SBs and Cisco APs, SBs just don't seem to be compatible with CCX. As for the Apple wireless hardware - I seem to remember that older versions of it were unable to connect using WEP if any key index other than 1 was in use.

As for SB and WPA (WPA2) - once your access point is set up and running, just try to connect SB to a wireless network the usual way, it should recognize the encryption scheme automatically and ask you to enter the WPA (WPA2) key.

/DVB
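
Added example (not code from either poster or from Cisco): what the AP does with the value entered on the `wpa-psk ascii` line, and what the SB is asked for when it "recognizes the encryption scheme and asks for the WPA key". Under 802.11i, the 256-bit pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, so the same passphrase gives a different key on a different SSID. The passphrase/SSID pair used below is the published IEEE 802.11i test vector, not a real network's key; the claim that IOS also accepts the raw key as `wpa-psk hex` is stated from the IOS command reference and is marked as an assumption in the code.

```python
import hashlib

# IEEE 802.11i (Annex H) test vector: a public example pair, not a real key.
TEST_PASSPHRASE = "password"
TEST_SSID = "IEEE"


def check_passphrase(passphrase: str) -> None:
    """802.11i limits a WPA-PSK passphrase to 8..63 printable ASCII characters.
    IOS applies the same limits to 'wpa-psk ascii'."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def ios_wpa_psk_hex_line(passphrase: str, ssid: str) -> str:
    """The 'wpa-psk ascii <passphrase>' setting expressed as the raw 64-hex-digit
    key. Assumption: IOS accepts this form as 'wpa-psk hex <key>' in dot11 ssid
    sub-mode, as the command reference documents."""
    return "wpa-psk hex " + derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    print(ios_wpa_psk_hex_line(TEST_PASSPHRASE, TEST_SSID))
```

The iteration count is fixed by the standard, so the strength of WPA-PSK rests entirely on the passphrase: anything a client can derive from a short or dictionary passphrase and the (broadcast) SSID can be derived by anyone who captures a handshake, which is why a long random passphrase matters more than the choice between TKIP and AES-CCMP. This is also why DVB and lord_avon were right to strip the `7 <KeyRemoved>` values before posting their configs: IOS "type 7" is a reversible obfuscation, not encryption.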

lord_avon
2008-03-08, 01:08
Hi,

Thanks, I'm using WPA/tkip now, my laptops all connect fine.

when I start my SB2s they ask for a network SSID, and then I have a choice of 128-bit, 64-bit or no encryption.
It doesn't matter which I choose, the SB2 never connects I just get "Can't find wireless network".

Silly question what is CCX?

Here's my config at the moment ;-

interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid HundredAcres
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <Key removed>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
l2-filter bridge-group-acl
bridge-group 1
!

lord_avon
2008-03-08, 13:40
I've done some debugging, this message looks relevant ;-

000406: *Mar 8 20:36:32.815 PCTime: dot11_mgmt:[35DCF163]receive (re)assoc req from 0004.2005.0393

000407: *Mar 8 20:36:32.815 PCTime: dot11_mgmt: reject 0004.2005.0393 due to missing ssnie
000408: *Mar 8 20:36:32.815 PCTime: dot11_mgmt: [35DCF389]send assoc resp, status[13] to dst=0004.2005.0393,aid[0]

what on earth is an SSNIE?
and yes, that is the mac address of one of my SB2s (running firmware v 40).

lord_avon
2008-03-08, 13:53
OK, my assumption is that the SSNIE is the key, or at least the first part of the processing of establishing a WPA link.

Just checked with my laptop (which works) and before it sends the '(re)assoc req' I see the following ;-

000530: *Mar 8 20:52:23.927 PCTime: dot11_mgmt:[6E8DBC19]recv auth msg from nnn.nnn.nnnn, seq_num = 1

My problem is that at *NO* point does the SB2 prompt me for a WPA-PSK password, so I can only assume it's not actually capable of recognising the 857w is using WPA-PSK (my dell laptop did this just fine).

Any suggestions for a next move?

Paul
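
Added example, not from the thread's posters: a small triage script for the `debug dot11` management lines quoted above. It tracks, per client MAC, whether an authentication frame was seen, whether an association request arrived, whether the AP logged a reject reason, and the 802.11 status code in the association response. The interpretation of "missing ssnie" is an assumption stated in the code: "SSN" was the pre-WPA name (Simple Security Network) for what became the WPA information element, so "missing ssnie" reads as "the client's association request carried no WPA/RSN IE", i.e. the client is not offering WPA at all, which is exactly what a WEP-only client looks like to a WPA-only SSID. The SB2 lines are copied from the post; the laptop lines (MAC `0011.2233.4455`) are constructed to stand in for the redacted `nnn.nnn.nnnn` entry.

```python
import re
from collections import defaultdict

# Log lines: the first three are from the post above; the laptop lines are
# constructed (the post redacted that MAC as nnn.nnn.nnnn).
SAMPLE_LOG = [
    "000406: *Mar 8 20:36:32.815 PCTime: dot11_mgmt:[35DCF163]receive (re)assoc req from 0004.2005.0393",
    "000407: *Mar 8 20:36:32.815 PCTime: dot11_mgmt: reject 0004.2005.0393 due to missing ssnie",
    "000408: *Mar 8 20:36:32.815 PCTime: dot11_mgmt: [35DCF389]send assoc resp, status[13] to dst=0004.2005.0393,aid[0]",
    "000530: *Mar 8 20:52:23.927 PCTime: dot11_mgmt:[6E8DBC19]recv auth msg from 0011.2233.4455, seq_num = 1",
    "000531: *Mar 8 20:52:23.931 PCTime: dot11_mgmt:[6E8DBC2A]receive (re)assoc req from 0011.2233.4455",
    "000532: *Mar 8 20:52:23.935 PCTime: dot11_mgmt: [6E8DBC3B]send assoc resp, status[0] to dst=0011.2233.4455,aid[1]",
]

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
PATTERNS = {
    "auth":   re.compile(rf"recv auth msg from ({MAC}), seq_num = (\d+)"),
    "assoc":  re.compile(rf"receive \(re\)assoc req from ({MAC})"),
    "reject": re.compile(rf"reject ({MAC}) due to (.+?)\s*$"),
    "resp":   re.compile(rf"send assoc resp, status\[(\d+)\] to dst=({MAC})"),
}

# Assumed reading of the reject reasons this script knows about.
REASONS = {
    "missing ssnie": (
        "association request carried no WPA/RSN information element: "
        "the client is not offering WPA, so a WPA-only SSID refuses it"
    ),
}


def new_station():
    return {"auth_seen": False, "assoc_req": False, "reject_reason": None, "status": None}


def triage(lines):
    """Fold the debug lines into one state record per client MAC."""
    stations = defaultdict(new_station)
    for line in lines:
        if (m := PATTERNS["auth"].search(line)):
            stations[m.group(1)]["auth_seen"] = True
        elif (m := PATTERNS["assoc"].search(line)):
            stations[m.group(1)]["assoc_req"] = True
        elif (m := PATTERNS["reject"].search(line)):
            stations[m.group(1)]["reject_reason"] = m.group(2)
        elif (m := PATTERNS["resp"].search(line)):
            stations[m.group(2)]["status"] = int(m.group(1))
    return dict(stations)


def explain(station):
    """One-line verdict for a station record; status 0 is 802.11 'success'."""
    if station["status"] == 0:
        return "associated"
    if station["reject_reason"] in REASONS:
        return REASONS[station["reject_reason"]]
    if station["status"] is not None:
        return f"association refused with 802.11 status {station['status']}"
    return "no association response seen"


if __name__ == "__main__":
    for mac, st in triage(SAMPLE_LOG).items():
        print(mac, "->", explain(st))
```

The useful signal is the combination: the laptop shows an auth frame, then an association request, then status 0; the SB shows an association request that the AP rejects before any key exchange can start, so the problem is upstream of the PSK and changing the key or cipher on the AP cannot fix it.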

DVB
2008-03-08, 15:56
CCX stands for Cisco Compatible eXtensions.

There is one thing that is not clear to me from your posts, and that is how you try to connect to the network. Do you get an SSID (or a list of SSIDs) on the screen and then proceed, or do you enter everything manually? If you get the correct SSID on the screen and click the right arrow on it to go forward, there might be, as you suggested, a chance that SB fails to recognise the encryption scheme in use correctly. Should it be the case, try to enter everything (including SSID) manually, as you would be able to choose correct encryption settings.

Also, another fact from your posts puzzled me, and that is the firmware revision of your SB2 (v40). Why is the number so low? Have you tried updating your SB2 to the latest firmware? Finally, the million dollar question - is your device definitely a SB2? According to wiki, SB and SB2 look exactly the same, and v40 is the latest firmware version for SB (again, according to wiki). However, SB does not support WPA in any shape or form, with WEP being the only option available. Could you, just to be sure, confirm that you definitely have SB2s?

Finally, it might be a good idea to update your IOS to the latest revision (assuming it's not been done already). Can you provide sh ver output to confirm?

/DVB

lord_avon
2008-03-09, 01:55
Hi,

I don't always see the SSID, sometimes I do, sometimes I don't. I lowered the beacon period to 20 seconds to see if that helped, and it made no change.

As for SB/SB2, I thought the original squeezebox was wired only and the display had only a single row of characters.

If this isn't the case, how can I tell an SB from an SB2?

The IOS is reasonably up to date ;-

Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(6)T5, RELEASE SOFTWARE (fc1)

Paul

DVB
2008-03-09, 05:41
If you don't always see the SSID, it may indicate an unstable connection.

The original SLIMP3 was wired only, SB and above are all wireless capable. I'm not sure how to tell them apart, as I don't have either, but I presume there should be some information on the SC's status page that might help. Also, have a look here: http://wiki.slimdevices.com/index.cgi?HardwareComparison

If you do indeed have SBs, this could explain the instability of your connection. SB, according to wiki, is an 802.11b-only device, but the config example I provided was for g devices only, which in turn means that config would have to be adapted yet again to account for b speeds and negotiations (such as defining basic speeds, changing preamble to long, etc).

As for the IOS version, the latest for your device is 12.4.15T3, so if I were you I would update.

/DVB
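
Added example, not from the posters: a check of the point DVB makes about basic speeds. In IOS the `basic-` prefix on a rate in the `speed` line puts that rate in the BSS basic rate set, and 802.11 requires a station to support every basic rate before the AP will accept its association. An 802.11b-only client only knows 1, 2, 5.5 and 11 Mbit/s, so the two `speed` lines posted in this thread behave very differently for it. The parser below handles only explicit rate lists (not keywords such as `speed default`), which is an assumption noted in the code; the two sample lines are copied from the configs above.

```python
import re

# The two 'speed' lines posted in this thread.
SPEED_857W = "speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0"
SPEED_AP1242 = ("speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 "
                "basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0")

B_ONLY_CLIENT = {1.0, 2.0, 5.5, 11.0}            # 802.11b DSSS/CCK rates
G_CLIENT = B_ONLY_CLIENT | {6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0}


def parse_speed_line(line):
    """Return (basic_rates, supported_rates) from an IOS 'speed ...' line.
    Assumption: only explicit rate lists are handled; keyword forms such as
    'speed default' are rejected rather than guessed at."""
    tokens = line.split()
    if not tokens or tokens[0] != "speed":
        raise ValueError("not a speed line")
    basic, supported = set(), set()
    for tok in tokens[1:]:
        m = re.fullmatch(r"(basic-)?(\d+(?:\.\d+)?)", tok)
        if m is None:
            raise ValueError(f"unsupported speed token: {tok}")
        rate = float(m.group(2))
        supported.add(rate)
        if m.group(1):
            basic.add(rate)
    return basic, supported


def missing_basic_rates(client_rates, basic_rates):
    """Basic rates the client lacks; the AP refuses association if non-empty."""
    return sorted(basic_rates - client_rates)


def can_associate(client_rates, speed_line):
    """802.11 rule: every rate in the BSS basic rate set must be supported."""
    basic, _ = parse_speed_line(speed_line)
    return not missing_basic_rates(client_rates, basic)


if __name__ == "__main__":
    for name, line in (("857W", SPEED_857W), ("AP1242", SPEED_AP1242)):
        basic, _ = parse_speed_line(line)
        print(name, "b-only client:", "ok" if can_associate(B_ONLY_CLIENT, line)
              else f"refused, missing {missing_basic_rates(B_ONLY_CLIENT, basic)}")
```

lord_avon's 857W line keeps only the four 802.11b rates basic, so a b-only Squeezebox passes this check and the rejection seen in his debug output has to come from elsewhere (the WPA requirement). DVB's AP1242 line makes all twelve rates basic, which is a deliberate g-only policy: a b-only client is refused at association, and the same line would have to lose the `basic-` prefix on the OFDM rates (and the radio's preamble setting revisited, as DVB notes) before such a client could join.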

lord_avon
2008-03-10, 14:17
Well, I'm a lemon.

Yes, I have three squeezebox 1's....

The one I was thinking of was called 'SLIMP3'...

Time to sell the old ones, and buy a new one. Though it will only be the one sadly.

Thanks for all your help and patience, still, I learned a lot about wifi that the CCNA books/course never taught me :-)

Paul