Configure 1200 for Radius

dancampb Sat, 03/17/2007 - 08:42
User Badges:
  • Cisco Employee

You are not going to be able to configure the AP to strip the domain name. This is set by the client. Depending on the supplicant you are using you might be able to configure it to not include the domain name.

jeromehenry_2 Mon, 03/19/2007 - 03:51

Did you set up your IAS client? Typically, your AP will be known to the IAS as a client, using its IP address and a shared secret.

Then on the AP, you would identify the IAS as the RADIUS, and mention the same shared secret.

Is it what you did?


Kind regards


Jerome

Yes, that is what I did, and when I look at the server event logs, it gives the AP IP address and says "Guest" from the domain is trying to log in. On the PC, I enter the username, password and domain name, so I am not sure why it says "Guest" is trying to log in. I can post the config file, I think, if you like?

jeromehenry_2 Mon, 03/19/2007 - 14:42

Sorry, but I still don't really get your point when you talk about "PC" and guest.

The AP is known on the IAS as a client, so the AP is not authenticated. You should see the AP act as a relay, but it is not the one that should be authenticated.

It would be interesting to see your AP config, but also a screenshot of your IAS client config and policy config... do you think you could post these?


Tx

J

jeromehenry_2 Tue, 03/20/2007 - 02:26

Hi,


Got it, thanks.

AP config seems to be fine.

On IAS, the reason why the user is the AP is that you do not set a condition by which the user should be identified as belonging to a certain Windows group, so as the client is not identified, only the AP is seen.

What I don't clearly get is the criteria you try to set as condition; could you explain them please? From what I see, you use virtual, which is typically something I use to authenticate SSH sessions, and ^311$ which says to process Access-Request messages sent by RADIUS clients that are computers running the Microsoft Routing and Remote Access service... a bit confusing for me... so can you explain what condition you try to set?

Oh BTW, in your client config, the client vendor should be Cisco and not RADIUS Standard...


J

That's good to know that the AP config looks fine. I see what you are saying about the IAS policy, but I have left the IAS config "default" (as it is when I installed it). We have a Juniper firewall that worked with the IAS default config, so I thought the AP would too. Also, I used "user" instead of group in this policy and I am trying to use EAP/PEAP. So, I did make another IAS policy for "wireless" and in that policy, it does not have "virtual" or ^311$. I will now test this and report back. Thanks for all your help and patience!
