not able to use EAP with ACS 4.1

Unanswered Question
Nov 13th, 2007

I was trying to set up user authentication via EAP with an ACS server. What I did is just follow the configuration from this URL: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Please check my AP configuration:

ISDAP3#sh run
Building configuration...

Current configuration : 2437 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SEPISDAP3
!
!
ip subnet-zero
no ip domain lookup
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.17.15 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
 server 172.16.17.15
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid SEP1WLAN
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
!
!
username xxxxxx privilege 15 password xxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 ssid SEP1WLAN
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode wep mandatory
 !
 ssid SEP1WLAN
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 172.16.18.59 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.16.18.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.17.15 auth-port 1645 acct-port 1646 key sepwireless
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

After that I tested with "debug aaa authent" turned on on the AP, and I got these error messages:

*Mar 1 03:02:22.206: %DOT11-7-AUTH_FAILED: Station 0019.d29e.898c Authentication failed
*Mar 1 03:02:22.303: AAA/BIND(00000035): Bind i/f
*Mar 1 03:02:22.317: AAA/AUTHEN/PPP (00000035): Pick method list 'eap_methods'
SEPISDAP3#
SEPISDAP3#
*Mar 1 03:02:43.839: %DOT11-7-AUTH_FAILED: Station 0019.d29e.898c Authentication failed
*Mar 1 03:02:43.861: AAA/BIND(00000036): Bind i/f
*Mar 1 03:02:11.492: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.17.15:1645,1646 is not responding.
*Mar 1 03:02:11.492: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.17.15:1645,1646 has returned.

I am able to telnet to the ACS server from the AP, so there is no network reachability problem. Can someone guide me on how to resolve the problem?

Thanks

bbxie Wed, 11/14/2007 - 18:31

Try to check the logs of the RADIUS server for failed attempts, and the reasons those attempts failed. If there is no record, then there's a communication issue between ACS and the AP (check ACS's network configuration for the AAA client as shown in the book); if there is a record, check the related configuration accordingly, for example your global authentication setup, user/user group setup, client software config...
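The branching logic in this reply (no record at ACS versus a record) applied to the AP debug lines quoted in the question, as an added example that is not part of the thread: a small Python triage script (the parsing rules, the 60-second correlation window and the verdict codes are my assumptions) that correlates each AUTH_FAILED with a RADIUS_DEAD event to separate a server that never answered from a server that rejected the user.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the "debug aaa authentication" lines from the question,
# in the order the AP printed them (the AP clock is uptime-based, hence "*Mar 1").
SAMPLE_LOG = """\
*Mar 1 03:02:22.206: %DOT11-7-AUTH_FAILED: Station 0019.d29e.898c Authentication failed
*Mar 1 03:02:22.303: AAA/BIND(00000035): Bind i/f
*Mar 1 03:02:22.317: AAA/AUTHEN/PPP (00000035): Pick method list 'eap_methods'
*Mar 1 03:02:43.839: %DOT11-7-AUTH_FAILED: Station 0019.d29e.898c Authentication failed
*Mar 1 03:02:43.861: AAA/BIND(00000036): Bind i/f
*Mar 1 03:02:11.492: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.17.15:1645,1646 is not responding.
*Mar 1 03:02:11.492: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.17.15:1645,1646 has returned.
"""

# "*Mar 1 03:02:22.206: <message>"; the leading '*' marks a non-authoritative clock.
LINE_RE = re.compile(r"^\*?(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s+(.*)$")
FAILED_RE = re.compile(r"%DOT11-\d-AUTH_FAILED: Station ([0-9a-f.]+)")
DEAD_RE = re.compile(r"%RADIUS-\d-RADIUS_DEAD: RADIUS server (\S+) is not responding")

# Verdict codes (assumed names) and what to check next, following the reply above.
ADVICE = {
    "no_radius_response": "AP got no reply: verify the AP's AAA client entry (address and "
                          "shared secret) on ACS and the UDP 1645/1646 path; telnet only proves TCP",
    "radius_rejected": "ACS answered: read its failed-attempts log, then user/group/EAP settings",
}


def parse_events(text):
    """Return (timestamp, message) tuples. IOS uptime stamps carry no year, so strptime
    yields 1900; that is fine for relative comparisons inside one capture."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"), m.group(2)))
    return events


def triage(events, window_s=60):
    """Per station: count EAP failures and flag whether a RADIUS_DEAD event fell within
    window_s seconds of any failure (the server never answered the Access-Request)."""
    dead_times = [ts for ts, msg in events if DEAD_RE.search(msg)]
    report = defaultdict(lambda: {"failures": 0, "radius_dead": False})
    for ts, msg in events:
        m = FAILED_RE.search(msg)
        if not m:
            continue
        entry = report[m.group(1)]
        entry["failures"] += 1
        if any(abs((ts - d).total_seconds()) <= window_s for d in dead_times):
            entry["radius_dead"] = True
    for entry in report.values():
        entry["verdict"] = "no_radius_response" if entry["radius_dead"] else "radius_rejected"
        entry["advice"] = ADVICE[entry["verdict"]]
    return dict(report)
```

On the quoted capture the RADIUS_DEAD message precedes both failures by under a minute, so the script reports no_radius_response for station 0019.d29e.898c; a successful telnet to ACS does not exercise the UDP ports RADIUS uses, which is why the AAA client entry is the first thing to verify.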
