7921g Authentication using WLC Local EAP

aciscolook · ‎02-04-2008

Can anyone advise on how to use the Local EAP in WLC. I'm trying to set up EAP-FAST authentication for the 7921g phone without ACS. I have a Windows IAS available but I couldn't find support for PEAP in the 7921 even though the documentation mentions that it's possible.

Little confused about the following Settings:

On WLC:

WLAN layer 2 security - should this be WPA/WPA2, 802.1x, etc.

7921 Phone:

AKM or EAP-FAST?

Anything else need to be done? I've think I've tried a bunch of combinations of settings but can't get this to work. I've never been able to get any of the Local EAP stuff to work.

migilles · ‎02-04-2008

We just released version 1.1(1) for the 7921G phone, which contains PEAP(MS-CHAPv2) support.

EAP-FAST is not supported by IAS, but is supported by Cisco ACS and the WLAN controller's local EAP.

You can choose EAP-FAST on the phone side.

This mode can do WPA, WPA2, CCKM.

AKM mode will use LEAP for 802.1x for those authenticated key-management types (WPA, WPA2, CCKM).

AKM is primarily for WPA-PSK versions 1 and 2 as well as for WPA2 if using LEAP for 802.1x.

Also ensure you have increased the 802.1x timeout on the WLC.

Step 1 SSH or Telnet to the WLAN controller(s.)

Step 2 Type "config advanced eap request-timeout 20".

Step 3 Type "save config".

Step 4 Type "y" to confirm.

Were also some issues with local EAP in the early 4.1 WLAN controller code, so would ensure you are using 4.1.185.0 or later.

Ensure to use firmware 1.0(5) or late for the 7921G phone as well.

Michel.thebeau · ‎08-06-2008

Hi,

I'm with the department of education in New Brunswick, CA.

We currently have a large deployment province wide of access points (1130) with PEAP (MS-CHAPv2) configured for authentication. This was setup initially for laptops.

I now have a few 7921 IP phones that I want to roll out as a demonstration, but I can't seem to get them to talk PEAP on that same SSID the laptops are using.

We did get the phones working with pre-shared key configured on the access point, so I know that at least works. haha! But that was just a temporary setup.

Can you recommend some documentation that might help me resolve problems related to configurations for PEAP MS-CHAP?

Thanks muchly,

Michel

migilles · ‎08-06-2008

The 7921 currently does not do server validation, where a client cert is required. This will be in the next release 1.2(1). So ensure that your radius is not configured with "client certificate required". Other than that use the default settings when creating a profile and just check PEAP. Will also need to use version 1.1(1) of firmware for the 7921, which is the first version to support PEAP.

Michel.thebeau · ‎08-12-2008

Thank you. I have verified that:

- client certificate is not required

- version 1.1.1 is on the phone

- default settings are used for wlan profile, specifying PEAP and login information.

What I'm seeing is that the Access point does not report either a failure or success in the output for "show aaa servers" command. And the phone is not listed in the output for "show wlc wds mn". It seems as though the phone doesn't even try to get on the network.

migilles · ‎08-13-2008

From your comment about WDS, you are not using the WLAN controller but using autonomous Cisco IOS APs instead. Don't believe PEAP is supported with local radius. Try LEAP or EAP-FAST instead.

Michel.thebeau · ‎08-14-2008

I also setup my cisco profile with the service contracts for our department and opened SR 609330023. Ben Abrams responded.

He asked me for debug information from the access point which led to a configuration change on the access point, and it (peap authentication) is working now.

I believe the necessary change was

wlccp authentication-server client any my_method

instead of

wlccp authentication-server client eap my_method

)

I'm going revert and resolve the problem to be sure of which changes were necessary.

Thank you for your direction Michael.