Can anyone help with debugging authentication on a 1130 access point using 12.4(3g)JA?
Basically users are required to authenticate against a radius server, when connected to the SSID
'eduroam'. We are a large site with a lot of access points covering most of it. While all the access
points have pretty much the same configuration, two of them will not allow users to authenticate and
therefor will not pass traffic. The vlan assignments from the switch end appear to be ok.
The one I have picked for debugging is in a fairly isolated area, with no other wireless signals detected
with netstumbler. It is basic office space, so there should not be any other RF interference.
I've turned on a fair bit of debugging (see 'show debug' output below), however the logged messages
are fairly limited:
Apr 24 14:06:45 wapsumand 105675: Apr 24 13:06:44.871: AAA/BIND(00014F21): Bind i/f
Apr 24 14:07:15 wapsumand 105676: Apr 24 13:07:14.859: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed
Apr 24 14:07:15 wapsumand 105677: Apr 24 13:07:14.867: AAA/BIND(00014F22): Bind i/f
Apr 24 14:07:45 wapsumand 105678: Apr 24 13:07:44.866: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed
Apr 24 14:07:45 wapsumand 105679: Apr 24 13:07:44.875: AAA/BIND(00014F23): Bind i/f
Apr 24 14:07:59 wapsumand 105680: Apr 24 13:07:58.522: AAA/BIND(00014F24): Bind i/f
Apr 24 14:07:59 wapsumand 105681: Apr 24 13:07:59.209: %DOT11-7-AUTH_FAILED: Station 0018.de0d.893d Authentication failed
Apr 24 14:07:59 wapsumand 105682: Apr 24 13:07:59.237: AAA/BIND(00014F25): Bind i/f
Apr 24 14:08:00 wapsumand 105683: Apr 24 13:07:59.941: AAA/BIND(00014F26): Bind i/f
Apr 24 14:08:00 wapsumand 105684: Apr 24 13:08:00.638: AAA/BIND(00014F27): Bind i/f
Apr 24 14:08:15 wapsumand 105685: Apr 24 13:08:14.861: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed
Apr 24 14:08:15 wapsumand 105686: Apr 24 13:08:14.870: AAA/BIND(00014F28): Bind i/f
I expected to see more details of which radius server it is talking to, what is sent, what the
response is etc. The radius server itself is not logging much either. I have verified that there is
ping connectivity between the AP and server. Again, I've done the obvious and made sure the client
in question could authenticate using other APs.
The only difference I can see between these two faulty APs and the rest of the network is they are
much newer and previous APs are running IOS 12.3. I'm not aware of any major changes that would
cause these problems.
Can anyone see anything obviously wrong with the config, or suggest some more debugging options to
turn on, so I can really see what is going on?
The config is attached.
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
TACACS+ authentication debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
state machine debugging is on
process debugging is on
Mac Authentication debugging is on
Radius protocol debugging is on
Radius packet protocol (authentication) debugging is on
IEEE 802.11 events debugging is on