08-18-2008 07:23 AM - edited 07-03-2021 04:20 PM
This is my first attempt at wireless other than a static WEP key. I have set up my 1130 ag with a local RADIUS server, including groups, users and SSIDs. I am having trouble getting the access point to use the local RADIUS server. When I try to connect using EAP-FAST I get prompted for a user name and password, but no attempts are registered on the RADIUS server. Any help would be appreciated.
08-18-2008 09:06 AM
Give this doc a try... it shows you what you need to do step by step.
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37local.html
08-18-2008 09:49 AM
I tried following the steps in this doc and still receive an error on the client that the 802.1X authentication server is not available.
Here's a copy of my config:
Current configuration : 2085 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname APTEST5
!
enable secret xxx
!
aaa new-model
!
!
aaa group server radius rad_eap1
server 27.101.1.5 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods1 group rad_eap1
!
aaa session-id common
!
!
!
dot11 ssid jets
authentication open eap eap_methods1
authentication network-eap eap_methods1
!
power inline negotiation prestandard source
!
!
username Cisco password xxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers wep128
!
ssid jets
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server local
nas 27.101.1.5 key xxx
group giants
vlan 1
ssid jets
!
user jwalsh nthash xxx group giants
user rmerullo nthash xxx group giants
!
radius-server host 27.101.1.5 auth-port 1645 acct-port 1646 key xxx
radius-server deadtime 10
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
Thanks for any help
08-18-2008 10:20 AM
Try to change the ports to 1812 and 1813. Also, I don't see any EAP-FAST settings in your config.
Try to follow these commands:
08-18-2008 11:05 AM
I made the changes and am still unable to connect. New config:
Current configuration : 2276 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname APTEST5
!
enable secret xxx
!
aaa new-model
!
!
aaa group server radius rad_eap1
server 27.101.1.5 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods1 group rad_eap1
!
aaa session-id common
!
!
!
dot11 ssid jets
authentication open eap eap_methods1
authentication network-eap eap_methods1
!
power inline negotiation prestandard source
!
!
username Cisco password xxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers wep128
!
ssid jets
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server local
eapfast authority id FFEEDDCCBBAA998877665544332211FF
eapfast authority info pchtest
eapfast server-key primary 7 012D708B293D31F12E9736E1BB9841F70D
nas 27.101.1.5 key xxx
group giants
vlan 1
eapfast pac expiry 10 grace 2
ssid jets
!
user jwalsh nthash xxx group giants
user rmerullo nthash xxx group giants
!
radius-server host 27.101.1.5 auth-port 1812 acct-port 1813 key xxx
radius-server deadtime 10
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
Output from sh radius local-server statist
Successes              : 9     Unknown usernames      : 16
Client blocks          : 0     Invalid passwords      : 0
Unknown NAS            : 0     Invalid packet from NAS: 3
NAS : 27.101.1.5
Successes              : 9     Unknown usernames      : 16
Client blocks          : 0     Invalid passwords      : 0
Corrupted packet       : 0     Unknown RADIUS message : 0
No username attribute  : 0     Missing auth attribute : 0
Shared key mismatch    : 0     Invalid state attribute: 0
Unknown EAP message    : 0     Unknown EAP auth type  : 3
Auto provision success : 3     Auto provision failure : 0
PAC refresh            : 0     Invalid PAC received   : 1
Username     Successes  Failures  Blocks
jwalsh               9         0       0
rmerullo             0         0       0
Thanks for your help
08-18-2008 11:23 AM
What is the IP of this AP, and is 27.101.1.5 a different AP or is it this AP?
08-18-2008 11:24 AM
They are the same AP.
08-18-2008 11:27 AM
How come you didn't specify the IP address on the BVI interface?
08-18-2008 11:31 AM
Currently using DHCP to obtain the IP:
sh int
BVI1 is up, line protocol is up
Hardware is BVI, address is 001e.f7ef.03ee (bia 0022.550d.0cf0)
Internet address is 27.101.1.5/8
MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:47, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 8000 bits/sec, 1 packets/sec
56221 packets input, 3451946 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9292 packets output, 7925395 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
08-18-2008 11:38 AM
Just making sure... are you using WEP or EAP-FAST? You have WEP configured under the radio:
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers wep128
!
ssid jets
08-18-2008 11:42 AM
eapfast
08-23-2008 04:17 PM
Here is a config I have tried and it works. It uses WPA2 w/ EAP-FAST.
Username is test
Password is test
Building configuration...
Current configuration : 2451 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$yZcX$DaBLyWCS36.HI.2PQKe2c.
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.1.16 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool DHCP
network 192.168.1.0 255.255.255.0
lease 0 1
!
!
!
dot11 ssid TEST
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
!
power inline negotiation prestandard source
!
!
username Cisco password 7 123A0C041104
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid TEST
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption mode ciphers aes-ccm
!
ssid TEST
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.16 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication leap
no authentication mac
eapfast server-key primary 7 7D16E1C2234E3179E16134EA007DB5DAC0
eapfast server-key secondary 7 7D16E1C2234E3179E16134EA007DB5DAC0
nas 192.168.1.16 key 7 045958140D721F
group EAP
eapfast pac expiry 100 grace 2
reauthentication time 3600
!
user test nthash 7 091C6D2B4F5C434A535C510C7C7D7F111370325F445B5101000F0076565A4D450E group EAP
!
radius-server host 192.168.1.16 auth-port 1812 acct-port 1813 key 7 045958140D721F
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
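An added example, not part of any post in this thread: a small Python check that reports the security-relevant differences the replies raise between the second failing config and the working one (WEP cipher on an EAP SSID, no WPA key management, local RADIUS bound to a DHCP-assigned BVI address, no `ip radius source-interface`). The finding names and the `audit` function are hypothetical, the sample configs are trimmed from the thread with the type 7 key replaced by a constructed value, and the check does not establish which difference caused the original failure.

```python
import re

# Constructed samples: security-relevant lines trimmed from the thread's configs.
FAILING = """\
dot11 ssid jets
 authentication open eap eap_methods1
 authentication network-eap eap_methods1
interface Dot11Radio0
 encryption mode ciphers wep128
interface BVI1
 ip address dhcp client-id FastEthernet0
radius-server local
 nas 27.101.1.5 key xxx
"""
WORKING = """\
dot11 ssid TEST
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption mode ciphers aes-ccm
interface BVI1
 ip address 192.168.1.16 255.255.255.0
ip radius source-interface BVI1
radius-server local
 nas 192.168.1.16 key 7 0123456789AB
"""

def audit(config):
    """Return sorted finding names (hypothetical labels) for an autonomous-AP config."""
    lines = [l.strip() for l in config.splitlines()]
    has = lambda pattern: any(re.search(pattern, l) for l in lines)
    findings = set()
    if has(r"^encryption mode ciphers wep"):
        findings.add("wep-cipher")
    if has(r"^authentication (open |network-)eap") and not has(r"^authentication key-management wpa"):
        findings.add("eap-without-wpa-key-management")
    if has(r"^radius-server local"):
        # The nas/server entries pin an address; a DHCP lease can move it.
        if has(r"^ip address dhcp"):
            findings.add("local-radius-on-dhcp-address")
        if not has(r"^ip radius source-interface"):
            findings.add("no-radius-source-interface")
    # Type 7 strings are reversible obfuscation, so treat them as unredacted
    # when a config is about to be shared outside the team.
    if has(r"\b(key|password|nthash) 7 [0-9A-F]+"):
        findings.add("unredacted-type7-secret")
    return sorted(findings)
```
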