Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1097
Views
0
Helpful
11
Replies

1130ag access point as local authenticator

101pch382
Level 1
Level 1

‎08-18-2008 07:23 AM - edited ‎07-03-2021 04:20 PM

This is my first attempt at wireless other than static wep key. I have set my 1130 ag as having a local radius server, including groups, users and ssids. I am having trouble getting the access point to use the local radius server. When I try to connect using eap-fast I get prompted for a user name and password but no attempts are registered on the radius server. Any help would be appreciated.

Labels:
0 Helpful
11 Replies 11

Scott Fella
Hall of Fame
Hall of Fame

‎08-18-2008 09:06 AM

Give this doc a try... it shows you what you need to do step by step.

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37local.html

-Scott
*** Please rate helpful posts ***
0 Helpful

101pch382
Level 1
Level 1
In response to Scott Fella

‎08-18-2008 09:49 AM

I tried following the steps in this doc and still receive an error on the client that the 802.1x authentication server is not available

Heres a copy of my config

Current configuration : 2085 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname APTEST5

!

enable secret xxx

!

aaa new-model

!

!

aaa group server radius rad_eap1

server 27.101.1.5 auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods1 group rad_eap1

!

aaa session-id common

!

!

!

dot11 ssid jets

authentication open eap eap_methods1

authentication network-eap eap_methods1

!

power inline negotiation prestandard source

!

!

username Cisco password xxx

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers wep128

!

ssid jets

!

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

dfs band 3 block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address dhcp client-id FastEthernet0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

radius-server local

nas 27.101.1.5 key xxx

group giants

vlan 1

ssid jets

!

user jwalsh nthash xxx group giants

user rmerullo nthash xxx group giants

!

radius-server host 27.101.1.5 auth-port 1645 acct-port 1646 key xxx

radius-server deadtime 10

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

!

end

Thanks for any help

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to 101pch382

‎08-18-2008 10:20 AM

Try to change the port to 1812 and 1813. Also I don't see any EAP-Fast settings on your config?

Try to follow these commands:

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37local.html#wp1050270

-Scott
*** Please rate helpful posts ***
0 Helpful

101pch382
Level 1
Level 1
In response to Scott Fella

‎08-18-2008 11:05 AM

I made the changes and still am unable to connect new config

Current configuration : 2276 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname APTEST5

!

enable secret xxx

!

aaa new-model

!

!

aaa group server radius rad_eap1

server 27.101.1.5 auth-port 1812 acct-port 1813

!

aaa authentication login eap_methods1 group rad_eap1

!

aaa session-id common

!

!

!

dot11 ssid jets

authentication open eap eap_methods1

authentication network-eap eap_methods1

!

power inline negotiation prestandard source

!

!

username Cisco password xxx

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers wep128

!

ssid jets

!

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

dfs band 3 block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address dhcp client-id FastEthernet0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

radius-server local

eapfast authority id FFEEDDCCBBAA998877665544332211FF

eapfast authority info pchtest

eapfast server-key primary 7 012D708B293D31F12E9736E1BB9841F70D

nas 27.101.1.5 key xxx

group giants

vlan 1

eapfast pac expiry 10 grace 2

ssid jets

!

user jwalsh nthash xxx group giants

user rmerullo nthash xxx group giants

!

radius-server host 27.101.1.5 auth-port 1812 acct-port 1813 key xxx

radius-server deadtime 10

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

!

end

Output from sh radius local-server statist

Successes : 9 Unknown usernames : 16

Client blocks : 0 Invalid passwords : 0

Unknown NAS : 0 Invalid packet from NAS: 3

NAS : 27.101.1.5

Successes : 9 Unknown usernames : 16

Client blocks : 0 Invalid passwords : 0

Corrupted packet : 0 Unknown RADIUS message : 0

No username attribute : 0 Missing auth attribute : 0

Shared key mismatch : 0 Invalid state attribute: 0

Unknown EAP message : 0 Unknown EAP auth type : 3

Auto provision success : 3 Auto provision failure : 0

PAC refresh : 0 Invalid PAC received : 1

Username Successes Failures Blocks

jwalsh 9 0 0

rmerullo 0 0 0

Thanks for your help

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to 101pch382

‎08-18-2008 11:23 AM

What is the ip of this ap and is 27.101.1.5 a different ap or is it this ap?

-Scott
*** Please rate helpful posts ***
0 Helpful

101pch382
Level 1
Level 1
In response to Scott Fella

‎08-18-2008 11:24 AM

they are the same ap

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to 101pch382

‎08-18-2008 11:27 AM

How come you didn't specify the ip address on BVI interface?

-Scott
*** Please rate helpful posts ***
0 Helpful

101pch382
Level 1
Level 1
In response to Scott Fella

‎08-18-2008 11:31 AM

currently using dhcp to obtain ip

sh int

BVI1 is up, line protocol is up

Hardware is BVI, address is 001e.f7ef.03ee (bia 0022.550d.0cf0)

Internet address is 27.101.1.5/8

MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:47, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

5 minute input rate 1000 bits/sec, 2 packets/sec

5 minute output rate 8000 bits/sec, 1 packets/sec

56221 packets input, 3451946 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

9292 packets output, 7925395 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to 101pch382

‎08-18-2008 11:38 AM

Just making sure.... now are you using wep or eap-fast, because you have wep configured under the radio:

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers wep128

!

ssid jets

-Scott
*** Please rate helpful posts ***
0 Helpful

101pch382
Level 1
Level 1
In response to Scott Fella

‎08-18-2008 11:42 AM

eapfast

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to 101pch382

‎08-23-2008 04:17 PM

Here is a config I have tried and it works. It uses WPA2 w/ EAP-FAST.

Username is test

Password is test

Building configuration...

Current configuration : 2451 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

enable secret 5 $1$yZcX$DaBLyWCS36.HI.2PQKe2c.

!

aaa new-model

!

!

aaa group server radius rad_eap

server 192.168.1.16 auth-port 1812 acct-port 1813

!

aaa authentication login eap_methods group rad_eap

!

aaa session-id common

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.99

!

ip dhcp pool DHCP

network 192.168.1.0 255.255.255.0

lease 0 1

!

!

!

dot11 ssid TEST

authentication open eap eap_methods

authentication network-eap eap_methods

authentication key-management wpa version 2

!

power inline negotiation prestandard source

!

!

username Cisco password 7 123A0C041104

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers aes-ccm

!

ssid TEST

!

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

!

encryption mode ciphers aes-ccm

!

ssid TEST

!

dfs band 3 block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 192.168.1.16 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

radius-server local

no authentication leap

no authentication mac

eapfast server-key primary 7 7D16E1C2234E3179E16134EA007DB5DAC0

eapfast server-key secondary 7 7D16E1C2234E3179E16134EA007DB5DAC0

nas 192.168.1.16 key 7 045958140D721F

group EAP

eapfast pac expiry 100 grace 2

reauthentication time 3600

!

user test nthash 7 091C6D2B4F5C434A535C510C7C7D7F111370325F445B5101000F0076565A4D450E group EAP

!

radius-server host 192.168.1.16 auth-port 1812 acct-port 1813 key 7 045958140D721F

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

!

end

-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card