Help with configuring AP-1240AG as local authenticator for EAP-FAST client

Aug 13th, 2010

Hi,


I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:


dot11 lab_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid


radius-server local
  eapfast authority id 0102030405060708090A0B0C0D0E0F10
  eapfast authority info lab
  eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
  user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05


Here is the Windows XP client configuration:


Authentication: Open
Encryption: WEP
Disable Cisco CCXv4 improvements
Username: georges
Password: georges


Results: The 'show radius local-server statistics' command does not show any activity for the user georges, and the debug messages show the following:


*Mar  4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar  4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar  4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
*Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: ssid              [263] 19
*Mar  4 01:16:56.701: RADIUS:    [lab_test]
*Mar  4 01:16:56.701: RADIUS:   65                                               [e]
*Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: interface         [156] 4
*Mar  4 01:16:56.701: RADIUS:   38 32                                            [82]
*Mar  4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
*Mar  4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
*Mar  4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
*Mar  4 01:16:56.702: RADIUS(00001F5C): sending
*Mar  4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
*Mar  4 01:16:56.702: RADIUS/DECODE: parse response; FAIL


It seems that the RADIUS packet the AP receives is not what is expected. I do not know if the problem is with the client or with the AP configuration. I have tried many things but am running out of ideas. Any suggestions would be welcome.


Thanks

Stephen Rodriguez Fri, 08/13/2010 - 11:02

It would be helpful to have the full config of the AP, there are some settings that would need to be verified that are not currently shown.


That being said, if the SSID you are using is for client access, you need to remove the infrastructure-ssid command from under the dot11 ssid. The infrastructure command is for when you are using the AP to bridge.

Steph1963 Fri, 08/13/2010 - 13:40

Hi Stephen,


I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.


Thanks for your help

Stephane


Here is the complete configuration:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Lab
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 lab_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
!
power inline negotiation prestandard source
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid lab_test
 !
 traffic-metrics aggregate-report
 speed basic-54.0
 no power client local
 channel 2462
 station-role root
 antenna receive right
 antenna transmit right
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 channel dfs
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 10.5.104.22 255.255.255.0
!
ip default-gateway 10.5.104.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
  eapfast authority id 000102030405060708090A0B0C0D0E0F
  eapfast authority info LAB
  eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
  user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Scott Pickles Wed, 09/29/2010 - 12:01

Under your group for rad_eap, you have not defined any servers.  You also have to define the AP itself as a radius server:


radius-server host 10.5.104.22 auth-port 1812 acct-port 1813


Try that for starters.  I still haven't gotten it to work either, but my problem just says 'Authentication Failed'.  The IOS config guide for 12.4(10b) is what I'm using.


Regards,
Scott

wackerk24 Wed, 09/29/2010 - 12:15

Here are the sections that are relevant and you are missing some config:


**Basic AAA config: (Be sure to identify your AP as the server IP)


aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.119 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common


**Basic SSID Config: (Be sure to use authentication open eap eap_methods and authentication network-eap eap_methods.) I see you have that part.


dot11 ssid Auto4
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2


**Radius Config: (eapfast server-key is optional; you have to define your AP as the server with the "nas" command; finally, you will need the "radius-server host" command shown below to tell your AP that it's the radius server to use for authentication, and be sure to specify your shared secret key at the end: the same key you used for the "nas" command.)


radius-server local
  eapfast server-key primary 7 387E5580E2DA618AF856E40E63D41324E2
  nas 10.10.10.119 key 7 110A1016141D
  user cisco nthash 7 1350344A5B5C227B78057B10107A452232515402097C77002B544B45087D0E7200
!
radius-server host 10.10.10.119 auth-port 1812 acct-port 1813 key 7 05080F1C2243
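As an added illustration (not code from this thread or from Cisco), the following Python script checks a pasted IOS config for the gaps the replies from Stephen Rodriguez, Scott Pickles and wackerk24 identify: a RADIUS group with no server, no radius-server host and nas entry for the AP's own address, infrastructure-ssid on a client SSID, and no WPA key management. The embedded config is a constructed excerpt modelled on Stephane's, with secrets replaced by placeholders.

```python
import re

# Constructed sample modelled on the config posted in this thread
# (indentation restored; secrets replaced by placeholders).
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
aaa authentication login eap_methods group rad_eap
dot11 ssid lab_test
   authentication open eap eap_methods
   infrastructure-ssid
interface BVI1
 ip address 10.5.104.22 255.255.255.0
radius-server local
  user georges nthash 7 NTHASH-PLACEHOLDER
"""

def parse_blocks(text):
    """Map each unindented IOS line (block header) to its indented sub-lines."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return dict(blocks)

def lint_local_authenticator(text):
    """Return the gaps the replies in this thread point at, one string each."""
    blocks = parse_blocks(text)
    findings = []
    for header, kids in blocks.items():
        if m := re.match(r"aaa authentication login \S+ group (\S+)", header):
            group = blocks.get(f"aaa group server radius {m.group(1)}")
            if not group or not any(k.startswith("server ") for k in group):
                findings.append(f"radius group {m.group(1)} lists no server")
        elif header.startswith("dot11 ssid"):
            if "infrastructure-ssid" in kids:
                findings.append(f"{header}: infrastructure-ssid is for bridging, not client access")
            if not any(k.startswith("authentication key-management wpa") for k in kids):
                findings.append(f"{header}: no WPA key management configured")
        elif header.startswith("interface BVI"):
            ip = next((k.split()[2] for k in kids if k.startswith("ip address ")), None)
            if ip and not any(h.startswith(f"radius-server host {ip} ") for h in blocks):
                findings.append(f"no 'radius-server host {ip} ... key' pointing at the AP itself")
    if not any(k.startswith("nas ") for k in blocks.get("radius-server local", [])):
        findings.append("radius-server local: no 'nas <ap-ip> key' entry")
    return findings
```

Running it on the sample reports all five gaps; applying the additions from the replies above (a server line in rad_eap, key-management instead of infrastructure-ssid, a nas entry and a radius-server host line for 10.5.104.22) brings the list down to empty.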

Scott Pickles Wed, 09/29/2010 - 19:11

After a day of consulting the documentation and the 'net, I have finally landed on a working config for an autonomous AP as the local authenticator for EAP-FAST.  For the good of the community, I am posting my full working config.  Keep in mind, it's for a 1252, so if you apply it to an AP with a FastEthernet interface or a different version of IOS, it may not support some parts of the config.  The version of IOS I am using is 12.4(10b), and I chose to restrict local authentications to EAP-FAST only (i.e. turned off MAC and LEAP).  The shared key for the radius server is '12345' and the username eapfast has a password of 'eapfast'.  When I generated the PAC file, I also chose to encrypt it with the password 'eapfast'.  You generate PAC files from the privileged exec mode, NOT config mode, using the command 'radius local-server pac-generate'.  A full example is included in the IOS config guide, and might look something like this:


ap#radius local-server pac-generate username tftp://172.1.1.1/test/username.pac password theuserpassword expiry 5


I would not recommend skipping this portion as there is a security risk in using phase 0 auto-provisioning.  The AP also provides DHCP services, and the local network is 192.168.1.0 /24.  The SSID is encrypted with WPA2, is broadcast, and the SSID name is 'EAP-FAST'.  The attached text file shows the config first, followed by a 'show ip dhcp bindings' to show the IP address of the client (provided to the client by the AP), and a debug output of the successful authentication.  If you have any questions or comments, don't hesitate to ask.


Regards,
Scott

Steph1963 Thu, 09/30/2010 - 13:58

Thanks a lot for your answers.


Not being really familiar with EAP-FAST network authentication, could you please give me a little more info about the NAS command and the PAC file?


1) Is the RADIUS shared key defined by the NAS command, and why would the AP need a shared key if it acts as the local authenticator?


2) Could you please confirm that the user defined under radius-server local is used when the client uses MS-CHAPv2?


My original understanding of EAP-FAST networks was that a certificate was not required when MS-CHAPv2 is used (I might be totally wrong here). Could you please tell me whether the PAC must absolutely be transferred to the client PC if we want to connect a client to the AP?


CCXv4 also seems to require a certificate; can we use the PAC file as the certificate as well?


Thanks again for all your help

Stephane

Scott Pickles Thu, 09/30/2010 - 16:38

Stephane -


1.  When we talk about Extensible Authentication Protocol, usually the APs act as authenticators and have to be added to the RADIUS server as trusted agents.  How do we know they are trusted?  It's important to maintain the chain of custody in an authentication process.  What prevents someone from setting up their own RADIUS server with the same IP address and having requests from legitimate users get forwarded to your RADIUS server?  This is what the pre-shared key does for you.  If the RADIUS server and the AP are not configured with each other's mutual IP addresses and the matching pre-shared key, then the relationship is not valid and requests will be dropped.  So the theory and practice do not change, despite the fact that authentication is occurring locally on the AP.  It's weird, but it's correct.  You can try without the key to see if it works, but the IOS configuration guide for version 12.4(10b) indicates that you should use the pre-shared key and I would recommend you continue to do so.


2.  Yes, the user defined locally on the AP is what is used when authenticating via MS-CHAPv2.  I know that seems strange since it's a Microsoft protocol, but that is part of the reason why this method is called EAP-FAST, with the 'F' of course standing for 'Flexible'.  You can set the AP up to support this EAP method, yet use one of three different ways to authenticate the user on phase 2, which is the inner tunnel.


As for the PAC file, it is necessary no matter what method you use to eventually authenticate the user (certificate, token, user/pass).  The reason for the PAC file is to accomplish phase 1, where an outer tunnel is created using the PAC.  The purpose of the outer tunnel is to secure the passage of the authentication method through the inner tunnel (phase 2).  You do not HAVE to manually install the PAC file on each computer, which is one of the reasons Cisco markets EAP-FAST as so easy to deploy, scalable, and not requiring a certificate on the end device.  What they don't tell you is that the process of auto-provisioning PACs (phase 0) is subject to MITM attacks and can compromise the security of the outer tunnel.  Compromise that, and you can now gain access to the credentials passed through the tunnel in phase 2.  George Ou has a good breakdown of EAP-FAST here:


http://articles.techrepublic.com.com/5100-10878_11-6148557.html


You can mark the question 'Answered' when you're finished, assuming my comments have done just that.


Regards,
Scott
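Scott's answer to question 1 above is about why the AP still needs a shared secret even though it is its own RADIUS server. The following added example (not code from this thread or from Cisco) reproduces the two checks that secret feeds in RADIUS: the Message-Authenticator on an Access-Request carrying EAP (RFC 3579) and the Response Authenticator on the reply (RFC 2865). The secret '12345' and user 'eapfast' are the values from Scott's working config; the packet contents are constructed, and a mismatched secret on either side makes the corresponding check fail.

```python
import hashlib, hmac, os, struct

def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def access_request(ident, secret, attrs):
    """NAS side: random Request Authenticator plus a Message-Authenticator (type 80,
    RFC 3579) keyed with the shared secret; required whenever EAP-Message is carried."""
    req_auth = os.urandom(16)
    def packet(mac):
        body = build_attrs(attrs + [(80, mac)])
        return struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    return packet(hmac.new(secret, packet(bytes(16)), hashlib.md5).digest())

def verify_request(request, secret):
    """Server side: recompute the Message-Authenticator with its value zeroed; a NAS
    without this secret (no matching 'nas' entry on the AP) fails here."""
    pos = 20
    while pos < len(request):
        attr_type, length = request[pos], request[pos + 1]
        if attr_type == 80:
            sent = request[pos + 2:pos + length]
            zeroed = request[:pos + 2] + bytes(16) + request[pos + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(sent, expected)
        pos += length
    return False

def access_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """NAS side: the reply only validates against this NAS's secret and the Request
    Authenticator it sent, so a reply from a server without the secret is dropped."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def exchange(nas_secret=b"12345", server_secret=b"12345"):
    """One constructed Access-Request/Access-Accept round trip carrying EAP; returns
    (request accepted by the server, response accepted by the NAS)."""
    eap_identity = b"\x02\x01\x00\x0c\x01eapfast"  # EAP Response/Identity "eapfast"
    req = access_request(7, nas_secret, [(1, b"eapfast"), (79, eap_identity)])
    resp = access_response(2, req, server_secret, [(79, b"\x03\x01\x00\x04")])  # EAP Success
    return verify_request(req, server_secret), verify_response(resp, req, nas_secret)
```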
