09-09-2010 02:16 PM - edited 07-03-2021 07:09 PM
Hi,
I am trying to configure a Windows XP Service Pack 3 wireless client for PEAP authentication to a Cisco 1242 and I cannot get my client talking to the AP. I always have the following debug output:
dot11_auth_parse_client_pak: Received EAPOL packet from 00 12 XX XX XX
dot11_auth_parse_client_pak: no client found
I am using a FreeRADIUS server with a Windows XP client configured to not validate the certificate. I have imported the ca.der self-signed certificate generated by FreeRADIUS.
Thanks for your help
Stephane
09-09-2010 05:53 PM
Can you post your config of the AP?
Also did you choose both "network eap and open eap" ?
Cisco clients—Use Network-EAP.
Third party clients (include CCX compliant products)—Use Open with EAP.
A combination of both Cisco and third party clients—Choose both Network-EAP and Open with EAP.
09-13-2010 08:06 AM
Hi,
I just posted the config of this AP; here is the latest debug message that I could gather.
* dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx
*dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds
* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0012.f078.xxxx
*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx
*%DOT11-7-AUTH_FAILED: Station 0012.f078.xxxx Authentication failed
*dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx
*dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds
* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0012.f078.xxxx
* dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx
* dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds
* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0012.f078.xxxx
*dot11_auth_dot1x_send_response_to_server: Sending client 0012.f078.xxxx data to server
* dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
* RADIUS/ENCODE(0000001A):Orig. component type = DOT11
*RADIUS: AAA Unsupported Attr: ssid [263] 14
*RADIUS: 4D 6F 6E 6F 6E 63 6C 65 5F 53 74 65 [test]
*RADIUS: AAA Unsupported Attr: interface [156] 3
RADIUS: 32 [2]
RADIUS(0000001A): Storing nasport 281 in rad_db
RADIUS(0000001A): Config NAS IP: 10.5.104.22
RADIUS/ENCODE(0000001A): acct_session_id: 26
RADIUS(0000001A): sending
RADIUS/DECODE: parse response no app start; FAIL
RADIUS/DECODE: parse response; FAIL
dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0012.f078.xxxx
dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0012.f078.xxxx
dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx
*dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx
dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds
Thanks for your help
Stephane
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode wep mandatory
!
ssid test
!
traffic-metrics aggregate-report
speed basic-54.0
no power client local
channel 2462
station-role root
antenna receive right
antenna transmit right
no dot11 extension aironet
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface BVI1
ip address X.X.X.X 255.255.255.0
no ip route-cache
!
ip default-gateway X.X.X.X
!
radius-server local
no authentication eapfast
no authentication leap
no authentication mac
!
radius-server host X.X.X.X auth-port 1812 acct-port 1813 key 7 121A0C041104
09-13-2010 03:29 PM
This is telling "*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx"
Look in your radius server for a failure log. There should be a "reason" next to the failure. It will say like "client locked out", "bad EAP", "client timed out".
I would again just double check the cert, make sure it's installed. Also, if you are using an Intel client, look under the troubleshoot drop down. Sometimes the Intel client will reveal interesting information.
09-13-2010 03:35 PM
Also one other thing ... ensure the secret between the AP and the RAD is correct and also make sure the client logon and password is correct ...
09-15-2010 07:22 AM
Hi,
I found the problem, I have initially used the GUI to configure the AP and there was no IP address for the radius server under aaa group server radius rad_eap.
The configuration should be as follows:
aaa group server radius rad_eap
server 192.168.0.85 auth-port 1812 acct-port 1813
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
radius-server host 192.168.0.85 auth-port 1812 acct-port 1813 key 7 121A0C041104
In case your RADIUS does not rely on Active Directory, you can configure a user as follows:
username1 Cleartext-Password := "user-password1", MS-CHAP-Use-NTLM-Auth := 0
Thanks for your help
Stéphane
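The fault found in this thread, an "aaa group server radius" group with no "server" line behind the SSID's EAP method list, can be caught by a static check of the AP config before deployment. This is an added example, not part of the original posts and not Cisco tooling; the function name lint_eap, the sample configs and the REDACTED key are constructed for illustration, and the parser assumes the flattened, unindented layout in which the config was posted above.

```python
import re

# Constructed sample: AAA/SSID lines of the AP config posted in the thread.
BROKEN = """\
aaa group server radius rad_eap
aaa authentication login eap_methods group rad_eap
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
radius-server host 192.168.0.85 auth-port 1812 acct-port 1813 key 7 REDACTED
"""
# The same config with the server line from the final post added to rad_eap.
FIXED = BROKEN.replace("rad_eap\n", "rad_eap\nserver 192.168.0.85 auth-port 1812 acct-port 1813\n", 1)

def lint_eap(config):  # findings for SSIDs whose EAP path reaches no RADIUS server
    groups, methods, ssids, hosts = {}, {}, {}, set()
    group = ssid = None  # section the parser is currently inside
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"aaa group server radius (\S+)", line):
            group, ssid = m.group(1), None
            groups[group] = []
        elif (m := re.match(r"server (\S+)", line)) and group:
            groups[group].append(m.group(1))
        elif m := re.match(r"dot11 ssid (\S+)", line):
            group, ssid = None, m.group(1)
            ssids[ssid] = set()
        elif (m := re.match(r"authentication (?:open eap|network-eap) (\S+)", line)) and ssid:
            ssids[ssid].add(m.group(1))
        elif line == "!" or line.startswith(("aaa ", "interface ", "radius-server ")):
            group = ssid = None  # any other top-level command closes the section
            if m := re.match(r"aaa authentication login (\S+) (.+)", line):
                methods[m.group(1)] = re.findall(r"group (\S+)", m.group(2))
            elif m := re.match(r"radius-server host (\S+)", line):
                hosts.add(m.group(1))
    findings = []
    for name, lists in sorted(ssids.items()):
        for lst in sorted(lists):
            if lst not in methods:
                findings.append(f"ssid {name}: method list {lst} is not defined")
            for g in methods.get(lst, []):
                # "group radius" is the built-in group of all radius-server hosts
                servers = sorted(hosts) if g == "radius" else groups.get(g, [])
                if not servers:
                    findings.append(f"ssid {name}: group {g} (via {lst}) has no server")
                findings += [f"ssid {name}: {s} in group {g} has no radius-server host"
                             for s in servers if s not in hosts]
    return findings

if __name__ == "__main__":
    print("broken:", lint_eap(BROKEN), "fixed:", lint_eap(FIXED))
```

An empty result means every EAP-enabled SSID resolves through its method list to at least one server that also has a radius-server host entry carrying the shared key.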