Cannot connect Windows clients to a WDS/local-RADIUS set-up. Error: "Station 8853.xxxx.xxxx Authentication failed"

Unanswered Question
Jul 9th, 2012

tl;dr: Cannot connect Windows clients to a WDS/local-RADIUS set-up. Error: "Station 8853.xxxx.xxxx Authentication failed"

Hello all!

Got one for y'all. It involves WDS, RADIUS on the AP, and a tech who's ready to jump off a building...

I got four LAP1131AGs and converted them to autonomous APs. Now I am trying to set them up to cover two floors of a building for a small Co. I am setting them up like this:

Internet -- Modem -- Router -- 3560-24 -- 3560-8 PoE - AP1, AP2, AP3, AP4

AP4 (192.168.1.10) contains the WDS, the local RADIUS, and is NOT connected to itself via the SWAN Infrastructure. I have followed the instructions found at

http://www.cisco.com/en/US/products/hw/wireless/ps458/products_configuration_example09186a008059a559.shtml and

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/configuration/guide/s38roamg.html and

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml

to the letter and have been absolutely unable to connect any of the Co.'s (or my own) Windows computers to the other three APs, which are set up on the SWAN. The error that I get on the APs is:

"Station 8853.xxxx.xxxx Authentication failed"

Here's the fun bit: the WDS AP sees the other APs and auths them no problem. I just can't connect a single other non-infrastructure device to them. I've tried every combination of authentication/open/shared that I can think of; nothing works if I want to do WDS. (Non-WDS WPA2-PSK as well as just open work just fine.)

Following are the setups for the WDS AP (192.168.1.10) as well as one of the regular APs. (Users/passwords/auth keys stripped; trust me, all the infrastructure users match.)

Thank you!!

-----

!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname AP4
!
logging rate-limit console 9
enable secret 5 <<>>
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.10 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 server 192.168.1.10 auth-port 1812 acct-port 1813
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius Infrastructure
 server 192.168.1.10 auth-port 1812 acct-port 1813
!
aaa group server radius Clients
 server 192.168.1.10 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_Infrastructure group Infrastructure
aaa authentication login method_Clients group Clients
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name kompass
!
!
dot11 syslog
!
crypto pki trustpoint TP-self-signed-201383056
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-201383056
 revocation-check none
 rsakeypair TP-self-signed-201383056
!
!
crypto pki certificate chain TP-self-signed-201383056
 certificate self-signed 01
<<cert>>
username user password 7 <<>>
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 1 mode wep mandatory
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 1 mode wep mandatory
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.10 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  no authentication eapfast
  no authentication mac
  nas 192.168.1.10 key 7 <<>>
  user infra nthash 7 <<>>
  user user nthash 7 <<>>
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key 7 <<>>
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client eap method_Clients
wlccp authentication-server client leap method_Clients
wlccp authentication-server client any method_Clients
wlccp wds priority 254 interface BVI1
!
line con 0
line vty 0 4
!
sntp server 192.168.1.1
sntp broadcast client
end

----

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
logging rate-limit console 9
enable secret 5 <<>>
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.10 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 server 192.168.1.10 auth-port 1812 acct-port 1813
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
!
aaa group server radius Infrastructure
!
aaa group server radius Users
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login method_Infrastructure group Infrastructure
aaa authentication login method_Users group Users
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
ip domain name kompass
!
!
dot11 syslog
dot11 vlan-name VLAN1 vlan 1
!
dot11 ssid zvezda2
   vlan 1
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   no ids mfp client
!
!
crypto pki trustpoint TP-self-signed-1419208580
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1419208580
 revocation-check none
 rsakeypair TP-self-signed-1419208580
!
!
crypto pki certificate chain TP-self-signed-1419208580
 certificate self-signed 01
<<cert>>
username user password 7 <<>>
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 key 2 size 128bit 7 <<>> transmit-key
 encryption vlan 1 mode wep mandatory 
 !
 ssid zvezda2
 !
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1 key 2 size 128bit 7 <<>> transmit-key
 encryption vlan 1 mode wep mandatory 
 !
 ssid zvezda2
 !
 dfs band 3 block
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.7 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
radius-server local
  no authentication eapfast
  no authentication mac
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key 7 <<>>
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp ap username infra password 7 <<>>
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client any method_Users
!
line con 0
line vty 0 4
!
sntp server 192.168.1.1
sntp broadcast client
end
Amjad Abdullah Mon, 07/09/2012 - 01:46

Well, this is interesting,

Let me tell you a couple of things I noticed:

- Are you using LEAP as the EAP method? Some config examples illustrate configuring LEAP with WEP keys. Forget this and use WPA2-AES.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c40b6.shtml

- In some AP configurations (AP1, for example) I can see this:

wlccp authentication-server client any method_Users


This means that the wlccp client authentication will use the method called method_Users. Let us see what is configured with this method:

aaa authentication login method_Users group Users

This shows us that the method method_Users uses the server group named Users.

Let us see what is configured with the group Users:

aaa group server radius Users
!

NOTHING!! It is empty!! So when a client tries to connect, it will try to authenticate it against the RADIUS server, but the RADIUS server group that it needs to check is empty.

So I think you need to either use, in the wlccp statement, the correct method under which the server is configured, or configure method_Users with a correct user group that contains a server.

Check and let me know if that works.

Regards,

Amjad

hrusha2002 Sun, 07/22/2012 - 17:02

Ok let me see if I can go point-by-point:

1) I am using LEAP to try and stay true to the guide. I have attempted to use WPA2 (Cipher: AES-CCMP with Mandatory WPAv2).

2) I attempted to create a group for the users under the RADIUS server and put the users into that group. I also named the group under aaa the same thing. I am still getting the same issues.

What is bugging me is that I am following the examples to the T, and I am not getting anything to work.

Any more ideas? (and thanks for the try Amjad!)

I am willing to try and config or debug to try and get this working.

Thanks!

Amjad Abdullah Sun, 07/22/2012 - 23:33

I am sorry that it did not work.

Well, can you please try to collect some debugs:

AP#debug dot11 aaa authenticator all

AP#debug aaa authentication

AP#debug radius local-server
AP#debug radius

I hope that will show us something useful about why the fail happens.

Regards,

Amjad

Amjad Abdullah Tue, 07/24/2012 - 08:56

I tried to do the same implementation today. The Cisco example is actually a bit unclear. I tried to follow it and it did not work.

I noticed something now: you need to add the infrastructure AP as a NAS device under the local RADIUS config.

You already have:

nas 192.168.1.10 key 7 

You need to add also the infrastructure AP IP address as NAS:

nas 192.168.1.7 key 7 

I think this is your only issue.

HTH

Amjad

Posted July 9, 2012 at 12:16 AM