Aironet 1600 and RADIUS EAP-TTLS

Feb 19th, 2014

Hello,

I'm trying to configure WLAN authorization with RADIUS (EAP-TTLS) on my Cisco Aironet 1600.

The datasheet (http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1600-series/data_sheet_c78-715702.html) says that this model can handle this.

Sadly I can't configure it... Could anybody help me with that case?


My config is:

Current configuration : 4013 bytes
!
! Last configuration change at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$BPWA$C5uySGSrxxkQzUodYDhXq/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
!
!
!
dot11 syslog
dot11 vlan-name TP_VLAN vlan 50
!
dot11 ssid TEST
   vlan 2
   authentication open eap eap_methods1
   authentication shared eap eap_methods1
   authentication network-eap eap_methods1
   dot1x eap profile eapttls
   mbssid guest-mode
!
!
eap profile eapttls
!
crypto pki token default removal timeout 0
!
!
dot1x test timeout 3
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 50 mode ciphers aes-ccm tkip
 !
 ssid TEST
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 channel 2472
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 spanning-disabled
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption vlan 50 mode ciphers aes-ccm tkip
 !
 ssid TEST
 !
 antenna gain 0
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 spanning-disabled
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 spanning-disabled
 no bridge-group 50 source-learning
!
interface BVI1
 ip address 192.168.55.19 255.255.255.0
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 172.20.0.2
ip route 0.0.0.0 0.0.0.0 172.22.0.1
ip radius source-interface BVI1
!
radius-server local
  no authentication mac
  nas 192.168.55.22 key 7 131112011F5D5679
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.55.22 auth-port 1812 acct-port 1813 key 7 044F0E151B701E1D
radius-server vsa send accounting
!
bridge 1 route ip
!
!
wlccp ap eap profile eapttls
!
line con 0
line vty 0 4
 password 7 072C285F4D06
 authorization exec local
 transport input all
!
end


Thank you in advance,

Pawel
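Two consistency checks worth running over an autonomous-AP config like the one posted above, as an added Python example (not from the post, and not a Cisco tool): it flags an `eap profile` that has no `method` line, and an SSID whose VLAN has no matching `encryption vlan` entry on the radio interface that carries it. The embedded excerpt is condensed from the posted config, with interface children re-indented the way IOS prints them.

```python
import re

# Condensed excerpt of the running config from the post (constructed; the
# interface children are indented as IOS prints them, '!' lines included).
CONFIG = """\
dot11 ssid TEST
   vlan 2
   authentication open eap eap_methods1
   dot1x eap profile eapttls
!
eap profile eapttls
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 50 mode ciphers aes-ccm tkip
 !
 ssid TEST
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
!
"""

def parse_blocks(text):
    """Group an IOS config into {header: [child lines]}; '!' and blank lines are ignored."""
    blocks, header = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and header is not None:
            blocks[header].append(raw.strip())   # indented line belongs to current header
        else:
            header = raw.strip()
            blocks[header] = []
    return blocks

def lint(text):
    """Return findings for SSID-VLAN/encryption mismatches and empty EAP profiles."""
    findings, ssid_vlan = [], {}
    blocks = parse_blocks(text)
    for header, kids in blocks.items():               # first pass: SSID -> VLAN
        if header.startswith("dot11 ssid "):
            vlans = [k.split()[1] for k in kids if k.startswith("vlan ")]
            ssid_vlan[header.split()[2]] = vlans[0] if vlans else None
    for header, kids in blocks.items():               # second pass: the checks
        if header.startswith("eap profile ") and not any(k.startswith("method ") for k in kids):
            findings.append(f"{header}: no 'method' configured, so the profile selects no EAP type")
        if re.fullmatch(r"interface Dot11Radio\d+", header):   # physical radios only
            enc = {k.split()[2] for k in kids if k.startswith("encryption vlan ")}
            for s in (k.split()[1] for k in kids if k.startswith("ssid ")):
                v = ssid_vlan.get(s)
                if v is not None and v not in enc:
                    findings.append(f"{header}: ssid {s} is on vlan {v} but encryption "
                                    f"is set only for vlan(s) {sorted(enc)}")
    return findings

if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```

Run against the full posted config, both radios report the vlan 2 / vlan 50 mismatch for SSID TEST, and the empty eapttls profile is flagged once.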

eschinzer Tue, 06/02/2015 - 15:35

I am also having this problem with only the Aironet 1600 series APs in our environment. We're using EAP-TLS and everything looks configured correctly, all clients have the cert installed, but it will not connect to the Aironet 1600s.
