
Wireless 877W

andrew100
Level 1

Hi,

I posted a question a week or so ago about setting up an 877W with wireless and VPN back to headend site. The requirement is for the remote site (5+ users) to VPN to main site but have wireless locally with authentication via PEAP into headend site where ACS into AD is configured. I have installed the router, but at the minute only with VPN access. I was not able to get the wireless working! I'm having issues with the BVI/Radio/VLAN interfaces. The remote site is to only have one subnet with some wireless and some not. My subnet is 172.16.0.96/28. Do I only need one IP address on the router, as I can't assign the VLAN and BVI interface in the same subnet? Should my default gateway be the BVI interface? I have also configured WEP 128 (customer asked for) but Windows displays this as an 'Open Network' and only one laptop can see it? And this can't connect. I tried to forget the PEAP and just get wireless working locally for some security but with no luck.

I have posted the config, can somebody help me and tell me what I have done wrong?

Any help is appreciated!!

Andy


mchin345
Level 6

Two subnets, one for each interface. If only one laptop can see it, try changing the channel numbers. PEAP is supported only in Win XP. Laptops not running Win XP can't connect.

pbroa1iss
Level 1

I'm struggling with exactly the same problem. Got a few access points on our LAN using PEAP fine but can't seem to get it working on an 877W. Can get the VPN connection back to our concentrator working. Has anyone got any ideas?

Thanks,

Phil

Benjamin Solero
Cisco Employee

Hi Andy,

The common configuration for this type of scenario is to bridge the VLAN1 and Dot11radio interfaces together in order to place both wired and wireless clients on the same VLAN/network.

If the customer's requirement is to allow both static WEP128 and PEAP clients to co-exist on a single SSID, then that's not going to work. PEAP uses dynamic encryption keys, so when EAP is configured on the SSID, the encryption keys are dynamic. You'd have to create a separate SSID on a separate VLAN to support static WEP in addition to PEAP on the same router.

Try reconfiguring (based upon your attached configs) as follows to support PEAP on VLAN 1 (use CONSOLE port, not telnet when configuring):

!

conf t

bridge irb

!

int do 0

no encryption key 1

no encryption mode wep mandatory

encryption vlan 1 mode wep mandatory

no bridge-group 1

!

int do 0.1

bridge-group 1

!

int vlan 1

no ip address

bridge-group 1

!

int bvi 1

ip address 172.16.0.97 255.255.255.240

!

ip radius source-interface bvi 1

!

bridge 1 route ip

bridge 1 protocol ieee

end

*******************

The 'radius source-interface bvi 1' forces the router to use 172.0.16.97 as the source of all RADIUS packets; therefore, you want to make sure the ACS Server has this router configured as an AAA Client with ip address 172.0.16.97.

Try this out, if it works, then do a 'wr mem' on the router to save the config to nvram.

Best Regards,

Ben
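As an added example (not part of the reply above and not Cisco tooling), this Python check confirms that a saved running-config follows the bridged layout the reply describes and that the RADIUS source address matches what the ACS server has as its AAA client. The sample config is constructed and simplified; the expanded interface names, the function names and the `aaa_client_ip` argument are assumptions.

```python
import ipaddress
import re

# Constructed, simplified running-config matching the commands in the reply
# (expanded interface names are assumed; not the poster's attached config).
SAMPLE_CONFIG = """\
bridge irb
interface Dot11Radio0.1
 bridge-group 1
interface Vlan1
 no ip address
 bridge-group 1
interface BVI1
 ip address 172.16.0.97 255.255.255.240
ip radius source-interface BVI1
bridge 1 route ip
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # a global command ends the interface stanza
    return interfaces

def check_bridged_radius(config, subnet, aaa_client_ip):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems, ifs = [], parse_interfaces(config)
    net = ipaddress.ip_network(subnet)
    for name in ("Vlan1", "Dot11Radio0.1"):
        cmds = ifs.get(name, [])
        if "bridge-group 1" not in cmds:
            problems.append(f"{name} is not in bridge-group 1")
        if any(c.startswith("ip address ") for c in cmds):
            problems.append(f"{name} has its own IP; only BVI1 should")
    m = re.search(r"^ip address (\S+) (\S+)$", "\n".join(ifs.get("BVI1", [])), re.M)
    bvi = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None
    if bvi is None or bvi.network != net:
        problems.append(f"BVI1 has no address in {subnet}")
    if not re.search(r"^ip radius source-interface BVI1$", config, re.M):
        problems.append("RADIUS source interface is not BVI1")
    elif bvi and str(bvi.ip) != aaa_client_ip:
        problems.append(f"ACS AAA client {aaa_client_ip} != RADIUS source {bvi.ip}")
    return problems
```

A mismatch between the router's RADIUS source address and the AAA client entry on the server is reported as a single finding, which makes it quick to rule in or out before looking at the shared secret.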

Hi,

That's a great help, but I'm still having problems getting PEAP working. I have checked our firewall and the ACS server and am not getting any failed attempts, but I am getting failed attempts when I remove the AAA account, so I know it's hitting the ACS server. According to the debugging on the router it looks to be a problem with the shared key, but I have checked and double checked that. I have attached both the router config and the debugging. Can anyone shed any light? Thanks in advance,

Phil

Hi Phil,

Are you using NDGs on your AAA server? Is your pre-shared key that of the NDG?

Andy

Yes, it sits in the NDG authenticating using RADIUS (Cisco Aironet).

Thanks,

Phil
