Cisco Support Community
Community Member

Problem authenticating Wireless users with peap

Good afternoon,

 

I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is that when I try to authenticate, I get this error:

 

AAA/AUTHEN/PPP : Pick method list 'Permanent Local'

DOT11-7-AUTH_FAILED : Station ... Authentication failed

 

It shouldn't use local authentication, but the aaa server I configured.

 

I looked on the internet but didn't find a working solution.

Does anyone know why it is not working?

 

Here is my running configuration:

 

Current configuration : 4276 bytes
!
! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
!
!
!
dot11 syslog
!
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
   guest-mode
!
!
eap profile peap
 method peap
!
crypto pki token default removal timeout 0
!
...
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid test
 !
 antenna gain 0
 stbc
 beamform ofdm
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 dot1x pae authenticator
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 192.168.3.10 255.255.255.0
 no ip route-cache
!
ip default-gateway IP
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

 

 

 

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

I haven't set up autonomous APs before, but I think I might see the problem. You are defining an authentication list called "eap_methods", but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:

dot11 ssid test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode

Hope this helps!

 

Thank you for rating helpful posts!
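
The mismatch pointed out in the accepted solution can be caught before deployment by cross-checking a saved configuration. The following is an added example, not code from the thread or from Cisco: the function name `audit_eap_lists` is hypothetical and the sample is constructed from the lines posted in the question. It goes slightly beyond the case above by also flagging lists that never reach a RADIUS group and RADIUS groups with no `server` line.

```python
import re

# Constructed sample: the AAA and SSID lines from the configuration posted above.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
"""

LIST_DEF = re.compile(r"aaa authentication login (\S+) (.+)")
GROUP_DEF = re.compile(r"aaa group server radius (\S+)")
SSID_DEF = re.compile(r"dot11 ssid (\S+)")
LIST_REF = re.compile(r"\s+authentication (?:open eap|network-eap) (\S+)")

def audit_eap_lists(config):
    """Return (ssid, list, problem) for each SSID EAP list that cannot reach RADIUS."""
    # lists: name -> methods; servers: group -> server count; refs: (ssid, list) uses
    lists, servers, refs, findings = {}, {}, [], []
    ssid = group = None
    for line in config.splitlines():
        if not line.startswith(" "):   # a top-level line leaves any sub-mode
            ssid = group = None
        if m := LIST_DEF.match(line):
            lists[m.group(1)] = m.group(2).split()
        elif m := GROUP_DEF.match(line):
            group = m.group(1)
            servers[group] = 0
        elif m := SSID_DEF.match(line):
            ssid = m.group(1)
        elif group and line.strip().startswith("server "):
            servers[group] += 1
        elif ssid and (m := LIST_REF.match(line)):
            refs.append((ssid, m.group(1)))
    for ssid, name in refs:
        methods = lists.get(name, [])
        groups = [b for a, b in zip(methods, methods[1:]) if a == "group"]
        if name not in lists:
            findings.append((ssid, name, "method list is not defined"))
        elif not groups:
            findings.append((ssid, name, "method list has no RADIUS group"))
        for g in groups:               # "group radius" is the built-in all-servers group
            if g != "radius" and not servers.get(g):
                findings.append((ssid, name, f"RADIUS group {g} is undefined or empty"))
    return findings

if __name__ == "__main__":
    print(audit_eap_lists(SAMPLE_CONFIG))
```
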

Community Member

Thank you so much, I had read this many times but I had not seen this error.

It now works perfectly :)

Cisco Employee

It happens to all of us :) Glad I was able to help!
