Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with. I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection. The Guest connection works fine, using WPA PSK. However, I can't seem to get the RADIUS authentication to work. Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing. Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command. Can someone guide me on what I'm doing wrong? I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password; it doesn't prompt for a username anymore. I am very stumped. Here's the relevant config:
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
I will look this over and see what I can do. Another question, about the default routes, I was unable to remove the 10.200.140.1 default route using the "no ip route..." command. Is there something I'm missing? The correct default route should be the 10.200.5.1. When I entered the "no ip route.." command, it accepted it with no error but nothing happened.
Thanks Rasika, your link worked. I had the authentication key before, but I removed it while I was trying different things. My main issue was not applying the list name to the SSID; the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group. Once that clicked, it made sense that the method list name was specified by the radius group, and that the authentication methods then referred to the radius group. It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
I haven't tried the "erase startup-config" command yet, I will try that next.
Quick question, why are both authentication open and authentication network-eap needed? I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?
Regarding authentication open (as shown below), it says the authentication scheme can be open with EAP authentication. "network-eap" is required for certain clients (like AnyConnect) with certain EAP methods (like LEAP).
A1142-1(config)#aaa authentication login EAP_MTD group RAD_GRP
A1142-1(config)#dot11 ssid TEST
A1142-1(config-ssid)# authentication open eap EAP_MTD
A1142-1(config-ssid)# authentication network-eap EAP_MTD
A1142-1(config-ssid)# authentication key-management wpa version 2
A1142-1(config-if)# encryption vlan 143 mode ciphers aes-ccm
Pls do not forget to rate our responses if that helps you.
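The chain worked out in this thread (radius-server entry, server group, method list, SSID), as an added example that is not from any poster: a Python lint over an autonomous-AP config that reports where that chain breaks. It assumes the legacy `radius-server host` / `server <ip>` syntax; the function name and both sample fragments are constructed.

```python
import re

# Constructed fragments, not the poster's config; 192.0.2.10, key and PSK are placeholders.
BROKEN = """\
aaa group server radius rad_eap
aaa authentication login eap_methods group rad_eap
dot11 ssid phoenix_2
 authentication open
dot11 ssid guest
 authentication key-management wpa
 wpa-psk ascii EXAMPLE-PSK
"""
FIXED = """\
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid phoenix_2
 authentication open eap eap_methods
 authentication network-eap eap_methods
"""

def lint_eap_chain(config):  # SSID -> method list -> server group -> radius-server
    groups, lists, ssids, hosts, block = {}, {}, {}, set(), None
    for line in config.splitlines():
        if line.startswith(" ") and block is not None:
            block.append(line.strip())          # sub-command of a tracked block
        elif m := re.match(r"aaa group server radius (\S+)", line):
            block = groups.setdefault(m[1], [])
        elif m := re.match(r"dot11 ssid (\S+)", line):
            block = ssids.setdefault(m[1], [])
        else:
            block = None
            if m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
                lists[m[1]] = m[2]
            elif m := re.match(r"radius-server host (\S+)", line):
                hosts.add(m[1])
    out = []
    for ssid, body in ssids.items():
        text = "\n".join(body)
        refs = set(re.findall(r"authentication (?:open eap|network-eap) (\S+)", text))
        if not refs and "wpa-psk" not in text:  # PSK-only SSIDs (guest) are fine
            out.append(f"{ssid}: no EAP method list applied and no PSK")
        for ref in sorted(refs):
            servers = [l.split()[1] for l in groups.get(lists.get(ref), []) if l.startswith("server ")]
            if not servers:
                out.append(f"{ssid}: list {ref} (group {lists.get(ref)}) resolves to no servers")
            out += [f"{ssid}: server {s} has no radius-server host entry" for s in servers if s not in hosts]
    return out
```

A finding on the user SSID with none on the PSK-only guest SSID matches the symptom in the thread: no request ever reaches the RADIUS server, so neither the AP debugs nor the NPS log show anything.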