Cisco Support Community
New Member

Wireless local radius authentication

Greetings,

I have an AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local radius server.

I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

and tried a couple of other posted configurations, but am running into the same issue regardless of which method I am using.

show ver

Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 27-Apr-10 12:52 by alnguyen

ROM: Bootstrap program is C1100 boot loader
BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

ORP_ROOFDECK uptime is 21 hours, 3 minutes
System returned to ROM by power-on
System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/1236K bytes of memory.
Processor board ID FOC08370K83
PowerPCElvis CPU at 197Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:01:6B:86:46
Part Number                          : 73-7886-07
PCA Assembly Number                  : 800-21481-07
PCA Revision Number                  : A0
PCB Serial Number                    : XXX
Top Assembly Part Number             : 800-22053-04
Top Assembly Serial Number           : XXX

Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1121G-A-K9

Configuration register is 0xF

show run

Current configuration : 4240 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
!
ip subnet-zero
ip domain name XXX
!
!
ip ssh version 2
aaa new-model
!
!
aaa group server radius rad_eap
server 172.16.1.35 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
server 172.16.1.35 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
!
dot11 ssid YYY
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
ip helper-address 172.16.1.1
no ip route-cache
!
encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
encryption mode wep mandatory
!
broadcast-key change 300
!
!
ssid YYY
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.16.1.35 255.255.255.0
ip helper-address 172.16.1.1
no ip route-cache
!
ip default-gateway 172.16.1.1
ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
  no authentication eapfast
  no authentication mac
  nas 172.16.1.35 key 7 VVV
  group YYY
    ssid YYY
    block count 3 time 30
    reauthentication time 300
  !
  user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E375553010B7A group YYY
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
access-class 10 in
line vty 5 15
!
end

Debug Output:

331: AAA/ACCT(00000000): add node, session 4
*Mar  1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.32cd for application 0x1
*Mar  1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to the client list for application 0x1
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
*Mar  1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
*Mar  1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0023.6c85.32cd
*Mar  1 21:37:37.332: EAPOL pak dump tx
*Mar  1 21:37:37.332: EAPOL Version: 0x1  type: 0x0  length: 0x0036
*Mar  1 21:37:37.332: EAP code: 0x1  id: 0x1  length: 0x0036 type: 0x1
00ECBA00: 01000036 01010036 01006E65 74776F72  ...6...6..networ
00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E  kid=YYY,n
00ECBA20: 61736964 3D4F5250 5F524F4F 46444543  asid=YYY
00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
*Mar  1 21:37:37.333: dot11_auth_send_msg:  sending data to requestor status 1
*Mar  1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
*Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.32cd timer started for 30 seconds
*Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0023.6c85.32cd
*Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed for 0023.6c85.32cd
*Mar  1 21:38:07.333: dot11_auth_send_msg:  sending data to requestor status 0
*Mar  1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c85.32cd, node_type 64 for application 0x1
*Mar  1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted for application 0x1
*Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authentication failed
*Mar  1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
*Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) base 0/0 pre 6861/188 call 6861/188
*Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) adjusted, pre 6861/188 call 0/0
*Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
*Mar  1 21:38:07.335: dot11_auth_client_abort: Received abort request for client 0023.6c85.32cd
*Mar  1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c85.32cd for application 0x1
*Mar  1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
*Mar  1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
*Mar  1 21:38:07.336: AAA/ACCT(00000004): Send all stops
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
*Mar  1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
*Mar  1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
*Mar  1 21:41:34.645: AAA/BIND(00000005): Bind i/f
*Mar  1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
*Mar  1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
*Mar  1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
*Mar  1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
*Mar  1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
*Mar  1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent Local'
*Mar  1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
*Mar  1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
*Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
*Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful

Any ideas how I can get simple username/password working on an autonomous AP with local radius server?


Thank you,
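
As an added illustration (not part of the original post and not Cisco tooling): a small Python parser for dot11 authenticator debug output of the kind pasted above, reporting per client whether the EAP identity request drew any reaction before the authenticator's timeout fired. The sample lines and MAC addresses are constructed, and the CLIENT_REPLY event name is an assumption modelled on the CLIENT_WAIT,TIMEOUT line in the post.

```python
import re
from datetime import datetime

# Constructed sample (made-up MACs), hard-wrapped at 80 columns like a terminal
# capture. The CLIENT_REPLY event name is an assumption, not taken from the page.
SAMPLE = """\
*Mar  1 10:00:00.100: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
equest to 0011.2233.4455
*Mar  1 10:00:30.100: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TI
MEOUT) for 0011.2233.4455
*Mar  1 10:01:00.000: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
equest to 00aa.bbcc.ddee
*Mar  1 10:01:00.250: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CL
IENT_REPLY) for 00aa.bbcc.ddee
"""

TS = re.compile(r"^\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ID_REQ = re.compile(r"Sending identity request to\s*" + MAC)
ACTION = re.compile(r"Executing Action\((\w+),(\w+)\) for\s*" + MAC)

def unwrap(text):
    """Rejoin hard-wrapped lines: no leading timestamp means continuation."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line  # wraps fall mid-token, so join without a space
    return out

def identity_outcomes(text):
    """Map client MAC -> (outcome, seconds from identity request to outcome)."""
    pending, result = {}, {}
    for line in unwrap(text):
        m = TS.match(line)
        if not m:
            continue
        # IOS stamps carry no year; a placeholder year keeps strptime unambiguous.
        stamp = "2000 " + " ".join(m.group(1).split())
        when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")
        if req := ID_REQ.search(m.group(2)):
            pending[req.group(1)] = when
            result[req.group(1)] = ("no_outcome_logged", None)
        elif (act := ACTION.search(m.group(2))) and act.group(3) in pending:
            state, event, mac = act.groups()
            waited = (when - pending.pop(mac)).total_seconds()
            silent = (state, event) == ("CLIENT_WAIT", "TIMEOUT")
            result[mac] = ("supplicant_silent" if silent else "supplicant_replied", waited)
    return result
```

A "supplicant_silent" result means the client never answered the identity request, so the local RADIUS server was never consulted for that attempt.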

5 REPLIES
Gold

Re: Wireless local radius authentication

You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics".  You could also run "debug radius local-server client" and "debug radius local-server error".

New Member

Re: Wireless local radius authentication

Already in the debug

New Member

Re: Wireless local radius authentication

It's also not even asking for the username/password.  I

Gold

Re: Wireless local radius authentication

What supplicant are you using?

Does the supplicant have machine authentication enabled?

New Member

Re: Wireless local radius authentication

What's a supplicant?
