AIR-SAP1602I fails with WPA2 EAP

maweigel
Level 1

Hi,

The following config works on AIR-AP1142N-E-K9, AIR-AP1242AG-E-K9 and AIR-AP1242AG-E-K9, but it does not work on several tested AIR-SAP1602I-E-K9.

The config is the same, except that "FastEthernet" is replaced by "GigabitEthernet" depending on the hardware, some ofdm/stbc commands that IOS added itself, and details of the radius server commands that changed between IOS versions.

On the working APs, clients will do WPA2/AES/PEAP/MS-CHAP with a freeradius server and get back a VLAN-ID. On the non-working AIR-SAP1602i, the problem seems to occur BEFORE the radius server is even asked: there is no radius request.

However, "test aaa group rad_eap user pass new" gives a successful authentication, so radius seems to work fine.

On the AIR-SAP1602I-E-K9 I tested with IOS 15.2(2)JB2 and 15.2(4)JB5. Same result.

The config:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname xxxxxx
!
logging rate-limit console 9
enable secret ...
!
aaa new-model
!
aaa group server radius rad_eap
 server xx.xx.xx.12 auth-port 1812 acct-port 1813
 server xx.xx.xx.11 auth-port 1812 acct-port 1813
!
aaa authentication login default group rad_eap local
aaa authentication login lokal local
aaa authentication login eap_method group rad_eap
aaa authentication ppp default group rad_eap
aaa authentication ppp eap_method group rad_eap
aaa authentication dot1x default group rad_eap
aaa authentication dot1x eap_method group rad_eap
aaa authorization network default group rad_eap
aaa authorization network eap_method group rad_eap
aaa accounting network eap_method start-stop group rad_eap
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip routing
no ip cef
no ip domain lookup
ip domain name xxxxxxx
!
dot11 syslog
!
dot11 ssid PROBLEM
   vlan 1
   authentication open eap eap_method
   authentication network-eap eap_method
   authentication key-management wpa version 2
   accounting default
   guest-mode
!
!
dot11 network-map
power inline negotiation prestandard source
crypto pki token default removal timeout 0
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 encryption vlan 60 mode ciphers aes-ccm
 encryption vlan 120 mode ciphers aes-ccm
 encryption vlan 130 mode ciphers aes-ccm
 encryption vlan 240 mode ciphers aes-ccm
 !
 ssid PROBLEM
 !
 antenna gain 0
 stbc
 beamform ofdm
 packet retries 128
 channel 2412
 station-role root
 rts threshold 2312
 world-mode dot11d country-code DE both
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 701
 bridge-group 1 output-address-list 701
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 no cdp enable
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 no cdp enable
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.60
 encapsulation dot1Q 60
 no ip route-cache
 no cdp enable
 bridge-group 60
 bridge-group 60 subscriber-loop-control
 bridge-group 60 spanning-disabled
 bridge-group 60 block-unknown-source
 no bridge-group 60 source-learning
 no bridge-group 60 unicast-flooding
!
interface Dot11Radio0.120
 encapsulation dot1Q 120
 no ip route-cache
 bridge-group 120
 bridge-group 120 subscriber-loop-control
 bridge-group 120 spanning-disabled
 bridge-group 120 block-unknown-source
 no bridge-group 120 source-learning
 no bridge-group 120 unicast-flooding
!
interface Dot11Radio0.130
 encapsulation dot1Q 130
 no ip route-cache
 no cdp enable
 bridge-group 130
 bridge-group 130 subscriber-loop-control
 bridge-group 130 spanning-disabled
 bridge-group 130 block-unknown-source
 no bridge-group 130 source-learning
 no bridge-group 130 unicast-flooding
!
interface Dot11Radio0.240
 encapsulation dot1Q 240
 no ip route-cache
 no cdp enable
 bridge-group 240
 bridge-group 240 subscriber-loop-control
 bridge-group 240 spanning-disabled
 bridge-group 240 block-unknown-source
 no bridge-group 240 source-learning
 no bridge-group 240 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 encryption vlan 60 mode ciphers aes-ccm
 encryption vlan 120 mode ciphers aes-ccm
 encryption vlan 130 mode ciphers aes-ccm
 encryption vlan 240 mode ciphers aes-ccm
 !
 ssid PROBLEM
 !
 antenna gain 0
 no dfs band block
 stbc
 beamform ofdm
 packet retries 128
 channel dfs
 station-role root
 rts threshold 2312
 world-mode dot11d country-code DE both
 no cdp enable
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 701
 bridge-group 1 output-address-list 701
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 no cdp enable
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 no cdp enable
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.60
 encapsulation dot1Q 60
 no ip route-cache
 no cdp enable
 bridge-group 60
 bridge-group 60 subscriber-loop-control
 bridge-group 60 spanning-disabled
 bridge-group 60 block-unknown-source
 no bridge-group 60 source-learning
 no bridge-group 60 unicast-flooding
!
interface Dot11Radio1.120
 encapsulation dot1Q 120
 no ip route-cache
 bridge-group 120
 bridge-group 120 subscriber-loop-control
 bridge-group 120 spanning-disabled
 bridge-group 120 block-unknown-source
 no bridge-group 120 source-learning
 no bridge-group 120 unicast-flooding
!
interface Dot11Radio1.130
 encapsulation dot1Q 130
 no ip route-cache
 no cdp enable
 bridge-group 130
 bridge-group 130 subscriber-loop-control
 bridge-group 130 spanning-disabled
 bridge-group 130 block-unknown-source
 no bridge-group 130 source-learning
 no bridge-group 130 unicast-flooding
!
interface Dot11Radio1.240
 encapsulation dot1Q 240
 no ip route-cache
 no cdp enable
 bridge-group 240
 bridge-group 240 subscriber-loop-control
 bridge-group 240 spanning-disabled
 bridge-group 240 block-unknown-source
 no bridge-group 240 source-learning
 no bridge-group 240 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 spanning-disabled
 no bridge-group 60 source-learning
!
interface GigabitEthernet0.120
 encapsulation dot1Q 120
 no ip route-cache
 bridge-group 120
 bridge-group 120 spanning-disabled
 no bridge-group 120 source-learning
!
interface GigabitEthernet0.130
 encapsulation dot1Q 130
 no ip route-cache
 bridge-group 130
 bridge-group 130 spanning-disabled
 no bridge-group 130 source-learning
!
interface GigabitEthernet0.240
 encapsulation dot1Q 240
 no ip route-cache
 bridge-group 240
 bridge-group 240 spanning-disabled
 no bridge-group 240 source-learning

The debug output:

003374: Aug 13 09:42:24.571: dot11_auth_add_client_entry: Create new client 3423.bab9.9568 for application 0x1
003375: Aug 13 09:42:24.571: dot11_auth_initialize_client: 3423.bab9.9568 is added to the client list for application 0x1
003376: Aug 13 09:42:24.571: dot11_auth_add_client_entry: req->auth_type 0
003377: Aug 13 09:42:24.571: dot11_auth_add_client_entry: auth_methods_inprocess: 2
003378: Aug 13 09:42:24.571: dot11_auth_add_client_entry: eap list name: eap_method
003379: Aug 13 09:42:24.571: dot11_run_auth_methods: Start auth method EAP or LEAP
003380: Aug 13 09:42:24.571: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
003381: Aug 13 09:42:24.571: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 3423.bab9.9568
003382: Aug 13 09:42:24.571: EAPOL pak dump tx
003383: Aug 13 09:42:24.571: EAPOL Version: 0x1  type: 0x0  length: 0x002F
003384: Aug 13 09:42:24.571: EAP code: 0x1  id: 0x1  length: 0x002F type: 0x1
0E020390:                   0100002F 0101002F          .../.../
0E0203A0: ...................  ..networkid=PROB
0E0203B0: ..................  LEM,nasid=xxxxxx
0E0203C0: ..................             xx,portid=0
003385: Aug 13 09:42:24.571: dot11_auth_send_msg:  sending data to requestor status 1
003386: Aug 13 09:42:24.571: dot11_auth_send_msg: Sending EAPOL to requestor
003387: Aug 13 09:42:24.571: dot11_auth_dot1x_send_id_req_to_client: Client 3423.bab9.9568 timer started for 30 seconds
003388: Aug 13 09:42:54.571: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 3423.bab9.9568
003389: Aug 13 09:42:54.571: dot11_auth_dot1x_send_client_fail: Authentication failed for 3423.bab9.9568
003390: Aug 13 09:42:54.571: dot11_auth_send_msg:  sending data to requestor status 0
003391: Aug 13 09:42:54.571: dot11_auth_send_msg: client FAILED to authenticate 3423.bab9.9568, node_type 64 for application 0x1
003392: Aug 13 09:42:54.571: dot11_auth_delete_client_entry: 3423.bab9.9568 is deleted for application 0x1
003393: Aug 13 09:42:54.571: %DOT11-7-AUTH_FAILED: Station 3423.bab9.9568 Authentication failed
003394: Aug 13 09:42:54.571: dot11_auth_client_abort: Received abort request for client 3423.bab9.9568
003395: Aug 13 09:42:54.571: dot11_auth_client_abort: No client entry to abort: 3423.bab9.9568 for application 0x1
003396: Aug 13 09:42:54.911: AAA/BIND(000001A7): Bind i/f
003397: Aug 13 09:42:54.911: dot11_auth_add_client_entry: Create new client 3423.bab9.9568 for application 0x1
003398: Aug 13 09:42:54.911: dot11_auth_initialize_client: 3423.bab9.9568 is added to the client list for application 0x1
003399: Aug 13 09:42:54.911: dot11_auth_add_client_entry: req->auth_type 0
003400: Aug 13 09:42:54.911: dot11_auth_add_client_entry: auth_methods_inprocess: 2
003401: Aug 13 09:42:54.911: dot11_auth_add_client_entry: eap list name: eap_method
003402: Aug 13 09:42:54.911: dot11_run_auth_methods: Start auth method EAP or LEAP
003403: Aug 13 09:42:54.911: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
003404: Aug 13 09:42:54.911: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 3423.bab9.9568
003405: Aug 13 09:42:54.911: EAPOL pak dump tx
003406: Aug 13 09:42:54.911: EAPOL Version: 0x1  type: 0x0  length: 0x002F
003407: Aug 13 09:42:54.911: EAP code: 0x1  id: 0x1  length: 0x002F type: 0x1
0E021100: 0100002F 0101002F 01006E65 74776F72  .../.../..networ
0E021110: .................  kid=PROBLEM,nas
0E021120: .................  id=xxxxx,porti
0E021130: 643D30                               d=0
003408: Aug 13 09:42:54.911: dot11_auth_send_msg:  sending data to requestor status 1
003409: Aug 13 09:42:54.911: dot11_auth_send_msg: Sending EAPOL to requestor
003410: Aug 13 09:42:54.911: dot11_auth_dot1x_send_id_req_to_client: Client 3423.bab9.9568 timer started for 30 seconds
003411: Aug 13 09:43:24.910: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 3423.bab9.9568
003412: Aug 13 09:43:24.910: dot11_auth_dot1x_send_client_fail: Authentication failed for 3423.bab9.9568
003413: Aug 13 09:43:24.910: dot11_auth_send_msg:  sending data to requestor status 0
003414: Aug 13 09:43:24.910: dot11_auth_send_msg: client FAILED to authenticate 3423.bab9.9568, node_type 64 for application 0x1
003415: Aug 13 09:43:24.910: dot11_auth_delete_client_entry: 3423.bab9.9568 is deleted for application 0x1
003416: Aug 13 09:43:24.910: %DOT11-7-AUTH_FAILED: Station 3423.bab9.9568 Authentication failed

For "Action(CLIENT_WAIT,TIMEOUT)" I found this doc: http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/50843-debug-authen.html

However, the very same clients work fine with the identical config on other models of access points. What is different with the 1602i?

Any ideas what the problem is?

Best Regards

Matthias
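The debug output above shows the pattern the poster describes: the AP sends the EAP identity request, nothing comes back, and after the 30-second timer the state machine runs Action(CLIENT_WAIT,TIMEOUT). The following script is an added example (not from the post or from Cisco) that classifies such `dot11 aaa` debug lines per client MAC so a pre-RADIUS failure can be told apart from a server-side one. The CLIENT_REPLY/SERVER_PASS action names in the second, constructed sample are assumed from the Cisco debug document linked above; only the first sample is taken from this post.

```python
import re
from collections import defaultdict

# Three lines taken from the debug output in the post above (one failed attempt).
POST_SAMPLE = """\
003381: Aug 13 09:42:24.571: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 3423.bab9.9568
003388: Aug 13 09:42:54.571: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 3423.bab9.9568
003389: Aug 13 09:42:54.571: dot11_auth_dot1x_send_client_fail: Authentication failed for 3423.bab9.9568
"""

# Constructed counter-example: the client answered, so the AP moved on to wait for RADIUS.
# The (state,action) names are assumed from the linked Cisco debug document, not captured here.
CONSTRUCTED_OK = """\
000010: Aug 13 10:00:00.000: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0011.2233.4455
000011: Aug 13 10:00:00.100: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0011.2233.4455
000012: Aug 13 10:00:00.200: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_PASS) for 0011.2233.4455
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
RE_IDREQ = re.compile(r"Sending identity request to " + MAC)
RE_ACTION = re.compile(r"Executing Action\((\w+),(\w+)\) for " + MAC)
RE_FAIL = re.compile(r"Authentication failed for " + MAC)


def classify(debug_text):
    """Return {mac: verdict}; verdicts: no-client-reply, radius-stage, other-failure, incomplete."""
    events = defaultdict(list)  # mac -> ordered events: "IDREQ", "FAIL" or (state, action)
    for line in debug_text.splitlines():
        if m := RE_IDREQ.search(line):
            events[m.group(1)].append("IDREQ")
        elif m := RE_ACTION.search(line):
            events[m.group(3)].append((m.group(1), m.group(2)))
        elif m := RE_FAIL.search(line):
            events[m.group(1)].append("FAIL")
    verdicts = {}
    for mac, seq in events.items():
        client_replied = ("CLIENT_WAIT", "CLIENT_REPLY") in seq
        server_seen = any(isinstance(e, tuple) and e[0] == "SERVER_WAIT" for e in seq)
        if "IDREQ" in seq and ("CLIENT_WAIT", "TIMEOUT") in seq and not client_replied:
            # Identity request went out, nothing came back: the EAPOL path, not RADIUS, is broken.
            verdicts[mac] = "no-client-reply"
        elif server_seen:
            verdicts[mac] = "radius-stage"
        elif "FAIL" in seq:
            verdicts[mac] = "other-failure"
        else:
            verdicts[mac] = "incomplete"
    return verdicts
```

A "no-client-reply" verdict for many different clients on one AP points at the AP's EAPOL forwarding path (as in this thread) rather than at the supplicants or the RADIUS server.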

1 Reply

maweigel
Level 1

Hello,

Here I am back, answering my own question:

All my authorized WLAN users are in one of the configured VLANs. That VLAN ID is assigned by radius.

VLAN1 is configured for the SSID but is never used for authorized users; RADIUS will always override it with the user's correct VLAN ID. If a user is not authorized for WLAN, he will be put into VLAN1, which is unusable because of the ACL.

In previous versions of IOS I could shut down the subinterface dot x.1 or filter all traffic, and authorized users could still connect. The subinterface would be used for user traffic only, not for EAP.

e.g.

interface dot x.1
  shutdown
  bridge-group 1 input-address-list 701
  bridge-group 1 output-address-list 701

In IOS 15.2, the native WLAN subinterface dot x.1 seems to be used by IOS for EAP traffic!

So all EAP traffic got filtered by the MAC ACL and never reached the client.

If I remove the ACL and enable the subinterface dot x.1, everything works fine.

e.g.

interface dot x.1
  no shutdown
  no bridge-group 1 input-address-list 701
  no bridge-group 1 output-address-list 701

However, now I have to find a new solution for the unauthorized users...

Best Regards

Matthias

P.S. Could somebody please mark this as solved? I cannot mark my own problems as solved in this forum.
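The root cause found above is a configuration pattern that can be checked for before an upgrade: an SSID that authenticates with EAP, whose VLAN's Dot11Radio subinterface is shut down or carries a bridge-group MAC address-list, will have its EAPOL frames filtered on IOS 15.2. The script below is an added example (not from the post or from Cisco) that lints an IOS AP config for exactly that pattern; the config excerpt embedded in it is trimmed from the original post, and the parser only understands the simple `header` / indented-body / `!` layout used there.

```python
import re

# Trimmed excerpt of the config in the original post: the EAP SSID lives in VLAN 1, and the
# native VLAN 1 radio subinterface carries MAC ACL 701 in both directions.
BROKEN_CFG = """\
dot11 ssid PROBLEM
   vlan 1
   authentication open eap eap_method
   authentication network-eap eap_method
   authentication key-management wpa version 2
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 input-address-list 701
 bridge-group 1 output-address-list 701
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
"""
# Same config with the two address-list lines removed, as the reply above did.
FIXED_CFG = "\n".join(ln for ln in BROKEN_CFG.splitlines() if "address-list" not in ln) + "\n"

RE_ACL = re.compile(r"^bridge-group \d+ (input|output)-address-list \d+$")


def parse_blocks(cfg):
    """Split an IOS config into (header, [body lines]); a '!' or blank line ends a block."""
    blocks, header, body = [], None, []
    for raw in cfg.splitlines():
        if raw.startswith("!") or not raw.strip():
            if header:
                blocks.append((header, body))
            header, body = None, []
        elif raw[0] != " ":
            if header:
                blocks.append((header, body))
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header:
        blocks.append((header, body))
    return blocks


def eap_ssid_vlans(blocks):
    """VLAN IDs of SSIDs using 'authentication open eap' or 'network-eap' (EAPOL rides on them)."""
    vlans = set()
    for header, body in blocks:
        if not header.startswith("dot11 ssid"):
            continue
        if any(ln.startswith(("authentication open eap", "authentication network-eap")) for ln in body):
            vlans.update(int(ln.split()[1]) for ln in body if ln.startswith("vlan "))
    return vlans


def find_blocked_eap_subifs(cfg):
    """Return [(subinterface, [offending lines])] for EAP-VLAN radio subinterfaces that filter or shut."""
    blocks = parse_blocks(cfg)
    vlans = eap_ssid_vlans(blocks)
    findings = []
    for header, body in blocks:
        if not header.startswith("interface Dot11Radio"):
            continue
        enc = next((ln for ln in body if ln.startswith("encapsulation dot1Q ")), None)
        if enc is None or int(enc.split()[2]) not in vlans:
            continue
        bad = [ln for ln in body if ln == "shutdown" or RE_ACL.match(ln)]
        if bad:
            findings.append((header.split()[1], bad))
    return findings
```

Run `find_blocked_eap_subifs` over a running-config dump before moving an autonomous AP to 15.2; an empty list means the EAP VLAN's radio subinterfaces are neither shut nor MAC-filtered.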
