Cisco Support Community
Need to implement Fast Secure Roaming; Does Win2K IAS support this?

I have configured Wireless Domain Services on an access point, in addition to IAS on a Win2K server. The AP has been configured with a username and password for the infrastructure authentication, but the authentication fails on the IAS server with the error, "The specified authentication type is not supported on this system." Within the IAS server profile, all authentication types are selected along with EAP/PEAP. From a 2004 Networks presentation, I saw that Fast Secure Roaming requires LEAP or EAP-FAST, which are both Cisco protocols. I presume the authentication is failing because of this issue. Does anyone know if it is possible to use IAS on a Win2K server, or possibly is there a way to use the local RADIUS server on the AP? Thank you.


9 REPLIES
Silver

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

I do not believe IAS can support it, but I have used the local RADIUS server on APs to do CCKM in the past. I would not do it if there are a lot of users, but my deployments were just a few APs and a few VoIP phones and it worked fine with EAP-FAST.

Community Member

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

Can you check the attached configuration against your configuration? The local RADIUS looks straightforward, but my logs keep showing the following:

Sep 15 16:59:36.423: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.80:1645,1646 is not responding.
Sep 15 16:59:36.423: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.80:1645,1646 has returned.
Sep 15 17:00:46.193: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.80:1645,1646 is not responding.
Sep 15 17:00:46.193: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.80:1645,1646 has returned.

Thanks again.

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
enable secret 5 ********
!
ip subnet-zero
!
aaa new-model
!
! RADIUS server groups: the EAP, Infrastructure and Client groups all point
! at this AP's own BVI address (192.168.1.80), i.e. at the local RADIUS server
aaa group server radius rad_eap
 server 192.168.1.80 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius Infrastructure
 server 192.168.1.80 auth-port 1645 acct-port 1646
!
aaa group server radius Client
 server 192.168.1.80 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_Infrastructure group Infrastructure
aaa authentication login method_Client group Client
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
! SSID with WPA and CCKM key management (fast secure roaming)
dot11 ssid Epworth
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
!
crypto pki trustpoint TP-self-signed-3104825495
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3104825495
 revocation-check none
 rsakeypair TP-self-signed-3104825495
!
crypto ca certificate chain TP-self-signed-3104825495
 certificate self-signed 01
  ...
  quit
!
username ************ privilege 15 password 7 ************
username ************ privilege 15 password 7 ************
username ************ privilege 15 password 7 ************
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Epworth
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2417
 station-role root
 antenna gain 5
 world-mode legacy
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 192.168.1.80 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.251
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
! Local RADIUS server on the AP; the only NAS entry is the AP itself
radius-server local
  no authentication mac
  nas 192.168.1.80 key 7 06160E325F59060B01
  user ************ nthash 7 ************
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key 7 095C4F1A0A1218000F
radius-server host 192.168.1.80 auth-port 1645 acct-port 1646 key 7 03145A1815182E5E4A
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
! Wireless Domain Services (WDS): this AP is the WDS device for CCKM
wlccp ap username ************ password 7 ************
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client any method_Client
wlccp wds priority 254 interface BVI1
!
line con 0
line vty 0 4
!
end
AP1#
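One thing worth noticing about the configuration as posted: the usernames and passwords were masked with asterisks, but the RADIUS shared secrets were left in as "key 7" strings. Cisco type 7 is a fixed-key XOR obfuscation, not encryption, so those strings disclose the secrets to anyone who reads the thread. The following is an added example, not code from the thread or from Cisco: it implements the well-known type 7 transform (the fixed key table is public and is not a secret), decodes the three "key 7" blobs from the config above, and round-trips a constructed secret to show the transform is symmetric. The function names are mine and the config excerpt is constructed from the lines posted above.

```python
"""Added example: recover Cisco type 7 ('key 7' / 'password 7') strings.

Type 7 is reversible obfuscation: a two-digit decimal seed followed by hex
bytes, each XORed with a byte of a fixed, publicly known key table.
"""
import re

# Fixed XOR key used by IOS type 7 (public knowledge, reproduced from the
# widely published table; nothing secret about it).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(blob: str) -> str:
    """Decode one type 7 string.

    blob[:2] is the starting offset into _XLAT; every following hex pair is
    one obfuscated byte, XORed with the next key byte in sequence.
    """
    seed = int(blob[:2])
    body = bytes.fromhex(blob[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    # latin-1 never raises, so a garbage blob yields garbage instead of an error
    return plain.decode("latin-1")


def encode_type7(plain: str, seed: int = 0) -> str:
    """Inverse of decode_type7 (same XOR, then hex); used here to show the
    transform is symmetric. IOS itself picks a small seed value."""
    data = plain.encode("latin-1")
    out = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


# Matches 'key 7 <hex>' and 'password 7 <hex>'; masked values ('****') do not
# match because they are not hex.
_TYPE7_RE = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]{2,})")


def type7_secrets(config: str) -> dict:
    """Map every type 7 blob found in a config to its plaintext."""
    return {blob: decode_type7(blob) for blob in _TYPE7_RE.findall(config)}


# Constructed excerpt: the three RADIUS key lines from the posted config, plus
# one masked line to show that masked values are ignored.
SAMPLE_CONFIG = """\
username ************ privilege 15 password 7 ************
radius-server local
  nas 192.168.1.80 key 7 06160E325F59060B01
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key 7 095C4F1A0A1218000F
radius-server host 192.168.1.80 auth-port 1645 acct-port 1646 key 7 03145A1815182E5E4A
"""


def all_same_secret(config: str) -> bool:
    """True when every type 7 blob in the config decodes to one value."""
    return len(set(type7_secrets(config).values())) == 1


if __name__ == "__main__":
    for blob, secret in type7_secrets(SAMPLE_CONFIG).items():
        print(f"{blob} -> {secret!r}")
```

All three blobs decode to the same eight-character secret, so the posted config gives away the RADIUS shared secret that protects the AP's RADIUS exchange, even though the login credentials were masked. "service password-encryption" only produces type 7 strings; treat them as plaintext and redact them like any other credential before sharing a config.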

Silver (Accepted Solution)

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

The AP uses ports 1812 and 1813 for RADIUS instead of 1645 and 1646. Swap those out, and your config looks almost identical to the one I have archived.
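The mismatch the accepted answer points at is mechanical enough to check for. The following is an added example, not code from the thread or from Cisco: it parses an excerpt of the config posted above, treats the AP's own interface address and the "nas" entries under "radius-server local" as the addresses of the local RADIUS server, flags every "server" or "radius-server host" line that points at those addresses on ports other than 1812/1813, and counts the %RADIUS-4-RADIUS_DEAD events in the posted log lines so the flapping server is identified. The config and log excerpts are constructed from the thread; the function names are mine.

```python
"""Added example: lint an IOS AP config for the local-RADIUS port mismatch
discussed in this thread, and summarise RADIUS_DEAD events from the AP log."""
import re
from collections import Counter

# Ports the IOS AP's local RADIUS server listens on (per the accepted answer).
LOCAL_RADIUS_PORTS = (1812, 1813)

# Constructed excerpt of the config posted in the thread (not the full file).
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.1.80 auth-port 1645 acct-port 1646
aaa group server radius Infrastructure
 server 192.168.1.80 auth-port 1645 acct-port 1646
interface BVI1
 ip address 192.168.1.80 255.255.255.0
radius-server local
  no authentication mac
  nas 192.168.1.80 key 7 06160E325F59060B01
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key 7 095C4F1A0A1218000F
radius-server host 192.168.1.80 auth-port 1645 acct-port 1646 key 7 03145A1815182E5E4A
"""

# The same excerpt with the ports corrected as the accepted answer suggests.
FIXED_CONFIG = SAMPLE_CONFIG.replace("auth-port 1645 acct-port 1646",
                                     "auth-port 1812 acct-port 1813")

# The four log lines posted in the thread.
SAMPLE_LOG = """\
Sep 15 16:59:36.423: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.80:1645,1646 is not responding.
Sep 15 16:59:36.423: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.80:1645,1646 has returned.
Sep 15 17:00:46.193: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.80:1645,1646 is not responding.
Sep 15 17:00:46.193: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.80:1645,1646 has returned.
"""

# 'radius-server host ...' at top level, or ' server ...' inside an aaa group.
_SERVER_RE = re.compile(
    r"^\s*(?:radius-server host|server)\s+(\S+)\s+auth-port\s+(\d+)\s+acct-port\s+(\d+)")
_LOG_RE = re.compile(r"%RADIUS-4-RADIUS_(DEAD|ALIVE): RADIUS server (\S+):(\d+),(\d+)")


def local_radius_addresses(config: str) -> set:
    """Addresses at which this AP's own RADIUS server is reachable: every
    interface 'ip address' plus each 'nas' entry under 'radius-server local'."""
    addrs = set()
    in_local = False
    for line in config.splitlines():
        if line.startswith("radius-server local"):
            in_local = True
            continue
        if in_local and line.startswith(" "):
            m = re.match(r"\s+nas\s+(\S+)", line)
            if m:
                addrs.add(m.group(1))
            continue
        in_local = False  # any non-indented line ends the radius-server local block
        m = re.match(r"\s+ip address\s+(\S+)\s+\S+", line)
        if m:
            addrs.add(m.group(1))
    return addrs


def port_mismatches(config: str) -> list:
    """(ip, auth_port, acct_port) for every RADIUS server entry that points at
    the AP's own local RADIUS server on ports other than 1812/1813."""
    local = local_radius_addresses(config)
    bad = []
    for line in config.splitlines():
        m = _SERVER_RE.match(line)
        if not m:
            continue
        ip, auth, acct = m.group(1), int(m.group(2)), int(m.group(3))
        if ip in local and (auth, acct) != LOCAL_RADIUS_PORTS:
            bad.append((ip, auth, acct))
    return bad


def dead_events(log: str) -> Counter:
    """Count RADIUS_DEAD events per 'ip:auth,acct'. A server that is marked
    dead and immediately alive on every attempt is one that never answers on
    that port pair, which is exactly what a port mismatch looks like."""
    matches = (_LOG_RE.search(line) for line in log.splitlines())
    return Counter(f"{m.group(2)}:{m.group(3)},{m.group(4)}"
                   for m in matches if m and m.group(1) == "DEAD")


if __name__ == "__main__":
    print("local RADIUS addresses:", sorted(local_radius_addresses(SAMPLE_CONFIG)))
    print("mismatched entries:", port_mismatches(SAMPLE_CONFIG))
    print("after fix:", port_mismatches(FIXED_CONFIG))
    print("dead events:", dict(dead_events(SAMPLE_LOG)))
```

The AP's client side defaults to 1645/1646 when no ports are given, while its own local server listens on 1812/1813, which is why the AP reported its own address as dead and alive on every authentication attempt. Windows IAS listens on both port pairs by default, so the same config would have worked against IAS; the mismatch only surfaces when the AP points at itself, as here.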

Community Member

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

Yes, this fixed the problem. The system is up and running.

By the way, how do you mark problems as solved?

Silver

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

Glad to hear.

Next to all posts is an option to "rate this post" with a 1-5 points available. I believe there is also an option to mark this post as solving your problem, but I haven't asked a question lately, so I don't know exactly what it says.

Community Member

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

I'm looking at a similar architecture with the same questions.

It's not clear to me from your post how this was resolved and whether changing the ports on which the RADIUS server listens will permit EAP-authenticated clients to roam between access points.

Could you clarify/explain:

-Are you trying to get EAP clients to roam between access points using IAS?

-Was the change of ports the key?

-Any idea why?

Would you be willing to share your config?

Community Member

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

I was initially going to use IAS, but the client didn't have the servers up yet. I ended up authenticating users based on local accounts on the wireless APs (RADIUS was set up on the APs), and the RADIUS server on the APs runs on ports 1812 and 1813, not on what is normally used by, say, a Windows IAS RADIUS server (which is the default port used by the APs).

Community Member

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

Thanks for the reply.

Now it's clear what you meant. Well, if it helps anyone else, I did try a brief test and the results show that an Intel client connected either with PEAP or WPA-PSK

Bronze

Re: Need to implement Fast Secure Roaming; Does Win2K IAS support this?

IAS does not support either LEAP or EAP-FAST. You can use the local RADIUS server on the AP. Note that CCKM is supported with ALL EAP types with CCXv4 clients, provided you're using a supplicant that supports it.
