I have a WLC 4402 configured to run 1131AG LAPs in 11 buildings.
I already have a working SSID on VLAN 3 for public consumption.
Now, I want to add a second SSID on a separate VLAN 6 that uses a RADIUS server to authenticate our Windows domain users. This SSID will not be broadcast, either. Basically, what I want to end up with is two SSIDs (one public, one private) operating on different VLANs.
I've set up the new subnet scope and scope options on the same DHCP servers.
I've set up the subinterface on the router and added the same IP-Helper addresses of the DHCP servers.
I've got the IAS server configured and communicating with the WLC.
I've set up the second interface and WLAN on the WLC 4402.
When testing on a laptop, I can manually enter the SSID and get it to attempt to connect. The SSID is being seen, but the laptop is failing to obtain an IP address from the DHCP servers.
In troubleshooting this, I'm wondering how this configuration can work, since the LAPs are access ports on the switches assigned to VLAN 3. They cannot be made into trunk ports on the switch and work with the WLC.
I've searched for anything that would describe this kind of configuration, but haven't found anything, yet.
Does anyone have some kind of configuration example that would describe how to get all these components configured and operational to support two SSIDs on two VLANs?
I have experience with MS IAS (PEAP w/ MS-CHAP v2) and the 4402. When the tricks are all worked out with IAS, it works pretty well. I'm currently using Funk OAS though. Please respond to the following questions...
1. Have you tried statically setting the DHCP server IP address in the WLAN configuration on the controller?
2. Can you confirm that your IAS Radius server is working / setup properly?
- Did you set up a certificate authority or a third-party cert for IAS to use?
- Do you have a valid RAS policy created for clients to pass through? I make mine require "domain users" as a group requirement.
- Do you have any strict policy requirements in place like a "NAS-PORT-TYPE" and the port type is set for 802.11 (wireless)?
3. Can you ping the WLC interface that the WPA2 Enterprise SSID is using?
Just a little bit of background on the WLC as well to answer your question about the different vlans / wlans.
The WLC is connected to your core switch via a trunk port. The trunk port needs to have access to the different VLANs that you intend to use for WLANs as well as the VLAN you put your APs on. A simple config on the port like this should work fine.
description WLC PORT
! on platforms that support trunk encapsulation negotiation, the encapsulation
! must be set before 'switchport mode trunk' or the mode command is rejected
switchport trunk encapsulation dot1q
switchport mode trunk
Interfaces for each vlan that the controller needs to talk to are created on the controller. All traffic from the AP is sent on the AP manager vlan back to the controller, and then the controller dictates which vlan the traffic needs to get forwarded to, via the interface you created.
So, if your clients aren't getting IPs then it could be that the VLAN isn't accessible by the WLC, your client failed authentication because the RADIUS server denied it, the DHCP scope is off, the helper address is incorrect, or the client is not configured properly. Based on what I'm hearing though, if the static DHCP server setting doesn't work, I'm leaning toward auth failure / RADIUS IAS problems. What does your client status say on the WLC? If you try the test again, please do a MAC address client lookup from the controller and let us know what the WLC says...
P.S. Below is a technet link that should help get logging going on IAS so you can see from the MS side if the client auths properly...
Thanks for the response.
1. Changing the setting in the WLAN for DHCP server override and requiring DHCP Address Assignment has no effect.
2. I followed this link to configure IAS, but also used some other resources on both Technet and Cisco to assist in the configuration:
- IAS is installed on one of our domain controllers.
- I set up the logging to the local file. Would have preferred using SQL 2005, but nothing is provided in IAS to facilitate this and the documentation regarding the database is sparse at best. I don't have enough SQL 2005 expertise to build the database, table(s) and index(s) from the ground up, so I had to forego this method for now. After setting the WLC RADIUS Authentication server settings, a log file was created on the server and gets routine messages from the WLC, although it is always the same one. Just looks like some routine message stating that All users must use Windows authentication that is generated at some specified interval. Kind of like a heartbeat message or something like that.
- In the RADIUS client that I have set up for the WLC, I have tried changing the Client-Vendor setting from RADIUS Standard to Cisco.
- Following the article in the link above, I used the wizard to configure the Remote Access Policy for this. The conditions are NAS-Port-Type matches "Wireless - Other OR Wireless IEEE 802.11" AND Windows-Groups matches "Domain Computer, Domain Users, Domain Admins"
- One oddity occurs with IAS, once - and only once - each day. If I open IAS mmc - open the properties of the Remote Access Policy I configured for this -> Edit Profile -> Authentication tab -> EAP Methods button -> highlight PEAP and click Edit button I get an error box saying there is no matching certificate. I import the same certificate again which is a self-signed certificate from our CA and is valid until next year. I can log off/on all day and check this again and everything is fine. Come back tomorrow and start all over again with the invalid cert box.
3. I can ping all the IPs associated with the WLC and private SSID/VLAN I am trying to get working.
4. WLC has two GBICs. On the WLC side, these are link aggregated. On the switch side, both have the switchport trunk, switchport trunk encap dot1q and switchport trunk allowed vlan 1,3,6 commands entered. There is also a channel-group 10 mode on entry. Interface Port-channel 10 is also configured with the same three switchport trunk entries.
The DHCP scope is enabled.
The IP helper addresses are correct (these are the same DHCP servers we use with every other VLAN)
Since this isn't working, I can't tell if the IAS authentication isn't taking place or the client is misconfigured.
- There are no Windows Event log messages on either the client or the IAS server regarding authentication;
- There are no IAS log messages indicating that an attempt was made or rejected;
- There are no WLC trap messages saying an attempt was made or rejected;
- For testing, I set the client to prompt for the domain name/password which it does. The client Wireless config shows the association with the private SSID and reports signal strength - then attempts to get a DHCP address and times out.
- The WLC monitor displays the client, associated with the private WLAN, but has 'No' under the Auth column.
- I've set the WLAN for WPA+WPA2 Level 2 Security and entered the only RADIUS server in the Advanced tab for Authentication and Accounting; on the client, I set the authentication for either WPA-Enterprise or WPA2-Enterprise (depending on the laptop used) and configured the Windows login name/password/domain, as well as the client and server certificates.
Post your show run-config and I can tell you what you need to change. Also, how is your switchport configured where the WLC connects? Access port is correct for the access points.
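As an added example (not part of the thread and not any poster's own configuration), the following Python script audits a "show run" excerpt for the layout the replies describe: every WLC-facing port, including the port-channel, must be hard-set to trunk and must carry all WLAN VLANs plus the AP VLAN with the allowed list pruned rather than left wide open, while every LAP port stays an access port in the AP VLAN. The running-config text, the interface names and the description keywords used to classify ports are constructed assumptions of the example.

```python
# Constructed sample running-config excerpt (placeholder interface names and
# descriptions, not the poster's config). VLAN 3 = public/AP VLAN, VLAN 6 =
# the new staff VLAN, as in the thread.
SAMPLE_RUNNING_CONFIG = """\
interface Port-channel10
 description WLC 4402 LAG
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description WLC 4402 port 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
 channel-group 10 mode on
!
interface FastEthernet1/0/10
 description 1131AG LAP building 1
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet1/0/11
 description 1131AG LAP building 2
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [stripped config lines]} for each 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!" or not line.strip():
            current = None  # stanza terminator
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,3,10-12' into {1, 3, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit(config_text, wlan_vlans, ap_vlan, wlc_desc="WLC", ap_desc="LAP"):
    """Check WLC-facing trunks and AP-facing access ports.

    Ports are recognised by a keyword in their description (an assumption of
    this example). Returns a list of finding strings; an empty list is clean.
    """
    findings = []
    required = set(wlan_vlans) | {ap_vlan}  # AP VLAN carries the LWAPP tunnel
    for name, lines in parse_interfaces(config_text).items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        if wlc_desc in desc:
            if "switchport mode trunk" not in lines:
                findings.append(f"{name}: WLC port is not configured as a trunk")
            allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
            if allowed is None:
                findings.append(f"{name}: trunk allows all VLANs; prune to {sorted(required)}")
            else:
                missing = required - expand_vlan_list(allowed.split()[-1])
                if missing:
                    findings.append(f"{name}: trunk is missing VLAN(s) {sorted(missing)}")
        elif ap_desc in desc:
            if "switchport mode access" not in lines:
                findings.append(f"{name}: AP port should be an access port, not a trunk")
            elif f"switchport access vlan {ap_vlan}" not in lines:
                findings.append(f"{name}: AP port is not in VLAN {ap_vlan}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG, wlan_vlans={3, 6}, ap_vlan=3):
        print(finding)
```

Run against the sample, the audit reports that both WLC-facing ports lack VLAN 6 (the symptom the thread is chasing: a WLAN mapped to a VLAN the controller's trunk does not carry) and that one LAP port was wrongly left as a trunk. The allowed-list check only handles the plain `switchport trunk allowed vlan <list>` form, not the `add`/`remove` variants.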
This must be an IAS issue, because if I don't use IAS at all and configure the client to just use WPA-Personal (PSK), it works fine.
So, now the question is...
Can anyone share their working configuration of Windows 2003 R2x64 IAS on a domain controller using a self-signed certificate, working with a WLAN Controller 4402 and 1131AG APs and the correct client configuration for either an HP or Dell laptop client using WPA-Enterprise or WPA2-Enterprise authentication?
I have pored over the Windows support site, Technet articles, Cisco documentation and various forums, but have yet to find a configuration for the WLC-IAS server and laptop clients that functions.
I've been working on this for two weeks and still don't have a working solution for RADIUS authentication for wireless laptops <-> WLC 4402 <-> IAS server(s) using PEAP (MSChapv2).
When I boot the laptop I'm testing with, an authentication success message is recorded in the IAS server. But when I log on with any account, IAS rejection messages are recorded and the wireless connection is never established. Windows Event log message on IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Time: 2:27:24 PM
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = domainname\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Type = EAP
Reason-Code = 8
Reason = The specified user account does not exist.
I believe that I'm at a spot where IAS is properly configured. So, either something in the WLAN Controller config is wrong or the laptop config is wrong.
I've read that the controller merely passes the messages from client to IAS server, but was wondering if it adds/subtracts anything from the messages as it's passing them back and forth. If so, then something about the controller configuration might need to be changed. I believe I've removed/disabled all the settings that attempt to encrypt the WLC <-> IAS communication because I couldn't get encrypted communication to work at all. The WLC 4402 config is:
Security -> AAA -> RADIUS -> Authentication:
Call Station ID = IP Address
Use AES Key Wrap = Unchecked
RADIUS Server 1:
Server Index = 1
Server Address = (IAS Server IP address)
Shared Secret Format = ASCII
Shared Secret and Confirm Shared Secret are set with the same key.
Key Wrap = unchecked box
Port Number = 1812
Server Status = Enabled
Support for RFC 3576 = Enabled
Server Timeout = 2 seconds
Network User = checked
Management = checked
IPSec = unchecked
WLANs Edit -> TestSSID
Profile name = TestSSID
Type = WLAN
SSID = TestSSID
Status = checked
Security Policies = [WPA+WPA2][Auth(802.1X)]
Radio Policy = All
Interface = domain test
Broadcast SSID = unchecked
Security Tab, Layer 2 tab:
Layer 2 Security = WPA+WPA2
MAC Filtering = unchecked
WPA Policy = checked
WPA Encryption = AES checked, TKIP unchecked
WPA2 Policy = checked
WPA2 Encryption = AES checked, TKIP unchecked
Auth Key Mgmt = 802.1X
Security Tab, Layer 3 tab:
Layer 3 Security = None
Web Policy = unchecked
Security Tab, AAA Servers tab:
Authentication Server 1 = IAS server IP, 1812
Accounting Servers = Enable box checked, Server 1 IP = IAS server IP, 1813
No LDAP servers
Local EAP Authentication = unchecked
Authentication Priority order for web-auth user = RADIUS, LOCAL, LDAP
Quality of Service = Silver (best effort)
WMM Policy = Allowed
7920 AP CAC = unchecked
7920 Client CAC = unchecked
Allow AAA Override = unchecked
H-REAP Local Switching = unchecked
Enable Session Timeout = checked, 1800 secs
Aironet IE = unchecked
Diagnostic Channel = unchecked
IPv6 Enable = unchecked
Override Interface ACL = None
P2P Blocking Action = Disabled
Client Exclusion = Enabled, 60 secs
DHCP Server = unchecked
DHCP Addr. Assignment = unchecked
Infrastructure MFP Protection = checked (Global MFP Disabled)
MFP Client Protection = Optional
DTIM Period 802.11a/n = 1
DTIM Period 802.11b/g/n = 1
NAC State = unchecked
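As an added example, not from the thread: a Python parser for IAS Event ID 2 reject events in the "Field = Value" layout pasted above. It counts rejections per client MAC and reason code so that repeated failures from one station stand out, and applies a labelled heuristic to separate hostname-style identities (like the one in the rejected event above) from plain user logon names and from the conventional host/ machine-auth form. The sample events, MACs, host names and the reason-16 text are constructed placeholders, and the identity heuristic is an assumption of the example, not documented IAS behaviour.

```python
import re
from collections import Counter

# Constructed sample events (placeholder names/MACs, not real log data). The
# layout mirrors the "Field = Value" body of an IAS Event ID 2 warning; the
# reason-16 wording is constructed sample text.
SAMPLE_EVENTS = """\
Event Type: Warning
Event Source: IAS
Event ID: 2
Time: 2:27:24 PM
User HOST001.example.local was denied access.
Fully-Qualified-User-Name = EXAMPLE\\HOST001.example.local
NAS-IP-Address = 10.0.0.1
NAS-Identifier = example-wlc
Called-Station-Identifier = 00-00-5E-00-53-00:Domain Staff
Calling-Station-Identifier = 00-00-5E-00-53-11
NAS-Port-Type = Wireless - IEEE 802.11
Authentication-Type = EAP
Reason-Code = 8
Reason = The specified user account does not exist.

Event Type: Warning
Event Source: IAS
Event ID: 2
Time: 2:28:01 PM
User HOST001.example.local was denied access.
Fully-Qualified-User-Name = EXAMPLE\\HOST001.example.local
NAS-IP-Address = 10.0.0.1
NAS-Identifier = example-wlc
Called-Station-Identifier = 00-00-5E-00-53-00:Domain Staff
Calling-Station-Identifier = 00-00-5E-00-53-11
NAS-Port-Type = Wireless - IEEE 802.11
Authentication-Type = EAP
Reason-Code = 8
Reason = The specified user account does not exist.

Event Type: Warning
Event Source: IAS
Event ID: 2
Time: 2:30:15 PM
User jdoe was denied access.
Fully-Qualified-User-Name = EXAMPLE\\jdoe
NAS-IP-Address = 10.0.0.1
NAS-Identifier = example-wlc
Called-Station-Identifier = 00-00-5E-00-53-00:Domain Staff
Calling-Station-Identifier = 00-00-5E-00-53-22
NAS-Port-Type = Wireless - IEEE 802.11
Authentication-Type = EAP
Reason-Code = 16
Reason = Bad user name or password (constructed sample text).
"""

# "Key: value" (header lines) or "Key = value" (attribute lines); the key may
# contain spaces, and the first ':' or '=' ends it.
FIELD_RE = re.compile(r"^([A-Za-z][\w -]*?)\s*[=:]\s*(.*)$")


def parse_ias_events(text):
    """Split blank-line-separated event blocks into dicts of field -> value.

    The free-text 'User ... was denied access.' line has no delimiter and is
    kept under the 'Message' key.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                event[m.group(1)] = m.group(2).strip()
            elif line.strip():
                event.setdefault("Message", line.strip())
        events.append(event)
    return events


def identity_kind(fqun):
    """Heuristic (an assumption of this example, not IAS logic): classify the
    account part of DOMAIN\\account. 'host/...' is the conventional machine
    form; a dotted name looks like a DNS host name rather than a logon name."""
    account = fqun.split("\\", 1)[-1]
    if account.lower().startswith("host/"):
        return "machine"
    if "." in account:
        return "hostname-style"
    return "user"


def summarize_rejections(events, threshold=2):
    """Count Event ID 2 rejections per (client MAC, reason code) and flag any
    client MAC with at least `threshold` rejections."""
    by_reason = Counter()
    per_client = Counter()
    for ev in events:
        if ev.get("Event ID") != "2":
            continue
        mac = ev.get("Calling-Station-Identifier", "unknown")
        by_reason[(mac, ev.get("Reason-Code", "?"))] += 1
        per_client[mac] += 1
    flagged = {mac: n for mac, n in per_client.items() if n >= threshold}
    return {"by_reason": dict(by_reason), "flagged": flagged}


if __name__ == "__main__":
    parsed = parse_ias_events(SAMPLE_EVENTS)
    for ev in parsed:
        fqun = ev.get("Fully-Qualified-User-Name", "")
        print(ev.get("Calling-Station-Identifier"), ev.get("Reason-Code"),
              identity_kind(fqun), fqun)
    print(summarize_rejections(parsed))
```

On the sample, the two reason-code 8 rejections come from one station presenting a hostname-style identity, which is the pattern to look for when deciding whether the failing request is a machine or a user authentication; the flagged-client output is the same shape a detection rule would emit for an authentication-failure burst against the RADIUS server.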
I have a similar setup with APs located in 22 different locations; it works without problems.
Your WLAN config seems to be OK. But I also had the same authentication problem with the IAS server when I used the Intel client on a laptop. For some reason the IAS server could not understand that the client was sending an MS-CHAP type auth request.
When I used the Windows native client with Wireless Zero Config (I have tested with both XP and Vista) it worked fine.
The DHCP issue: if your AP and WLAN are not in REAP mode, the entire client traffic is encapsulated up to the WLC. Therefore you need a DHCP server accessible from the same AP management WLAN interface. If you enable REAP mode for both the WLAN and the AP, the client will search for a DHCP server located in the LAN where the AP is plugged in.
I did manage to get PEAP-MSCHAPv2 authentication working, by ignoring any documentation on autoenrollment of machines to the certificate authority.
In working through all this, however, I think that PEAP-TLS authentication (or any other machine authentication method) would be a better fit for our environment, but I haven't been able to get authentication to occur using a machine certificate. IAS is still complaining that the specified user account does not exist.
This isn't a WLC issue, so I'm largely posting on the MS site for this. However, if anyone has gotten this working with PEAP-TLS - or any other machine authentication method - I would appreciate hearing how you configured IAS and the clients to get this to function.