
AP Client Authentication Issues

cayoung81
Level 1

Hello. I have three 1200 series access points running in autonomous mode that need to allow handheld computers to connect. The handhelds need to authenticate using EAP. The APs are properly listed and configured in the ACS and the handhelds are properly set up as well, but when I do "show dot11 association" it shows them authenticated with aaa instead of eap. As I said, these are autonomous, so there is no WLC. The VLAN being used for the APs is properly trunked all the way back to where the traffic needs to go. Here is a configuration example:

interface Dot11Radio0
 no ip address
 no shut
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 ssid portableclient
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 channel 2412
 station-role root
 rts threshold 2312
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!

aaa new-model
!
!
aaa group server radius rad_eap
 server x.x.x.x auth-port 1645 acct-port 1646
 server x.x.x.x auth-port 1645 acct-port 1646
 server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_m
!
aaa group server radius rad_a
!
aaa group server radius rad_ad
!
aaa group server tacacs+ tac_ad
!
aaa group server radius rad_p
!
aaa group server radius dummy
!
ip http authentication aaa
no ip http secure-server
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key xxxxxxxx
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server timeout 20
radius-server deadtime 3
radius-server key xxxxxxxxx
radius-server vsa send accounting
bridge 1 route ip
!

The clients connect to the AP but authenticate with aaa and therefore do not transmit, as the handhelds require RADIUS. Any ideas of what I might be missing?

 

 
