Cisco Support Community
New Member

1220 upgraded to IOS now having PEAP problems

Hi all,

I took a 1220 that was running VxWorks and upgraded to IOS last night. The upgrade went fine, however afterwards I wasn't able to authenticate to our IAS server using PEAP with MD5.

I did an erase start and tried everything from scratch (also to make sure all filters were gone).

I am at the same point as before the erase start. When I look at the event log, the one item that stands out is:

NAS-Port-Type = Virtual

Has something changed in the IOS version that authenticates differently to IAS (Windows 2000 Server)?

I didn't make any changes to my laptops or the IAS server.

I can however allow that port type instead of "Wireless - IEEE 802.11" and the authentication succeeds, but the VLAN information doesn't get passed. So I am pretty sure that is not the correct way of configuring IAS.

Thanks

Don Hickey

4 REPLIES
Cisco Employee

Re: 1220 upgraded to IOS now having PEAP problems

Hi Don,

If in the conversion process you made a typo in the shared secret for the AAA server, you can have a problem like this.

Try removing the NAS entry in AAA and re-enter it, then reconfigure the server setting and shared secret in the AP.

New Member

Re: 1220 upgraded to IOS now having PEAP problems

Thanks,

I thought of the exact same thing. In fact I did an erase start and started from scratch. Also, I changed the shared secret on both ends just to make sure that wasn't the problem.

I have my VxWorks version back on there right now since it is working fine.

For some reason the AP is talking differently to the IAS server. I am getting the requests to the IAS server and they are all being denied. I am 99% sure it is not the configuration on the RADIUS server. All my APs are configured the same way. I am 100% sure it is not the laptops as they work on the non-IOS version of the APs.

So that leaves the AP. I have the RADIUS server set up, WEP mandatory, and EAP selected for the RADIUS server. I am getting ready to put a sniffer on there and see what the differences are between the one that is working (VxWorks) and the one that is not working (IOS upgraded version).

This is my 1st IOS version to play around with, but I have configured many VxWorks APs and they are running per-user VLANs, and filters and such. Either I am missing something somewhere on the IOS version, there is a bug, or they changed the way that the AP talks to the RADIUS server for EAP (PEAP) authentication....

Thanks

Don Hickey

New Member

Re: 1220 upgraded to IOS now having PEAP problems

Well I just got done sniffing between the good and the bad :-)

On the VxWorks the NAS-port-type is 19

On the IOS the NAS-port-type is 5

This is why my IAS server is rejecting it.....

Any ideas how to solve this problem? I have EAP selected on the RADIUS server setup on the IOS AP....

Thanks

Don

Cisco Employee

Re: 1220 upgraded to IOS now having PEAP problems

Hi Don,

This is actually a software bug, CSCeb36095.

Here is the release note from the bug:

IOS based APs will pass Radius attribute 61 (NAS-Port-Type) with value 5 (virtual), while VxWorks based APs use value 19 (Wireless IEEE802.11)

Users may need to re-configure Radius server setting if this attribute is used to grant access to the user, when migrating AP from VxWorks to IOS.

No ETA on when this should be fixed yet, but if the workaround doesn't work then please contact the TAC and open a case. Have your case linked to the bug, then you can be kept updated of when the fix will be released.
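
The comparison made with the sniffer above can be reproduced offline. The following is an added example, not part of the original thread: it parses RADIUS Access-Request bytes, extracts attribute 61 (NAS-Port-Type), and evaluates it against a policy condition that requires value 19. The two sample packets, the user name `don`, and the helper names are constructed for illustration.

```python
import struct

NAS_PORT_TYPE = 61  # attribute number from the release note (RFC 2865)
PORT_TYPE_NAMES = {5: "Virtual", 19: "Wireless - IEEE 802.11"}

def build_access_request(identifier, attrs):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def nas_port_type(packet):
    """Return the NAS-Port-Type integer, or None if the attribute is absent."""
    for atype, value in parse_attributes(packet):
        if atype == NAS_PORT_TYPE:
            if len(value) != 4:
                raise ValueError("NAS-Port-Type must be a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None

def policy_matches(packet, required=19):
    """Model a remote-access policy condition that requires one port type."""
    return nas_port_type(packet) == required

# Constructed sample requests (not captures from the thread).
VXWORKS_REQ = build_access_request(1, [(1, b"don"), (61, struct.pack("!I", 19))])
IOS_REQ = build_access_request(2, [(1, b"don"), (61, struct.pack("!I", 5))])

if __name__ == "__main__":
    for name, req in (("VxWorks", VXWORKS_REQ), ("IOS", IOS_REQ)):
        value = nas_port_type(req)
        print(name, value, PORT_TYPE_NAMES.get(value), policy_matches(req))
```
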