09-24-2003 11:17 AM - edited 07-04-2021 09:02 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I'm trying to implement PEAP and for some reason my APs (both 1100 & 350) are not sending the EAP request to the auth Server (IAS)... I've sniffed the line and they aren't sending any information at all even though both APs say things like 'EAP retry time out' or 'Auth failure'. I know it's going to be something trivial that I'm missing, but it's driving me crazy.
my 1100 configs (ver 122-11)
-----------------
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname WIRELESS-TEST
!
aaa new-model
!
!
aaa group server radius rad_eap
server 172.16.32.161 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
username xxxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip subnet-zero
ip domain name test.org
ip name-server x.x.x.x
ip name-server x.x.x.x
!
dot11 holdoff-time 600
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode wep mandatory mic key-hash
!
broadcast-key change 320
!
!
ssid TEST
authentication open eap eap_methods
guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
power local 20
channel 2462
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
ntp broadcast client
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.16.200.39 255.255.252.0
no ip route-cache
!
ip default-gateway 172.16.200.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip http authentication aaa
ip radius source-interface BVI1
snmp-server community private RW
snmp-server chassis-id WIRELESS-TEST
no snmp-server enable traps tty
snmp-server host x.x.x.x private
radius-server host 172.16.32.161 auth-port 1812 acct-port 1813 key 7 xxxxxx
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
line con 0
line vty 5 15
!
ntp server x.x.x.x
end
-------------------------
my 350 non-default config (ver 12.03T)
-------------------------
#===Beginning of PACW1 (Cisco 350 Series AP 12.03T) Configuration File===
dot11DesiredSSID.2=TEST
dot11AuthenticationAlgorithmsEnable.2.1=true
dot11AuthenticationAlgorithmsEnable.2.3=false
dot11ExcludeUnencrypted.2=true
sysName=PACW1
ipRouteNextHop.0.0.0.0=172.16.200.1
enableSNMP=T
enableSNTP=T
bootconfigBootProtocol=none
bootconfigBootCount=53
awcIfDefaultIpAddress.1=172.16.200.60
awcIfDefaultIpNetMask.1=255.255.252.0
awcDot11DesiredSSIDMicAlgorithm.2=micMMH
awcDot11DesiredSSIDWEPKeyPermuteAlgorithm.2=wepPermuteIV
awcDot11AuthenticationRequireEAP.2.1=true
awcDot11AllowEncrypted.2=true
allowBrowseWithoutLogin=F
protectLegalPage=T
awcConsoleAutoApply=T
defaultResolverDomain=applygannon.org
defaultResolverDomainServer.1=x.x.x.x
defaultSntpServer=x.x.x.x
awcAaaServerName.1=172.16.32.161
awcAaaServerName.2=
awcAaaServerName.3=
awcAaaServerName.4=
awcAaaServer8021xCapabilityEnabled.2=F
awcAaaServer8021xCapabilityEnabled.3=F
awcAaaServer8021xCapabilityEnabled.4=F
awcAaaServerMacAddrAuthEnabled.1=F
awcAaaServerAdminAuthEnabled.1=F
awcAaaServerMipAuthEnabled.1=F
awcAcctServerName.1=172.16.32.161
#awcAcctServerSharedSecret.1=
awcAcctEnable=T
awcAaaServerPrimaryReattemptPeriod=1
awcVlanNUcastKeyRotationInterval.4095=320
#===End of PACW1 Configuration File===
------------------
If anybody has any insight I would appreciate it... I am probably missing the Work/Don't Work box.
Ben
09-30-2003 11:44 AM
What is the error message that you are getting? Maybe that might give us an idea.
10-01-2003 04:05 AM
Thanks for responding. I got it squared away; I was trying to have it do Network EAP & Open-EAP at the same time and it didn't like that.
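The last reply attributes the failure to enabling Network EAP and Open-EAP on the same SSID. As an added example (not from the thread or from Cisco), this Python check walks a pasted IOS AP config from each SSID's EAP method list to its RADIUS server group and host entry, and reports that combination. The sample config is constructed from the first post; the `authentication network-eap` line, the `LAB` SSID and the `lab_methods` list are assumptions added for illustration.

```python
import re

# Constructed sample: trimmed from the 1100 config in the first post. The
# network-eap line, the LAB SSID and lab_methods are added for illustration.
SAMPLE = """\
aaa group server radius rad_eap
server 172.16.32.161 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa authentication login eap_methods group rad_eap
aaa authentication login lab_methods group rad_mac
ssid TEST
authentication open eap eap_methods
authentication network-eap eap_methods
ssid LAB
authentication open eap lab_methods
radius-server host 172.16.32.161 auth-port 1812 acct-port 1813 key 7 xxxxxx
"""

def audit_eap_chain(config):
    """Follow each SSID's EAP method list to its RADIUS group and servers."""
    groups, lists, hosts, ssids = {}, {}, set(), {}
    group = ssid = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"aaa group server radius (\S+)", line):
            group = m.group(1)
            groups[group] = []
        elif group and (m := re.match(r"server (\S+)", line)):
            groups[group].append(m.group(1))  # server lines belong to the last group
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            lists[m.group(1)] = m.group(2)
        elif m := re.match(r"radius-server host (\S+)", line):
            hosts.add(m.group(1))
        elif m := re.match(r"ssid (\S+)", line):
            ssid = m.group(1)
            ssids[ssid] = {}
        elif ssid and (m := re.match(r"authentication (open eap|network-eap) (\S+)", line)):
            ssids[ssid][m.group(1)] = m.group(2)
    findings = []
    for name, methods in ssids.items():
        if len(methods) == 2:  # the combination named in the last reply
            findings.append(f"{name}: open+EAP and network-EAP both enabled")
        for lst in sorted(set(methods.values())):
            servers = groups.get(lists.get(lst), [])
            if not servers:
                findings.append(f"{name}: list {lst} resolves to no RADIUS server")
            findings += [f"{name}: {s} has no radius-server host line"
                         for s in servers if s not in hosts]
    return findings
```

The parser does not depend on indentation, so it accepts a config pasted flush-left as in the first post.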