Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco Aironet 1242 PEAP

Hi,

I am trying to configure a Windows XP service pack 3 wireless client for PEAP authentication to a Cisco 1242 and I cannot have my Client talking to the AP. Always have the following degut ouput:

dot11_auth_parse_client_pak: Received EAPOL packet from 00 12 XX XX XX

dot11_auth_parse_client_pak: no client found

I am using a FreeRADIUS server with a Windows XP client configure to not validate the certificate. I have imported the ca.der self-signed certificate generated by FreeRADIUS.

Thanks for your help

Stephane

5 REPLIES

Re: Cisco Aironet 1242 PEAP

Can you post your config of the AP?

Also did you choose both "network eap and open eap" ?

  • Cisco clients—Use Network-EAP.

  • Third party clients (include CCX compliant products)—Use Open with EAP.

  • A combination of both Cisco and third party clients—Choose both Network-EAP and Open with EAP.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Community Member

Re: Cisco Aironet 1242 PEAP

Hi,

I just post the config of this AP, here is the latest debug message that I could gathered.

* dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

*dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0012.f078.xxxx

*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx

*%DOT11-7-AUTH_FAILED: Station 0012.f078.xxxx Authentication failed

*dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

*dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0012.f078.xxxx

* dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

* dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0012.f078.xxxx

*dot11_auth_dot1x_send_response_to_server: Sending client 0012.f078.xxxx data to server

* dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds

* RADIUS/ENCODE(0000001A):Orig. component type = DOT11

*RADIUS:  AAA Unsupported Attr: ssid              [263] 14

*RADIUS:   4D 6F 6E 6F 6E 63 6C 65 5F 53 74 65 [test]

*RADIUS:  AAA Unsupported Attr: interface         [156] 3

RADIUS:   32 [2]

RADIUS(0000001A): Storing nasport 281 in rad_db

RADIUS(0000001A): Config NAS IP: 10.5.104.22

RADIUS/ENCODE(0000001A): acct_session_id: 26

RADIUS(0000001A): sending

RADIUS/DECODE: parse response no app start; FAIL

RADIUS/DECODE: parse response; FAIL

dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0012.f078.xxxx

dot11_auth_dot1x_send_response_to_client: Forwarding serve r message to client 0012.f078.xxxx

dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds

*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx

*dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

Thanks for your help

Stephane

aaa new-model

aaa group server radius rad_eap

aaa group server radius rad_mac

aaa group server radius rad_acct

aaa group server radius rad_admin

aaa group server tacacs+ tac_admin

aaa group server radius rad_pmip

aaa group server radius dummy

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

!

dot11 ssid test

   authentication open eap eap_methods

   authentication network-eap eap_methods

   guest-mode

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode wep mandatory

!

ssid test

!

traffic-metrics aggregate-report

speed basic-54.0

no power client local

channel 2462

station-role root

antenna receive right

antenna transmit right

no dot11 extension aironet

bridge-group 1

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface BVI1

ip address X.X.X.X 255.255.255.0

no ip route-cache

!

ip default-gateway X.X.X.X

!

radius-server local

  no authentication eapfast

  no authentication leap

  no authentication mac

!

radius-server host X.X.X.X auth-port 1812 acct-port 1813 key 7 121A0C041104

Re: Cisco Aironet 1242 PEAP

This is telling "*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx"

Look in your radius server for a failure log. There should be a "reason" next to the failure. It will say like "client locked out", "bad EAP", "client timed out".

I would again just double check the cert make sure its installed. also if you are using an intel client. look under the trouble shoot drop down. sometimes the intel client will reveal interesting information.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Re: Cisco Aironet 1242 PEAP

Also one other thing ... insure the secret between the AP and the RAD is correct and also make sure the client logon and password is correct ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Community Member

Re: Cisco Aironet 1242 PEAP

Hi,

I found the problem, I have  initially used the GUI to configure the AP and there was no IP address for the radius server under aaa group server radius rad_eap.

The configuration should be as follow:

aaa group server radius rad_eap

server 192.168.0.85 auth-port 1812 acct-port 1813

dot11 ssid test

   authentication open eap eap_methods

   authentication network-eap eap_methods

   guest-mode

radius-server host 192.168.0.85 auth-port 1812 acct-port 1813 key 7 121A0C041104

In case where your radius do not rely on Active Directory, you can configured a user as follow:

username1     Cleartext-Password := "user-password1", MS-CHAP-Use-NTLM-Auth := 0

Thanks for your help

Stéphane

2160
Views
3
Helpful
5
Replies
CreatePlease to create content