Cisco Aironet 1242 PEAP

Steph1963
Level 1

Hi,

I am trying to configure a Windows XP Service Pack 3 wireless client for PEAP authentication to a Cisco 1242 and I cannot get my client talking to the AP. I always get the following debug output:

dot11_auth_parse_client_pak: Received EAPOL packet from 00 12 XX XX XX

dot11_auth_parse_client_pak: no client found

I am using a FreeRADIUS server with a Windows XP client configured not to validate the certificate. I have imported the ca.der self-signed certificate generated by FreeRADIUS.

Thanks for your help

Stephane


George Stefanick
VIP Alumni

Can you post your config of the AP?

Also, did you choose both "network eap and open eap"?

  • Cisco clients—Use Network-EAP.

  • Third party clients (include CCX compliant products)—Use Open with EAP.

  • A combination of both Cisco and third party clients—Choose both Network-EAP and Open with EAP.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi,

I just posted the config of this AP; here are the latest debug messages that I could gather.

* dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

*dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0012.f078.xxxx

*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx

*%DOT11-7-AUTH_FAILED: Station 0012.f078.xxxx Authentication failed

*dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

*dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0012.f078.xxxx

* dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

* dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

* dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0012.f078.xxxx

*dot11_auth_dot1x_send_response_to_server: Sending client 0012.f078.xxxx data to server

* dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds

* RADIUS/ENCODE(0000001A):Orig. component type = DOT11

*RADIUS:  AAA Unsupported Attr: ssid              [263] 14

*RADIUS:   4D 6F 6E 6F 6E 63 6C 65 5F 53 74 65 [test]

*RADIUS:  AAA Unsupported Attr: interface         [156] 3

RADIUS:   32 [2]

RADIUS(0000001A): Storing nasport 281 in rad_db

RADIUS(0000001A): Config NAS IP: 10.5.104.22

RADIUS/ENCODE(0000001A): acct_session_id: 26

RADIUS(0000001A): sending

RADIUS/DECODE: parse response no app start; FAIL

RADIUS/DECODE: parse response; FAIL

dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0012.f078.xxxx

dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0012.f078.xxxx

dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds

*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx

*dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.xxxx

dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078.xxxx timer started for 30 seconds

Thanks for your help

Stephane

aaa new-model

aaa group server radius rad_eap

aaa group server radius rad_mac

aaa group server radius rad_acct

aaa group server radius rad_admin

aaa group server tacacs+ tac_admin

aaa group server radius rad_pmip

aaa group server radius dummy

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

!

dot11 ssid test

   authentication open eap eap_methods

   authentication network-eap eap_methods

   guest-mode

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode wep mandatory

!

ssid test

!

traffic-metrics aggregate-report

speed basic-54.0

no power client local

channel 2462

station-role root

antenna receive right

antenna transmit right

no dot11 extension aironet

bridge-group 1

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface BVI1

ip address X.X.X.X 255.255.255.0

no ip route-cache

!

ip default-gateway X.X.X.X

!

radius-server local

  no authentication eapfast

  no authentication leap

  no authentication mac

!

radius-server host X.X.X.X auth-port 1812 acct-port 1813 key 7 121A0C041104

This is telling "*dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.xxxx"

Look in your RADIUS server for a failure log. There should be a "reason" next to the failure. It will say something like "client locked out", "bad EAP", "client timed out".

I would again just double-check the cert; make sure it's installed. Also, if you are using an Intel client, look under the troubleshoot drop-down. Sometimes the Intel client will reveal interesting information.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Also, one other thing ... ensure the secret between the AP and the RAD is correct, and also make sure the client logon and password are correct ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi,

I found the problem: I had initially used the GUI to configure the AP, and there was no IP address for the RADIUS server under aaa group server radius rad_eap.

The configuration should be as follows:

aaa group server radius rad_eap

server 192.168.0.85 auth-port 1812 acct-port 1813

dot11 ssid test

   authentication open eap eap_methods

   authentication network-eap eap_methods

   guest-mode

radius-server host 192.168.0.85 auth-port 1812 acct-port 1813 key 7 121A0C041104

In case your RADIUS does not rely on Active Directory, you can configure a user as follows:

username1     Cleartext-Password := "user-password1", MS-CHAP-Use-NTLM-Auth := 0

Thanks for your help

Stéphane
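
The root cause in this thread was an EAP method list pointing at a RADIUS server group with no `server` line. The following check for that condition is an added example, not code from the posters or from Cisco; `audit_eap_radius` and both sample configs are hypothetical names, and the configs are constructed from the ones posted above with the key replaced by a placeholder.

```python
import re

def audit_eap_radius(config: str) -> list:
    """Findings for SSID EAP method lists that cannot reach a RADIUS server."""
    groups, lists, hosts, ssid_lists = {}, {}, set(), []
    cur_group = cur_ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", line):
            cur_group, cur_ssid = m.group(1), None
            groups[cur_group] = []
        elif cur_group and (m := re.match(r"server (\S+)", line)):
            groups[cur_group].append(m.group(1))      # server inside the group
        elif m := re.match(r"aaa authentication login (\S+) (.*)", line):
            cur_group = cur_ssid = None
            lists[m.group(1)] = re.findall(r"group (\S+)", m.group(2))
        elif m := re.match(r"radius-server host (\S+)", line):
            cur_group = cur_ssid = None
            hosts.add(m.group(1))                     # globally defined server
        elif m := re.match(r"dot11 ssid (\S+)", line):
            cur_group, cur_ssid = None, m.group(1)
        elif cur_ssid and (m := re.match(
                r"authentication (?:open eap|network-eap) (\S+)", line)):
            ssid_lists.append((cur_ssid, m.group(1)))
        else:
            cur_group = None                          # any other line ends a group
            if line == "!":
                cur_ssid = None
    findings = []
    for ssid, lst in dict.fromkeys(ssid_lists):       # de-duplicate, keep order
        if lst not in lists:
            findings.append(f"ssid {ssid}: method list {lst} is not defined")
        for g in lists.get(lst, []):
            servers = groups.get(g, [])
            if not servers:
                findings.append(f"ssid {ssid}: list {lst} -> group {g} has no server entries")
            findings += [f"ssid {ssid}: group {g} server {s} has no radius-server host line"
                         for s in servers if s not in hosts]
    return findings

GROUP = "aaa group server radius rad_eap\n"
# Constructed sample: the AP config as first posted (rad_eap is empty).
BROKEN_CONFIG = ("aaa new-model\n" + GROUP + "aaa group server radius rad_mac\n"
    "aaa authentication login eap_methods group rad_eap\n"
    "aaa authentication login mac_methods local\n"
    "dot11 ssid test\n   authentication open eap eap_methods\n"
    "   authentication network-eap eap_methods\n   guest-mode\n!\n"
    "radius-server host 192.168.0.85 auth-port 1812 acct-port 1813 key 7 <key>\n")
# Constructed sample: the same config with the server line from the fix.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    GROUP, GROUP + " server 192.168.0.85 auth-port 1812 acct-port 1813\n")
```
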
