EAP-FAST with the Internal RADIUS on Autonomous AP

I've configured an 1142 following this document to the letter:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080c1dd60.shtml

I've tried both the GUI and CLI methods with the same result.

I'm constantly getting "Unknown usernames" errors from the local RADIUS server.  I can assure you I know how to type in "user1."  I've tried both Windows laptops and iOS devices as supplicants.

ap#show radius local-server stat

Successes              : 0           Unknown usernames      : 1

Client blocks          : 0           Invalid passwords      : 0

Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 192.168.23.10

Successes              : 0           Unknown usernames      : 1

Client blocks          : 0           Invalid passwords      : 0

Corrupted packet       : 0           Unknown RADIUS message : 0

No username attribute  : 0           Missing auth attribute : 0

Shared key mismatch    : 0           Invalid state attribute: 0

Unknown EAP message    : 0           Unknown EAP auth type  : 0

Auto provision success : 0           Auto provision failure : 0

PAC refresh            : 0           Invalid PAC received   : 0

Username                  Successes  Failures  Blocks

user1                             0         0       0

ap#

See below for the device configuration.  I feel like I'm facing an IOS bug.  Does anyone have any insight on this?

ap#show run

Building configuration...

Current configuration : 2887 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

enable secret 5 $1$nODk$XfXXiZANZyA013RgDRl7l0

!

aaa new-model

!

!

aaa group server radius rad_eap

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius rad_eap1

server 192.168.23.10 auth-port 1812 acct-port 1813

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login eap_methods1 group rad_eap1

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

aaa session-id common

!

!

dot11 syslog

!

dot11 ssid Contractors

   authentication open eap eap_methods1

   authentication network-eap eap_methods1

   authentication key-management wpa version 2

   guest-mode

!

!

!

username Cisco password 7 0802455D0A16

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers aes-ccm

!

ssid Contractors

!

antenna gain 0

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption mode ciphers aes-ccm

!

ssid Contractors

!

antenna gain 0

dfs band 3 block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

no keepalive

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 192.168.23.10 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

radius-server local

  no authentication leap

  no authentication mac

  eapfast authority id 466142405638363A264262412F2E6F2A

  eapfast authority info CompanyName

  eapfast server-key primary 7 F021B5A13255CE10F14D803834ACDF53BD

  eapfast server-key secondary 7 F021B5A13255CE10F14D803834ACDF53BD

  nas 192.168.23.10 key 7 04681C5F27204E5C1C

  user user1 nthash 7 075F716E1C2A415033362D2E20720807706263724123402522010A0C03712C533A

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 192.168.23.10 auth-port 1812 acct-port 1813 key 7 15211C552C2B29363D

radius-server vsa send accounting

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

!

end

ap#

I can post output from debug dot11 aaa authenticator all if you feel it would be helpful.

Thanks in advance
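Added example, not part of the original post and not Cisco code: a small parser for the `show radius local-server stat` output quoted above that lists the nonzero failure counters per scope and checks whether any reject was counted against a configured user. The function names and the choice of which counters are benign are assumptions of this example.

```python
import re
# Output copied from the post above (blank lines collapsed, prompts dropped).
SAMPLE = """\
Successes              : 0           Unknown usernames      : 1
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 0
NAS : 192.168.23.10
Successes              : 0           Unknown usernames      : 1
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute  : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0
Auto provision success : 0           Auto provision failure : 0
PAC refresh            : 0           Invalid PAC received   : 0
Username                  Successes  Failures  Blocks
user1                             0         0       0
"""
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")
BENIGN = {"Successes", "Auto provision success", "PAC refresh"}  # assumed non-failures

def parse_stats(text):
    """Return (counters, users); counters maps scope -> {counter name: value}."""
    counters, users, scope, in_users = {"global": {}}, {}, "global", False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("#"):  # blank line or bare CLI prompt
            continue
        nas = re.fullmatch(r"NAS\s*:\s*(\S+)", line)
        if nas:
            scope = "nas " + nas.group(1)  # following counters belong to this NAS
        elif line.startswith("Username"):
            in_users = True  # header of the per-user table
        elif in_users:
            name, ok, fail, blocks = line.split()
            users[name] = {"successes": int(ok), "failures": int(fail), "blocks": int(blocks)}
        else:
            for key, val in PAIR.findall(line):
                counters.setdefault(scope, {})[key] = int(val)
    return counters, users

def findings(text):  # nonzero failure counters, plus rejects no user row accounts for
    counters, users = parse_stats(text)
    out = [f"{scope}: {key} = {val}" for scope, c in counters.items()
           for key, val in c.items() if val and key not in BENIGN]
    unknown = counters["global"].get("Unknown usernames", 0)
    if unknown and not any(u["failures"] for u in users.values()):
        out.append(f"{unknown} unknown-username reject(s), none counted against: {', '.join(users)}")
    return out
```

On the posted output this reports `Unknown usernames = 1` at both the global and NAS scope while the `user1` row records no failure, i.e. the rejected request was not counted against `user1`.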
