Cisco Support Community
New Member

How to configure wireless Cisco 1041/EAP2 with Radius

Hello,

Having trouble configuring wireless on a Cisco 1041 with a 2012 Radius Server

I have a cisco ASA 5505 and Windows server 2012 Radius with NAP and Network Security policy

Guest Test guest works, test does not, I want the users to log into test with their AD credentials

Here is the AP config:

Thanks for any help

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap2
 server x.x.x.x auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name ser.local
!
!
dot11 syslog
!
dot11 ssid test
   vlan 1
   authentication open eap eap_methods2
   authentication network-eap eap_methods2
   authentication key-management wpa
   mbssid guest-mode
!
dot11 ssid test guest
   vlan 12
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7
!
dot11 priority-map avvid
dot11 phone dot11e
power inline negotiation injector 001b.8fac.990a
power inline negotiation prestandard source
!
!
!
!
class-map match-all _class_data_policy0
 match ip dscp default
class-map match-all _class_voice_policy0
 match ip dscp ef
!
!
policy-map voice_policy
 class _class_voice_policy0
  set cos 6
policy-map data_policy
 class _class_data_policy0
  set cos 0
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 12 mode ciphers aes-ccm
 !
 ssid ihiCorp
 !
 ssid ihiGuest
 !
 antenna gain 0
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 service-policy input data_policy
 service-policy output data_policy
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 bridge-group 12 subscriber-loop-control
 bridge-group 12 block-unknown-source
 no bridge-group 12 source-learning
 no bridge-group 12 unicast-flooding
 bridge-group 12 spanning-disabled
 service-policy input data_policy
 service-policy output data_policy
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 no bridge-group 12 source-learning
 bridge-group 12 spanning-disabled
!
interface BVI1
 ip address x.x.x.x 255.255.255.0
 no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

1 ACCEPTED SOLUTION

Accepted Solutions

How to configure wireless Cisco 1041/EAP2 with Radius

On the laptop, go to Start > Run and type in mmc.

Add/Remove Snap-in for Certificates, Computer account should be fine.  In there you'll see Root Trust and Enterprise root Trust.  Make sure the Root CA is listed in one of those areas.

You should be able to push that cert out via GPO, so long as the computers are on the wire first

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

12 REPLIES
New Member

How to configure wireless Cisco 1041/EAP2 with Radius

With RADIUS debug on, on the AP I get these error messages:

RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Sep 12 20:40:14.341: %DOT11-7-AUTH_FAILED: Station
RADIUS:  EAP-Message         [79]  6
RADIUS:  Message-Authenticato[80]  18
EAP-Message         [79]  6

How to configure wireless Cisco 1041/EAP2 with Radius

So, the config looks right from the group mapping perspective, though "authentication network-eap eap_methods2" would be used for LEAP.  PEAP or TLS will use "authentication open eap eap_methods2"

You can take a look at the link below for some commands you can use to test the AAA from the CLI:

https://supportforums.cisco.com/docs/DOC-22169

Do you know if the NPS is configured to listen on 1645/1646?  It may only be set to use 1812/1813

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

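Steve's reply above is about the RADIUS leg of the exchange (group mapping, 1645/1646 versus 1812/1813, and the EAP-Message [79] and Message-Authenticator [80] attributes the AP debug prints). The following Python is an added example, not code from this thread, Cisco or Microsoft: it builds an Access-Request the way the AP does, verifies the Message-Authenticator the way an EAP-capable RADIUS server must before trusting the request (RFC 3579 section 3.2), and reassembles the EAP-Message fragments that the "EAP-Message fragments" debug line counts. The shared secret, identity and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79            # attribute [79] in the AP's debug output
MESSAGE_AUTHENTICATOR = 80  # attribute [80], HMAC-MD5 keyed with the shared secret

def parse_attributes(packet: bytes):
    """Return (type, value) pairs from the attribute section of a RADIUS packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_access_request(secret: bytes, ident: int, authenticator: bytes, eap: bytes) -> bytes:
    """Access-Request with EAP-Message fragments and a correct Message-Authenticator:
    HMAC-MD5 over the whole packet with the 16-byte attribute value zeroed (RFC 3579)."""
    body = b""
    for i in range(0, len(eap), 253):               # one EAP-Message holds <= 253 bytes
        chunk = eap[i:i + 253]
        body += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)   # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute the HMAC with attribute 80 zeroed; a wrong secret or any changed byte fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False   # RFC 3579: an EAP request without the attribute must be discarded

def reassemble_eap(packet: bytes) -> bytes:  # joins the EAP-Message fragments in order
    return b"".join(v for t, v in parse_attributes(packet) if t == EAP_MESSAGE)
```

A shared secret that differs between the AP's radius-server line and the NPS RADIUS client entry fails this check in exactly the same way, since both ends key the HMAC with that secret.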
New Member

How to configure wireless Cisco 1041/EAP2 with Radius

Where can I check the NPS port setting (Server 2012)?

Thanks for the reply

New Member

How to configure wireless Cisco 1041/EAP2 with Radius

It is set to use

1812, 1645 - authentication

1813, 1646 - accounting

How to configure wireless Cisco 1041/EAP2 with Radius

ok, when you check the systems log for the timeframe the user tried to get on, do you see any messages?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

How to configure wireless Cisco 1041/EAP2 with Radius

I was checking the logs earlier, did not see anything, will check again now

New Member

How to configure wireless Cisco 1041/EAP2 with Radius

I get these messages:

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.

from source schannel

A LDAP connection with domain controller IHIserver01.ihi-press.local for domain TEST is established.(from source NPS)

New Member

How to configure wireless Cisco 1041/EAP2 with Radius

In order, I get these messages:

The processing of Group Policy failed. Windows attempted to read the file \\test.local\sysvol\test.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

A LDAP connection with domain controller IHIserver01.ihi-press.local for domain TEST is established.

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.

How to configure wireless Cisco 1041/EAP2 with Radius

Alert code 48 is unknown CA

http://blogs.msdn.com/b/kaushal/archive/2012/10/06/ssl-tls-alert-protocol-amp-the-alert-codes.aspx

So you are doing EAP-TLS, does the end machine have the Root CA in its trust list?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

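The schannel event (fatal alert 48) and the 6-byte EAP-Message [79] in the AP debug are two views of the same failed handshake. The following Python is an added example, not code from this thread, Cisco or Microsoft: it decodes an EAP packet pulled out of EAP-Message, where a 4-byte packet (all a 6-byte attribute can carry) is a bare EAP Success or Failure, and an EAP-TLS (type 13) fragment holding a TLS alert record yields the alert level and description, with 48 mapping to unknown_ca as Steve says. The sample packets are constructed, not captured traffic.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13        # EAP-TLS method type, RFC 5216
TLS_ALERT = 21           # TLS record content type for alerts
# Alert descriptions that point at certificate or trust problems (RFC 5246 section 7.2)
ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
}

def decode_eap(eap: bytes) -> dict:
    """Parse the EAP header; a 4-byte packet has no type and is a bare Success/Failure."""
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap) or code not in EAP_CODES:
        raise ValueError("malformed EAP packet")
    info = {"code": EAP_CODES[code], "id": ident}
    if length > 4:
        info["type"], info["data"] = eap[4], eap[5:]
    return info

def decode_eap_tls_alert(eap: bytes):
    """Return (level, description) if the packet is an EAP-TLS fragment whose
    payload is a TLS alert record, else None."""
    info = decode_eap(eap)
    if info.get("type") != EAP_TYPE_TLS or not info["data"]:
        return None
    flags, data = info["data"][0], info["data"][1:]
    if flags & 0x80:                  # L bit: 4-byte TLS message length precedes the record
        data = data[4:]
    if len(data) < 7 or data[0] != TLS_ALERT or struct.unpack("!H", data[3:5])[0] != 2:
        return None
    level, desc = data[5], data[6]
    return ("fatal" if level == 2 else "warning", ALERTS.get(desc, "alert_%d" % desc))

def build_eap_tls_alert(ident: int, level: int, desc: int) -> bytes:
    """Construct the EAP-Response/EAP-TLS a supplicant sends to abort the
    handshake (sample input for the decoder above, not captured traffic)."""
    record = bytes([TLS_ALERT, 3, 1]) + struct.pack("!H", 2) + bytes([level, desc])
    data = bytes([EAP_TYPE_TLS, 0x80]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data
```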
New Member

How to configure wireless Cisco 1041/EAP2 with Radius

Sorry, How do I check ?

New Member

How to configure wireless Cisco 1041/EAP2 with Radius

Thanks a lot!
