MAC Authentication Bypass Cisco AP 2600 and MS NPS

Hi,
I have some problems with MAB on a Cisco Aironet.

My first problem is that the Cisco SSID asks for a username and password. I need it to ask for no username or password.

My second problem is that RADIUS sends Access-Accept, but the AP does not authenticate the wireless device (Apple iPad).

Is there an issue with PKT? But I am not advanced in this. Could somebody help me?

My config is here:

aaa group server radius rad_mac
 server 172.16.1.1

aaa authentication login mac_methods group rad_mac

dot11 ssid device-hive
   vlan 11
   authentication open mac-address mac_methods
   authentication key-management wpa version 2
   mbssid guest-mode dtim-period 50

interface Dot11Radio0
 encryption vlan 11 mode ciphers tkip
 ssid device-hive

interface Dot11Radio0.11
 encapsulation dot1Q 11
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 spanning-disabled
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding

interface GigabitEthernet0.11
 encapsulation dot1Q 11
 bridge-group 11
 bridge-group 11 spanning-disabled
 no bridge-group 11 source-learning


The logs are here:

Mar 19 14:24:52.807: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Mar 19 14:24:53.800: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Mar 19 14:24:53.836: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
Mar 19 14:24:53.844: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
Mar 19 14:24:53.852: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
Mar 19 14:24:54.836: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Mar 19 14:24:54.844: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
Mar 19 14:24:54.880: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
Mar 19 14:24:55.881: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Mar 19 14:25:19.851: dot11_mgr_disp_auth_request: Send auth request for client acfd.eceb.7c19 to local Authenticator
Mar 19 14:25:19.851: dot11_auth_add_client_entry: Create new client acfd.eceb.7c19 for application 0x1
Mar 19 14:25:19.851: dot11_auth_initialize_client: acfd.eceb.7c19 is added to the client list for application 0x1
Mar 19 14:25:19.851: dot11_auth_add_client_entry: req->auth_type 1
Mar 19 14:25:19.851: dot11_auth_add_client_entry: auth_methods_inprocess: 1
Mar 19 14:25:19.851: dot11_auth_add_client_entry: mac list name: mac_methods
Mar 19 14:25:19.851: dot11_run_auth_methods: Start auth method MAC
Mar 19 14:25:19.851: dot11_auth_mac_start: method_list: mac_methods
Mar 19 14:25:19.851: dot11_auth_mac_start: method_index: 0xDD000002, req: 0x42CA61C
Mar 19 14:25:19.851: dot11_auth_mac_start: client->unique_id: 0x2F
Mar 19 14:25:19.851: RADIUS/ENCODE(0000002F):Orig. component type = DOT11
Mar 19 14:25:19.851: RADIUS:  AAA Unsupported Attr: ssid              [346] 11  72063020
Mar 19 14:25:19.851: RADIUS:  AAA Unsupported Attr: location-name     [754] 31  72062540
Mar 19 14:25:19.851: RADIUS:  AAA Unsupported Attr: service-type      [344] 4   1
Mar 19 14:25:19.851: RADIUS:  AAA Unsupported Attr: interface         [221] 3   72063408
Mar 19 14:25:19.851: RADIUS(0000002F): Config NAS IP: 172.16.2.1
Mar 19 14:25:19.851: RADIUS(0000002F): Config NAS IPv6: ::
Mar 19 14:25:19.851: RADIUS/ENCODE(0000002F): acct_session_id: 37
Mar 19 14:25:19.851: RADIUS(0000002F): Config NAS IP: 172.16.2.1
Mar 19 14:25:19.851: RADIUS(0000002F): sending
Mar 19 14:25:19.851: RADIUS(0000002F): Sending a IPv4 Radius Packet
Mar 19 14:25:19.851: RADIUS(0000002F): Send Access-Request to 172.16.1.1:1645 id 1645/32,len 143
Mar 19 14:25:19.851: RADIUS:  authenticator 86 B0 BC D7 32 5C 86 E0 - 4D 54 1E 07 69 24 C2 A4
Mar 19 14:25:19.851: RADIUS:  User-Name           [1]   14  "acfdeceb7c19"
Mar 19 14:25:19.851: RADIUS:  User-Password       [2]   18  *
Mar 19 14:25:19.851: RADIUS:  Called-Station-Id   [30]  31  "08-CC-68-0E-20-B0:device-hive"
Mar 19 14:25:19.851: RADIUS:  Calling-Station-Id  [31]  19  "AC-FD-EC-EB-7C-19"
Mar 19 14:25:19.851: RADIUS:  Service-Type        [6]   6   Login                     [1]
Mar 19 14:25:19.851: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Mar 19 14:25:19.851: RADIUS:  NAS-Port            [5]   6   292
Mar 19 14:25:19.851: RADIUS:  NAS-Port-Id         [87]  5   "292"
Mar 19 14:25:19.851: RADIUS:  NAS-IP-Address      [4]   6   172.16.2.1
Mar 19 14:25:19.851: RADIUS:  Nas-Identifier      [32]  12  "WAP01"
Mar 19 14:25:19.851: RADIUS(0000002F): Started 30 sec timeout
Mar 19 14:25:19.855: RADIUS: Received from id 1645/32 172.16.1.1:1645, Access-Accept, len 102
Mar 19 14:25:19.855: RADIUS:  authenticator FA 52 8B CE 84 C8 8C AA - 6B 9B B3 80 85 32 23 C2
Mar 19 14:25:19.855: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 19 14:25:19.855: RADIUS:  Service-Type        [6]   6   Login                     [1]
Mar 19 14:25:19.855: RADIUS:  Class               [25]  46
Mar 19 14:25:19.855: RADIUS:   5B 1E 04 FD 00 00 01 37 00 01 02 00 AC 10 28 A6 00 00 00 00 00 00 00 00 00 00 00 00 01 CF 35 7B 8C 78 23 01 00 00 00 00 00 0A 70 15          [ [7(5{x#p]
Mar 19 14:25:19.855: RADIUS:  Vendor, Microsoft   [26]  12
Mar 19 14:25:19.855: RADIUS:   MS-Link-Util-Thresh[14]  6
Mar 19 14:25:19.859: RADIUS:   00 00 00 32                 [ 2]
Mar 19 14:25:19.859: RADIUS:  Vendor, Microsoft   [26]  12
Mar 19 14:25:19.859: RADIUS:   MS-Link-Drop-Time-L[15]  6
Mar 19 14:25:19.859: RADIUS:   00 00 00 78                 [ x]
Mar 19 14:25:19.859: RADIUS(0000002F): Received from id 1645/32
Mar 19 14:25:19.859: dot11_mac_process_reply: AAA reply for acfd.eceb.7c19 PASSED
Mar 19 14:25:19.859: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
Mar 19 14:25:19.859: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
Mar 19 14:25:19.859: dot11_auth_server_airespace_aclname: Checking for Airespace-Acl-Name in server attributes
Mar 19 14:25:19.859: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
Mar 19 14:25:19.859: dot11_auth_send_msg:  sending data to requestor status 2
Mar 19 14:25:19.859: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
Mar 19 14:25:19.859: dot11_auth_send_msg: client authenticated acfd.eceb.7c19, node_type 64 for application 0x1
Mar 19 14:25:19.859: dot11_auth_delete_client_entry: acfd.eceb.7c19 is deleted for application 0x1
Mar 19 14:25:19.859: dot11_mgr_disp_callback: Received message from Local Authenticator
Mar 19 14:25:19.859: dot11_mgr_disp_callback: Received DOT11_AAA_SUCCESS from Local Authenticator
Mar 19 14:25:19.859: dot11_mgr_disp_callback: Network-id =0
Mar 19 14:25:19.859: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_PASS) for acfd.eceb.7c19
Mar 19 14:25:19.859: dot11_mgr_sm_send_client_pass: Authentication passed for acfd.eceb.7c19: start wpa-v2 key exchange
Mar 19 14:25:19.859: dot11_mgr_sm_send_wpav2_ptk_msg1: Starting wpav2 ptk msg 1 to supplicant acfd.eceb.7c19Could not find station pointer for client acfd.eceb.7c19. Using vlan number from aaa_client
Mar 19 14:25:19.859: dot11_dot1x_send_ssn_eapol_key: wpav2 msg 1 pak_size 121
Mar 19 14:25:19.859: dot11_dot1x_send_ssn_eapol_key: eapol->length 117
Mar 19 14:25:19.859: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for acfd.eceb.7c19
Mar 19 14:25:19.859: dot11_dot1x_build_ptk_handshake: ptk key len 32
Mar 19 14:25:19.859: dot11_dot1x_build_ptk_handshake: ptk key data len 22
Mar 19 14:25:19.859: dot11_dot1x_build_ptk_handshake: wpav2 pmkid[DOT1X]: C81319000000000000E44F409ACF991A
Mar 19 14:25:19.859: dot11_mgr_disp_client_send_eapol: Overwrote hwidb address 08cc.680e.20b0 with MBSSID address 08cc.680e.20b0
Mar 19 14:25:19.859: dot11_mgr_disp_client_send_eapol: sending eapol to client acfd.eceb.7c19 on BSSID 08cc.680e.20b0
Mar 19 14:25:19.859: dot11_mgr_sm_send_wpav2_ptk_msg1: [1] Sent PTK msg 1 to acfd.eceb.7c19, no timer set
Mar 19 14:25:19.859: dot11_mgr_sm_hs_callback: [1] Handshake msg to acfd.eceb.7c19, timer set: timeout 100 ms
Mar 19 14:25:19.959: dot11_mgr_sm_run_machine: Executing Action(WPAV2_PTK_MSG2_WAIT,TIMEOUT) for acfd.eceb.7c19
Mar 19 14:25:19.959: dot11_mgr_sm_send_wpav2_ptk_msg1: Starting wpav2 ptk msg 1 to supplicant acfd.eceb.7c19Could not find station pointer for client acfd.eceb.7c19. Using vlan number from aaa_client
Mar 19 14:25:19.959: dot11_dot1x_send_ssn_eapol_key: wpav2 msg 1 pak_size 121
Mar 19 14:25:19.959: dot11_dot1x_send_ssn_eapol_key: eapol->length 117
Mar 19 14:25:19.959: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for acfd.eceb.7c19
Mar 19 14:25:19.959: dot11_dot1x_build_ptk_handshake: ptk key len 32
Mar 19 14:25:19.959: dot11_dot1x_build_ptk_handshake: ptk key data len 22
Mar 19 14:25:19.959: dot11_dot1x_build_ptk_handshake: wpav2 pmkid[DOT1X]: 41202D20364220394220423320383020
Mar 19 14:25:19.959: dot11_mgr_disp_client_send_eapol: Overwrote hwidb address 08cc.680e.20b0 with MBSSID address 08cc.680e.20b0
Mar 19 14:25:19.959: dot11_mgr_disp_client_send_eapol: sending eapol to client acfd.eceb.7c19 on BSSID 08cc.680e.20b0
Mar 19 14:25:19.959: dot11_mgr_sm_send_wpav2_ptk_msg1: [2] Sent PTK msg 1 to acfd.eceb.7c19, no timer set
Mar 19 14:25:19.959: dot11_mgr_sm_hs_callback: [2] Handshake msg to acfd.eceb.7c19, timer set: timeout 100 ms
Mar 19 14:25:20.059: dot11_mgr_sm_run_machine: Executing Action(WPAV2_PTK_MSG2_WAIT,TIMEOUT) for acfd.eceb.7c19
Mar 19 14:25:20.059: dot11_mgr_sm_send_wpav2_ptk_msg1: Starting wpav2 ptk msg 1 to supplicant acfd.eceb.7c19Could not find station pointer for client acfd.eceb.7c19. Using vlan number from aaa_client
Mar 19 14:25:20.059: dot11_dot1x_send_ssn_eapol_key: wpav2 msg 1 pak_size 121
Mar 19 14:25:20.059: dot11_dot1x_send_ssn_eapol_key: eapol->length 117
Mar 19 14:25:20.059: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for acfd.eceb.7c19
Mar 19 14:25:20.059: dot11_dot1x_build_ptk_handshake: ptk key len 32
Mar 19 14:25:20.059: dot11_dot1x_build_ptk_handshake: ptk key data len 22
Mar 19 14:25:20.059: dot11_dot1x_build_ptk_handshake: wpav2 pmkid[DOT1X]: 2D45432D45422D37432D313922392E20
Mar 19 14:25:20.059: dot11_mgr_disp_client_send_eapol: Overwrote hwidb address 08cc.680e.20b0 with MBSSID address 08cc.680e.20b0
Mar 19 14:25:20.059: dot11_mgr_disp_client_send_eapol: sending eapol to client acfd.eceb.7c19 on BSSID 08cc.680e.20b0
Mar 19 14:25:20.059: dot11_mgr_sm_send_wpav2_ptk_msg1: [3] Sent PTK msg 1 to acfd.eceb.7c19, no timer set
Mar 19 14:25:20.059: dot11_mgr_sm_hs_callback: [3] Handshake msg to acfd.eceb.7c19, timer set: timeout 100 ms
Mar 19 14:25:20.159: dot11_mgr_sm_run_machine: Executing Action(WPAV2_PTK_MSG2_WAIT,TIMEOUT) for acfd.eceb.7c19
Mar 19 14:25:20.159: dot11_mgr_sm_send_wpav2_ptk_msg1: Starting wpav2 ptk msg 1 to supplicant acfd.eceb.7c19
Mar 19 14:25:20.159: dot11_mgr_sm_handshake_fail: Handshake failure for acfd.eceb.7c19
Mar 19 14:25:20.159: %DOT11-7-AUTH_FAILED: Station acfd.eceb.7c19 Authentication failed
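As an added example, not part of the original post and not a Cisco tool: a Python triage script for this kind of `debug radius` / `debug dot11 aaa` capture. It embeds a constructed subset of the lines above, separates the attributes the AP put in the Access-Request from those NPS returned in the Access-Accept, checks whether the reply carried any key material for the 4-way handshake (MS-MPPE-Recv-Key / MS-MPPE-Send-Key), and counts the PTK msg 1 retransmissions up to the handshake failure. The `Triage` dataclass, the `KEY_ATTRS` set and the finding strings are the example's own choices.

```python
"""Triage a Cisco autonomous AP MAB + WPA2 debug capture (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of the debug lines from the post, for offline use.
SAMPLE_LOG = """\
Mar 19 14:25:19.851: RADIUS(0000002F): Send Access-Request to 172.16.1.1:1645 id 1645/32,len 143
Mar 19 14:25:19.851: RADIUS:  User-Name           [1]   14  "acfdeceb7c19"
Mar 19 14:25:19.851: RADIUS:  User-Password       [2]   18  *
Mar 19 14:25:19.851: RADIUS:  Called-Station-Id   [30]  31  "08-CC-68-0E-20-B0:device-hive"
Mar 19 14:25:19.851: RADIUS:  Calling-Station-Id  [31]  19  "AC-FD-EC-EB-7C-19"
Mar 19 14:25:19.851: RADIUS:  Service-Type        [6]   6   Login                     [1]
Mar 19 14:25:19.851: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Mar 19 14:25:19.855: RADIUS: Received from id 1645/32 172.16.1.1:1645, Access-Accept, len 102
Mar 19 14:25:19.855: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 19 14:25:19.855: RADIUS:  Service-Type        [6]   6   Login                     [1]
Mar 19 14:25:19.855: RADIUS:  Vendor, Microsoft   [26]  12
Mar 19 14:25:19.855: RADIUS:   MS-Link-Util-Thresh[14]  6
Mar 19 14:25:19.859: dot11_mac_process_reply: AAA reply for acfd.eceb.7c19 PASSED
Mar 19 14:25:19.859: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
Mar 19 14:25:19.859: dot11_mgr_sm_send_client_pass: Authentication passed for acfd.eceb.7c19: start wpa-v2 key exchange
Mar 19 14:25:19.859: dot11_mgr_sm_send_wpav2_ptk_msg1: [1] Sent PTK msg 1 to acfd.eceb.7c19, no timer set
Mar 19 14:25:19.959: dot11_mgr_sm_send_wpav2_ptk_msg1: [2] Sent PTK msg 1 to acfd.eceb.7c19, no timer set
Mar 19 14:25:20.059: dot11_mgr_sm_send_wpav2_ptk_msg1: [3] Sent PTK msg 1 to acfd.eceb.7c19, no timer set
Mar 19 14:25:20.159: dot11_mgr_sm_handshake_fail: Handshake failure for acfd.eceb.7c19
Mar 19 14:25:20.159: %DOT11-7-AUTH_FAILED: Station acfd.eceb.7c19 Authentication failed
"""

# One decoded attribute line: name, [type], length, value (VSAs have no space before '[').
ATTR_RE = re.compile(r'RADIUS:\s+([A-Za-z][\w-]*)\s*\[(\d+)\]\s+\d+\s*(.*?)\s*$')
SEND_RE = re.compile(r'Send Access-Request to (\S+)')
RECV_RE = re.compile(r'Received from id \S+ \S+, (Access-\w+)')
KEY_RE = re.compile(r'resp->nsk_len (\d+) resp->auth_key_len (\d+)')
PTK_RE = re.compile(r'\[(\d+)\] Sent PTK msg 1 to ([0-9a-f.]+)')
FAIL_RE = re.compile(r'Handshake failure for ([0-9a-f.]+)')

# Attributes that deliver an EAP-derived PMK to the AP for WPA/WPA2 key management.
KEY_ATTRS = {'MS-MPPE-Recv-Key', 'MS-MPPE-Send-Key'}


@dataclass
class Triage:
    request: dict = field(default_factory=dict)   # attributes the AP sent
    reply_code: Optional[str] = None
    reply: dict = field(default_factory=dict)     # attributes the server returned
    auth_key_len: Optional[int] = None            # key length the AP got from AAA
    ptk_msg1_attempts: int = 0
    handshake_failed: bool = False
    findings: list = field(default_factory=list)


def mac_from(value: str) -> str:
    """Normalize 'AC-FD-EC-EB-7C-19', 'acfdeceb7c19' or 'acfd.eceb.7c19' to 12 hex digits."""
    return re.sub(r'[^0-9a-f]', '', value.lower())


def triage(log_text: str) -> Triage:
    t = Triage()
    bucket = None  # which side's attribute list the current lines belong to
    for line in log_text.splitlines():
        if SEND_RE.search(line):
            bucket = t.request
        elif (m := RECV_RE.search(line)):
            t.reply_code = m.group(1)
            bucket = t.reply
        elif (m := ATTR_RE.search(line)) and bucket is not None:
            bucket[m.group(1)] = m.group(3).strip('"')
        elif (m := KEY_RE.search(line)):
            t.auth_key_len = int(m.group(2))
        elif PTK_RE.search(line):
            t.ptk_msg1_attempts += 1
        elif FAIL_RE.search(line):
            t.handshake_failed = True

    user = t.request.get('User-Name', '')
    calling = t.request.get('Calling-Station-Id', '')
    if user and mac_from(user) == mac_from(calling):
        t.findings.append('MAB request: User-Name is the station MAC, no real credential involved')
    has_keys = bool(KEY_ATTRS.intersection(t.reply))
    if t.reply_code == 'Access-Accept' and not has_keys:
        t.findings.append('Access-Accept carries no MS-MPPE key material')
    if t.ptk_msg1_attempts and (t.auth_key_len == 0 or not has_keys):
        t.findings.append('AP started the WPAv2 4-way handshake without a PMK; station cannot answer PTK msg 1')
    if t.handshake_failed:
        t.findings.append(f'4-way handshake failed after {t.ptk_msg1_attempts} PTK msg 1 attempts')
    return t


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print(f'reply: {result.reply_code}, auth_key_len={result.auth_key_len}')
    for finding in result.findings:
        print(' -', finding)
```

On the posted lines it reports an Access-Accept with no MS-MPPE-Recv-Key or MS-MPPE-Send-Key, `auth_key_len 0`, three unanswered PTK msg 1 transmissions and a handshake failure. The caveat behind that finding: WPA2 key management needs a PMK on both sides before msg 1 can be answered, and it comes either from the EAP exchange (delivered to the AP in the MS-MPPE keys) or from a configured PSK. A MAC-address lookup yields neither, so an SSID that pairs `mac-address` authentication with `key-management wpa version 2` and no PSK will pass MAB and then fail exactly at this handshake.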
