Cisco Support Community

Need help to troubleshoot WDS configuration.

Hi,

I'm trying to deploy WDS but I'm having a few problems connecting with a client to the AP. The access point is a Cisco Aironet 1040.

Current configuration : 3432 bytes

!

! Last configuration change at 08:30:28 UTC Fri Mar 1 2002

version 15.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

!

logging rate-limit console 9

enable secret 5 $1$OoEN$.2/pcffM5ZPX2lIcguYE3.

!

aaa new-model

!

!

aaa group server radius rad_eap88

server name 192.168.1.5

!

aaa group server radius Infrastructure

--More--

*Mar  1 08:30:28.669: %SYS-5-CONFIG_I: Configured from console  server name 192.168.1.5

!

aaa group server radius rad_eap

server name 192.168.1.5

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

server name 192.168.1.5

!

aaa group server radius rad_admin

server name 192.168.1.5

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius clients

server name 192.168.1.5

!

aaa authentication login eap_methods group rad_eap

aaa authentication login method_Infrastructure group Infrastructure

aaa authentication login mac_methods local

aaa authentication login method_clients group clients

aaa authentication login method_client group clients

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

!

!

!

!

aaa session-id common

no ip routing

no ip cef

no ip domain lookup

!

!

!

!

dot11 syslog

!

dot11 ssid testz

   authentication open eap method_client

   authentication network-eap method_client

   authentication key-management wpa

   guest-mode

!

!

dot11 guest

!

eap profile fast

method peap

!

!

!

dot1x credentials mange

username mange

password 7 1104180B1017

!

dot1x timeout supp-response 110

username Cisco password 7 14341B180F0B

!

!

bridge irb

!

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers tkip

!

ssid testz

!

antenna gain 0

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface GigabitEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

bridge-group 1 spanning-disabled

no bridge-group 1 source-learning

!

interface BVI1

ip address 192.168.1.5 255.255.255.0

no ip route-cache

ipv6 address dhcp

ipv6 address autoconfig

ipv6 enable

!

ip forward-protocol nd

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

!

!

radius-server local

  no authentication mac

  nas 192.168.1.5 key 7 1403171818

  nas 192.168.1.4 key 7 1403171818

  user wds1 nthash 7 1542282E52737F7C70636004445E412127047800010C5E5441410A7A0F0A070603

  user wds2 nthash 7 06562C031A175D415D47472D5B5D7D09027A126D704B57415A56057B000A015D54

  user mange nthash 7 0021305E5178535356021F165A405D424B295954790F000E63627B36574425220F

  user test nthash 7 025627795D5F5B79141E5C3F524E45292A560B73767063627B4454345B58030A0F

!

radius-server attribute 32 include-in-access-req format %h

radius-server vsa send accounting

!

radius server 192.168.1.5

address ipv4 192.168.1.5 auth-port 1812 acct-port 1813

key 7 051F031C35

!

bridge 1 route ip

!

!

wlccp ap username wds1 password 7 044F0E151B

wlccp authentication-server infrastructure method_Infrastructure

wlccp authentication-server client eap method_clients

  ssid testz

wlccp wds priority 254 interface BVI1

!

line con 0

line vty 0 4

transport input all

!

end

WDS info from the master:

ap#show wlccp wds

      MAC: 2c54.2d9e.21e9, IP-ADDR: 192.168.1.5    , IPV6-ADDR: ::                                     , Priority: 254

      Interface BVI1, State: Administratively StandAlone - ACTIVE

      AP Count: 2   , MN Count: 1

ap#show wlccp ap

       WDS = 2c54.2d9e.21e9, IP: 192.168.1.5     , IPV6: ::

state = wlccp_ap_st_registered

IN Authenticator = IP: 192.168.1.5      IPV6: ::

MN Authenticator = IP: 192.168.1.5      IPv6:

When I try to connect via a client, I'm receiving:

*Mar  1 08:25:52.214: AAA/BIND(00000926): Bind i/f

*Mar  1 08:25:52.215: AAA/BIND(00000927): Bind i/f

*Mar  1 08:25:52.217: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 08:25:52.241: dot1x-ev(Do0): Role determination not required

*Mar  1 08:25:52.241: dot1x-packet(Do0): Queuing an EAPOL pkt on Authenticator Q

*Mar  1 08:25:52.243: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 08:25:54.976: dot1x-ev(Do0): Role determination not required

*Mar  1 08:25:54.976: dot1x-packet(Do0): Queuing an EAPOL pkt on Authenticator Q

*Mar  1 08:25:54.977: AAA/AUTHEN/PPP (00000927): Pick method list 'method_clients'

*Mar  1 08:25:54.978: RADIUS/ENCODE(00000927):Orig. component type = Dot11 Auth

*Mar  1 08:25:54.978: RADIUS(00000927): Config NAS IP: 192.168.1.5

*Mar  1 08:25:54.978: RADIUS(00000927): Config NAS IPv6: ::

*Mar  1 08:25:54.978: RADIUS(00000927): Config NAS IP: 192.168.1.5

*Mar  1 08:25:54.979: RADIUS(00000927): Sending a IPv4 Radius Packet

*Mar  1 08:25:54.979: RADIUS(00000927): Send Access-Request to 192.168.1.5:1812 id 1645/76,len 138

*Mar  1 08:25:54.979: RADIUS(00000927): Started 5 sec timeout

*Mar  1 08:25:54.981: RADIUS: Received from id 1645/76 192.168.1.5:1812, Access-Challenge, len 116

*Mar  1 08:25:54.981: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes

*Mar  1 08:25:54.982: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 08:25:54.989: dot1x-ev(Do0): Role determination not required

*Mar  1 08:25:54.989: dot1x-packet(Do0): Queuing an EAPOL pkt on Authenticator Q

*Mar  1 08:25:54.991: AAA/AUTHEN/PPP (00000927): Pick method list 'method_clients'

*Mar  1 08:25:54.991: RADIUS/ENCODE(00000927):Orig. component type = Dot11 Auth

*Mar  1 08:25:54.991: RADIUS(00000927): Config NAS IP: 192.168.1.5

*Mar  1 08:25:54.992: RADIUS(00000927): Config NAS IPv6: ::

*Mar  1 08:25:54.992: RADIUS(00000927): Config NAS IP: 192.168.1.5

*Mar  1 08:25:54.992: RADIUS(00000927): Sending a IPv4 Radius Packet

*Mar  1 08:25:54.993: RADIUS(00000927): Send Access-Request to 192.168.1.5:1812 id 1645/77,len 185

*Mar  1 08:25:54.993: RADIUS(00000927): Started 5 sec timeout

*Mar  1 08:25:54.993: RADSRV: Unknown type 25 received for EAP NAK

*Mar  1 08:25:54.994: RADIUS: Received from id 1645/77 192.168.1.5:1812, Access-Reject, len 94

*Mar  1 08:25:54.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

*Mar  1 08:25:54.997: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 08:25:54.997: %DOT11-7-AUTH_FAILED: Station d0df.9afa.683a Authentication failed

*Mar  1 08:25:55.907: AAA/BIND(00000928): Bind i/f

*Mar  1 08:25:55.909: AAA/BIND(00000929): Bind i/f

*Mar  1 08:25:55.910: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 08:25:55.920: dot1x-ev(Do0): Role determination not required

*Mar  1 08:25:55.920: dot1x-packet(Do0): Queuing an EAPOL pkt on Authenticator Q

*Mar  1 08:25:55.922: dot1x-registry:registry:dot1x_ether_macaddr called


Any ideas what could be wrong? Also, is it possible to just use WPA with a shared key and be able to fast-roam? As I understand it, this is not possible.

Kind Regards

3 REPLIES

Need help to troubleshoot WDS configuration.

OK, so what client are you using, and does it support LEAP or EAP-FAST? If you are using the AP as the AAA for the clients, it can only do LEAP or EAP-FAST.

From the debug, it looks like you are wanting to use PEAP for the client:

"Unknown type 25 received for EAP NAK"

If you want to do PEAP for the clients you'll need ACS/IAS/NPS/etc

But your WDS setup looks good, as you have two APs registered in.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
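
The reading of the debug given in the reply above, automated as an added example (not part of the original thread): it parses the AP debug lines, maps the EAP type in the NAK to a method name, and flags when that method is outside what the authenticating server offers. The function name `diagnose` is hypothetical, the type numbers are the IANA EAP method types, the server's method set is taken from the reply, and the sample lines are copied from the question's debug output.

```python
import re

# EAP method type numbers as registered with IANA.
EAP_TYPES = {4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
# Assumption taken from the reply: the AP acting as AAA only does these.
LOCAL_AP_METHODS = {"LEAP", "EAP-FAST"}

# Lines copied from the debug output posted in the question.
SAMPLE = """\
*Mar  1 08:25:54.979: RADIUS(00000927): Send Access-Request to 192.168.1.5:1812 id 1645/76,len 138
*Mar  1 08:25:54.981: RADIUS: Received from id 1645/76 192.168.1.5:1812, Access-Challenge, len 116
*Mar  1 08:25:54.993: RADIUS(00000927): Send Access-Request to 192.168.1.5:1812 id 1645/77,len 185
*Mar  1 08:25:54.993: RADSRV: Unknown type 25 received for EAP NAK
*Mar  1 08:25:54.994: RADIUS: Received from id 1645/77 192.168.1.5:1812, Access-Reject, len 94
*Mar  1 08:25:54.997: %DOT11-7-AUTH_FAILED: Station d0df.9afa.683a Authentication failed
"""

NAK_RE = re.compile(r"RADSRV: Unknown type (\d+) received for EAP NAK")
REPLY_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+)")
FAIL_RE = re.compile(r"%DOT11-7-AUTH_FAILED: Station (\S+) Authentication failed")


def diagnose(log_text, server_methods=LOCAL_AP_METHODS):
    """Return one finding per failed station, tied to the NAK and reject before it."""
    findings, nak_type, rejected_id = [], None, None
    for line in log_text.splitlines():
        if m := NAK_RE.search(line):
            nak_type = int(m.group(1))            # method the client asked for instead
        elif m := REPLY_RE.search(line):
            # Remember the RADIUS id only if this reply was a reject.
            rejected_id = m.group(1) if m.group(2) == "Access-Reject" else None
        elif m := FAIL_RE.search(line):
            wanted = None
            if nak_type is not None:
                wanted = EAP_TYPES.get(nak_type, f"type {nak_type}")
            findings.append({
                "station": m.group(1),
                "radius_id": rejected_id,
                "client_wants": wanted,
                "method_mismatch": wanted is not None and wanted not in server_methods,
            })
            nak_type, rejected_id = None, None    # start fresh for the next attempt
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```
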


Need help to troubleshoot WDS configuration.

Hello,

Thanks for your answer. We're using the "built in client" in Windows 7. I guess we would need some other (Cisco?) client to get it working with LEAP or EAP-FAST?

Kind regards

Need help to troubleshoot WDS configuration.

Win7 should be able to support EAP-FAST

http://www.intel.com/support/wireless/wlan/sb/CS-032728.htm

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
