Problem with dot1x authentication in an autonomous AP

Hi,

I'm trying to have wireless customers authenticate their network access by dot1x to an autonomous AP 1131AG (c1130-k9w7-mx.124-10b.JA3). The idea is to have customers log in to the network with a login/password routine instead of a WPA/TKIP shared key.

When a customer tries to access the network through Windows XP, Windows opens a pop-up window "click here to select a certificate or other credentials for connection to network kimchi". The customer then clicks on that balloon and types the login and password, but then the authentication fails.

I've followed the configuration steps stated in Cisco manuals and configuration examples and I've issued the following configuration:

!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname dot1x
!
no logging console
enable secret 5 $1$b8C5$J9dauw4DPg6njh8WJPprk1
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.1.254 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 192.168.1.254 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login vty group radius
aaa authentication login radius_login group rad_eap
aaa authentication dot1x default group rad_eap
aaa authorization exec default local
aaa authorization exec vty group radius
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting system default start-stop group radius
!
aaa session-id common
clock timezone CET 1
no ip source-route
no ip gratuitous-arps
ip tcp selective-ack
ip tcp synwait-time 10
ip domain name spadhausen.local
!
!
ip ssh time-out 90
ip ssh version 2
!
dot11 ssid kimchi
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   dot1x credentials hubteste
   dot1x eap profile hubteste
   guest-mode
!
power inline negotiation prestandard source
eap profile hubteste
 method mschapv2
!
!
!
dot1x credentials hubteste
 username hubteste
 password 7 04531E041B245F5A0C
!
username Cisco password 7 123A0C041104
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid kimchi
 !
 speed  basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 power client 1
 station-role root access-point fallback shutdown
 payload-encapsulation dot1h
 world-mode dot11d country IT indoor
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community public RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.254 auth-port 1812 acct-port 1813 key 7 09445B0B0D0004060E
radius-server key 7 0829594C1D1C160317
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 transport output all
line vty 0 4
 privilege level 15
 authorization exec vty
 login authentication vty
 transport input all
 transport output all
line vty 5 15
 transport input all
 transport output all
!

The network diagram is:

Router 1841 <-----> Switch 3560 <-----> AP 1131AG
192.168.1.254       192.168.1.253       192.168.1.1
(RADIUS server,
 auth port: 1812,
 acct port: 1813)

I know that the RADIUS server is working fine because I'm using it to authenticate remote access to all the equipment, and that is working fine.

Any ideas of what might be wrong? Is this scenario possible for autonomous APs?

Thanks in advance,

Vasco

1 REPLY

Re: Problem with dot1x authentication in an autonomous AP

Did you add the AP as a NAS client on the router? And does the client support LEAP or EAP-FAST? The IOS RADIUS server does not support PEAP.

HTH, Steve

Please remember to rate useful posts, and mark questions as answered
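As an added illustration, not part of Steve's reply or Vasco's post: the router-side local RADIUS server block that registers the AP as a NAS client, next to the AP's matching radius-server line. The shared secret, user password and EAP-FAST authority values are placeholders, and the commands follow the IOS local-authenticator syntax as I know it, so check them against the 1841's IOS release.

```cisco
! Router 1841 at 192.168.1.254: IOS local RADIUS server (assumed layout)
! Every device that sends RADIUS requests must be listed as a NAS with its
! shared key; the AP sources RADIUS traffic from BVI1 (192.168.1.1).
radius-server local
 nas 192.168.1.1 key 0 RADIUS-SHARED-SECRET-PLACEHOLDER
 ! wireless user authenticated by the local server (placeholder password)
 user hubteste password 0 USER-PASSWORD-PLACEHOLDER
 ! EAP-FAST parameters: the local server offers LEAP/EAP-FAST, not PEAP
 eapfast authority id 0123456789abcdef0123456789abcdef
 eapfast authority info "placeholder authority"
 eapfast server-key primary auto-generate
!
! AP 1131AG side (already present in the post): the key must equal the nas key
radius-server host 192.168.1.254 auth-port 1812 acct-port 1813 key 0 RADIUS-SHARED-SECRET-PLACEHOLDER
ip radius source-interface BVI1
```

The Windows XP built-in supplicant offers PEAP and EAP-TLS only, so LEAP or EAP-FAST on the client side needs a vendor supplicant such as the Cisco or Intel wireless client utility.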