Cisco Support Community

New Member

Why doesn't AP 1131 authenticate station using EAP WPA2?

I've got one AP 1131ag, a Zyxel AP and Windows 2003 server running IAS. The Zyxel works as expected with Radius set to the server and WPA2 (RADIUS server set on the AP 192.168.1.7 port 1812, stations running Windows 7 EAP, MSCHAPv2, WPA2 AES).

However, trying to set the same on the Cisco AP 1131ag always fails. I have already tried numerous guides using the GUI to configure EAP WPA2, but no luck so far.

The event log on the Windows 2003 server says that the stations trying to connect to the network using Cisco AP are allowed to do so (as they are in case of the Zyxel AP), but they are still refused by the Cisco AP (Station xxxx.xxxx.xxxx Authentication failed.)

Any hint on what I might be doing wrong appreciated.

 

Current configuration : 3494 bytes

!
! Last configuration change at 13:54:37 CET Fri Mar 14 2014 by Cisco
! NVRAM config last updated at 13:54:37 CET Fri Mar 14 2014 by Cisco
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap12_gymjablonec
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.7 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
!
aaa group server radius rad-eap
!
aaa group server radius rad_eap2
 server 192.168.1.7 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap2
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone CET 1
ip domain name sportgym.cz
!
!
dot11 syslog
!
dot11 ssid RANDANET-X
   vlan 5
   authentication open eap eap_methods1
   authentication key-management wpa version 2
   guest-mode
!
power inline negotiation prestandard source
!
!
dot1x timeout reauth-period server
username Cisco privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 5 mode ciphers aes-ccm
 !
 ssid RANDANET-X
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
 bridge-group 5 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers tkip
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 no bridge-group 5 source-learning
 bridge-group 5 spanning-disabled
!
interface BVI1
 ip address 192.168.7.21 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.7.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging history size 100
radius-server local
  no authentication eapfast
  no authentication leap
  no authentication mac
!
radius-server attribute 32 include-in-access-req format %h.%d
radius-server host 192.168.1.7 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
sntp server 192.168.1.9
end

    2 REPLIES
    Hall of Fame Super Silver

    You need to post your show run-config.  From the CLI, you can configure WPA2/AES:

    dot11 ssid <ssid>
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii <pre-shared key>

    interface Dot11Radio0
     encryption mode ciphers aes-ccm

    interface Dot11Radio1
     encryption mode ciphers aes-ccm

    Thanks, Scott *****Help out others by using the rating system and marking answered questions as "Answered"*****
    New Member

    Here is the current config:

    Current configuration : 3494 bytes

    !
    ! Last configuration change at 13:54:37 CET Fri Mar 14 2014 by Cisco
    ! NVRAM config last updated at 13:54:37 CET Fri Mar 14 2014 by Cisco
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ap12_gymjablonec
    !
    logging rate-limit console 9
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.1.7 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa group server radius rad_eap1
    !
    aaa group server radius rad-eap
    !
    aaa group server radius rad_eap2
     server 192.168.1.7 auth-port 1812 acct-port 1813
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login eap_methods1 group rad_eap2
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    !
    aaa session-id common
    clock timezone CET 1
    ip domain name sportgym.cz
    !
    !
    dot11 syslog
    !
    dot11 ssid RANDANET-X
       vlan 5
       authentication open eap eap_methods1
       authentication key-management wpa version 2
       guest-mode
    !
    power inline negotiation prestandard source
    !
    !
    dot1x timeout reauth-period server
    username Cisco privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxx
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers aes-ccm
     !
     encryption vlan 5 mode ciphers aes-ccm
     !
     ssid RANDANET-X
     !
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.5
     encapsulation dot1Q 5
     no ip route-cache
     bridge-group 5
     bridge-group 5 subscriber-loop-control
     bridge-group 5 block-unknown-source
     no bridge-group 5 source-learning
     no bridge-group 5 unicast-flooding
     bridge-group 5 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     !
     encryption mode ciphers tkip
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.5
     encapsulation dot1Q 5
     no ip route-cache
     bridge-group 5
     no bridge-group 5 source-learning
     bridge-group 5 spanning-disabled
    !
    interface BVI1
     ip address 192.168.7.21 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 192.168.7.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    logging history size 100
    radius-server local
      no authentication eapfast
      no authentication leap
      no authentication mac
    !
    radius-server attribute 32 include-in-access-req format %h.%d
    radius-server host 192.168.1.7 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
    !
    sntp server 192.168.1.9
    end
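
Added example, not part of the original thread and not Cisco tooling: a Python check that follows the posted configuration's SSID from its EAP method list to the server group and the global `radius-server host` entry, and lists server groups that were left empty. `SAMPLE` is an excerpt constructed from the lines posted above, the names `parse` and `trace` are hypothetical, and the input is assumed to be pasted without the forum's leading indentation.

```python
import re
# Constructed excerpt: AAA, SSID and RADIUS lines taken from the configuration posted above.
SAMPLE = """\
aaa group server radius rad_eap
 server 192.168.1.7 auth-port 1812 acct-port 1813
aaa group server radius rad_acct
aaa group server radius rad_eap2
 server 192.168.1.7 auth-port 1812 acct-port 1813
aaa authentication login eap_methods1 group rad_eap2
dot11 ssid RANDANET-X
   authentication open eap eap_methods1
radius-server host 192.168.1.7 auth-port 1812 acct-port 1813 key 7 xxxx
"""

def parse(config):
    """Return (server groups, login method lists, SSID -> EAP list, global hosts)."""
    groups, methods, ssids, hosts = {}, {}, {}, set()
    group = ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":                       # a top-level line leaves any sub-mode
            group = ssid = None
        if m := re.match(r"aaa group server radius (\S+)", line):
            group = groups.setdefault(m[1], [])
        elif (m := re.match(r"server (\S+) auth-port (\d+)", line)) and group is not None:
            group.append((m[1], m[2]))
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            methods[m[1]] = m[2]
        elif m := re.match(r"dot11 ssid (\S+)", line):
            ssid = m[1]
        elif (m := re.match(r"authentication (?:open eap|network-eap) (\S+)", line)) and ssid:
            ssids[ssid] = m[1]
        elif m := re.match(r"radius-server host (\S+) auth-port (\d+)", line):
            hosts.add((m[1], m[2]))
    return groups, methods, ssids, hosts

def trace(config):
    """Follow each SSID's EAP method list to its servers; list what does not resolve."""
    groups, methods, ssids, hosts = parse(config)
    report = {}
    for ssid, mlist in ssids.items():
        grp = methods.get(mlist)
        servers = groups.get(grp, [])
        problems = [] if servers else [f"list {mlist} -> group {grp}: no servers"]
        problems += [f"{ip}:{port} not in radius-server host"
                     for ip, port in servers if (ip, port) not in hosts]
        report[ssid] = {"list": mlist, "group": grp, "servers": servers, "problems": problems}
    empty = sorted(name for name, servers in groups.items() if not servers)
    return report, empty
```

On the posted lines the chain resolves (RANDANET-X -> eap_methods1 -> rad_eap2 -> 192.168.1.7:1812), so this check only rules out a broken AAA reference; it says nothing about the shared secret or the EAP exchange itself.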
