Cisco Support Community

After upgrading an AP1200 from VxWorks to IOS, clients can no longer authenticate using PEAP.

Core Issue

The problem is associated with the NAS-Port-Type value exchanged between the AP1200 and the RADIUS server. Under the VxWorks operating system the AP1200 sends a NAS-Port-Type of 19; under IOS it sends 5. The RADIUS server expects to receive 19, which is the RADIUS value for Wireless - IEEE 802.11. The following RADIUS debug output was captured on the AP1200 by issuing debug dot11 aaa dot1x all, debug aaa authentication and debug radius.

Jun 5 20:02:44.437: RADIUS: Send to unknown id 20 10.32.230.23:1645, Access-Request, len 136

Jun 5 20:02:44.437: RADIUS: authenticator 05 1A 59 32 72 24 FA 2B - EC 62 12 07 3E 15 5A 5C

Jun 5 20:02:44.437: RADIUS: User-Name [1] 13 "KNOX\NetMan"

Jun 5 20:02:44.437: RADIUS: Framed-MTU [12] 6 1400

Jun 5 20:02:44.437: RADIUS: Called-Station-Id [30] 16 "000c.ce21.1d96"

Jun 5 20:02:44.438: RADIUS: Calling-Station-Id [31] 16 "000c.ce5a.51ff"

Jun 5 20:02:44.438: RADIUS: Message-Authenticato[80] 18 *

Jun 5 20:02:44.438: RADIUS: EAP-Message [79] 18

Jun 5 20:02:44.438: RADIUS: 02 02 00 10 01 4B 4E 4F 58 5C 4E 65 74 4D 61 6E [?????KNOX\NetMan]

Jun 5 20:02:44.439: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

Jun 5 20:02:44.439: RADIUS: NAS-Port [5] 6 290

Jun 5 20:02:44.439: RADIUS: NAS-IP-Address [4] 6 10.1.225.3

Jun 5 20:02:44.439: RADIUS: Nas-Identifier [32] 11 "CC-IOS-AP"

Jun 5 20:02:44.447: RADIUS: Received from id 20 10.32.230.23:1645, Access-Reject, len 20

Jun 5 20:02:44.448: RADIUS: authenticator FD 4A 27 A5 D5 C1 C4 77 - 4C B6 B3 6F BF 1A E0 85

Jun 5 20:02:44.448: RADIUS: Received from id 16

Jun 5 20:02:44.449: dot11_dot1x_parse_aaa_resp: Received server response: FAIL

Resolution

This issue is documented in bug ID: CSCeb36095.

To work around this issue, reconfigure the RADIUS server so that it expects the more generic value of 5. To make this configuration change, do the following on the RADIUS server:

  1. Add the match condition "NAS-Port-Type" must be "Virtual"
  2. Edit the profile and add "Virtual" to "Restrict dial-in media" setting

Note: This workaround assumes you are running only IOS-based access points.
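
Before changing the server policy, it helps to confirm from a capture which access points were rejected while sending a NAS-Port-Type other than 19. The following Python sketch is an added example, not Cisco's code: it parses `debug radius` text in the format shown above, rejoins wrapped lines, and pairs each Access-Request with its reply. The function names are hypothetical and the sample is an excerpt of the debug output on this page.

```python
import re

EXPECTED = 19  # Wireless - IEEE 802.11, the value this page's RADIUS server matches on

# Excerpt of the debug output above, with its line wraps kept as captured.
SAMPLE = r'''Jun 5 20:02:44.437: RADIUS: Send to unknown id 20 10.32.230.23:1645,
Access-Request, len 136
Jun 5 20:02:44.437: RADIUS: User-Name [1] 13 "KNOX\NetMan"
Jun 5 20:02:44.439: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 5 20:02:44.439: RADIUS: Nas-Identifier [32] 11 "CC-IOS-AP"
Jun 5 20:02:44.447: RADIUS: Received from id 20 10.32.230.23:1645,
Access-Reject, len 20
'''

STAMP = re.compile(r"^\w{3} +\d+ [\d:.]+: ")
SEND = re.compile(r"RADIUS: Send to \S+ id (\d+) (\S+), Access-Request")
RECV = re.compile(r"RADIUS: Received from id (\d+) (\S+), (Access-\w+)")
ATTR = re.compile(r"RADIUS: ([\w-]+) *\[\d+\] +\d+ +(.*)")

def unwrap(text):
    """Join wrapped continuation lines (no timestamp) onto the previous log line."""
    lines = []
    for raw in map(str.strip, text.splitlines()):
        if not raw:
            continue
        if STAMP.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    return lines

def rejected_port_types(text, expected=EXPECTED):
    """Return rejected Access-Requests whose NAS-Port-Type is absent or not `expected`."""
    pending, current, findings = {}, None, []
    for line in unwrap(text):
        if m := SEND.search(line):
            # Requests are keyed by (RADIUS id, server) so replies pair up correctly.
            current = pending[(m[1], m[2])] = {"id": int(m[1]), "server": m[2]}
        elif m := RECV.search(line):
            req = pending.pop((m[1], m[2]), None)
            if req and m[3] == "Access-Reject" and req.get("NAS-Port-Type") != expected:
                findings.append(req)
            current = None
        elif current is not None and (m := ATTR.search(line)):
            code = re.search(r"\[(\d+)\]$", m[2])  # enumerated values print as "Name [n]"
            current[m[1]] = int(code[1]) if code else m[2].strip('"')
    return findings

if __name__ == "__main__":
    for f in rejected_port_types(SAMPLE):
        print(f"id {f['id']} via {f['server']}: NAS-Port-Type={f.get('NAS-Port-Type')} "
              f"from {f.get('Nas-Identifier')}")
```

Run it over a saved debug session; any Nas-Identifier that never appears in the findings may still be sending 19 and would not match a policy changed to "Virtual".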

Problem Type

Client / Device cannot authenticate

Products

AP 1200
