03-25-2015 09:14 AM - edited 07-05-2021 02:47 AM
I have a new 1602i standalone AP trying to use RADIUS authentication. For some reason the 1602 cannot ping the RADIUS server, but will get a response from other devices. Both are on the same subnet, the new one at .213 and the RADIUS at .209.
AP6#ping xxx.xx.120.209
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xx..120.209, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
AP6#ping xxx.xx.120.217
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xx..120.217, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
The RADIUS server is able to ping the new AP successfully.
AP1#ping xxx.xx.120.213
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xx.120.213, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
Any thoughts as to why that AP is unable to ping that one particular client? Other APs are successfully contacting it for RADIUS authentication.
03-25-2015 10:36 AM
Hi,
Paste the complete config of the AP.
Regards
03-25-2015 12:51 PM
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP6
!
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server xxx.xx.120.209 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone -0500 -5 0
clock summer-time -0400 recurring
no ip routing
no ip cef
!
!
!
dot11 syslog
!
dot11 ssid xxx.xx
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
!
!
crypto pki token default removal timeout 0
!
!
username Cisco privilege 15 password 7 xxxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid MANH
!
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server view dot11view ieee802dot11 included
snmp-server community RW
snmp-server chassis-id AP6
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server host .0.39 public
radius-server local
user user1 nthash 7
!
radius-server attribute 32 include-in-access-req format %h
radius-server host xxx.xx.120.209 auth-port 1812 acct-port 1813 key 7
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input all
!
sntp server xxx.xx.0.11
sntp broadcast client
end
03-25-2015 01:14 PM
Hi,
Did you try with a static IP address on the BVI interface?
Also add the ip default-gateway command in the config and share the result.
Regards
03-25-2015 01:31 PM
So far so good by adding the default gateway. Odd it would only impact one client and I can access the AP from another subnet no problem.
03-25-2015 02:27 PM
Went away again:
AP6#ping xxx.xx.120.209
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xx.120.209, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
AP6#