https://community.cisco.com/t5/wireless/leap-with-local-radius-authentication-failed/m-p/330923#M20683 <HTML><HEAD></HEAD><BODY><P>That worked! The confusing part here is the GUI picked those ports, not me. I have noticed that sometimes it will pick 1812/1813 and sometimes 1645/1646. Why would it pick ports that don't work?</P><P></P><P>Thanks for your help,</P><P>Serge</P></BODY></HTML> Fri, 03 Dec 2004 13:27:19 GMT s.vautour 2004-12-03T13:27:19Z https://community.cisco.com/t5/wireless/leap-with-local-radius-authentication-failed/m-p/330921#M20681 <P>Hello,</P><P></P><P>I recently upgraded my Cisco 1220 AP to 12.3(2)JA IOS. I also updated by Client (Toshiba Laptop running WinXP SP1) to the latest ACU Client using version 1.5 of the Wizard. The NIC is a 350 Series Cisco PCMCIA card. It is now on Firmware 5.60.08. The ACU is 6.4. </P><P></P><P>I have the ACU configured as a LEAP client (no WPA, no CCKM, default settings, saved U/P). I can attach the profile if necesary. My AP is configured as the Local Radius server. Here's the config:</P><P></P><P>----------------------------------------</P><P>LabAP1#show run</P><P>!</P><P>hostname LabAP1</P><P>!</P><P>logging buffered 8192 debugging</P><P>enable secret 5 xxxxxxxxxx</P><P>!</P><P>username cisco password 7 xxxxxxxxxxx</P><P>ip subnet-zero</P><P>ip dhcp excluded-address 10.100.1.9</P><P>ip dhcp excluded-address 10.100.1.10</P><P>!</P><P>ip dhcp pool DHCPPOOL</P><P> network 10.100.1.8 255.255.255.248</P><P> dns-server 192.168.254.2</P><P> default-router 10.100.1.9</P><P> lease 5</P><P>!</P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa group server radius rad_eap</P><P> server 10.100.1.10 auth-port 1645 acct-port 1646</P><P>!</P><P>aaa group server radius rad_mac</P><P>!</P><P>aaa group server radius rad_acct</P><P>!</P><P>aaa group server radius rad_admin</P><P>!</P><P>aaa group server tacacs+ tac_admin</P><P>!</P><P>aaa group server radius rad_pmip</P><P>!</P><P>aaa group server radius dummy</P><P>!</P><P>aaa group server radius rad_eap1</P><P> server 10.100.1.10 auth-port 1645 acct-port 1646</P><P>!</P><P>aaa authentication login eap_methods group rad_eap</P><P>aaa authentication login mac_methods local</P><P>aaa authentication login eap_methods1 group rad_eap1</P><P>aaa authorization exec default local</P><P>aaa accounting network acct_methods start-stop group rad_acct</P><P>aaa session-id common</P><P>!</P><P>!</P><P>bridge irb</P><P>!</P><P>!</P><P>interface Dot11Radio0</P><P> no ip address</P><P> no ip route-cache</P><P> !</P><P> encryption mode wep mandatory</P><P> !</P><P> broadcast-key change 300</P><P> !</P><P> !</P><P> ssid LEAPSSID</P><P> authentication network-eap eap_methods1</P><P> !</P><P> speed basic-1.0 basic-2.0 basic-5.5 basic-11.0</P><P> station-role root</P><P> bridge-group 1</P><P> bridge-group 1 subscriber-loop-control</P><P> bridge-group 1 block-unknown-source</P><P> no bridge-group 1 source-learning</P><P> no bridge-group 1 unicast-flooding</P><P> bridge-group 1 spanning-disabled</P><P>!</P><P>interface FastEthernet0</P><P> no ip address</P><P> no ip route-cache</P><P> speed 10</P><P> half-duplex</P><P> bridge-group 1</P><P> no bridge-group 1 source-learning</P><P> bridge-group 1 spanning-disabled</P><P>!</P><P>interface BVI1</P><P> ip address 10.100.1.10 255.255.255.248</P><P> no ip route-cache</P><P>!</P><P>ip default-gateway 10.100.1.9</P><P>ip http server</P><P>no ip http secure-server</P><P>ip http help-path <A class="jive-link-custom" href="http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag" target="_blank">http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag</A></P><P>ip radius source-interface BVI1</P><P>!</P><P>radius-server local</P><P> nas 10.100.1.10 key xxxxx</P><P> user test1 nthash xxxx</P><P>!</P><P>radius-server attribute 32 include-in-access-req format %h</P><P>radius-server host 10.100.1.10 auth-port 1645 acct-port 1646 key xxxx</P><P>radius-server vsa send accounting</P><P>bridge 1 route ip</P><P>!</P><P>!----------------------------------------</P><P></P><P>My Laptop will not associate with the AP. If I remove the Encryption settings and change the SSID to Open Auth, everything works with excellent signal strength. The Local Radius server is not showing any hits. The output of the debug is attached.</P><P></P><P>I had the same config working before. The only difference is the new IOS code and Client Firmware/ACU. Any suggestions?</P><P></P><P>Thanks,</P><P>Serge</P><P></P><P></P><P></P><P> </P><P></P> Sun, 04 Jul 2021 17:12:52 GMT https://community.cisco.com/t5/wireless/leap-with-local-radius-authentication-failed/m-p/330921#M20681 s.vautour 2021-07-04T17:12:52Z https://community.cisco.com/t5/wireless/leap-with-local-radius-authentication-failed/m-p/330922#M20682 <HTML><HEAD></HEAD><BODY><P>I have serious concerns on why it ever works. Local radius server only support UDP port 1812 (for authentication) and 1813 (for accounting). You configure 1645 and 1646 for radius authentication and accounting. Thus, the AP should never receive an response on the radius request from the local radius server.</P><P></P><P>Please try to use UDP port 1812 and 1813.</P></BODY></HTML> Thu, 02 Dec 2004 00:09:19 GMT https://community.cisco.com/t5/wireless/leap-with-local-radius-authentication-failed/m-p/330922#M20682 dixho 2004-12-02T00:09:19Z https://community.cisco.com/t5/wireless/leap-with-local-radius-authentication-failed/m-p/330923#M20683 <HTML><HEAD></HEAD><BODY><P>That worked! The confusing part here is the GUI picked those ports, not me. I have noticed that sometimes it will pick 1812/1813 and sometimes 1645/1646. Why would it pick ports that don't work?</P><P></P><P>Thanks for your help,</P><P>Serge</P></BODY></HTML> Fri, 03 Dec 2004 13:27:19 GMT https://community.cisco.com/t5/wireless/leap-with-local-radius-authentication-failed/m-p/330923#M20683 s.vautour 2004-12-03T13:27:19Z