topic Re: WDS on ap1142 client access fail with aaa_resp_FAIL: failed client with EAP reason 0 in Wireless

WDS on ap1142 client access fail with aaa_resp_FAIL: failed client with EAP reason 0

Luca Pecchiari — Mon, 05 Jul 2021 20:11:30 GMT

Hello,

i am trying to configure the ap1142 as WDS, using a local radius, but i have some issue conecting the client.

This is my conf

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MAIB-WDS-AP
!
!
logging rate-limit console 9
enable secret 9 xxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server name Local-Radius
!
aaa group server radius Infrastructure
 server name Local-Radius
!
aaa authentication login eap_methods group rad_eap
aaa authentication login method_Infrastructure group Infrastructure
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip name-server 192.168.1.1
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid WDS-EAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
!
!
no ipv6 cef
!
!
username Cisco password 7 01300F175804
username xxx privilege 15 secret 9 xxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid WDS-EAP
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid WDS-EAP
 !
 antenna gain 0
 peakdetect
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 4055.3997.ce7b
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip ssh version 2
ip radius source-interface BVI1
!
!
radius-server local
  no authentication mac
  nas 192.168.1.100 key 7 105E080A16001D1908
  user pippo nthash 7 15422E2E20790D010A17177B4455345A250F780905002C544A300A0A0676010105
!
radius-server attribute 32 include-in-access-req format %h
!
radius server Local-Radius
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key 7 140713181F13253920
!
bridge 1 route ip
!
!
wlccp ap username pippo password 7 071F285C5E06
wlccp ap wds ip address 192.168.1.100
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client any client_devices
wlccp wds priority 254 interface BVI1
!
line con 0
line vty 0 4
 transport input all
!
end

This ap is also client of the WDS.

When i try to connect a wireless client it fails the connnection and from the debug i see this:

*Feb  4 14:16:54.295: (0000.0000.0000): dot11_auth_dot1x: in the dot11_auth_dot1x_start
*Feb  4 14:16:54.295: (0000.0000.0000): dot11_dot1x: Sending identity request to client
*Feb  4 14:16:54.295: (0000.0000.0000): dot11_dot1x: Client timer started for 30 seconds
*Feb  4 14:16:54.300: (0000.0000.0000): dot11_auth_dot1x: Received EAPOL packet from client
*Feb  4 14:16:54.300: (0000.0000.0000): dot11_dot1x: Executing Action [state: CLIENT_WAIT, event: CLIENT_REPLY] for client
*Feb  4 14:16:54.301: (0000.0000.0000): dot11_dot1x: Sending client data to server
*Feb  4 14:16:54.301: (0000.0000.0000): dot11_dot1x: Started timer server_timeout 60 seconds
*Feb  4 14:16:54.301: (0000.0000.0000): aaa_resp: Received server response: FAIL
*Feb  4 14:16:54.301: (0000.0000.0000): aaa_resp: client username pippo
*Feb  4 14:16:54.301: (0000.0000.0000): aaa_resp: found eap pak in server response
*Feb  4 14:16:54.302: (0000.0000.0000): aaa_resp_FAIL: failed client with EAP reason 0
*Feb  4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Executing Action [state: SERVER_WAIT, event: SERVER_FAIL] for client
*Feb  4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Forwarding server message to client
*Feb  4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Started timer client_timeout 30 seconds
*Feb  4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Authentication failed for station
*Feb  4 14:16:54.303: %DOT11-7-AUTH_FAILED: Station e4ce.8f59.296c Authentication failed

From this i get that the error code is aaa_resp_FAIL: failed client with EAP reason 0, but i am not able to understand the error or what i have to do to allow the clients to connect to the ap.

Do you have any idea?

Re: WDS on ap1142 client access fail with aaa_resp_FAIL: failed client with EAP reason 0

Scott Fella — Thu, 04 Feb 2021 16:39:37 GMT

The 1142 and WDS is so very old and many have not touched either in a very long time. Have you tried to follow some guides, also, do you really need to setup WDS?

WDS on Cisco Autonomous Access Points Version 15.2(4)JA with Local RADIUS Server Configuration Example - Cisco

Re: WDS on ap1142 client access fail with aaa_resp_FAIL: failed client with EAP reason 0

Luca Pecchiari — Thu, 04 Feb 2021 19:43:20 GMT

Yes Scott 1142 is pretty old, and thank you for your help. i am trying several guide to test it, and this is just for me to learn soemthing more.

i did some improvements that now i go to test on the ap3702, just to see if there it works better

Thank you

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 9 $9$gAyOEcGVnfQSEa$ce1uxxvCFlC/VJ8t57fkbi4cjZoJXM69rsgSTvgkVZk
!
aaa new-model
!
!
aaa group server radius rad_mac
 server name 192.168.1.100
!
aaa group server radius InfrastructureAuthentication
 server name 192.168.1.100
!
aaa group server radius ClientAuthentication
 server name 192.168.1.100
!
aaa authentication login method_InfrastructureAuthentica group InfrastructureAuthentication
aaa authentication login method_ClientAuthentication group ClientAuthentication
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip name-server 192.168.1.1
!
!
!
!
dot11 pause-time 100
dot11 syslog
!         
dot11 ssid MacSSID
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   guest-mode
!
!
!
no ipv6 cef
!
!
username Cisco password 7 01300F175804
username xxx
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 shutdown
 !
 encryption mode ciphers aes-ccm 
 !
 ssid MacSSID
 !
 antenna gain 0
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 ssid MacSSID
 !        
 antenna gain 0
 peakdetect
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 4055.3997.ce7b
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
!
!
radius-server local
  nas 192.168.1.100 key 7 13151601181B0B382F
  user user nthash 7 135040365E54570B0A707E1760754252465120777D0C717659223D370901740402
  user ap1 nthash 7 0322032D235C031A1A5F492441465E5A257F7A7C091114704121402051740F0805
!
radius-server attribute 32 include-in-access-req format %h
!
radius server 192.168.1.100
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key 7 051B071C325B411B1D
!
bridge 1 route ip
!
!
wlccp ap username ap1 password 7 06071F70
wlccp authentication-server infrastructure method_InfrastructureAuthentication
wlccp authentication-server client any method_ClientAuthenticatio
wlccp wds priority 255 interface BVI1
!
line con 0
line vty 0 4
 transport input all
!
end

Re: WDS on ap1142 client access fail with aaa_resp_FAIL: failed client with EAP reason 0

Scott Fella — Thu, 04 Feb 2021 19:47:56 GMT

No worries.... I personally would not try to learn on autonomous access points. You are better off looking at a 2504/3504 (AireOS) controller on eBay and learning on that. Even if you decide to look for an 1800/2800/3800 ap, then you can take a look at the 9800-CL which is a free download if you have ESXi or Hyper-V. AireOS will eventually go away and autonomous was replaced with Mobility Express which is now replaced with EWC.

Re: WDS on ap1142 client access fail with aaa_resp_FAIL: failed client with EAP reason 0

Luca Pecchiari — Thu, 04 Feb 2021 19:58:44 GMT

Thank you very much for the suggestions. I really appreciate 🙂

Re: WDS on ap1142 client access fail with aaa_resp_FAIL: failed client with EAP reason 0

Vladyslav.Shvedenko — Fri, 23 Apr 2021 19:33:29 GMT

Hello,

Did you fix this issue?

I think you should edit the SSID definition to specify correct AAA methods:

dot11 ssid MacSSID
   authentication open eap eap_methods 
   authentication network-eap eap_methods

there another method was defined in the aaa section: method_ClientAuthentication

Please update the status of your research in this topic.

Thank you.