topic Hi,Hope you have not modified in Wireless

AP Client Authentication Issues

cayoung81 — Mon, 05 Jul 2021 08:01:01 GMT

Hello. I have three 1200 series access points running in autonomous mode that need to allow handheld computers to connect. The handhelds need to authenticate using EAP. The AP's are properly listed and configured in the ACS and the handhelds are properly set up as well, but when I do "show dot11 association" it shows them authenticated with aaa instead of eap. As I said, these are autonomous, so there is no WLC. The vlan being used for the AP's is properly trunked all the way back to where the traffic needs to go. Here is a configuration example:

interface Dot11Radio0
no ip address
no shut
no ip route-cache
!
encryption mode wep mandatory
!
ssid portableclient
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
channel 2412
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!

aaa new-model
!
!
aaa group server radius rad_eap
server x.x.x.x auth-port 1645 acct-port 1646
server x.x.x.x auth-port 1645 acct-port 1646
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_m
!
aaa group server radius rad_a
!
aaa group server radius rad_ad
!
aaa group server tacacs+ tac_ad
!
aaa group server radius rad_p
!
aaa group server radius dummy
!
ip http authentication aaa
no ip http secure-server
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key xxxxxxxx
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server timeout 20
radius-server deadtime 3
radius-server key xxxxxxxxx
radius-server vsa send accounting
bridge 1 route ip
!

The Clients connect to the AP but authenticate with aaa and therefore do not transmit as the Handhelds require radius. Any ideas of what I might be missing?

Hi,Could you please share

kcnajaf — Mon, 16 Jun 2014 16:00:33 GMT

Hi,

Could you please share full AP configuration?

You have missed important parts of configurations.

Regards

Najaf

no service padservice tcp

cayoung81 — Thu, 19 Jun 2014 15:57:48 GMT

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname
!
logging buffered 1048576 debugging
enable secret
!
ip subnet-zero
no ip source-route
ip domain list
ip domain list
ip domain name
ip name-server
ip name-server
ip name-server
!
!
dot11 syslog
!
dot11 ssid
   authentication open eap eap_methods
   authentication network-eap eap_methods
   accounting acct_methods
   infrastructure-ssid
!
dot11 network-map
!
!
dot1x timeout reauth-period server
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no shut
no ip route-cache
!
encryption mode wep mandatory
!
ssid
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
channel 2412
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
!
ip default-gateway
no ip http server
!
logging trap notifications
logging source-interface BVI1
logging
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
snmp-server community
snmp-server ifindex persist
snmp-server trap-source BVI1
snmp-server host 1 snmp
snmp-server host 1 snmp
snmp-server host 1 snmp
!
!
banner motd ^

*******************************************************************************

*******************************************************************************
^
!
!
line con 0
exec-timeout 30 0
transport preferred telnet
login
password
stopbits 1
line vty 0 4
exec-timeout 30 0
transport preferred telnet
login
password
line vty 5 15
exec-timeout 30 0
transport preferred telnet
login
password
!
sntp server
!
aaa new-model
!
!
aaa group server radius rad_eap
server auth-port 1645 acct-port 1646
server auth-port 1645 acct-port 1646
server auth-port 1645 acct-port 1646
!
aaa group server radius rad_m
!
aaa group server radius rad_a
!
aaa group server radius rad_ad
!
aaa group server tacacs+ tac_ad
!
aaa group server radius rad_p
!
aaa group server radius dummy
!
ip http authentication aaa
no ip http secure-server
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host
tacacs-server host
tacacs-server host
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1645 acct-port 1646
radius-server host auth-port 1645 acct-port 1646
radius-server host auth-port 1645 acct-port 1646
radius-server timeout 20
radius-server deadtime 3
radius-server key
radius-server vsa send accounting
bridge 1 route ip
!
aaa authentication attempts login 4
aaa authentication password-prompt Password(local):
aaa authentication username-prompt User(local):
aaa authentication login default group tacacs+ enable
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
!
!
!
end

Hi,Hope you have not modified

kcnajaf — Thu, 19 Jun 2014 17:19:55 GMT

Hi,

Hope you have not modified the running configuration. For some reason i cannot find the radius server ip address any where. I hope you have removed it.

Do you have trouble with all wireless clients where they are not doing EAP or is it some clients only?

Can you enable "debug radius authentication" output please?

Regards

Najaf

Yes, all my radius ips were

cayoung81 — Tue, 24 Jun 2014 17:54:05 GMT

Yes, all my radius ips were removed before posting. It is all wireless devices that connect to this new ap.

Hi,Can you enable "debug

kcnajaf — Wed, 25 Jun 2014 10:13:27 GMT

Hi,

Can you enable "debug radius authentication" output please when a client try to connect?

Regards

Najaf

Hi Najaf, I met the same

leosketch — Mon, 18 Aug 2014 16:20:59 GMT

Hi Najaf,

I met the same issue. Could you please advise as below "sh log" inforamtion? Thanks.

RADIUS-4-RADIUS_DEAD: RADIUS server XX.XX.XX.XX:1645,1646 is not responding.
RADIUS-4-RADIUS_ALIVE: RADIUS server XX.XX.XX.XX:1645,1646 is being marked alive.
DOT11-7-AUTH_FAILED: Station XXXX.XXXX.XXXX Authentication failed

Hi Najaf,Could you please

leosketch — Tue, 19 Aug 2014 02:35:36 GMT

Hi Najaf,

Could you please advise as below:

Below is the debug information:

RADIUS/ENCODE: Best Local IP-Address XX.XX.XX.XX for Radius-Server XX.XX.XX.XX

RADIUS(00000C77): Send Access-Request to XX.XX.XX.XX:1645 id 1645/126, len 149

User-Name [1] 13 "XXXX"
RADIUS: Framed-MTU [12] 6 1400
RADIUS: Called-Station-Id [30] 16 "XXXX"
RADIUS: Calling-Station-Id [31] 16 "XXXX"
RADIUS: Service-Type [6] 6 Login [1]
RADIUS: Message-Authenticato[80] 18

NAS-Port-Type [61] 6 802.11 wireless [19]
RADIUS: NAS-Port [5] 6 3429
RADIUS: NAS-Port-Id [87] 6 "3429"
RADIUS: NAS-IP-Address [4] 6 XX.XX.XX.XX
RADIUS: Nas-Identifier [32] 12 "XXXX-AP-01"

RADIUS: no sg in radius-timers: ctx 0x15EBA14 sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/118
RADIUS: no sg in radius-timers: ctx 0x1505D6C sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/120

RADIUS: no sg in radius-timers: ctx 0x15F30E4 sg 0x0000
RADIUS-4-RADIUS_DEAD: RADIUS server XX.XX.XX.XX :1645,1646 is not responding.
RADIUS-4-RADIUS_ALIVE: RADIUS server XX.XX.XX.XX :1645,1646 is being marked alive.
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/126
RADIUS: no sg in radius-timers: ctx 0x116DEE8 sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/121

Please refer the link :https:

mohanak — Wed, 20 Aug 2014 02:15:05 GMT

Please refer the link :https://learningnetwork.cisco.com/thread/34542