02-19-2014 09:56 AM - edited 03-10-2019 09:25 PM
Hello,
I'm trying to configure WLAN authorization with RADIUS (EAP-TTLS) on my Cisco Aironet 1600.
According to the datasheet (http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1600-series/data_sheet_c78-715702.html), this model can handle this.
Sadly I can't get it configured... Could anybody help me with this case?
My config is:
Current configuration : 4013 bytes
!
! Last configuration change at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$BPWA$C5uySGSrxxkQzUodYDhXq/
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
!
!
!
dot11 syslog
dot11 vlan-name TP_VLAN vlan 50
!
dot11 ssid TEST
vlan 2
authentication open eap eap_methods1
authentication shared eap eap_methods1
authentication network-eap eap_methods1
dot1x eap profile eapttls
mbssid guest-mode
!
!
eap profile eapttls
!
crypto pki token default removal timeout 0
!
!
dot1x test timeout 3
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 50 mode ciphers aes-ccm tkip
!
ssid TEST
!
antenna gain 0
stbc
beamform ofdm
mbssid
channel 2472
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.50
encapsulation dot1Q 50
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 spanning-disabled
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
encryption vlan 50 mode ciphers aes-ccm tkip
!
ssid TEST
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.2
encapsulation dot1Q 2 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.50
encapsulation dot1Q 50
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 spanning-disabled
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.50
encapsulation dot1Q 50
bridge-group 50
bridge-group 50 spanning-disabled
no bridge-group 50 source-learning
!
interface BVI1
ip address 192.168.55.19 255.255.255.0
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 172.20.0.2
ip route 0.0.0.0 0.0.0.0 172.22.0.1
ip radius source-interface BVI1
!
radius-server local
no authentication mac
nas 192.168.55.22 key 7 131112011F5D5679
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.55.22 auth-port 1812 acct-port 1813 key 7 044F0E151B701E1D
radius-server vsa send accounting
!
bridge 1 route ip
!
!
wlccp ap eap profile eapttls
!
line con 0
line vty 0 4
password 7 072C285F4D06
authorization exec local
transport input all
!
end
Thank you in advance,
Pawel
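Before chasing the EAP method itself, it helps to confirm that the AAA chain in a config like the one above is actually complete: SSID, then the `authentication ... eap` login list, then the `aaa group server radius` group, then a matching `radius-server host`. The script below is an added example (not from the post, not Cisco tooling) that walks that chain over a constructed config modelled on the posted one; `parse`, `audit` and `SAMPLE_CONFIG` are my own names, and the second SSID is deliberately broken to show a finding.

```python
import re
# Constructed sample modelled on the posted config: one SSID with a complete chain, one without.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap1
server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login mac_methods local
dot11 ssid TEST
authentication open eap eap_methods1
authentication network-eap eap_methods1
dot11 ssid GUEST
authentication open eap missing_list
radius-server host 192.168.55.22 auth-port 1812 acct-port 1813
"""

def parse(text):
    # SSID -> login lists, login list -> group or 'local', group -> servers, radius hosts
    ssids, lists, groups, hosts, block = {}, {}, {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if line == "!":
            block = None  # '!' terminates a block in IOS running-config output
        elif m := re.match(r"dot11 ssid (\S+)$", line):
            block, ssids[m[1]] = ("ssid", m[1]), []
        elif m := re.match(r"aaa group server radius (\S+)$", line):
            block, groups[m[1]] = ("group", m[1]), []
        elif m := re.match(r"aaa authentication login (\S+) (?:group (\S+)|(local))", line):
            lists[m[1]] = m[2] or m[3]
        elif m := re.match(r"radius-server host (\S+)", line):
            hosts.add(m[1])
        elif block and block[0] == "ssid" and (m := re.match(r"authentication (?:open eap|shared eap|network-eap) (\S+)", line)):
            ssids[block[1]].append(m[1])
        elif block and block[0] == "group" and (m := re.match(r"server (\S+)", line)):
            groups[block[1]].append(m[1])
    return ssids, lists, groups, hosts

def audit(text):
    # Walk each SSID's chain end to end; a broken link means EAP never reaches RADIUS.
    ssids, lists, groups, hosts = parse(text)
    findings = []
    for ssid, names in ssids.items():
        for name in dict.fromkeys(names):  # open/network-eap usually name the same list
            group = lists.get(name)
            if group is None:
                findings.append(f"SSID {ssid}: login list {name} is not defined")
            elif group != "local" and not groups.get(group):
                findings.append(f"SSID {ssid}: group {group} is undefined or has no servers")
            elif group != "local":
                findings += [f"SSID {ssid}: {s} has no radius-server host entry" for s in groups[group] if s not in hosts]
    return findings
```

Run it against a `show running-config` capture with `audit(open("ap.cfg").read())`; an empty list means the AP will at least forward EAP to the server, so the remaining problem is between supplicant and RADIUS (method, certificate, shared key).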
06-02-2015 03:35 PM
I am also having this problem with only the Aironet 1600 series APs in our environment. We're using EAP-TLS and everything looks configured correctly, all clients have the cert installed, but it will not connect to the Aironet 1600s.