Aironet 1600 and RADIUS EAP-TTLS

pswinczak
Level 1

Hello,

I'm trying to configure WLAN authorization with RADIUS (EAP-TTLS) on my Cisco Aironet 1600.

In the datasheet (http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1600-series/data_sheet_c78-715702.html) there is information that this model can handle this.

Sadly I can't configure it... Could anybody help me with that case?

My config is:

Current configuration : 4013 bytes
!
! Last configuration change at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$BPWA$C5uySGSrxxkQzUodYDhXq/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
!
!
!
dot11 syslog
dot11 vlan-name TP_VLAN vlan 50
!
dot11 ssid TEST
   vlan 2
   authentication open eap eap_methods1
   authentication shared eap eap_methods1
   authentication network-eap eap_methods1
   dot1x eap profile eapttls
   mbssid guest-mode
!
!
eap profile eapttls
!
crypto pki token default removal timeout 0
!
!
dot1x test timeout 3
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 50 mode ciphers aes-ccm tkip
 !
 ssid TEST
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 channel 2472
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 spanning-disabled
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption vlan 50 mode ciphers aes-ccm tkip
 !
 ssid TEST
 !
 antenna gain 0
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 spanning-disabled
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 spanning-disabled
 no bridge-group 50 source-learning
!
interface BVI1
 ip address 192.168.55.19 255.255.255.0
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 172.20.0.2
ip route 0.0.0.0 0.0.0.0 172.22.0.1
ip radius source-interface BVI1
!
radius-server local
  no authentication mac
  nas 192.168.55.22 key 7 131112011F5D5679
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.55.22 auth-port 1812 acct-port 1813 key 7 044F0E151B701E1D
radius-server vsa send accounting
!
bridge 1 route ip
!
!
wlccp ap eap profile eapttls
!
line con 0
line vty 0 4
 password 7 072C285F4D06
 authorization exec local
 transport input all
!
end

Thank you in advance,

Pawel

1 Reply
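An added example, not taken from the original post or from Cisco documentation: a minimal autonomous-AP configuration for a WPA2-Enterprise SSID whose EAP exchange is relayed to the external RADIUS server, written against the names already present in the posted config (SSID TEST, VLAN 2, server 192.168.55.22, server group rad_eap, method list eap_methods, Dot11Radio0). It differs from the posted config in the places a reviewer would flag. The cipher suite is bound to VLAN 2, the VLAN the SSID actually uses; the posted config only defines ciphers for VLAN 50, which no SSID references, and with VLANs in use the AP needs an encryption setting for each SSID's VLAN. `authentication shared` is dropped, since shared-key is the WEP-era authentication mode, and TKIP is dropped in favour of aes-ccm alone. `authentication key-management wpa version 2` is added, which is what makes the SSID WPA2-Enterprise rather than plain EAP with dynamic keys. The `dot1x eap profile` and `eap profile` lines are omitted on the assumption that the AP is a root AP acting only as the 802.1X authenticator: in that role it forwards EAP frames between client and RADIUS server without interpreting the method, so EAP-TTLS is negotiated between the supplicant and the server and needs no EAP profile on the AP; the posted `eap profile eapttls` and `wlccp ap eap profile eapttls` configure credentials for the AP's own supplicant role (WDS/WLCCP, repeater or workgroup bridge), not the client method. The AP's built-in `radius-server local` is not involved either; it only handles LEAP, EAP-FAST and MAC authentication. `SHARED-SECRET` is a placeholder.

```cisco
! Added example, not the poster's config. Assumes a root AP relaying EAP to
! an external RADIUS server at 192.168.55.22; SHARED-SECRET is a placeholder.
aaa new-model
aaa group server radius rad_eap
 server 192.168.55.22 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
dot11 ssid TEST
   vlan 2
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
interface Dot11Radio0
 ! cipher must be bound to the SSID's own VLAN (2), not to VLAN 50
 encryption vlan 2 mode ciphers aes-ccm
 ssid TEST
!
! requests leave from BVI1 (192.168.55.19): the RADIUS server needs a
! client entry for that address with the same secret
ip radius source-interface BVI1
radius-server host 192.168.55.22 auth-port 1812 acct-port 1813 key SHARED-SECRET
!
! verification while a client associates:
!   debug dot11 aaa authenticator all
!   debug radius authentication
!   show dot11 associations
```

With the debugs on, a successful EAP-TTLS run ends in an Access-Accept from 192.168.55.22; an immediate Access-Reject or a timeout with no reply usually means the server has no client entry for 192.168.55.19 or the shared secret differs, while a client that never reaches the EAP exchange points back at the SSID and cipher/VLAN binding on the radio.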

eschinzer
Level 1

I am also having this problem with only the Aironet 1600 series APs in our environment. We're using EAP-TLS and everything looks configured correctly, all clients have the cert installed, but it will not connect to the Aironet 1600s.