pswinczak
Beginner

Aironet 1600 and RADIUS EAP-TTLS

Hello,

I'm trying to configure WLAN authorization with RADIUS (EAP-TTLS) on my Cisco Aironet 1600.

In the datasheet (http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1600-series/data_sheet_c78-715702.html) there is information that this model can handle this.

Sadly I can't configure it... Could anybody help me with that case?

My config is:

Current configuration : 4013 bytes
!
! Last configuration change at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
! NVRAM config last updated at 18:22:15 UTC Wed Feb 19 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$BPWA$C5uySGSrxxkQzUodYDhXq/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 192.168.55.22 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
!
!
!
dot11 syslog
dot11 vlan-name TP_VLAN vlan 50
!
dot11 ssid TEST
   vlan 2
   authentication open eap eap_methods1
   authentication shared eap eap_methods1
   authentication network-eap eap_methods1
   dot1x eap profile eapttls
   mbssid guest-mode
!
!
eap profile eapttls
!
crypto pki token default removal timeout 0
!
!
dot1x test timeout 3
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 50 mode ciphers aes-ccm tkip
 !
 ssid TEST
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 channel 2472
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 spanning-disabled
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption vlan 50 mode ciphers aes-ccm tkip
 !
 ssid TEST
 !
 antenna gain 0
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 spanning-disabled
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 bridge-group 50
 bridge-group 50 spanning-disabled
 no bridge-group 50 source-learning
!
interface BVI1
 ip address 192.168.55.19 255.255.255.0
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 172.20.0.2
ip route 0.0.0.0 0.0.0.0 172.22.0.1
ip radius source-interface BVI1
!
radius-server local
  no authentication mac
  nas 192.168.55.22 key 7 131112011F5D5679
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.55.22 auth-port 1812 acct-port 1813 key 7 044F0E151B701E1D
radius-server vsa send accounting
!
bridge 1 route ip
!
!
wlccp ap eap profile eapttls
!
line con 0
line vty 0 4
 password 7 072C285F4D06
 authorization exec local
 transport input all
!
end

Thank you in advance,

Pawel
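Before an SSID like the one above goes into production, a reviewer would want to check the posted configuration for a few settings that weaken it independently of whether EAP-TTLS itself works. The following Python script is an added example, not part of the thread and not a Cisco tool: it parses an excerpt of the configuration from the question (secrets replaced with placeholders) into IOS sections and flags shared-key authentication left on the SSID, an `eap profile` that defines no `method`, TKIP in the cipher suite, plaintext HTTP and all-transport vty management, and a RADIUS key stored with type-7 encoding (a reversible obfuscation, not a hash). The finding codes, the parsing rules and the sample excerpt are this script's own assumptions.

```python
"""Audit an autonomous Cisco IOS AP configuration for weak WLAN and management settings.

Added example; the sample is an excerpt of the configuration posted in the question
with secrets replaced by placeholders. Check names and parsing rules are assumptions
of this script, not Cisco tooling.
"""
import re

# Constructed sample: excerpt of the posted config, secrets replaced with PLACEHOLDER.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
dot11 ssid TEST
   vlan 2
   authentication open eap eap_methods1
   authentication shared eap eap_methods1
   authentication network-eap eap_methods1
   dot1x eap profile eapttls
   mbssid guest-mode
!
eap profile eapttls
!
interface Dot11Radio0
 no ip address
 encryption vlan 50 mode ciphers aes-ccm tkip
 ssid TEST
!
ip http server
no ip http secure-server
radius-server host 192.168.55.22 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
line vty 0 4
 password 7 PLACEHOLDER
 transport input all
!
"""


def parse_sections(config):
    """Group an IOS config into (header, [child lines]) pairs.

    A line starting in column 0 opens a new section; indented lines are its children.
    '!' separators and blank lines are skipped. Top-level one-liners become sections
    with no children, so every statement is reachable by its header.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of (code, detail) findings for weak settings in the config."""
    findings = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]

    for header, children in sections:
        # WEP shared-key authentication on the SSID, even alongside EAP, is a legacy method.
        if header.startswith("dot11 ssid"):
            for c in children:
                if c.startswith("authentication shared"):
                    findings.append(("SSID_SHARED_KEY_AUTH", header))
        # An EAP profile without any 'method' line configures no EAP method at all.
        if header.startswith("eap profile") and not any(c.startswith("method") for c in children):
            findings.append(("EAP_PROFILE_NO_METHOD", header))
        # TKIP left in the radio's cipher suite.
        if header.startswith("interface Dot11Radio"):
            for c in children:
                if c.startswith("encryption") and re.search(r"\btkip\b", c):
                    findings.append(("TKIP_CIPHER_ENABLED", f"{header}: {c}"))
        # 'transport input all' on vty lines includes telnet.
        if header.startswith("line vty") and "transport input all" in children:
            findings.append(("VTY_TRANSPORT_ALL", header))
        # RADIUS shared secret stored with type-7 encoding (reversible obfuscation).
        if header.startswith("radius-server host") and re.search(r"\bkey 7\b", header):
            findings.append(("RADIUS_KEY_TYPE7", header.split(" key ")[0]))

    # HTTP management enabled while HTTPS management is explicitly disabled.
    if "ip http server" in headers and "no ip http secure-server" in headers:
        findings.append(("HTTP_MGMT_PLAINTEXT", "ip http server / no ip http secure-server"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:24} {detail}")
```

The script only reads the AP side. With EAP-TTLS the TLS tunnel and the inner method are negotiated between the supplicant and the RADIUS server, with the AP relaying EAP inside RADIUS, so once the AP configuration passes a check like this, the RADIUS server's authentication log is where a failing association is diagnosed.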

1 REPLY
eschinzer
Beginner

I am also having this problem with only the Aironet 1600 series APs in our environment. We're using EAP-TLS and everything looks configured correctly, all clients have the cert installed, but it will not connect to the Aironet 1600s.
