
AP problem Cisco aironet 1040

htennapel
Level 1

I have a Cisco Aironet 1040.

On my access point I have 2 VLANs: 1 for my wifi phones and 1 for my network.

Wifi LAN has the SSID LAN with WPA enterprise authentication to a RADIUS server (MS Server 2008).

Wifi Phone has SSID PHONE and VLAN 50 with local RADIUS authentication.

This all works fine, except when I enable AP for my wifi phones.

When AP is enabled, the authentication for my LAN doesn’t go to my server but local.

How do I configure my access points so that the Cisco phones use the local RADIUS server with AP and my Windows computers connect using the MS RADIUS server?

Hope someone can help.

Attached is my current config.


Stephen Rodriguez
Cisco Employee

aaa group server radius rad_eap

server auth-port 1645 acct-port 1646

!

aaa group server radius WDS-AUTH

server auth-port 1812 acct-port 1813

!

aaa group server radius VOICE-AUTH

server auth-port 1812 acct-port 1813

!

aaa authentication login eap_methods group rad_eap

Both of the SSIDs are calling eap_methods. What you need to do is configure another aaa authentication line:

** aaa authentication login phone_method group VOICE-AUTH**

then call that as your network-eap:

dot11 ssid VOICE

   vlan 50

   authentication network-eap **phone_method**

   authentication key-management cckm

Change/add the lines between the **.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered


Steve,

Thanks for your help!

We changed the config to your example, but the Windows client can't connect to the network.

There is no authentication with the authentication server.

A wireless Cisco phone connects correctly to the voice SSID.

Somehow the Windows client does not connect to the “ms radius server” for authentication.

Debugging Station 38e7.d8d3.3b0a Authentication failed

Can you post your current config?

Steve


Steve,

Attached is the config file.

OK, so config2 matches config1 with the exception of the SSID names, which shouldn't matter. If the client could connect before, it should still be connecting now, unless you were matching on the SSID name in the AAA server.

Can you take a look at the eventvwr of the NPS and see what the System log says when the device failed to connect?

HTH,
Steve


Hello Steve,

I am sorry that was the wrong config file.

Hereby the correct one.

Problem is, when wlccp is configured, the client / ap never reaches the server.

Try doing a:

no aaa authentication default local

and see if that allows everything to work as it should. 

HTH,
Steve


Hello Steve,

I tried what you told me,

but I still get the error "Station 001c.bf69.65d5 Authentication failed" for my Windows clients.

What does your NPS say is the reason for the failure?

Steve


Steve,

Nothing, the client doesn't reach the NPS server so there is no logging on the NPS server.

The config looks fine, it should be working.  Can you try:

test aaa radius group rad_eap new user test pass cisco

It doesn't matter if we get a pass or fail, just that we see something back from the server. Do you know if your NPS is configured to use 1645/1646 or 1812/1813?

You may also want to do a span of the AP port when you have a client trying to authenticate and see if the packet is being sent or not.

Alternately, you can debug the radius as well.

HTH,
Steve


Hi Steve,

The authentication goes well until

wlccp ap username AUTH-WDS password 7 xxxxxxxxxxxxxxxxxxxx

wlccp authentication-server infrastructure method_WDS-AUTH

wlccp authentication-server client eap eap_methods

wlccp authentication-server client leap method_VOICE

wlccp wds priority 61 interface BVI1

is loaded; then my Windows clients can't connect.

Do you have more than one AP? If not there is no need to do WDS.

Steve


Steve,

We got more than 5 APs in our network.
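Added example, not part of any post in this thread and not Cisco tooling: a small Python audit that maps each SSID and WLCCP line to the AAA method list it calls, flagging SSIDs that share one list (the situation described in the first reply) and references to lists or groups that are never defined. The sample config is constructed from lines quoted in the thread, with assumed SSID names and VLAN 1 for the LAN; it is not the attached config.

```python
import re
from collections import defaultdict

# Constructed sample assembled from lines quoted in the thread (not the attached config).
SAMPLE = """\
aaa group server radius rad_eap
aaa group server radius VOICE-AUTH
aaa authentication login eap_methods group rad_eap
dot11 ssid LAN
   vlan 1
   authentication network-eap eap_methods
dot11 ssid VOICE
   vlan 50
   authentication network-eap eap_methods
wlccp authentication-server client eap eap_methods
wlccp authentication-server client leap method_VOICE
"""

def audit(config):
    """Map every EAP consumer (SSID or WLCCP line) to its AAA method list."""
    groups, lists, users = set(), {}, defaultdict(list)
    ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server radius (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m.group(1)] = m.group(2).replace("group ", "").split()
        elif m := re.match(r"dot11 ssid (\S+)", line):
            ssid = m.group(1)
        elif ssid and (m := re.match(r"authentication (?:network-eap|open eap) (\S+)", line)):
            users[m.group(1)].append("ssid " + ssid)
        elif m := re.match(r"wlccp authentication-server (?:infrastructure|client \S+) (\S+)", line):
            users[m.group(1)].append("wlccp")
        if raw and not raw[0].isspace() and not line.startswith("dot11 ssid"):
            ssid = None  # an unindented line ends the SSID sub-mode
    builtin = {"local", "radius", "tacacs+", "none"}
    findings = [("undefined-group", n, [g]) for n, gs in lists.items()
                for g in gs if g not in groups | builtin]
    for name, who in users.items():
        ssids = [w for w in who if w.startswith("ssid ")]
        if name not in lists:
            findings.append(("undefined-list", name, who))
        elif len(ssids) > 1:
            findings.append(("shared-list", name, ssids))
    return lists, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

On the constructed sample it reports `eap_methods` as shared by both SSIDs and `method_VOICE` as referenced by WLCCP without a matching `aaa authentication login` line.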
