Cisco AP1142N Radius Issue

vobpcdcisco
Level 1

Greetings,

I currently have a Cisco AP1142N configured to work with our RADIUS server (it was already configured when I took over the network). I ordered two additional access points for building coverage on multiple floors. Currently, I uploaded the config of the original access point to the new device and I can access the device via web and the SSID is being broadcast. I then added the access point into IAS with the RADIUS secret key to our RADIUS server. When I go to connect to the new access point w/ domain credentials I am not able to establish a connection. I am not very familiar with Cisco products. I followed a video to get the access point up and running w/ an IP from CLI so I could access the web interface and upload the edited config.txt file. Are there any issues with setting up multiple access points w/ a single Windows RADIUS (IAS) server?

Regards,

John


John Blakley
VIP Alumni

You can use a single RADIUS server with no issues. Can you post the config? Are your others working with EAP authentication?

HTH,
John

*** Please rate all useful posts ***


Yes, we are using EAP Open Auth. Below is the conf of my access point. Also, the original wifi AP is working properly.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vhall-1
!
logging rate-limit console 9
enable secret 5 $1$8rxD$XTK4A5n7UjtiJWRKaUCu8.
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip name-server 10.0.0.2
!
!
dot11 syslog
dot11 activity-timeout unknown default 360
dot11 activity-timeout client default 360
!
dot11 ssid vhall-1
   vlan 1
   authentication open eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
!
!
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid vhall-1
 !
 antenna gain 0
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid vhall-1
 !
 antenna gain 0
 dfs band 3 block
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.251 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.7
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community bvilleprivate RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646 key 7 132247420C00570D7B742F3F66
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

I don't see anything obviously wrong. Have you looked at Event Viewer for the audit failure when connecting to this AP?

HTH,
John

*** Please rate all useful posts ***


There are no audit failures, but each time I try to connect to the device, the following error occurs:

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 18
Date:  12/14/2012
Time:  12:14:53 PM
User:  N/A
Computer: svr01
Description:
An Access-Request message was received from RADIUS client WAP-1 with a message authenticator attribute that is not valid.

I'm assuming that this might have to do with a certificate? Will I have to generate a new cert for both new access points?

I had the same type of issue with an older Dell switch. The switch was sending out a malformed packet, and I never got around it. Check to make sure that you have the same IOS version on both APs and, if not, update the one that isn't working to the version of the one that is. Here's more information on the event code:

http://technet.microsoft.com/en-us/library/cc735343%28v=ws.10%29.aspx

HTH,
John

*** Please rate all useful posts ***


In this instance I think the ones that are not working actually have a newer IOS.

Try following this documentation to configure the new APs:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Hello again. Sorry for the long delay, but I was in an accident and am finally back to work. I am able to connect w/ my network credentials but never get an IP from my DHCP server. I have a Windows 7 SP1 laptop w/ my RADIUS server cert installed. The laptop just sits on identifying and I never successfully get an IP. When I check my IAS logs they show authentication was successful. Any ideas?
