12-14-2012 09:28 AM - edited 03-07-2019 10:36 AM
Greetings,
I currently have a Cisco AP1142N configured to work with our RADIUS server (it was already configured when I took over the network). I ordered two additional access points for building coverage on multiple floors. Currently, I uploaded the config of the original access point to the new device and I can access the device via web and the SSID is being broadcast. I then added the access point into IAS with the RADIUS secret key to our RADIUS server. When I go to connect to the new access point w/ domain credentials I am not able to establish a connection. I am not very familiar with Cisco products. I followed a video to get the access point up and running w/ an IP from CLI so I could access the web interface and upload the edited config.txt file. Are there any issues with setting up multiple access points w/ a single Windows RADIUS (IAS) server?
Regards,
John
12-14-2012 09:35 AM
You can use a single RADIUS server with no issues. Can you post the config? Are your others working with EAP authentication?
HTH,
John
*** Please rate all useful posts ***
12-14-2012 09:57 AM
Yes, we are using EAP Open Auth. Below is the conf of my access point. Also, the original Wi-Fi AP is working properly.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vhall-1
!
logging rate-limit console 9
enable secret 5 $1$8rxD$XTK4A5n7UjtiJWRKaUCu8.
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip name-server 10.0.0.2
!
!
dot11 syslog
dot11 activity-timeout unknown default 360
dot11 activity-timeout client default 360
!
dot11 ssid vhall-1
 vlan 1
 authentication open eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
!
!
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid vhall-1
 !
 antenna gain 0
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid vhall-1
 !
 antenna gain 0
 dfs band 3 block
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.251 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.7
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community bvilleprivate RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646 key 7 132247420C00570D7B742F3F66
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
12-14-2012 10:10 AM
I don't see anything obviously wrong. Have you looked at event viewer for the audit failure for when connecting to this AP?
HTH,
John
*** Please rate all useful posts ***
12-14-2012 10:18 AM
There are no audit failures, but each time I try to connect to the device, the following error occurs:
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 18
Date: 12/14/2012
Time: 12:14:53 PM
User: N/A
Computer: svr01
Description:
An Access-Request message was received from RADIUS client WAP-1 with a message authenticator attribute that is not valid.
I'm assuming that this might have to do with a certificate? Will I have to generate a new cert for both new access points?
12-14-2012 11:37 AM
I had the same type of issue with an older Dell switch. The switch was sending out a malformed packet, and I never got around it. Check to make sure that you have the same IOS version on both APs and, if not, update the one that isn't working to the version of the one that is. Here's more information on the event code:
http://technet.microsoft.com/en-us/library/cc735343%28v=ws.10%29.aspx
HTH,
John
*** Please rate all useful posts ***
12-14-2012 12:33 PM
In this instance I think the ones that are not working actually have a newer IOS.
Try following this documentation to configure the new APs
01-17-2013 10:02 AM
Hello again. Sorry for the long delay but I was in an accident and am finally back to work. I am able to connect w/ my network credentials but never get an IP from my DHCP server. I have a Windows 7 SP1 laptop w/ my RADIUS server cert installed. The laptop just sits on identifying and I never successfully get an IP. When I check my IAS logs they show authentication was successful. Any ideas?