598 Views, 0 Helpful, 4 Replies

issue with NPS server and Bridge Groups

jkay18041 (Level 3)

We have a Ubiquiti setup and an AP has started giving us trouble. Decided to put a Cisco in its place. We currently have 2 SSIDs on different VLANs and 1 Management VLAN. A Windows Server 2012 R2 box acts as the NPS server. It has a NIC on VLAN 10 and VLAN 2.

 

After getting the Cisco set up I think my bridge groups are wrong and I was hoping someone could shed some light.

 

Info

 

VLAN2 Corp

VLAN 5 Guest

VLAN 10 Management

NPS Server VLAN10 IP 192.168.10.100

 

Switch port is:

switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 2,5,10
switchport mode trunk

 

I can ping the AP from the NPS server via the vlan 10 interface

 

Here is my AP config

 


! Last configuration change at 03:43:44 UTC Fri Mar 1 2002
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IT_Area
!
!
logging rate-limit console 9
no logging console
enable secret 5 $
!
aaa new-model
!
!
aaa group server radius rad_eap
server name Server
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server name Server
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip source-route
no ip routing
no ip cef
ip admission name webauth proxy http
ip admission name webpass consent
ip domain name lcompany.corp
!
!
!
!
dot11 syslog
!
dot11 ssid VLAN5-GUEST
vlan 5
authentication open
authentication key-management wpa version 2
mbssid guest-mode
!
dot11 ssid VLAN2
vlan 2
authentication open eap eap_methods1
authentication key-management wpa version 2
mbssid guest-mode
!
!
dot11 guest
!
eap profile PEAP
method peap
!
!
!
username john privilege 15 password 7 
!
!
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 5 mode ciphers aes-ccm
!
ssid VLAN5-GUEST
!
ssid VLAN2
!
antenna gain 0
mbssid
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 5 mode ciphers aes-ccm
!
ssid VLAN5-GUEST
!
ssid VLAN2
!
antenna gain 0
peakdetect
dfs band 3 block
mbssid
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface GigabitEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 3
bridge-group 3 spanning-disabled
no bridge-group 3 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 192.168.10.210 255.255.255.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
!
!
radius server Server
address ipv4 192.168.10.100 auth-port 1812 acct-port 1813
key 7 03076F2F052D306E74203A074500052F30
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
privilege level 15
transport input ssh
!
end

 

Any thoughts or suggestions?

 

Thank you!

Accepted Solution

Refer to the post below (in my case VLAN 999 is the management VLAN, equivalent to VLAN 10 in your case)

https://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/

 

You need to create a radio sub-interface .10, put it in bridge-group 1 and make it dot1Q native.

 

HTH

Rasika

*** Pls rate all useful responses ***


4 Replies


added this

 

interface Dot11Radio1.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding

 

interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding

 

I am still not able to connect.

 

 

bridge-group 1 should be only under the .10 sub-interfaces (G0.10, D0.10, D1.10), not under the Radio0 & Radio1 interfaces.

 

Give it a try and see. In my previous response you will see a sample config; compare it with yours to identify the differences.

 

HTH

Rasika

*** Pls rate all useful responses ***
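The placement rule Rasika gives above (the management bridge group lives on a native-VLAN sub-interface of every port, never on the physical radio, and each VLAN maps to one bridge group on both the radio and the wired side) is mechanical enough to check with a script. The following is an added example, not code from this thread or from Cisco: it parses a condensed, constructed autonomous-AP config modelled on the first config in this thread (labelled BEFORE), reports the two defects the accepted answer points at, and shows that the corrected variant (AFTER, with bridge-group 1 moved onto a new Dot11Radio0.10 native sub-interface) passes. The checker generalises to any number of radios; interface and VLAN names in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed, condensed IOS autonomous-AP config reproducing the layout of the
# first config in this thread: bridge-group 1 sits directly on the physical
# radio and the radio has no native-VLAN (.10) sub-interface. Only the lines
# the checker inspects are kept; this is not the poster's config.
BEFORE = """\
interface Dot11Radio0
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface Dot11Radio0.5
 encapsulation dot1Q 5
 bridge-group 3
!
interface GigabitEthernet0
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface GigabitEthernet0.5
 encapsulation dot1Q 5
 bridge-group 3
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.10.210 255.255.255.0
"""

# Corrected variant built from BEFORE: bridge-group 1 leaves the physical radio
# and moves to a new native-VLAN sub-interface, as the accepted answer advises.
AFTER = BEFORE.replace(
    "interface Dot11Radio0\n bridge-group 1\n", "interface Dot11Radio0\n"
) + "interface Dot11Radio0.10\n encapsulation dot1Q 10 native\n bridge-group 1\n"

ENCAP_RE = re.compile(r"encapsulation dot1[Qq] (\d+)( native)?$")
BRIDGE_RE = re.compile(r"bridge-group (\d+)$")   # bare assignment only, not its sub-options


def parse_interfaces(config):
    """Map interface name -> {vlan, native, bridge_group}. A block runs from one
    'interface' line to the next; '!' lines are ignored because forum pastes lose
    indentation and scatter '!' inside interface blocks, as in this thread."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"vlan": None, "native": False, "bridge_group": None}
        elif current:
            m = ENCAP_RE.match(line)
            if m:
                ifaces[current]["vlan"] = int(m.group(1))
                ifaces[current]["native"] = m.group(2) is not None
            m = BRIDGE_RE.match(line)
            if m:
                ifaces[current]["bridge_group"] = int(m.group(1))
    return ifaces


def lint_bridge_groups(config):
    """Return a list of findings; an empty list means the bridge layout is consistent."""
    ifaces = parse_interfaces(config)
    findings = []
    bvis = [n for n in ifaces if n.startswith("BVI")]
    if not bvis:
        return ["no BVI interface: the AP has no management IP to source RADIUS from"]
    mgmt_group = int(bvis[0][3:])  # BVI<n> is the routed side of bridge-group n
    physical = [n for n in ifaces
                if n.startswith(("Dot11Radio", "GigabitEthernet")) and "." not in n]
    for p in physical:
        # The management bridge group belongs on a native-VLAN sub-interface,
        # never on the physical radio or Ethernet interface itself.
        if ifaces[p]["bridge_group"] == mgmt_group:
            findings.append(f"{p}: bridge-group {mgmt_group} is on the physical interface; "
                            f"move it to a native-VLAN sub-interface")
        subs = [n for n in ifaces if n.startswith(p + ".")]
        if not any(ifaces[s]["native"] and ifaces[s]["bridge_group"] == mgmt_group
                   for s in subs):
            findings.append(f"{p}: no native-VLAN sub-interface in bridge-group {mgmt_group}")
    # A VLAN must land in a single bridge group, or its radio and wired sides
    # are never bridged together.
    groups_by_vlan = defaultdict(set)
    for i in ifaces.values():
        if i["vlan"] is not None and i["bridge_group"] is not None:
            groups_by_vlan[i["vlan"]].add(i["bridge_group"])
    for vlan, groups in sorted(groups_by_vlan.items()):
        if len(groups) > 1:
            findings.append(f"VLAN {vlan} is split across bridge-groups {sorted(groups)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_bridge_groups(cfg) or "OK")
```

Run against the BEFORE sample it reports two findings for Dot11Radio0 (bridge-group 1 on the physical radio, and no native-VLAN sub-interface in bridge-group 1); the AFTER sample comes back clean. Because the parser keys only on `interface`, `encapsulation dot1Q` and bare `bridge-group` lines, the full `show running-config` output pasted in this thread can be fed to it unchanged.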

I think that's how I have it set up

 

!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 5 mode ciphers aes-ccm
!
ssid VLAN5-GUEST
!
ssid VLAN2
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 5 mode ciphers aes-ccm
!
ssid VLAN5-GUEST
!
ssid VLAN2
!
antenna gain 0
peakdetect
dfs band 3 block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface GigabitEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 3
bridge-group 3 spanning-disabled
no bridge-group 3 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 192.168.10.210 255.255.255.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig

 

 

 

The AP gives me this error when I try to connect to VLAN 2 using the NPS server 

*Mar 1 03:27:56.155: %DOT11-7-AUTH_FAILED: Station fcdb.b3f9.f3fe Authentication failed
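The `%DOT11-7-AUTH_FAILED` line above is the one signal the AP gives when the 802.1X exchange does not complete, so it is worth pulling those lines out of the AP's syslog feed and counting them per station rather than reading them one at a time. The following is an added example, not code from this thread: it parses a constructed syslog excerpt in the same message format (station MACs are made up, and the `%SYS-5-CONFIG_I` line is a standard IOS message included as noise), counts failures per station, and flags stations that cross a threshold. A burst of failures from many distinct stations right after a config change, as in this thread, points at the AP-to-RADIUS path; repeated failures from one station on an otherwise working SSID point at that client's credentials or supplicant.

```python
import re
from collections import Counter

# Constructed syslog excerpt in the format the AP in this thread logs; the
# MAC addresses are made up and the %SYS line is an unrelated standard message.
SAMPLE_LOG = """\
*Mar 1 03:27:56.155: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
*Mar 1 03:27:58.201: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
*Mar 1 03:28:00.010: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.10.100)
*Mar 1 03:28:03.773: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
*Mar 1 03:28:05.400: %DOT11-7-AUTH_FAILED: Station 6677.8899.aabb Authentication failed
"""

# Leading '*' means the AP clock is not synchronised (as on the AP in this thread).
AUTH_FAILED_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%DOT11-\d-AUTH_FAILED: Station (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"Authentication failed$"
)


def parse_auth_failures(log_text):
    """Return (timestamp, station MAC) for every AUTH_FAILED line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAILED_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("mac").lower()))
    return events


def failures_per_station(log_text):
    """Count AUTH_FAILED events per station MAC."""
    return Counter(mac for _, mac in parse_auth_failures(log_text))


def stations_over_threshold(log_text, threshold=3):
    """Stations with at least `threshold` failures: a repeat offender or a
    misconfigured supplicant rather than a single mistyped password."""
    counts = failures_per_station(log_text)
    return sorted(mac for mac, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = failures_per_station(SAMPLE_LOG)
    print(f"{sum(counts.values())} failures from {len(counts)} stations: {dict(counts)}")
    print("over threshold:", stations_over_threshold(SAMPLE_LOG))
```

On the constructed sample this yields 4 failures from 2 stations, with `0011.2233.4455` crossing the default threshold of 3. The number of distinct stations (`len(failures_per_station(...))`) is the figure to watch after a change like the one in this thread: when every client that tries starts failing at once, the problem is the AP's path to the RADIUS server, not the clients.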
