AIR-AP1142N-E-K9 Autonomous with VLANs, SSIDs visible by client but not able to associate or pass radius packets to external radius

ts01
Level 1

Hi All

I'm struggling with an AP issue. I have attached my anonymized config. In short the issue is that I have an Aironet AP with VLANs setup into multiple SSIDs. The main net is VLAN 1 where the radius server receives authentication requests. I have tested that the AP is connected to the radius, and I have done packet capture to verify that I see the authentication traffic. The AP reports the 2.4 and 5GHz radios as up and I can see all the SSIDs from the different clients.

If I change the config command "aaa authentication login rad_eap group radius" to "aaa authentication login default group radius" the AP will try to authenticate me through the external radius when I login to the AP via SSH. I understand that this is caused by the default behaviour of the Cisco AP to enable for all interfaces when the default list is used. I have verified this by doing packet capture, but it is also obvious from the prompt. This authentication fails even if I see the packets and know that the username and password are correct, but that is not the main issue right now.

The main issue is that when I try to connect to one of the SSIDs with a client it just fails. It doesn't show up in the AP's log and there are no authentication packets sent to the radius.

Can anyone see from my config why clients can't associate or connect to this AP? Why doesn't it show in the AP's log when I try to connect a client to one of the SSIDs?

I have also tried to disable security on the WiFi, and run the AP as an open WiFi. That does not improve the situation.

 

I appreciate any ideas for a solution to this issue.

 

10 Replies

Scott Fella
Hall of Fame
Start simple... your radius server might be failing due to your policies. First try to authenticate wireless users and not admin access. That is where it becomes tricky. Get one done, disable it and then try the other and look at your policies as you need to distinguish the one from the other to get that to work. Typically for admin access, you would use TACACS not radius and I believe that is where you are struggling.
-Scott
*** Please rate helpful posts ***

Thanks for your answer Scott Fella!

 

I did start over again yesterday evening and I got it to work with radius as long as I did not mix in VLANs.

 

Native VLAN is automatically said to have VLAN #1 (untagged), but if I configure (tagged) native VLAN 1 (on both the AP and the connecting switch) it stops working. On the switch it is not possible to specify native VLAN. I think it is always VLAN 1, but I don't know if that works on ports where VLAN 1 is tagged?

I suspect this is a result of the BVI1 interface (management interface and interface for radius traffic) that has an IP inside what originally belongs inside VLAN5 configured on the switch which the AP is connected to. Tagged VLAN1 on the switch has no DHCP or other user configured traffic, so in that VLAN there are no possibilities to connect to the radius server. If I configure VLAN5 as native VLAN it won't work for the same reason that it won't work with tagged VLAN1. VLAN1 untagged is the only untagged VLAN which can exist on the Aironet AP together with other VLANs. If you configure e.g. VLAN 5 as native VLAN, then it will be tagged and the untagged VLAN 1 will be removed automatically.

There is a checkbox which says “management interface (if not native)” in the VLAN setup page. This indicates to me that someone who made this firmware intended it to be possible to use another interface than the native VLAN as management interface. If I do not configure any VLANs as native, I think I noticed that VLAN 1 is automatically set as native. If I check the “management interface (if not native)” in VLAN 5 I get a warning/error message saying that native VLAN 1 would be removed (or something like that). Would someone explain how this feature is intended to work?

 

These properties of the Aironet APs seem problematic to more than me, as I found several forum posts on this topic. What I know works is not configuring VLAN5 on the AP, just letting that traffic pass along with the native untagged VLAN 1 traffic. On the switch I configure VLAN 5 as untagged on the connecting port. What I don't know is if it would be possible to get this untagged VLAN 1 on the AP configured together with an SSID to get WiFi in my VLAN5? It could be that this is possible, even if I don't think it is shown very well in the web GUI. There are some commands in the CLI running config that lead me to believe this is possible. I have not tested it yet though. I will show what I mean below:

 

interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 ! (I think this line is related to the SSID for the untagged native LAN?)
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 encryption vlan 3 mode ciphers aes-ccm tkip

 

Another solution would be to make the radius server's interface on an untagged VLAN1 (native) and configure this through my whole network (this includes setup of a new DHCP scope)? This solution would mean that I would either end up with a management interface of the AP in another subnet than I usually have my management interfaces in, or I would have to configure more than one management interface (BVI2) on the AP (if that is possible)?

As all the other forum posters that I have read have written: It is recommended to keep user traffic on separate VLANs from the native VLAN1. Why doesn't it seem possible to have the management interface in another VLAN than the native VLAN 1 and at the same time get all the functionality of the AP (like radius) to work?

 

This explains in a good way why we don't want to use native VLAN1 for other traffic (like my VLAN5 traffic), etc: https://docs.netgate.com/pfsense/en/latest/book/vlan/vlans-and-security.html#using-the-default-vlan1

 

Does anyone have any solutions that I have not seen?

Here is a simple explanation. Vlan 1 is default on many vendors as untagged. Native vlan means untagged. If you want to use another vlan as native, vlan 5 for example, you can’t use vlan 1. Many folks design their environment not using vlan 1 so that they can specify what vlan they want untagged as native. Also you are limited on the switch you use and what it allows you to change. Most modern enterprise switches allow you to define different ports to have different native vlans.
-Scott
*** Please rate helpful posts ***
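As an added example (not config from the thread, and not Cisco documentation), this is what the native-VLAN agreement Scott describes looks like on both ends: a Cisco IOS switch trunk port whose untagged VLAN is 5, and the autonomous AP side where VLAN 5 is the native VLAN carrying BVI1 (management and RADIUS traffic) while the user VLANs stay tagged. Interface names, VLAN IDs and addresses are assumptions.

```cisco
! --- Switch side (Cisco IOS; port name is an assumption) ---
interface GigabitEthernet1/0/10
 description Uplink to AIR-AP1142N (assumed port)
 switchport mode trunk
 ! Untagged frames on this trunk belong to VLAN 5, so the AP's untagged
 ! management traffic lands in the VLAN 5 subnet where the RADIUS server is.
 switchport trunk native vlan 5
 switchport trunk allowed vlan 2,3,5
!
! --- AP side (autonomous IOS) ---
! VLAN 5 is native on the wired side too: "native" here means it is sent
! and received untagged, and it bridges into group 1, which owns BVI1.
interface GigabitEthernet0.5
 encapsulation dot1Q 5 native
 bridge-group 1
!
! User VLANs stay tagged and bridge into their own groups.
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
!
! Management address lives in the VLAN 5 subnet (addresses assumed), so
! RADIUS requests sourced from BVI1 leave untagged and match the switch.
interface BVI1
 ip address 192.0.2.20 255.255.255.0
!
ip default-gateway 192.0.2.1
```

The check for the mismatch ts01 describes is to compare the native VLAN on each end: `show interfaces trunk` on the switch should list VLAN 5 as native for that port, and on the AP the dot1Q subinterface marked `native` must be the one bridged to BVI1. If the switch cannot change the native VLAN from 1, the AP's management subnet has to be the VLAN 1 subnet instead.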

Yesterday evening I finally got it working with VLANs. As always it isn't difficult as long as you know what is possible and not. I ended up with VLAN5 as native VLAN on the AP. This is possibly not optimal, but works. I configured VLAN5 as I would if it should have ended up as a tagged VLAN, but then I checked the "native VLAN" check box. VLAN 1 was then disabled automatically as a result of this.

With that one solved I started to think about how I would configure the SSIDs for all these VLANs (12 ea). I ended up with one SSID on the native VLAN, and dynamically assigning VLAN for the users (everyone connects to the same SSID, but gets the VLAN the user is assigned from the user definition in Radius). I was really surprised when I got this working after only trying one time :-) This will be a really nice setup where all users and certificates can be managed centrally on my Radius server.

The next issue is how to set up the WiFi access for guests? It is too much to ask guests to install certificates, so I guess I will need another SSID where I just run WPA2-PSK. It would be nice to control the password from radius though. Would that be possible on the same APs? At the same time I would like to get some statistics on how many unique MAC addresses have connected to the different networks, etc. What would your proposed solution for this be?

 

Best regards

Put yourself in a guest user shoes, you would not want an organization to touch your device. You would also want an easy way to access the guest network. I have seen a simple portal page with just accept button to where organizations just have an open SSID, which is the simplest way.
-Scott
*** Please rate helpful posts ***

I would remove that TKIP encryption & test it again. Here is some reference from when I tested it a long time back

https://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/ 

 

HTH

Rasika

*** Pls rate all useful responses ***

Thanks for your answer Rasika!

 

I got it to work yesterday evening with encryption AES-CCMP+TKIP. I guess it would have worked without TKIP also, but as I understand it TKIP is not added security, but rather less security and more options for the radius authentication to end up successful. For this reason I guess I will disable TKIP when I have everything operating the way I like.

I don't know if that is why you wanted me to disable TKIP, or if it was a suggestion to get my radius authentication to start working?

 

Best regards

You should not have AES and TKIP configured on the same ssid. This will cause issues with clients joining and possibly staying connected. Use only AES.
-Scott
*** Please rate helpful posts ***

Is it a bug in the firmware that makes AES+TKIP a bad match or is it a bad decision of Cisco to put that choice into the menus of their APs? Could you give some more background on why AES+TKIP is a bad couple?

I did disable TKIP, since this protocol has a bad security level compared to AES-CCMP. My clients still connected just fine. On the radius and client EAP setup I used EAP-TTLS with MS-CHAPv2 which to me seems to be the only common one supported by both Android and Windows. I hope Apple and Linux also have support for the same setup?
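The pieces ts01 ends up with, written out as an added example rather than the thread's own config or Cisco's documentation: one 802.1X/EAP SSID on which the RADIUS server selects the user's VLAN, a separate WPA2-PSK guest SSID pinned to its own VLAN, and AES-CCMP-only encryption on every VLAN, which is Scott's point about not mixing AES and TKIP. It also keeps the AP's own login authentication off the RADIUS list, the symptom described at the top of the thread. SSID names, VLAN IDs, the server address and the placeholder secrets are assumptions; the matching GigabitEthernet0.N subinterfaces for each VLAN are not repeated here.

```cisco
aaa new-model
! Only wireless EAP uses the RADIUS group. The login default list stays
! local so SSH/console logins to the AP are not sent to RADIUS.
! Server address and shared secret are placeholders.
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
!
! Corporate SSID: WPA2 with EAP. Users land on VLAN 5 unless the
! Access-Accept carries Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and
! Tunnel-Private-Group-ID=<vlan>, in which case the AP moves them to that
! VLAN (it must exist on the radio with its own encryption and subinterface).
dot11 ssid corp
 vlan 5
 authentication open eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
! Guest SSID: WPA2-PSK on its own VLAN, no certificates on guest devices.
dot11 ssid guest
 vlan 12
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii <GUEST-PSK-PLACEHOLDER>
 mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 ! AES-CCMP only on every VLAN a client can be placed in, including the
 ! ones RADIUS may assign dynamically; no TKIP anywhere.
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers aes-ccm
 encryption vlan 5 mode ciphers aes-ccm
 encryption vlan 12 mode ciphers aes-ccm
 ssid corp
 ssid guest
 mbssid
!
! Native VLAN 5 bridges to group 1 (BVI1); every other VLAN gets its own
! tagged subinterface and bridge group, on the radio and on GigabitEthernet0.
interface Dot11Radio0.5
 encapsulation dot1Q 5 native
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 bridge-group 12
```

When a client can see the SSID but never appears in the AP log, `show dot11 associations` tells you whether it associated at all, and `debug radius authentication` shows whether an Access-Request left the AP; a VLAN returned by RADIUS that has no `encryption vlan N` line or no subinterface on the AP is a common reason the client is dropped after a successful EAP exchange.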
