11-12-2019 04:54 AM - edited 07-05-2021 11:18 AM
Hi All
I'm struggling with an AP issue. I have attached my anonymized config. In short, the issue is that I have an Aironet AP with VLANs set up into multiple SSIDs. The main net is VLAN 1, where the radius server receives authentication requests. I have tested that the AP is connected to the radius, and I have done a packet capture to verify that I see the authentication traffic. The AP reports the 2.4 and 5GHz radios as up and I can see all the SSIDs from the different clients.
If I change the config command "aaa authentication login rad_eap group radius" to "aaa authentication login default group radius" the AP will try to authenticate me through the external radius when I log in to the AP via SSH. I understand that this is caused by the default behaviour of the Cisco AP to enable it for all interfaces when the default list is used. I have verified this by doing a packet capture, but it is also obvious from the prompt. This authentication fails even though I see the packets and know that the username and password are correct, but that is not the main issue right now.
The main issue is that when I try to connect to one of the SSIDs with a client it just fails. It doesn't show up in the AP's log and there are no authentication packets sent to the radius.
Can anyone see from my config why clients can't associate or connect to this AP? Why doesn't it show in the AP's log when I try to connect a client to one of the SSIDs?
I have also tried to disable security on the WiFi, and run the AP as an open WiFi. That does not improve the situation.
I appreciate any ideas for a solution to this issue.
11-13-2019 02:01 AM
Thanks for your answer Scott Fella!
I did start over again yesterday evening and I got it to work with radius as long as I did not mix in VLANs.
Native VLAN is automatically said to be VLAN #1 (untagged), but if I configure (tagged) native VLAN 1 (on both the AP and the connecting switch) it stops working. On the switch it is not possible to specify the native VLAN. I think it is always VLAN 1, but I don't know if that works on ports where VLAN 1 is tagged?
I suspect this is a result of the BVI1 interface (management interface and interface for radius traffic) having an IP inside what originally belongs to VLAN5 configured on the switch which the AP is connected to. Tagged VLAN1 on the switch has no DHCP or other user-configured traffic, so in that VLAN there is no possibility to connect to the radius server. If I configure VLAN5 as the native VLAN it won't work for the same reason that it won't work with tagged VLAN1. VLAN1 untagged is the only untagged VLAN which can exist on the Aironet AP together with other VLANs. If you configure e.g. VLAN 5 as the native VLAN, then it will be tagged and the untagged VLAN 1 will be removed automatically.
There is a checkbox which says “management interface (if not native)” in the VLAN setup page. This indicates to me that someone who made this firmware intended it to be possible to use another interface than the native VLAN as the management interface. If I do not configure any VLAN as native, I think I noticed that VLAN 1 is automatically set as native. If I check “management interface (if not native)” in VLAN 5 I get a warning/error message saying that native VLAN 1 would be removed (or something like that). Would someone explain how this feature is intended to work?
These properties of the Aironet APs seem problematic to more than me, as I found several forum posts on this topic. What I know works is not configuring VLAN5 on the AP, just letting that traffic pass along with the native untagged VLAN 1 traffic. On the switch I configure VLAN 5 as untagged on the connecting port. What I don't know is if it would be possible to get this untagged VLAN 1 on the AP configured together with an SSID to get WiFi in my VLAN5? It could be that this is possible, even if I don't think it is shown very well in the web GUI. There are some commands in the CLI running config that lead me to believe this is possible. I have not tested it yet though. I will show what I mean below:
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm (I think this line is related to the SSID for the untagged native lan?)
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
encryption vlan 3 mode ciphers aes-ccm tkip
Another solution would be to put the radius server's interface on an untagged VLAN1 (native) and configure this through my whole network (this includes setup of a new DHCP scope)? This solution would mean that I would either end up with a management interface of the AP in another subnet than I usually have my management interfaces in, or I would have to configure more than one management interface (BVI2) on the AP (if that is possible)?
As all the other forum posters that I have read have written: it is recommended to keep user traffic on separate VLANs from the native VLAN1. Why doesn't it seem possible to have the management interface in another VLAN than the native VLAN 1 and at the same time get all the functionality of the AP (like radius) to work?
This explains in a good way why we don't want to use native VLAN1 for other traffic (like my VLAN5 traffic), etc: https://docs.netgate.com/pfsense/en/latest/book/vlan/vlans-and-security.html#using-the-default-vlan1
Does anyone have any solutions that I have not seen?
11-14-2019 02:44 AM
Yesterday evening I finally got it working with VLANs. As always, it isn't difficult as long as you know what is possible and what is not. I ended up with VLAN5 as the native VLAN on the AP. This is possibly not optimal, but it works. I configured VLAN5 as I would if it should have ended up as a tagged VLAN, but then I checked the "native VLAN" check box. VLAN 1 was then disabled automatically as a result of this.
With that one solved I started to think about how I would configure the SSIDs for all these VLANs (12 ea). I ended up with one SSID on the native VLAN, and dynamically assigning the VLAN for the users (everyone connects to the same SSID, but gets the VLAN the user is assigned in the user definition in Radius). I was really surprised when I got this working after only trying one time :-) This will be a really nice setup where all users and certificates can be managed centrally on my Radius server.
The next issue is how to set up the WiFi access for guests? It is too much to ask guests to install certificates, so I guess I will need another SSID where I just run WPA2-PSK. It would be nice to control the password from radius though. Would that be possible on the same APs? At the same time I would like to get some statistics on how many unique MAC addresses have connected to the different networks, etc. What would your proposed solution for this be?
Best regards
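The two configuration points raised in this thread, the named AAA list for wireless clients versus the default list for AP logins (first post) and one 802.1X SSID with per-user VLANs assigned by RADIUS plus a separate PSK SSID for guests (the post above), put together as an added illustration. This is not the poster's attached config or any Cisco reference config: IOS 15.x autonomous-AP syntax is assumed, and every name, VLAN ID, address and shared secret here is constructed.

```cisco
! Added illustration, not the poster's config. IOS 15.x autonomous-AP syntax
! is assumed; names, VLAN IDs, addresses and secrets are constructed values.
aaa new-model
!
! Console/SSH logins use the DEFAULT list and stay local, so the EAP list can
! point at RADIUS without redirecting AP management logins there as well.
aaa authentication login default local
!
! Wireless clients use a NAMED list, referenced from "dot11 ssid" below.
aaa group server radius rad_eap_group
 server name RADIUS-1
aaa authentication login rad_eap group rad_eap_group
!
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
!
! One EAP SSID for all staff. "vlan 5" is the VLAN a user lands in when RADIUS
! returns no VLAN; the server overrides it per user with the standard
! RFC 2868/3580 attributes Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6)
! and Tunnel-Private-Group-ID=<vlan-id>. Each VLAN RADIUS may return needs its
! own encryption line and subinterfaces on the AP (VLAN 20 shown as one example).
dot11 ssid CORP-EAP
   vlan 5
   authentication open eap rad_eap
   authentication network-eap rad_eap
   authentication key-management wpa version 2
   mbssid guest-mode
!
! Separate WPA2-PSK SSID for guests, on its own VLAN.
dot11 ssid GUEST
   vlan 30
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 CHANGE-ME-GUEST-PASSPHRASE
   mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 ! AES-CCMP only, no TKIP mixed in, for every VLAN a client can be placed in
 encryption vlan 5 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 encryption vlan 30 mode ciphers aes-ccm
 ssid CORP-EAP
 ssid GUEST
 mbssid
 station-role root
!
! VLAN 5 is native on both the radio and the wired side (the layout the thread
! ended up with); BVI1, which sources management and RADIUS traffic, sits on
! bridge-group 1 and therefore in VLAN 5.
interface Dot11Radio0.5
 encapsulation dot1Q 5 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!
interface GigabitEthernet0.5
 encapsulation dot1Q 5 native
 bridge-group 1
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
 no bridge-group 30 source-learning
!
interface BVI1
 ip address 192.0.2.20 255.255.255.0
```

The switch port facing the AP has to carry VLAN 5 untagged (native) and VLANs 20 and 30 tagged for this to line up; a client whose RADIUS reply names a VLAN that has no encryption line or subinterfaces on the AP will fail to join, which is worth checking first when a dynamically assigned user cannot connect.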
11-12-2019 09:26 PM
I would remove that TKIP encryption & test it again. Here is some reference from when I tested it a long time back:
https://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/
HTH
Rasika
*** Pls rate all useful responses ***
11-13-2019 01:55 AM
Thanks for your answer Rasika!
I got it to work yesterday evening with encryption AES-CCMP+TKIP. I guess it would have worked without TKIP also, but as I understand it TKIP is not added security, but rather less security and more options for the radius authentication to end up successful. For this reason I guess I will disable TKIP when I have everything operating the way I like.
I don't know if that is why you wanted me to disable TKIP, or if it was a suggestion to get my radius authentication to start working?
Best regards
11-13-2019 05:02 AM
Is it a bug in the firmware that makes AES+TKIP a bad match, or is it a bad decision of Cisco to put that choice into the menus of their APs? Could you give some more background on why AES+TKIP is a bad couple?
11-14-2019 03:15 AM
I did disable TKIP, since this protocol has a bad security level compared to AES-CCMP. My clients still connected just fine. On the radius and client EAP setup I used EAP-TTLS with MS-CHAPv2, which to me seems to be the only common one supported by both Android and Windows. I hope Apple and Linux also have support for the same setup?