Aironet 1100 authentication open mac-address problems

admin_2
Level 3

I have a new C1100 series that is running 12.2(4). I am trying to get mac-address authentication to use my RADIUS Server (Funk SBR). I think I am close, but I have been close for about 12 hours now.

I am using an ssid for the dot11Radio 0 interface...

interface Dot11Radio0
no ip address
no ip route-cache
!
ssid INTECUSA
authentication open mac-address sbr
!
ssid tsunami
authentication open
guest-mode

...and I THINK I have the sbr list correctly defined.

aaa group server radius default
server 158.155.25.201 auth-port 1812 acct-port 1813
!
aaa authorization network sbr group radius
!
radius-server host 158.155.25.201 auth-port 1812 acct-port 1813

...The RADIUS server is up and responding to client requests.

...and it looks as though the 1100 is trying to do the right thing, but I don't think I have the sbr method list correctly defined. I don't see any traffic actually go out over the network. Here are the debug messages...

CiscoCS1100#show debug
General OS:
AAA Authorization debugging is on
AAA Accounting debugging is on
dot11 aaa:
Mac Authentication debugging is on
Accounting debugging is on

(now I plug a card into a laptop.)

06:51:07: AAA/ACCT/EVENT/(0000013D): CALL START
06:51:07: AAA/ACCT/NET(0000013D): Rec init, Session Id=126
06:51:07: dot11_aaa_mac_auth: method_list: sbr
06:51:07: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x64EA28
06:51:07: dot11_aaa_mac_auth: client->unique_id: 0x13D
06:51:07: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
06:51:07: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57

Thanks,

Bryan

derwin
Level 5

Bryan,

The problem is on your AAA server:

06:51:07: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED

You need to look on it to find out why it is failing this client.

David

Not applicable

Thanks for the reply David, but there are no packets going out on the network to the AAA server. Also I think the debug messages I included were incomplete. I just tried to access the network (no settings were changed). Here is the debug output. The message...

*21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up*

...is why I think I am messing up. Again, no traffic on the Ethernet side of the 1100 going to the RADIUS server.

21:01:28: AAA/ACCT/EVENT/(00000155): CALL START
21:01:28: AAA/ACCT/NET(00000155): Rec init, Session Id=150
21:01:28: dot11_aaa_mac_auth: method_list: sbr
21:01:28: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x7AB8DC
21:01:28: dot11_aaa_mac_auth: client->unique_id: 0x155
21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
21:01:28: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
21:01:28: AAA/ACCT/EVENT/(00000155): CALL STOP
21:01:28: AAA/ACCT/CALL STOP(00000155): Sending stop requests
21:01:28: AAA/ACCT(00000155): Sending stop record for NET
21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up
21:01:28: AAA/ACCT(00000155):acctdb->rec_count = 0..sending signal
21:01:28: AAA/ACCT(00000155): Interface DB not enqueuedsuccess
21:01:29: dot11_mac_auth_process: remove 000c.3002.1f57 from mac hold list

Thanks again,

Bryan

Hi Bryan,

21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED

This message is a reply from an AAA server. If the AP didn't get a reply from an AAA server, then it would show a timeout after it retried a few times.

Try a sniffer on the switch port to the AAA server. I am sure you will see that the RADIUS server is in fact getting the AAA packets.

A lot of RADIUS servers will not show failed RADIUS attempts as received requests unless you enable debugging on the AAA server.

Not applicable

Figured it out. I was lacking a few things...

The primary reason why traffic wasn't going to the radius server was because I left out this line...

aaa authentication login default group radius local

...I thought that this only applied to logging in for the CLI, but it doesn't. You need it to go to the RADIUS (default server list?) or the auth will stay local to the access point.

Thanks for the help,

Bryan
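The two symptoms in this thread (the ssid naming a MAC-auth method list that no `aaa authentication login` line defines, and the "Method list not found" debug line that accompanies a FAILED reply with no RADIUS traffic) can both be checked mechanically. The script below is an added example, not Cisco code and not something from the thread; it lints an IOS-style config fragment for the condition Bryan hit and triages the AP debug output he posted. The lint rule is an assumption drawn from the thread's resolution: a MAC-auth list named on an ssid must exist as `aaa authentication login <name> ...`, or a `default` login list must be present. Treating `method_index: 0xFFFFFFFF` as a second indicator of an unresolved list is likewise an inference from these debug lines, not documented IOS behaviour. The config and debug samples are constructed from the thread.

```python
"""Check an Aironet/IOS config for undefined MAC-auth method lists and
triage 'debug dot11 aaa mac-authen' style output. Added example modelled
on the forum thread; assumed rule: the list named in
'authentication open mac-address <list>' must exist as
'aaa authentication login <list> ...' or a 'default' login list must exist,
otherwise the AP fails the client locally and never sends a RADIUS request."""
import re

# Constructed sample: the poster's config before the fix (no 'aaa authentication login').
CONFIG_BEFORE = """\
aaa group server radius default
 server 158.155.25.201 auth-port 1812 acct-port 1813
aaa authorization network sbr group radius
radius-server host 158.155.25.201 auth-port 1812 acct-port 1813
interface Dot11Radio0
 no ip address
 ssid INTECUSA
    authentication open mac-address sbr
 ssid tsunami
    authentication open
    guest-mode
"""

# Constructed sample: the same config with the line the poster added.
CONFIG_AFTER = "aaa authentication login default group radius local\n" + CONFIG_BEFORE

SSID_RE = re.compile(r"^\s*ssid\s+(\S+)")
MACAUTH_RE = re.compile(r"^\s*authentication\s+open\s+mac-address\s+(\S+)")
LOGIN_LIST_RE = re.compile(r"^\s*aaa\s+authentication\s+login\s+(\S+)")


def mac_auth_lists(config):
    """Map each ssid name to the MAC-auth method list it references."""
    result, current_ssid = {}, None
    for line in config.splitlines():
        m = SSID_RE.match(line)
        if m:
            current_ssid = m.group(1)
            continue
        m = MACAUTH_RE.match(line)
        if m and current_ssid:
            result[current_ssid] = m.group(1)
    return result


def login_lists(config):
    """Set of method-list names defined by 'aaa authentication login <name>'."""
    return {m.group(1) for line in config.splitlines()
            if (m := LOGIN_LIST_RE.match(line))}


def lint(config):
    """Return (ssid, list_name, message) findings; an empty list means OK."""
    defined = login_lists(config)
    findings = []
    for ssid, lst in mac_auth_lists(config).items():
        if lst not in defined and "default" not in defined:
            findings.append((ssid, lst,
                             "no 'aaa authentication login %s' and no default list: "
                             "MAC auth fails locally, RADIUS is never contacted" % lst))
    return findings


# Constructed sample: the debug lines from the thread that matter for triage.
DEBUG_SAMPLE = """\
21:01:28: dot11_aaa_mac_auth: method_list: sbr
21:01:28: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x7AB8DC
21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up
"""

FAILED_RE = re.compile(r"AAA reply for (\S+) FAILED")


def triage_debug(text):
    """Classify a MAC-auth failure from AP debug output.

    'method-list-unresolved': the AP could not find the method list, so the
    FAILED reply is local and no RADIUS packet was sent (check the config).
    'server-rejected': a FAILED reply without that marker, so look at the
    AAA server's logs as the replies in the thread suggest.
    """
    lines = text.splitlines()
    unresolved = any("Method list not found" in l for l in lines)
    # Assumed secondary indicator, inferred from this thread's debug output.
    unresolved = unresolved or any("method_index: 0xFFFFFFFF" in l for l in lines)
    macs = [m.group(1) for l in lines if (m := FAILED_RE.search(l))]
    if unresolved:
        verdict = "method-list-unresolved"
    elif macs:
        verdict = "server-rejected"
    else:
        verdict = "no-failure-seen"
    return {"verdict": verdict, "macs": macs}


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, lint(cfg) or "OK")
    print(triage_debug(DEBUG_SAMPLE))
```

Running it reports one finding for the "before" config (ssid INTECUSA references list "sbr", which has no login definition), no findings once the `default` line is present, and classifies the posted debug output as a locally unresolved method list for client 000c.3002.1f57. Pointing the same lint at the running config before enabling MAC authentication is the cheaper check; a sniffer on the switch port, as suggested above, confirms whether RADIUS traffic actually leaves the AP.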
