01-19-2012 09:13 AM - edited 07-03-2021 09:24 PM
See the config below. All IP addresses are correct and I have another AP which works. However, this one does not. They are using the same RADIUS settings.
On the client machine I am getting an EAP/TTLS box asking for Domain/Username and Password (Token). If I enter my username and password, it still does not authenticate.
The client settings are correct too, since the same computer can connect to another AP using the user credentials.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FRD-WAP01-1
!
aaa new-model
!
!
aaa group server radius rad_eap
server 172.16.0.43 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name aa.corp
ip name-server 172.16.1.53
ip name-server 172.16.1.50
!
!
ip dhcp-server 172.16.1.50
ip dhcp-server 172.16.1.53
!
dot11 ssid Test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 01300F175804
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid Test
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid Test
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.16.0.81 255.255.0.0
ip helper-address 172.16.1.50
ip helper-address 172.16.1.53
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.0.43 auth-port 1645 acct-port 1646 key 7 ****************
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
sntp server 172.16.1.50
sntp broadcast client
end
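A cross-check a practitioner would run on a config like the one pasted above, as an added example (not the poster's or Cisco's code): it parses the IOS-style text and verifies that every RADIUS group named in an authentication or accounting method list is actually defined, that every method list referenced under `dot11 ssid` exists, and that each server inside a group has a matching `radius-server host` line. The sample config is constructed from the AAA-relevant lines of the post (sub-mode lines indented as IOS prints them, the RADIUS key replaced by a placeholder); the 1645/1646 fallback ports are the IOS defaults when `auth-port`/`acct-port` are omitted.

```python
"""Cross-check the AAA/RADIUS references in a Cisco IOS autonomous-AP config.

Added example; not the poster's or Cisco's code. Every `group <name>` used in
an authentication/accounting method list must be defined by
`aaa group server radius <name>`, every method list named under `dot11 ssid`
must exist, and every server inside a group should also be declared with a
matching `radius-server host` entry.
"""
import re

# Constructed sample: the AAA-relevant lines of the posted configuration,
# with IOS sub-mode lines indented by one space as IOS prints them.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 172.16.0.43 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid Test
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
radius-server host 172.16.0.43 auth-port 1645 acct-port 1646 key 7 0123
"""

DEFAULT_PORTS = ("1645", "1646")  # IOS defaults when auth-port/acct-port are omitted
SERVER_RE = r"(\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?"


def _server(m):
    """(ip, auth_port, acct_port) from a server/host match, filling in defaults."""
    return (m.group(1), m.group(2) or DEFAULT_PORTS[0], m.group(3) or DEFAULT_PORTS[1])


def parse_config(text):
    """Collect RADIUS groups, method lists, radius-server hosts and SSID list references."""
    cfg = {"groups": {}, "lists": {}, "hosts": set(), "ssid_refs": []}
    group = ssid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # an unindented line leaves any sub-mode
            group = ssid = None
        if m := re.match(r"aaa group server radius (\S+)$", line):
            group = m.group(1)
            cfg["groups"].setdefault(group, set())
        elif group and (m := re.match(r"server " + SERVER_RE, line)):
            cfg["groups"][group].add(_server(m))
        elif m := re.match(r"aaa (?:authentication|accounting) \w+ (\S+) (.*)", line):
            # method list name -> RADIUS groups it references (local/none are ignored)
            cfg["lists"][m.group(1)] = re.findall(r"group (\S+)", m.group(2))
        elif m := re.match(r"dot11 ssid (\S+)", line):
            ssid = m.group(1)
        elif ssid and (m := re.match(r"authentication (open|shared|network-eap)(.*)", line)):
            tokens = m.group(2).split()
            if m.group(1) == "network-eap" and tokens:   # list name follows directly
                cfg["ssid_refs"].append((ssid, tokens[0]))
            for i, tok in enumerate(tokens[:-1]):        # `eap <list>` / `mac-address <list>`
                if tok in ("eap", "mac-address"):
                    cfg["ssid_refs"].append((ssid, tokens[i + 1]))
        elif m := re.match(r"radius-server host " + SERVER_RE, line):
            cfg["hosts"].add(_server(m))
    return cfg


def lint(cfg):
    """Return human-readable findings for dangling or inconsistent references."""
    findings = []
    for name, groups in cfg["lists"].items():
        for g in groups:
            if g not in cfg["groups"]:
                findings.append(f"method list {name} references undefined RADIUS group {g}")
    for g, servers in cfg["groups"].items():
        if not servers:
            findings.append(f"RADIUS group {g} has no servers")
        for ip, auth, acct in servers:
            if (ip, auth, acct) not in cfg["hosts"]:
                findings.append(f"group {g} server {ip} {auth}/{acct} has no matching radius-server host")
    for ssid, lst in cfg["ssid_refs"]:
        if lst not in cfg["lists"]:
            findings.append(f"ssid {ssid} references undefined method list {lst}")
    return findings


def lint_text(text):
    return lint(parse_config(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print(finding)
```

On the posted lines the only finding is that `acct_methods` points at a group `rad_acct` that is never defined (only `rad_eap` is). That is a hygiene issue, not an explanation for a rejected login: accounting runs after the Access-Accept, so a broken accounting group cannot by itself stop authentication.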
01-19-2012 11:01 AM
The config looks ok. You don't need the network EAP as you aren't doing LEAP, but that shouldn't hurt you here.
If the client is getting prompted for credentials it sounds like the AAA and client aren't negotiating the eap type properly. Can you look at the NPS logs when the client is failing and see what the error is?
Steve
Sent from Cisco Technical Support iPad App
01-19-2012 12:16 PM
Below is the event from the NPS server. Instead of "Guest" it normally says the user login name.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/19/2012 11:51:45 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PLN-NPS.aa.corp
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: AA\Guest
Account Name:
Account Domain: AA
Fully Qualified Account Name: AA\Guest
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 7081.0545.4bd0
Calling Station Identifier: 0022.5f5f.31e1
NAS:
NAS IPv4 Address: 172.16.0.81
NAS IPv6 Address: -
NAS Identifier: FRD-WAP01-1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 363
RADIUS Client:
Client Friendly Name: FRD-WAP01-1
Client IP Address: 172.16.0.81
Authentication Details:
Connection Request Policy Name: AA Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: PLN-NPS.aa.corp
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 34
Reason: The user or computer account that is specified in the RADIUS Access-Request message is disabled.
Event Xml: (XML tags lost in extraction; the element values repeat the description fields above, with the user SID given as S-1-5-21-3370326106-2379687522-1592785168-501 and the client machine SID as S-1-0-0.)
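For triaging events like the one pasted above, here is an added example (not from the thread or from Microsoft) that parses the text form of an NPS event 6273 as copied from Event Viewer, then flags the things a responder checks first: the reason code, whether the identity resolved to the built-in Guest account (well-known RID 501), whether the User-Name was empty, and whether EAP Type and Network Policy Name are blank. The sample event is constructed from the fields of the posted event; the reason-code table is a small subset of well-known NPS codes kept from memory, so treat entries other than 34 (quoted on the page) as an assumption to be confirmed against the NPS reason-code reference.

```python
"""Parse and triage a Windows NPS event 6273 (access denied) in text form.

Added example; not code from the thread or from Microsoft.
"""

# Constructed sample modelled on the event pasted in the thread.
SAMPLE_EVENT = """\
Event ID: 6273
Task Category: Network Policy Server
Keywords: Audit Failure
Computer: PLN-NPS.aa.corp
Description:
Network Policy Server denied access to a user.
User:
Security ID: AA\\Guest
Account Name:
Account Domain: AA
Fully Qualified Account Name: AA\\Guest
Client Machine:
Security ID: NULL SID
Account Name: -
Called Station Identifier: 7081.0545.4bd0
Calling Station Identifier: 0022.5f5f.31e1
NAS:
NAS IPv4 Address: 172.16.0.81
NAS Identifier: FRD-WAP01-1
NAS Port-Type: Wireless - IEEE 802.11
RADIUS Client:
Client Friendly Name: FRD-WAP01-1
Client IP Address: 172.16.0.81
Authentication Details:
Connection Request Policy Name: AA Secure Wireless Connections
Network Policy Name: -
Authentication Type: EAP
EAP Type: -
Reason Code: 34
Reason: The user or computer account that is specified in the RADIUS Access-Request message is disabled.
"""

SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}

# Assumption: subset of NPS reason codes from memory; 34 is the one quoted on the page.
REASONS = {
    16: "credentials mismatch (bad password or auth method the account cannot use)",
    22: "EAP type cannot be processed by the server",
    34: "account disabled",
    48: "no network policy matched",
    65: "network access permission denied on the account",
    66: "authentication method not enabled on the matched network policy",
}
GUEST_RID = "-501"  # well-known RID of the built-in Guest account


def parse_event(text):
    """Flatten 'Label: value' lines into a dict; nested fields get a 'Section/' prefix."""
    fields, section = {}, None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue                       # free-text lines such as the description
        label, value = label.strip(), value.strip()
        if not value and label in SECTIONS:
            section = label
            continue
        key = f"{section}/{label}" if section else label
        fields[key] = "" if value == "-" else value   # NPS prints '-' for absent values
    return fields


def field(ev, label, section=None):
    """Look a field up by label, optionally restricted to one section."""
    if section:
        return ev.get(f"{section}/{label}", "")
    for key, value in ev.items():
        if key == label or key.endswith("/" + label):
            return value
    return ""


def triage(ev):
    """Return the observations a responder would want from the event."""
    notes = []
    code = int(field(ev, "Reason Code") or 0)
    notes.append(f"reason {code}: {REASONS.get(code, 'see the NPS reason-code reference')}")
    sid = field(ev, "Security ID", "User")
    if sid.endswith(GUEST_RID) or sid.split("\\")[-1].lower() == "guest":
        notes.append("identity resolved to the built-in Guest account (RID 501): "
                     "check which User-Name the supplicant actually sent")
    if not field(ev, "Account Name", "User"):
        notes.append("User-Name in the Access-Request was empty")
    if not field(ev, "EAP Type"):
        notes.append("EAP Type is blank: rejected before an EAP method was negotiated")
    if not field(ev, "Network Policy Name"):
        notes.append("no Network Policy recorded; only the Connection Request Policy "
                     f"'{field(ev, 'Connection Request Policy Name')}' was evaluated")
    notes.append(f"NAS {field(ev, 'NAS Identifier')} ({field(ev, 'NAS IPv4 Address')}), "
                 f"client MAC {field(ev, 'Calling Station Identifier')}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_event(SAMPLE_EVENT)):
        print(note)
```

The Guest check handles both spellings NPS uses: the `DOMAIN\Guest` form in the description and the raw `S-1-5-21-...-501` form in the event XML.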