08-13-2014 03:05 AM - edited 07-05-2021 01:22 AM
Hi,
the following config works on AIR-AP1142N-E-K9, AIR-AP1242AG-E-K9 and AIR-AP1242AG-E-K9, but it does not work on several tested AIR-SAP1602I-E-K9.
The config is the same, except for "FastEthernet" replaced by "GigabitEthernet" depending on hardware, some ofdm/stbc commands that IOS added itself, and details of the radius server commands that changed between IOS versions.
On the working APs, clients do WPA2/AES/PEAP/MS-CHAP with a freeradius server and get back a VLAN-ID. On the non-working AIR-SAP1602i, the problem seems to be BEFORE the radius server is even asked: there is no radius request.
However, "test aaa group rad_eap user pass new" gives a successful authentication, so radius seems to work fine.
On the AIR-SAP1602I-E-K9 I tested with IOS 15.2(2)JB2 and 15.2(4)JB5. Same result.
The config:
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname xxxxxx
!
logging rate-limit console 9
enable secret ...
!
aaa new-model
!
aaa group server radius rad_eap
server xx.xx.xx.12 auth-port 1812 acct-port 1813
server xx.xx.xx.11 auth-port 1812 acct-port 1813
!
aaa authentication login default group rad_eap local
aaa authentication login lokal local
aaa authentication login eap_method group rad_eap
aaa authentication ppp default group rad_eap
aaa authentication ppp eap_method group rad_eap
aaa authentication dot1x default group rad_eap
aaa authentication dot1x eap_method group rad_eap
aaa authorization network default group rad_eap
aaa authorization network eap_method group rad_eap
aaa accounting network eap_method start-stop group rad_eap
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip routing
no ip cef
no ip domain lookup
ip domain name xxxxxxx
!
dot11 syslog
!
dot11 ssid PROBLEM
vlan 1
authentication open eap eap_method
authentication network-eap eap_method
authentication key-management wpa version 2
accounting default
guest-mode
!
!
dot11 network-map
power inline negotiation prestandard source
crypto pki token default removal timeout 0
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 10 mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
encryption vlan 60 mode ciphers aes-ccm
encryption vlan 120 mode ciphers aes-ccm
encryption vlan 130 mode ciphers aes-ccm
encryption vlan 240 mode ciphers aes-ccm
!
ssid PROBLEM
!
antenna gain 0
stbc
beamform ofdm
packet retries 128
channel 2412
station-role root
rts threshold 2312
world-mode dot11d country-code DE both
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 701
bridge-group 1 output-address-list 701
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
no cdp enable
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.60
encapsulation dot1Q 60
no ip route-cache
no cdp enable
bridge-group 60
bridge-group 60 subscriber-loop-control
bridge-group 60 spanning-disabled
bridge-group 60 block-unknown-source
no bridge-group 60 source-learning
no bridge-group 60 unicast-flooding
!
interface Dot11Radio0.120
encapsulation dot1Q 120
no ip route-cache
bridge-group 120
bridge-group 120 subscriber-loop-control
bridge-group 120 spanning-disabled
bridge-group 120 block-unknown-source
no bridge-group 120 source-learning
no bridge-group 120 unicast-flooding
!
interface Dot11Radio0.130
encapsulation dot1Q 130
no ip route-cache
no cdp enable
bridge-group 130
bridge-group 130 subscriber-loop-control
bridge-group 130 spanning-disabled
bridge-group 130 block-unknown-source
no bridge-group 130 source-learning
no bridge-group 130 unicast-flooding
!
interface Dot11Radio0.240
encapsulation dot1Q 240
no ip route-cache
no cdp enable
bridge-group 240
bridge-group 240 subscriber-loop-control
bridge-group 240 spanning-disabled
bridge-group 240 block-unknown-source
no bridge-group 240 source-learning
no bridge-group 240 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 10 mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
encryption vlan 60 mode ciphers aes-ccm
encryption vlan 120 mode ciphers aes-ccm
encryption vlan 130 mode ciphers aes-ccm
encryption vlan 240 mode ciphers aes-ccm
!
ssid PROBLEM
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
packet retries 128
channel dfs
station-role root
rts threshold 2312
world-mode dot11d country-code DE both
no cdp enable
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 701
bridge-group 1 output-address-list 701
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
no ip route-cache
no cdp enable
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.60
encapsulation dot1Q 60
no ip route-cache
no cdp enable
bridge-group 60
bridge-group 60 subscriber-loop-control
bridge-group 60 spanning-disabled
bridge-group 60 block-unknown-source
no bridge-group 60 source-learning
no bridge-group 60 unicast-flooding
!
interface Dot11Radio1.120
encapsulation dot1Q 120
no ip route-cache
bridge-group 120
bridge-group 120 subscriber-loop-control
bridge-group 120 spanning-disabled
bridge-group 120 block-unknown-source
no bridge-group 120 source-learning
no bridge-group 120 unicast-flooding
!
interface Dot11Radio1.130
encapsulation dot1Q 130
no ip route-cache
no cdp enable
bridge-group 130
bridge-group 130 subscriber-loop-control
bridge-group 130 spanning-disabled
bridge-group 130 block-unknown-source
no bridge-group 130 source-learning
no bridge-group 130 unicast-flooding
!
interface Dot11Radio1.240
encapsulation dot1Q 240
no ip route-cache
no cdp enable
bridge-group 240
bridge-group 240 subscriber-loop-control
bridge-group 240 spanning-disabled
bridge-group 240 block-unknown-source
no bridge-group 240 source-learning
no bridge-group 240 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface GigabitEthernet0.60
encapsulation dot1Q 60
no ip route-cache
bridge-group 60
bridge-group 60 spanning-disabled
no bridge-group 60 source-learning
!
interface GigabitEthernet0.120
encapsulation dot1Q 120
no ip route-cache
bridge-group 120
bridge-group 120 spanning-disabled
no bridge-group 120 source-learning
!
interface GigabitEthernet0.130
encapsulation dot1Q 130
no ip route-cache
bridge-group 130
bridge-group 130 spanning-disabled
no bridge-group 130 source-learning
!
interface GigabitEthernet0.240
encapsulation dot1Q 240
no ip route-cache
bridge-group 240
bridge-group 240 spanning-disabled
no bridge-group 240 source-learning
The debug output:
003374: Aug 13 09:42:24.571: dot11_auth_add_client_entry: Create new client 3423.bab9.9568 for application 0x1
003375: Aug 13 09:42:24.571: dot11_auth_initialize_client: 3423.bab9.9568 is added to the client list for application 0x1
003376: Aug 13 09:42:24.571: dot11_auth_add_client_entry: req->auth_type 0
003377: Aug 13 09:42:24.571: dot11_auth_add_client_entry: auth_methods_inprocess: 2
003378: Aug 13 09:42:24.571: dot11_auth_add_client_entry: eap list name: eap_method
003379: Aug 13 09:42:24.571: dot11_run_auth_methods: Start auth method EAP or LEAP
003380: Aug 13 09:42:24.571: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
003381: Aug 13 09:42:24.571: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 3423.bab9.9568
003382: Aug 13 09:42:24.571: EAPOL pak dump tx
003383: Aug 13 09:42:24.571: EAPOL Version: 0x1 type: 0x0 length: 0x002F
003384: Aug 13 09:42:24.571: EAP code: 0x1 id: 0x1 length: 0x002F type: 0x1
0E020390: 0100002F 0101002F .../.../
0E0203A0: ................... ..networkid=PROB
0E0203B0: .................. LEM,nasid=xxxxxx
0E0203C0: .................. xx,portid=0
003385: Aug 13 09:42:24.571: dot11_auth_send_msg: sending data to requestor status 1
003386: Aug 13 09:42:24.571: dot11_auth_send_msg: Sending EAPOL to requestor
003387: Aug 13 09:42:24.571: dot11_auth_dot1x_send_id_req_to_client: Client 3423.bab9.9568 timer started for 30 seconds
003388: Aug 13 09:42:54.571: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 3423.bab9.9568
003389: Aug 13 09:42:54.571: dot11_auth_dot1x_send_client_fail: Authentication failed for 3423.bab9.9568
003390: Aug 13 09:42:54.571: dot11_auth_send_msg: sending data to requestor status 0
003391: Aug 13 09:42:54.571: dot11_auth_send_msg: client FAILED to authenticate 3423.bab9.9568, node_type 64 for application 0x1
003392: Aug 13 09:42:54.571: dot11_auth_delete_client_entry: 3423.bab9.9568 is deleted for application 0x1
003393: Aug 13 09:42:54.571: %DOT11-7-AUTH_FAILED: Station 3423.bab9.9568 Authentication failed
003394: Aug 13 09:42:54.571: dot11_auth_client_abort: Received abort request for client 3423.bab9.9568
003395: Aug 13 09:42:54.571: dot11_auth_client_abort: No client entry to abort: 3423.bab9.9568 for application 0x1
003396: Aug 13 09:42:54.911: AAA/BIND(000001A7): Bind i/f
003397: Aug 13 09:42:54.911: dot11_auth_add_client_entry: Create new client 3423.bab9.9568 for application 0x1
003398: Aug 13 09:42:54.911: dot11_auth_initialize_client: 3423.bab9.9568 is added to the client list for application 0x1
003399: Aug 13 09:42:54.911: dot11_auth_add_client_entry: req->auth_type 0
003400: Aug 13 09:42:54.911: dot11_auth_add_client_entry: auth_methods_inprocess: 2
003401: Aug 13 09:42:54.911: dot11_auth_add_client_entry: eap list name: eap_method
003402: Aug 13 09:42:54.911: dot11_run_auth_methods: Start auth method EAP or LEAP
003403: Aug 13 09:42:54.911: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
003404: Aug 13 09:42:54.911: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 3423.bab9.9568
003405: Aug 13 09:42:54.911: EAPOL pak dump tx
003406: Aug 13 09:42:54.911: EAPOL Version: 0x1 type: 0x0 length: 0x002F
003407: Aug 13 09:42:54.911: EAP code: 0x1 id: 0x1 length: 0x002F type: 0x1
0E021100: 0100002F 0101002F 01006E65 74776F72 .../.../..networ
0E021110: ................. kid=PROBLEM,nas
0E021120: ................. id=xxxxx,porti
0E021130: 643D30 d=0
003408: Aug 13 09:42:54.911: dot11_auth_send_msg: sending data to requestor status 1
003409: Aug 13 09:42:54.911: dot11_auth_send_msg: Sending EAPOL to requestor
003410: Aug 13 09:42:54.911: dot11_auth_dot1x_send_id_req_to_client: Client 3423.bab9.9568 timer started for 30 seconds
003411: Aug 13 09:43:24.910: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 3423.bab9.9568
003412: Aug 13 09:43:24.910: dot11_auth_dot1x_send_client_fail: Authentication failed for 3423.bab9.9568
003413: Aug 13 09:43:24.910: dot11_auth_send_msg: sending data to requestor status 0
003414: Aug 13 09:43:24.910: dot11_auth_send_msg: client FAILED to authenticate 3423.bab9.9568, node_type 64 for application 0x1
003415: Aug 13 09:43:24.910: dot11_auth_delete_client_entry: 3423.bab9.9568 is deleted for application 0x1
003416: Aug 13 09:43:24.910: %DOT11-7-AUTH_FAILED: Station 3423.bab9.9568 Authentication failed
For "Action(CLIENT_WAIT,TIMEOUT)" I found this doc: http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/50843-debug-authen.html
However, the very same clients work fine with the identical config on other models of access points. What is different with the 1602i?
Any ideas what the problem is?
Best Regards
Matthias
08-14-2014 11:06 PM
Hello,
here I am back, answering my own question:
All my authorized WLAN users are in one of the configured VLANs. That VLAN ID is assigned by radius.
VLAN1 is configured for the SSID but never used for authorized users; radius always overrides it with the user's correct VLAN ID. If a user is not authorized for WLAN, he is put into VLAN1, which is unusable because of the ACL.
In previous versions of IOS I could shut down the subinterface dot x.1 or filter all its traffic, and authorized users could still connect. The subinterface was used for user traffic only, not for EAP.
e.g.
interface dot x.1
shutdown
bridge-group 1 input-address-list 701
bridge-group 1 output-address-list 701
In IOS 15.2, the native WLAN subinterface dot x.1 seems to be used by IOS for EAP traffic!
So all EAP traffic got filtered by the MAC ACL and never reached the client.
If I remove the ACL and enable the subinterface dot x.1, everything works fine.
e.g.
interface dot x.1
no shutdown
no bridge-group 1 input-address-list 701
no bridge-group 1 output-address-list 701
However, now I have to find a new solution for the unauthorized users...
Best Regards
Matthias
P.S. Could somebody please mark this as solved? I cannot mark my own problems as solved in this forum.
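As an added example (not from the thread or from Cisco), a small Python check that does by script what the second post worked out by hand: it walks AP dot11 auth debug output and flags a client that was sent an EAP identity request and then hit CLIENT_WAIT,TIMEOUT while no RADIUS exchange appeared at all, which points at EAPOL being dropped before the client (here the shut or MAC-ACL-filtered native subinterface) rather than at the server. The sample lines are trimmed from the debug output above; the `RADIUS(...): ... Access-Request` line shape is an assumption about `debug radius` output.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant events from the AP debug output quoted in the thread.
SAMPLE_LOG = """\
003381: Aug 13 09:42:24.571: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 3423.bab9.9568
003387: Aug 13 09:42:24.571: dot11_auth_dot1x_send_id_req_to_client: Client 3423.bab9.9568 timer started for 30 seconds
003388: Aug 13 09:42:54.571: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 3423.bab9.9568
003389: Aug 13 09:42:54.571: dot11_auth_dot1x_send_client_fail: Authentication failed for 3423.bab9.9568
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ID_REQ = re.compile(r"Sending identity request to " + MAC)
TIMEOUT = re.compile(r"Action\(CLIENT_WAIT,TIMEOUT\) for " + MAC)
FAILED = re.compile(r"Authentication failed for " + MAC)
# Assumed shape of `debug radius` lines; RADIUS debug carries a session id, not the client
# MAC, so any Access-* message is taken as "the server was consulted at all".
RADIUS = re.compile(r"RADIUS\([0-9A-Fa-f]+\).*Access-(Request|Challenge|Accept|Reject)")


def classify(log_text):
    """Return {mac: verdict} for every client that was sent an EAP identity request."""
    seen = defaultdict(lambda: {"id_req": 0, "timeout": 0, "failed": 0})
    radius_seen = False
    for line in log_text.splitlines():
        if m := ID_REQ.search(line):
            seen[m.group(1)]["id_req"] += 1
        elif m := TIMEOUT.search(line):
            seen[m.group(1)]["timeout"] += 1
        elif m := FAILED.search(line):
            seen[m.group(1)]["failed"] += 1
        elif RADIUS.search(line):
            radius_seen = True
    verdicts = {}
    for mac, c in seen.items():
        if c["timeout"] and not radius_seen:
            # Identity request went out, no reply ever came back and the server was never
            # asked: the EAPOL frame is not reaching the client. Check the native
            # subinterface (shutdown, MAC ACL) before suspecting the RADIUS setup.
            verdicts[mac] = "no_eap_response_radius_never_asked"
        elif c["failed"]:
            verdicts[mac] = "failed_after_radius_consulted"
        else:
            verdicts[mac] = "in_progress_or_ok"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in classify(SAMPLE_LOG).items():
        print(mac, verdict)
```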