08-04-2003 03:09 PM - edited 07-04-2021 08:54 AM
I have a new C1100 series that is running 12.2(4). I am trying to get mac-address authentication to use my RADIUS Server (Funk SBR). I think I am close, but I have been close for about 12 hours now.
I am using an ssid for the dot11Radio 0 interface...
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid INTECUSA
authentication open mac-address sbr
!
ssid tsunami
authentication open
guest-mode
...and I THINK I have the sbr list correctly defined.
aaa group server radius default
server 158.155.25.201 auth-port 1812 acct-port 1813
!
aaa authorization network sbr group radius
!
radius-server host 158.155.25.201 auth-port 1812 acct-port 1813
...The RADIUS server is up and responding to client requests.
...and it looks as though the 1100 is trying to do the right thing, but I don't think I have the sbr method list correctly defined. I don't see any traffic actually go out over the network. Here are the debug messages...
CiscoCS1100#show debug
General OS:
AAA Authorization debugging is on
AAA Accounting debugging is on
dot11 aaa:
Mac Authentication debugging is on
Accounting debugging is on
(Now I plug a card into a laptop.)
06:51:07: AAA/ACCT/EVENT/(0000013D): CALL START
06:51:07: AAA/ACCT/NET(0000013D): Rec init, Session Id=126
06:51:07: dot11_aaa_mac_auth: method_list: sbr
06:51:07: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x64EA28
06:51:07: dot11_aaa_mac_auth: client->unique_id: 0x13D
06:51:07: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
06:51:07: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
Thanks,
Bryan
08-04-2003 07:17 PM
Bryan,
The problem is on your AAA server
06:51:07: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
You need to look on it to find out why it is failing this client
David
08-05-2003 05:33 AM
Thanks for the reply David, but there are no packets going out on the network to the AAA server. Also I think the debug messages I included were incomplete. I just tried to access the network (no settings were changed). Here is the debug output. The message...
*21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up*
Is why I think I am messing up. Again no traffic on the Ethernet side of the 1100 going to the RADIUS server.
21:01:28: AAA/ACCT/EVENT/(00000155): CALL START
21:01:28: AAA/ACCT/NET(00000155): Rec init, Session Id=150
21:01:28: dot11_aaa_mac_auth: method_list: sbr
21:01:28: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x7AB8DC
21:01:28: dot11_aaa_mac_auth: client->unique_id: 0x155
21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
21:01:28: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
21:01:28: AAA/ACCT/EVENT/(00000155): CALL STOP
21:01:28: AAA/ACCT/CALL STOP(00000155): Sending stop requests
21:01:28: AAA/ACCT(00000155): Sending stop record for NET
21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up
21:01:28: AAA/ACCT(00000155):acctdb->rec_count = 0..sending signal
21:01:28: AAA/ACCT(00000155): Interface DB not enqueuedsuccess
21:01:29: dot11_mac_auth_process: remove 000c.3002.1f57 from mac hold list
Thanks again,
Bryan
08-05-2003 05:54 AM
Hi Bryan
21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
This message is a reply from a AAA server. If the AP didn't get a reply from a AAA server then it would show a timeout after it retried a few times.
Try a sniffer on the switch port to the AAA server. I am sure you will see that the radius server is in fact getting the AAA packets.
A lot of radius servers will not show failed radius attempts as received requests unless you enable debugging on the AAA server.
08-05-2003 07:09 AM
Figured it out. I was lacking a few things...
The primary reason why traffic wasn't going to the radius server was because I left out this line...
aaa authentication login default group radius local
...I thought that this only applied to logging in for the CLI, but it doesn't. You need it to go to the radius (default server list?) or the auth will stay local to the access point.
Thanks for the help,
Bryan
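Added example, not part of the thread: a Python triage over the debug output posted above that separates a MAC-auth failure inside the AP from a rejection by the RADIUS server. It assumes, based only on the captures in this thread, that `method_index: 0xFFFFFFFF` and `Method list not found` mark an unresolved method list; the function name `triage` and the verdict strings are hypothetical.

```python
import re

# Constructed sample: lines copied from the second debug capture in the thread.
SAMPLE = """\
21:01:28: AAA/ACCT/EVENT/(00000155): CALL START
21:01:28: dot11_aaa_mac_auth: method_list: sbr
21:01:28: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x7AB8DC
21:01:28: dot11_aaa_mac_auth: client->unique_id: 0x155
21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up
"""

UNRESOLVED = 0xFFFFFFFF  # assumption: index value meaning "list name not found"
LIST_RX = re.compile(r"dot11_aaa_mac_auth: method_list: (\S+)")
INDEX_RX = re.compile(r"dot11_aaa_mac_auth: method_index: (0x[0-9A-Fa-f]+)")
UID_RX = re.compile(r"client->unique_id: (0x[0-9A-Fa-f]+)")
REPLY_RX = re.compile(r"dot11_mac_process_reply: AAA reply for (\S+) (\w+)")
ACCT_RX = re.compile(r"AAA/ACCT/\w+\(([0-9A-Fa-f]{8})\): Method list not found")

def triage(log_text):
    """Return one dict per MAC-auth attempt with a verdict on where it failed."""
    attempts, cur = [], {}
    for line in log_text.splitlines():
        if m := LIST_RX.search(line):
            cur = {"method_list": m.group(1), "acct_list_missing": False}
            attempts.append(cur)
        elif m := INDEX_RX.search(line):
            cur["method_index"] = int(m.group(1), 16)
        elif m := UID_RX.search(line):
            cur["aaa_id"] = int(m.group(1), 16)
        elif m := REPLY_RX.search(line):
            cur["mac"], cur["result"] = m.group(1), m.group(2)
        elif m := ACCT_RX.search(line):
            for a in attempts:  # accounting lines carry the same id, zero-padded
                if a.get("aaa_id") == int(m.group(1), 16):
                    a["acct_list_missing"] = True
    for a in attempts:
        if a.get("result") != "FAILED":
            a["verdict"] = "not a failure"
        elif a.get("method_index") == UNRESOLVED:
            a["verdict"] = "failed on the AP: method list unresolved, check aaa config"
        else:
            a["verdict"] = "failed after list lookup: check the RADIUS server"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["mac"], a["method_list"], a["verdict"])
```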