06-16-2014 07:13 AM - edited 07-05-2021 01:01 AM
Hello. I have three 1200 series access points running in autonomous mode that need to allow handheld computers to connect. The handhelds need to authenticate using EAP. The APs are properly listed and configured in the ACS and the handhelds are properly set up as well, but when I do "show dot11 association" it shows them authenticated with aaa instead of eap. As I said, these are autonomous, so there is no WLC. The VLAN being used for the APs is properly trunked all the way back to where the traffic needs to go. Here is a configuration example:
interface Dot11Radio0
no ip address
no shut
no ip route-cache
!
encryption mode wep mandatory
!
ssid portableclient
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
channel 2412
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
aaa new-model
!
!
aaa group server radius rad_eap
server x.x.x.x auth-port 1645 acct-port 1646
server x.x.x.x auth-port 1645 acct-port 1646
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_m
!
aaa group server radius rad_a
!
aaa group server radius rad_ad
!
aaa group server tacacs+ tac_ad
!
aaa group server radius rad_p
!
aaa group server radius dummy
!
ip http authentication aaa
no ip http secure-server
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key xxxxxxxx
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server timeout 20
radius-server deadtime 3
radius-server key xxxxxxxxx
radius-server vsa send accounting
bridge 1 route ip
!
The clients connect to the AP but authenticate with aaa and therefore do not transmit, as the handhelds require RADIUS. Any ideas of what I might be missing?
06-16-2014 09:00 AM
Hi,
Could you please share the full AP configuration?
You have left out important parts of the configuration.
Regards
Najaf
06-19-2014 08:57 AM
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname
!
logging buffered 1048576 debugging
enable secret
!
ip subnet-zero
no ip source-route
ip domain list
ip domain list
ip domain name
ip name-server
ip name-server
ip name-server
!
!
dot11 syslog
!
! SSID name redacted by the poster. Both authentication lines hand off to the
! "eap_methods" login list defined near the end of this config, which uses only
! the rad_eap RADIUS group. Note that "acct_methods" is referenced here but no
! "aaa accounting" line defining it appears anywhere in the pasted config.
dot11 ssid
authentication open eap eap_methods
authentication network-eap eap_methods
accounting acct_methods
infrastructure-ssid
!
dot11 network-map
!
!
dot1x timeout reauth-period server
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no shut
no ip route-cache
!
encryption mode wep mandatory
!
ssid
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
channel 2412
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
!
ip default-gateway
no ip http server
!
logging trap notifications
logging source-interface BVI1
logging
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
snmp-server community
snmp-server ifindex persist
snmp-server trap-source BVI1
snmp-server host 1 snmp
snmp-server host 1 snmp
snmp-server host 1 snmp
!
!
banner motd ^
*******************************************************************************
*******************************************************************************
^
!
!
line con 0
exec-timeout 30 0
transport preferred telnet
login
password
stopbits 1
line vty 0 4
exec-timeout 30 0
transport preferred telnet
login
password
line vty 5 15
exec-timeout 30 0
transport preferred telnet
login
password
!
sntp server
!
aaa new-model
!
!
aaa group server radius rad_eap
server auth-port 1645 acct-port 1646
server auth-port 1645 acct-port 1646
server auth-port 1645 acct-port 1646
!
aaa group server radius rad_m
!
aaa group server radius rad_a
!
aaa group server radius rad_ad
!
aaa group server tacacs+ tac_ad
!
aaa group server radius rad_p
!
aaa group server radius dummy
!
ip http authentication aaa
no ip http secure-server
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host
tacacs-server host
tacacs-server host
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1645 acct-port 1646
radius-server host auth-port 1645 acct-port 1646
radius-server host auth-port 1645 acct-port 1646
radius-server timeout 20
radius-server deadtime 3
radius-server key
radius-server vsa send accounting
bridge 1 route ip
!
! Management login/enable go to TACACS+ with local enable fallback.
! eap_methods (the list the SSID points at) has no fallback: if all three
! RADIUS servers in rad_eap are marked dead, every EAP client fails.
aaa authentication attempts login 4
aaa authentication password-prompt Password(local):
aaa authentication username-prompt User(local):
aaa authentication login default group tacacs+ enable
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
!
!
!
end
06-19-2014 10:19 AM
Hi,
I hope you have not modified the running configuration. For some reason I cannot find the RADIUS server IP address anywhere. I hope you have removed it.
Do you have trouble with all wireless clients not doing EAP, or only with some clients?
Can you enable "debug radius authentication" output please?
Regards
Najaf
06-24-2014 10:54 AM
Yes, all my RADIUS IPs were removed before posting. It is all wireless devices that connect to this new AP.
06-25-2014 03:13 AM
Hi,
Can you please enable "debug radius authentication" and share the output when a client tries to connect?
Regards
Najaf
08-18-2014 09:20 AM
Hi Najaf,
I ran into the same issue. Could you please advise on the "sh log" information below? Thanks.
RADIUS-4-RADIUS_DEAD: RADIUS server XX.XX.XX.XX:1645,1646 is not responding.
RADIUS-4-RADIUS_ALIVE: RADIUS server XX.XX.XX.XX:1645,1646 is being marked alive.
DOT11-7-AUTH_FAILED: Station XXXX.XXXX.XXXX Authentication failed
08-18-2014 07:35 PM
Hi Najaf,
Could you please advise? Below is the debug information:
RADIUS/ENCODE: Best Local IP-Address XX.XX.XX.XX for Radius-Server XX.XX.XX.XX
RADIUS(00000C77): Send Access-Request to XX.XX.XX.XX:1645 id 1645/126, len 149
User-Name [1] 13 "XXXX"
RADIUS: Framed-MTU [12] 6 1400
RADIUS: Called-Station-Id [30] 16 "XXXX"
RADIUS: Calling-Station-Id [31] 16 "XXXX"
RADIUS: Service-Type [6] 6 Login [1]
RADIUS: Message-Authenticato[80] 18
NAS-Port-Type [61] 6 802.11 wireless [19]
RADIUS: NAS-Port [5] 6 3429
RADIUS: NAS-Port-Id [87] 6 "3429"
RADIUS: NAS-IP-Address [4] 6 XX.XX.XX.XX
RADIUS: Nas-Identifier [32] 12 "XXXX-AP-01"
RADIUS: no sg in radius-timers: ctx 0x15EBA14 sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/118
RADIUS: no sg in radius-timers: ctx 0x1505D6C sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/120
RADIUS: no sg in radius-timers: ctx 0x15F30E4 sg 0x0000
RADIUS-4-RADIUS_DEAD: RADIUS server XX.XX.XX.XX :1645,1646 is not responding.
RADIUS-4-RADIUS_ALIVE: RADIUS server XX.XX.XX.XX :1645,1646 is being marked alive.
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/126
RADIUS: no sg in radius-timers: ctx 0x116DEE8 sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/121
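An added example, not part of this thread or of any Cisco tool, showing why a RADIUS shared-secret mismatch produces exactly the pattern above: retransmits, then RADIUS_DEAD, and never a decoded reply. RFC 2869 requires a server to silently discard an Access-Request whose Message-Authenticator (attribute 80, present in the request above) fails its HMAC-MD5 check, and RFC 2865 requires the same for a request from an address that is not a configured RADIUS client; a firewall or a server listening only on 1812/1813 while the AP sends to 1645/1646 is indistinguishable from the AP's side. The script builds an Access-Request the way the AP does, verifies it the way the server does, and checks the Response Authenticator the way the NAS does. The secrets, the user name "handheld01" and the NAS address 10.0.0.5 are constructed sample values.

```python
"""Why a RADIUS secret mismatch looks like a dead server.

Builds an Access-Request carrying Message-Authenticator (attr 80) per
RFC 2869, verifies it as the server would, and checks the Response
Authenticator per RFC 2865 as the NAS would.  Pure stdlib; runs offline.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19   # the "802.11 wireless [19]" seen in debug radius


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, ident, attributes, request_auth=None):
    """Assemble an Access-Request and fill in Message-Authenticator.

    Message-Authenticator = HMAC-MD5(secret, whole packet with the attribute's
    own 16-byte value zeroed), computed with the Request Authenticator already
    in place (RFC 2869 s5.14).
    """
    request_auth = request_auth or os.urandom(16)
    body = b"".join(attributes) + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac   # last 16 bytes were the zeroed MA value


def verify_message_authenticator(packet, secret):
    """Server-side check. A mismatch is a silent discard, not an Access-Reject."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False                      # malformed: discard as well
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False   # EAP requests must carry it (RFC 3579 s3.2)


def server_handle(request, secret):
    """Toy server: None on discard (the AP sees only retransmits), else Access-Accept.

    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    """
    if not verify_message_authenticator(request, secret):
        return None
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)   # no attributes
    resp_auth = hashlib.md5(head + request[4:20] + secret).digest()
    return head + resp_auth


def verify_response(response, request, secret):
    """NAS-side check of identifier and Response Authenticator (RFC 2865 s3)."""
    if response is None or len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def simulate(nas_secret, server_secret):
    """Return what the AP observes: 'accept', 'reject', 'bad-response' or 'timeout'."""
    req = build_access_request(nas_secret, 126, [
        attr(ATTR_USER_NAME, b"handheld01"),                               # constructed
        attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),                   # assumed BVI1 IP
    ])
    resp = server_handle(req, server_secret)
    if resp is None:
        return "timeout"        # after radius-server timeout/retries: RADIUS_DEAD
    if not verify_response(resp, req, nas_secret):
        return "bad-response"   # reply dropped by the NAS; also looks like a timeout
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "bad-response")


if __name__ == "__main__":
    print("matching secret  :", simulate(b"s3cret", b"s3cret"))
    print("mismatched secret:", simulate(b"s3cret", b"wrong"))
```

If the AP log shows this pattern, compare the `radius-server key` on the AP with the ACS AAA client entry for the BVI1 address (with `ip radius source-interface BVI1` that address is what the server sees as NAS-IP-Address), confirm the server is actually listening on the ports the AP uses (1645/1646 here; many servers default to 1812/1813), and check nothing in between drops UDP to those ports. A wrong user credential, by contrast, comes back as an Access-Reject, which the AP decodes and logs rather than retransmitting.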
08-19-2014 07:15 PM
Please refer to the link: https://learningnetwork.cisco.com/thread/34542