AP problem Cisco aironet 1040

htennapel
Beginner

I have a Cisco Aironet 1040.

On my access point I have 2 VLANs: 1 for my wifi phones and 1 for my network.

Wifi LAN has the SSID LAN with WPA enterprise authentication to a RADIUS server (MS Server 2008).

Wifi Phone has SSID PHONE and VLAN 50 with local RADIUS authentication.

This all works fine, except when I enable AP for my wifi phones.

When AP is enabled, the authentication for my LAN doesn't go to my server but local.

How do I configure my access points so that the Cisco phones use the local RADIUS server with AP and my Windows computers connect using the MS RADIUS server?

Hope someone can help.

Attached is my current config.

Stephen Rodriguez
Cisco Employee

aaa group server radius rad_eap
 server auth-port 1645 acct-port 1646
!
aaa group server radius WDS-AUTH
 server auth-port 1812 acct-port 1813
!
aaa group server radius VOICE-AUTH
 server auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap

Both of the SSIDs are calling eap_methods. What you need to do is configure another aaa authentication line:

**aaa authentication login phone_method group VOICE-AUTH**

then call that as your network-eap:

dot11 ssid VOICE
   vlan 50
   authentication network-eap **phone_method**
   authentication key-management cckm

Change/add the lines between the **.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered
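
An added example, not part of the original post or of Cisco's tooling: a Python check that traces which AAA source each SSID's `authentication network-eap` line resolves to and reports method lists shared by more than one SSID. The sample configs and server addresses are constructed, the function names are hypothetical, and it assumes sub-commands are indented as in `show running-config` output.

```python
import re
from collections import defaultdict

# Constructed sample of the "before" state: both SSIDs name eap_methods.
# Server addresses are documentation placeholders, not from the thread.
BEFORE = """\
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa group server radius VOICE-AUTH
 server 192.0.2.20 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid LAN
 authentication network-eap eap_methods
dot11 ssid VOICE
 vlan 50
 authentication network-eap eap_methods
"""
# Constructed "after" state: the two changes suggested in the reply above.
AFTER = BEFORE.replace(
    "login eap_methods group rad_eap\n",
    "login eap_methods group rad_eap\n"
    "aaa authentication login phone_method group VOICE-AUTH\n",
).replace(" vlan 50\n authentication network-eap eap_methods",
          " vlan 50\n authentication network-eap phone_method")


def ssid_auth_paths(config):
    """Map each SSID to (method list, sources that list resolves to)."""
    lists, chosen, ssid = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            # "group X" is a RADIUS server group; "local" stays on the AP
            lists[m.group(1)] = m.group(2).replace("group ", "").split()
        elif raw.startswith("dot11 ssid "):
            ssid = line.split()[2]
        elif not raw.startswith(" "):
            ssid = None  # any other top-level command ends the SSID block
        elif ssid and (m := re.match(r"authentication network-eap (\S+)", line)):
            chosen[ssid] = m.group(1)
    # An empty source list means the SSID names an undefined method list.
    return {s: (name, lists.get(name, [])) for s, name in chosen.items()}


def shared_method_lists(paths):
    """Method lists used by more than one SSID, the condition in the thread."""
    users = defaultdict(list)
    for ssid, (name, _sources) in paths.items():
        users[name].append(ssid)
    return {name: ssids for name, ssids in users.items() if len(ssids) > 1}
```
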


Steve,

Thanks for your help!

We changed the config to your example, but the Windows client can't connect to the network.

There is no authentication with the authentication server.

A wireless Cisco phone connects correctly to the voice SSID.

Somehow the Windows client does not connect to the “ms radius server” for authentication.

Debugging Station 38e7.d8d3.3b0a Authentication failed

Can you post your current config?

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Steve,

Attached is the config file.

OK, so config2 matches config1 with the exception of the SSID names, which shouldn't matter. If the client could connect before, it should still be connecting now, unless you were matching on the SSID name in the AAA server.

Can you take a look at the eventvwr of the NPS and see what the System log says when the device failed to connect?

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered


Hello Steve,

I am sorry that was the wrong config file.

Hereby the correct one.

Problem is, when wlccp is configured, the client / ap never reaches the server.

Try doing a:

no aaa authentication default local

and see if that allows everything to work as it should.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered


Hello Steve,

I tried what you told,

but I still get the error "Station 001c.bf69.65d5 Authentication failed" for my Windows clients.

What does your NPS say is the reason for the failure?

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Steve,

Nothing, the client doesn't reach the NPS server so there is no logging on the NPS server.

Stephen Rodriguez