2086 Views
0 Helpful
9 Replies

MAC authentication

Hi all, I am having trouble configuring client connections through MAC address filtering on a Cisco AIR-LAP1242G-A-K9 access point. The problem is with the SSID COCAFEM; the other one works. Here is the device configuration:

AP-Prueba-1#sh run
Building configuration...

Current configuration : 3718 bytes
!
! Last configuration change at 12:31:48 Arg Wed Apr 17 2013 by CISCO
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-Prueba-1
!
logging console informational
enable secret 5 $1$H7f0$iNAkWbwwO3/bkUu6e.T2M1
!
aaa new-model
!
!
aaa group server radius rad_eap2
server 10.122.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods2 group rad_eap2
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone Arg -3
ip domain name sa
!
!
!
dot11 ssid COCAFEM
   vlan 11
   authentication open mac-address 703
   mbssid guest-mode
!
dot11 ssid femsawl
   vlan 10
   authentication open eap eap_methods2
   authentication network-eap eap_methods2
   authentication key-management wpa
   mbssid guest-mode
!
dot11 network-map
dot11 arp-cache
power inline negotiation prestandard source
!
!
username Cisco password 7 0802455D0A16
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 11 mode ciphers aes-ccm tkip
!
ssid COCAFEM
!
ssid femsawl
!
mbssid
channel least-congested 2417 2427 2442
station-role root
beacon dtim-period 1
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 252
bridge-group 252 subscriber-loop-control
bridge-group 252 block-unknown-source
no bridge-group 252 source-learning
no bridge-group 252 unicast-flooding
bridge-group 252 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed auto
full-duplex
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 252
no bridge-group 252 source-learning
bridge-group 252 spanning-disabled
!
interface BVI1
ip address 10.122.3.214 255.255.255.128
no ip route-cache
!
ip default-gateway 10.122.3.250
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging source-interface BVI1
access-list 703 permit 0022.5783.5dec   0000.0000.0000
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.122.0.1 auth-port 1812 acct-port 1813 key 7 0022160B175A5A545C
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
logging synchronous
line vty 0 4
!
sntp server 207.169.88.1
end
AP-Prueba-1#

9 REPLIES

bzendeja
Cisco Employee

Hello Leandro,

In the command "authentication open mac-address 703" you are passing ACL 703 as the parameter, and that is not supported. What you have to pass as the parameter is an AAA authentication list. More information at this link:

http://www.cisco.com/en/US/partner/docs/wireless/access_point/12.4_10b_JA/command/reference/cr12410b-chap2.html#wp2448564

You define list names for MAC addresses and EAP using the aaa authentication login command. These lists define the authentication methods activated when a user logs in and indirectly identify the location where the authentication information is stored.

To build this configuration you can use the local RADIUS server that the AP has:

http://www.cisco.com/en/US/partner/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap9-localauth.html

An example configuration could be the following:

aaa group server radius MAC_Auth
 server 10.10.10.10 auth-port 1812 acct-port 1813
!
aaa authentication login MAC_Method group MAC_Auth
aaa session-id common
!
interface Dot11Radio0
 !
 ssid myssid
    vlan 1
    authentication open mac-address MAC_Method
!
ip radius source-interface BVI1
!
radius-server local
  nas 10.10.10.10 key mykey
  user 123456789111 password 123456789111
!
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key mykey

Or you can also try local user authentication:

aaa authentication login mac_methods local

username  password 
username  autocommand exit

 ssid junk2
  authentication open mac-address mac_methods

Let me know if this works for you.

Regards,

Bernardo

Thanks Bernardo for your help, but I have to tell you that it did not work either. It keeps rejecting the connection.

Regards.

Hello Leandro,

Did you try both options? What version is your AP running? Can you attach the two configurations you used for the tests? It would be good to enable some AAA debugs to see why it is rejecting the request. The links I sent you include the debug commands for viewing that information.

Regards,

Bernardo

Hello Bernardo, here is the configuration the device ended up with:

AP-Prueba-1#
AP-Prueba-1#sh run
Building configuration...

Current configuration : 4131 bytes
!
! Last configuration change at 09:09:38 Arg Thu Apr 25 2013 by cisco
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-Prueba-1
!
logging console informational
enable secret 5 $1$H7f0$iNAkWbwwO3/bkUu6e.T2M1
!
aaa new-model
!
!
aaa group server radius rad_eap2
server 10.122.0.1 auth-port 1812 acct-port 1813
!
aaa group server radius MAC_Auth
server 10.10.10.10 auth-port 1812 acct-port 1813
!
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods2 group rad_eap2
aaa authentication login MAC_Method group MAC_Auth
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone Arg -3
ip domain name sa
!
!
!
dot11 ssid COCAFEM
   vlan 11
   authentication open mac-address MAC_Method
   mbssid guest-mode
!
dot11 ssid femsawl
   vlan 10
   authentication open eap eap_methods2
   authentication network-eap eap_methods2
   authentication key-management wpa
   mbssid guest-mode
!
dot11 network-map
dot11 arp-cache
power inline negotiation prestandard source
!
!
username Cisco password 7 0802455D0A16
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 11 mode ciphers aes-ccm tkip
!
ssid COCAFEM
!
ssid femsawl
!
mbssid
channel least-congested 2417 2427 2442
station-role root
beacon dtim-period 1
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 252
bridge-group 252 subscriber-loop-control
bridge-group 252 block-unknown-source
no bridge-group 252 source-learning
no bridge-group 252 unicast-flooding
bridge-group 252 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed auto
full-duplex
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 252
no bridge-group 252 source-learning
bridge-group 252 spanning-disabled
!
interface BVI1
ip address 10.122.3.214 255.255.255.128
no ip route-cache
!
ip default-gateway 10.122.3.250
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging source-interface BVI1
access-list 703 permit 0022.5783.5dec   0000.0000.0000
radius-server local
  nas 10.10.10.10 key 7 060B162A4957
  user 0022.5783.5dec nthash 7 055D235A706968283F54424B2F595D7A09737017130342514F215706000D0B042B
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.122.0.1 auth-port 1812 acct-port 1813 key 7 0022160B175A5A545C
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 05061F042455
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
logging synchronous
line vty 0 4
!
sntp server 207.169.88.1
end
AP-Prueba-1#

I did try both options and neither of them worked. Here is the show version of the device:

AP-Prueba-1#sh ver
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(10b)JDA3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sun 07-Jun-09 04:13 by prod_rel_team

ROM: Bootstrap program is C1240 boot loader
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)

AP-Prueba-1 uptime is 2 days, 22 hours, 49 minutes
System returned to ROM by power-on
System restarted at 10:32:18 Arg Mon Apr 22 2013
System image file is "flash:/c1240-k9w7-mx.124-10b.JDA3/c1240-k9w7-mx.124-10b.JDA3"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-LAP1242G-A-K9    (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
Processor board ID FTX1216B17H
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:1E:BE:25:7C:CA
Part Number                          : 73-11567-01
PCA Assembly Number                  : 800-30151-01
PCA Revision Number                  : A0
PCB Serial Number                    : FOC121137ZX
Top Assembly Part Number             : 800-29588-02
Top Assembly Serial Number           : FTX1216B17H
Top Revision Number                  : A0
Product/Model Number                 : AIR-LAP1242G-A-K9

Configuration register is 0xF

AP-Prueba-1#

Hello Leandro,

You used the IP 10.10.10.10; that IP was only illustrative for the example. Instead of that IP you have to use the IP configured on your Access Point (10.122.3.214). Can you change this parameter everywhere it appears and try again?

Regards,

Bernardo

Hello Bernardo, I changed it, but it still rejects me.

Regards.

Hello Leandro, can you share your configuration? Another error you have is that you configured the user with a different format:

user 0022.5783.5dec nthash 7

You can change it to:

user 002257835dec password 002257835dec

To add a client device for MAC-based authentication, enter the client MAC address as both the username and password. Enter 12 hexadecimal digits without a dot or dash between the numbers as the username and the password. For example, for the MAC address 0009.5125.d02b, enter

00095125d02b

as both the username and the password.

Regards,

Bernardo


Bernardo, here is the configuration:

AP-Prueba-1#sh run
Building configuration...

Current configuration : 4146 bytes
!
! Last configuration change at 08:45:01 Arg Mon Apr 29 2013 by cisco
! NVRAM config last updated at 08:45:03 Arg Mon Apr 29 2013 by cisco
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-Prueba-1
!
logging console informational
enable secret 5 $1$H7f0$iNAkWbwwO3/bkUu6e.T2M1
!
aaa new-model
!
!
aaa group server radius rad_eap2
server 10.122.0.1 auth-port 1812 acct-port 1813
!
aaa group server radius MAC_Auth
server 10.122.3.214 auth-port 1812 acct-port 1813
!
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods2 group rad_eap2
aaa authentication login MAC_Method group MAC_Auth
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone Arg -3
ip domain name sa
!
!
!
dot11 ssid COCAFEM
   vlan 11
   authentication open mac-address MAC_Method
   mbssid guest-mode
!
dot11 ssid femsawl
   vlan 10
   authentication open eap eap_methods2
   authentication network-eap eap_methods2
   authentication key-management wpa
   mbssid guest-mode
!
dot11 network-map
dot11 arp-cache
power inline negotiation prestandard source
!
!
username Cisco password 7 0802455D0A16
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 11 mode ciphers aes-ccm tkip
!
ssid COCAFEM
!
ssid femsawl
!
mbssid
channel least-congested 2417 2427 2442
station-role root
beacon dtim-period 1
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 252
bridge-group 252 subscriber-loop-control
bridge-group 252 block-unknown-source
no bridge-group 252 source-learning
no bridge-group 252 unicast-flooding
bridge-group 252 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed auto
full-duplex
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 252
no bridge-group 252 source-learning
bridge-group 252 spanning-disabled
!
interface BVI1
ip address 10.122.3.214 255.255.255.128
no ip route-cache
!
ip default-gateway 10.122.3.250
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging source-interface BVI1
radius-server local
  nas 10.122.3.214 key 7 141A0B00091D
  user 002257835dec nthash 7 115B3F55454A5D54217D72717F166401422144512707007D70705B5339417A7C06
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.122.0.1 auth-port 1812 acct-port 1813 key 7 0022160B175A5A545C
radius-server host 10.122.3.214 auth-port 1812 acct-port 1813 key 7 070238474B10
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
logging synchronous
line vty 0 4
!
sntp server 207.169.88.1
end
AP-Prueba-1#

Regards.
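The three configuration mistakes that the replies above work through (an ACL number where an AAA login list name belongs, the placeholder 10.10.10.10 used instead of the AP's own BVI1 address for the local RADIUS server, and a dotted MAC with an nthash entry instead of the undotted MAC as both username and password) are mechanical enough to check before pasting a config into the AP. The Python script below is an added example for this thread; it is not Cisco's code and was not posted by either participant. It parses only the lines the checks need, tracking context by keyword because pasted configs (like the ones above) usually lose their indentation. The three sample configs embedded in it are constructed, abbreviated versions of the thread's posts; `mykey` is the value from Bernardo's example, and the script assumes, as the thread does, that `radius-server local` is the server behind MAC authentication.

```python
"""Lint the MAC-auth pieces of a Cisco IOS autonomous-AP config. Added example for
this thread (not Cisco's code, not posted by the participants): it checks the three
points raised in the answers (AAA list, not ACL; AP's own IP as RADIUS; MAC as 12
hex digits for both username and password)."""
import re

MAC12 = re.compile(r"^[0-9a-fA-F]{12}$")


def parse_ap_config(text):
    """Collect what the checks need, tracking context by keyword, not indentation."""
    cfg = {"login_lists": {}, "ssid_mac": {}, "groups": {}, "nas": set(),
           "users": [], "bvi_ip": None, "local_radius": False}
    ssid = group = iface = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["dot11", "ssid"] or tok[0] == "ssid":
            ssid = tok[-1]
        elif tok[:4] == ["aaa", "group", "server", "radius"]:
            group = tok[4]
            cfg["groups"][group] = []
        elif tok[0] == "server" and group:
            cfg["groups"][group].append(tok[1])
        elif tok[:3] == ["aaa", "authentication", "login"]:
            # list name -> RADIUS group name (None for 'local' and similar)
            grp = tok[tok.index("group") + 1] if "group" in tok[:-1] else None
            cfg["login_lists"][tok[3]] = grp
        elif tok[:3] == ["authentication", "open", "mac-address"] and ssid:
            cfg["ssid_mac"][ssid] = tok[3]
        elif tok[:2] == ["radius-server", "local"]:
            cfg["local_radius"] = True
        elif tok[0] == "nas":
            cfg["nas"].add(tok[1])
        elif tok[0] == "user":  # user NAME password|nthash [7] VALUE
            cfg["users"].append((tok[1], tok[2], tok[3:]))
        elif tok[0] == "interface":
            iface = tok[1]
        elif tok[:2] == ["ip", "address"] and iface == "BVI1":
            cfg["bvi_ip"] = tok[2]
    return cfg


def check_mac_auth(text):
    """Return a list of findings (empty = all three checks pass)."""
    cfg, out = parse_ap_config(text), []
    for ssid, arg in cfg["ssid_mac"].items():
        if arg not in cfg["login_lists"]:
            why = "an access-list number" if arg.isdigit() else "not defined"
            out.append(f"ssid {ssid}: mac-address argument '{arg}' is {why}; it must name an 'aaa authentication login' list")
        else:
            grp = cfg["login_lists"][arg]
            for ip in cfg["groups"].get(grp, []):
                if cfg["local_radius"] and ip != cfg["bvi_ip"]:
                    out.append(f"ssid {ssid}: group {grp} points at {ip}, but with radius-server local the server is the AP itself ({cfg['bvi_ip']})")
    for ip in cfg["nas"]:
        if ip != cfg["bvi_ip"]:
            out.append(f"nas {ip} is not the AP's BVI1 address {cfg['bvi_ip']}")
    for name, method, rest in cfg["users"]:
        if not MAC12.match(name):
            out.append(f"user {name}: username must be the MAC as 12 hex digits, no dots or dashes")
        if method != "password":
            out.append(f"user {name}: uses {method}; enter the MAC as both username and password")
        elif rest and rest[0] != "7" and rest[0] != name:  # type-7 values cannot be compared
            out.append(f"user {name}: password must equal the username")
    return out


# Constructed, abbreviated versions of the configs posted in the thread.
FIRST_TRY = """\
dot11 ssid COCAFEM
   authentication open mac-address 703
access-list 703 permit 0022.5783.5dec   0000.0000.0000
"""
SECOND_TRY = """\
aaa group server radius MAC_Auth
server 10.10.10.10 auth-port 1812 acct-port 1813
aaa authentication login MAC_Method group MAC_Auth
dot11 ssid COCAFEM
   authentication open mac-address MAC_Method
interface BVI1
ip address 10.122.3.214 255.255.255.128
radius-server local
  nas 10.10.10.10 key 7 060B162A4957
  user 0022.5783.5dec nthash 7 055D235A706968283F54424B2F595D7A09737017130342514F215706000D0B042B
"""
# The form the answers converge on: AP as its own RADIUS server, undotted MAC as user and password.
CORRECTED = """\
aaa group server radius MAC_Auth
server 10.122.3.214 auth-port 1812 acct-port 1813
aaa authentication login MAC_Method group MAC_Auth
dot11 ssid COCAFEM
   authentication open mac-address MAC_Method
interface BVI1
ip address 10.122.3.214 255.255.255.128
radius-server local
  nas 10.122.3.214 key mykey
  user 002257835dec password 002257835dec
"""
```

Calling `check_mac_auth(FIRST_TRY)` reports the ACL-number mistake, `check_mac_auth(SECOND_TRY)` reports the 10.10.10.10 group server and nas entries plus the dotted nthash user, and `check_mac_auth(CORRECTED)` returns an empty list. Type-7 encrypted values are deliberately not decoded; the script only confirms that the `password` form is used and, when the value is in clear text, that it equals the username.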