Bridge with 802.1X ACS Authentication

MatniBassam
Level 1

Hi,

Guys, I've been trying to authenticate a non-root bridge to a root using 802.1x with ACS authentication, but with no luck.

I can see correct authentication but I keep on receiving the following error:

DOT1X_SHIM-3-PLUMB_KEY_ERR: Unable to plumb keys - Eap key struct is NULL

Any ideas!!

Thanks!!

Below the configs:

Non-Root:

========

aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.240.50 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid EAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   dot1x credentials PEAP
   dot1x eap profile PEAP
   guest-mode
   infrastructure-ssid
!
eap profile PEAP
method md5
!
!
!
dot1x credentials PEAP
username test
password 7 08116C5D1A0E550516
anonymous-id test
!
username Cisco password 7 096F471A1A0A
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 53AC1681DE3E transmit-key
encryption mode wep mandatory
!
ssid EAP
!
antenna transmit right-a
antenna receive right-a
parent 1 001b.2ba4.3ef0
parent timeout 65535
station-role workgroup-bridge
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.240.242 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 32 include-in-accounting-req format %h
radius-server host 192.168.240.50 auth-port 1812 acct-port 1813 key 7 05080F1C2243
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!

Root:

====

!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.240.50 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid EAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
!
!
!
username Cisco password 7 1531021F0725
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 F3AC1681DE3E transmit-key
encryption mode wep mandatory
!
ssid EAP
!
antenna transmit right-a
antenna receive right-a
channel 2412
station-role root bridge wireless-clients
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.240.30 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 32 include-in-accounting-req format %h
radius-server host 192.168.240.50 auth-port 1645 acct-port 1646 key 7 110A1016141D
radius-server host 192.168.240.50 auth-port 1812 acct-port 1813 key 7 104D000A0618
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
!


Tiago Antunes (Accepted Solution)
Cisco Employee

Hi,

I see some confusion on the ssid configuration and dot11 interface...

Typically in a root/non-root bridge setup, one device is the root and the other is the non-root.

You may want to try this config on your setup, I am attaching.

In this example I have FAST as the EAP method, but if you want to use MD5, simply replace it.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Tiago,

Thanks for your reply,

Your config is the same as mine but with EAP-FAST instead of MD5. Can you tell me what IOS you're using, because it's still giving me the same error.

Thanks!!

Tiago Antunes
Cisco Employee

Hi,

I am sorry but it is not the same...as mine is working and yours not...

And honestly it isn't due to the IOS version.

On your configuration you are putting together EAP-MD5 and static WEP...which will not work for sure...

The error message that you are seeing is due to the fact that EAP-MD5 does not handle the session keys.

You have to decide what you want exactly...

If you want to use static wep, you cannot use EAP-MD5.

If you want to use an EAP method, you need to use dynamic WEP with PEAP or EAP-FAST.

So to make it work you have 3 options, even though I would not recommend usage of WEP as it is the weakest security method...WPA is much better. Anyway here are your options:

1 - Make a static wep config:

ROOT and NON-ROOT config are exactly the same:

...

!
dot11 ssid EAP
   authentication open
   guest-mode
   infrastructure-ssid
!

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 53AC1681DE3E transmit-key
encryption mode wep mandatory

...

2 - Make a dynamic wep config:

NON-ROOT

...

!
dot11 ssid EAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   dot1x credentials PEAP
   dot1x eap profile PEAP
   guest-mode
   infrastructure-ssid
!
eap profile PEAP
method PEAP
!
!
!
dot1x credentials PEAP
username test
password 7 08116C5D1A0E550516
anonymous-id test
!

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers wep128
encryption mode wep mandatory
!

...

ROOT

...

!

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers wep128
encryption mode wep mandatory
!

...

3 - Or simply configure your devices with the sample configuration I sent. BTW, the security settings on my sample are WPA-AES with EAP-FAST, which is one of the most secure and fast methods.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
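An added example, not from this thread or from Cisco: a small Python lint that reads an IOS dot11 config the way the reply above reasons about it and flags the two mismatches described (an SSID whose 802.1X supplicant profile uses EAP-MD5, which yields no session keys for the key plumbing, and 802.1X paired with a static WEP key instead of dynamic WEP). The sample config is constructed from the non-root config in this thread, and the header/indent block parsing is an assumption about the config layout, not a Cisco tool.

```python
import re
# Constructed sample modelled on the thread's non-root config (not a real device dump).
SAMPLE_BAD = """\
dot11 ssid EAP
   dot1x eap profile PEAP
!
eap profile PEAP
 method md5
!
interface Dot11Radio0
 encryption key 1 size 40bit 7 53AC1681DE3E transmit-key
 encryption mode wep mandatory
 ssid EAP
"""


def parse_blocks(text):  # -> [(header, [indented lines])]; '!' and blank lines are skipped
    blocks = []
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(cmd)   # indented: belongs to the current block
        else:
            blocks.append((cmd, []))    # unindented: new top-level command or block
    return blocks


def check_config(text):
    """Return findings for the EAP/WEP mismatches described above (empty list = clean)."""
    blocks = parse_blocks(text)
    methods, ssid_profile = {}, {}  # eap profile -> methods; ssid -> supplicant eap profile
    for header, body in blocks:
        if m := re.match(r"eap profile (\S+)", header):
            methods[m[1]] = {c.split()[1].lower() for c in body if c.startswith("method ")}
        elif m := re.match(r"dot11 ssid (\S+)", header):
            for c in body:
                if p := re.match(r"dot1x eap profile (\S+)", c):
                    ssid_profile[m[1]] = p[1]
    findings = []
    for header, body in (b for b in blocks if b[0].startswith("interface Dot11Radio")):
        static_key = any(c.startswith("encryption key ") for c in body)
        dynamic_wep = any(c.startswith("encryption mode ciphers") for c in body)
        for ssid in (c.split()[1] for c in body if c.startswith("ssid ")):
            used = methods.get(ssid_profile.get(ssid), set())
            if "md5" in used:  # MD5 yields no keying material, so key plumbing fails
                findings.append(f"{header}/{ssid}: EAP-MD5 derives no session keys; use PEAP or EAP-FAST")
            elif used and static_key and not dynamic_wep:
                findings.append(f"{header}/{ssid}: 802.1X with a static WEP key; use 'encryption mode ciphers wep128'")
    return findings
```

Running check_config(SAMPLE_BAD) reports the EAP-MD5 finding; swapping in method peap and the option-2 dynamic WEP lines returns an empty list.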

Hi Tiago,

It's only working when I remove the following from the SSID on the non-root AP:

   authentication open eap eap_methods

knowing that I can see successful authentication on the ACS or IAS server, I tried it with both.

Thanks for the help!!
