Cisco AIR-AP1242AG setup and authentication

totusdotus
Level 1

I have one of these and I'm needing to set it up to use our dhcp server and authenticate off an IAS Radius server.

Can anyone provide some direction?  I have it in default mode.

Our local network 10.10.50.0 and our VPN is 10.10.20.0 on a Cisco ASA 5210.  Our DHCP / DNS server and Radius server are 10.10.50.90

Do I have to setup the AIR as a bridge?

Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(7)JA5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 27-Jul-07 14:03 by kehsiao

ROM: Bootstrap program is C1240 boot loader
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)

ap uptime is 21 minutes
System returned to ROM by power-on
System image file is "flash:/c1240-k9w7-mx.123-7.JA5/c1240-k9w7-mx.123-7.JA5"

The IOS seems old, do I need to upgrade this as well?

Many thanks!

Troy

6 Replies

Surendra BG
Cisco Employee

Hi,

Do I have to setup the AIR as a bridge?

"No need to set this as a bridge.. it should be a Root AP.. NOT ROOT BRIDGE.."

The below link will help you out in providing info on how to configure the AP for external auth..

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

The IOS seems old, do I need to upgrade this as well?

"Yes the IOS is not just old, it's very old" so the below link will help you out in upgrading..

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap22-trouble.html#wp1038660

Lemme know if this helps you!!

Regards

Surendra

===

Please don't forget to rate the posts which answered your question or were helpful

Regards
Surendra BG

Thank you Surendra, that was extremely helpful.

I've upgraded and am at the latest IOS version.  We are able to see the WAP and get prompted for uname and pass but still can't authenticate.

I have added EAP to the IAS Radius server policy however am getting an error stating:

Authentication-Type = EAP
EAP-Type =
Reason-Code = 22
Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

In a nutshell, I'd like for our users to be able to authenticate with their Windows AD unames and passes.  I'd also like for people to be able to connect without it though and then be prompted with a webpage explaining that this is our network and ask guests for credentials.

Cheers,

Troy

pp-wap#sh run
Building configuration...

Current configuration : 4338 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname pp-wap
!
logging rate-limit console 9
enable secret 5 $1$G097$3nd1cBPeq7VZYF1IZHAts.
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.50.90 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name personalizedprevention.com
ip name-server 10.10.50.90
!
!
dot11 syslog
!
dot11 ssid wp-wap
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
!
dot11 ids mfp distributor
dot11 ids mfp detector
dot11 ids mfp generator
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-3298881700
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3298881700
revocation-check none
rsakeypair TP-self-signed-3298881700
!
!
crypto pki certificate chain TP-self-signed-3298881700
certificate self-signed 01
  3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323938 38383137 3030301E 170D3032 30333031 30313135
  32335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32393838
  38313730 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100ADC6 CCC03F50 44F76E05 182B9F1B A9F6BA38 E7AD1922 A31C5D13 B65EDB34
  0F1360F9 25183C64 7F365DCE 9FA80E6E EB6E4D39 C450FB77 6F2D76A5 59035091
  F4EA57D3 312DEC55 443DC6B4 0754EA95 0BEB57A5 E6C8BA7B 5D68AA1C D97F54AF
  5EF0D7C0 8552A635 65B55A2F 2A7AEAA0 FE710AA0 9A47AF59 9DC64443 FF410BD9
  B0F70203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
  03551D11 04253023 82217070 2D776170 2E706572 736F6E61 6C697A65 64707265
  76656E74 696F6E2E 636F6D30 1F060355 1D230418 30168014 A2859BDF 3B23A662
  6C68591A E1C371B7 C3C0C0DD 301D0603 551D0E04 160414A2 859BDF3B 23A6626C
  68591AE1 C371B7C3 C0C0DD30 0D06092A 864886F7 0D010104 05000381 81002CBB
  92394427 4D53003D A6166FB4 A324A7D0 F4A24F60 AC30B3B1 F95A1F9D 863B081D
  54D31232 DF2FC5A5 991B1ACC C6371066 B75FEF64 320C1672 8C5005F4 A18B9C44
  0407748A D28E5575 E4882C34 D4D9397D 0841F3E0 37F27AB1 386C9540 C20FCC2F
  3F881502 EF20B17C A0D052CC 556C4E1B E7CBC3FC DADF5C82 FF4D8AA2 730F
  quit
username Cisco password 7 106D000A0618
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode wep mandatory
!
ssid wp-wap
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption mode wep mandatory
!
ssid wp-wap
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.10.50.20 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.50.1
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.50.90 auth-port 1645 acct-port 1646 key 7 100F0C0B02181D0F550A2B3F2720
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
transport output all
line vty 0 4
transport input all
transport output all
line vty 5 15
transport input all
transport output all
!
end

pp-wap#sh ver
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 09-Dec-10 15:39 by prod_rel_team

ROM: Bootstrap program is C1240 boot loader
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)

pp-wap uptime is 1 hour, 53 minutes
System returned to ROM by power-on
System image file is "flash:/c1240-k9w7-mx.124-25d.JA/c1240-k9w7-mx.124-25d.JA"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1242AG-A-K9    (PowerPCElvis) processor (revision A0) with 25590K/7168K bytes of memory.
Processor board ID FTX1330B4GD
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
2 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:24:C4:A0:F0:A4
Part Number                          : 73-9925-07
PCA Assembly Number                  : 800-26579-06
PCA Revision Number                  : A0
PCB Serial Number                    : FOC132605LV
Top Assembly Part Number             : 800-29232-02
Top Assembly Serial Number           : FTX1330B4GD
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1242AG-A-K9

Configuration register is 0xF
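As an added example (not code from this thread or from Cisco), the script below audits the autonomous-AP config posted above for the settings that explain the symptoms in the thread and prints the WPA2-Enterprise stanza that replaces them. It assumes normal `show run` indentation (the forum paste lost the leading spaces, so the embedded sample is a trimmed, re-indented copy with the RADIUS `key 7` string replaced by a placeholder). The type 7 decoder is the well-known fixed-key XOR; it is shown here on the `username Cisco` line, which recovers the factory default password. The same routine recovers any `key 7` string, which is why a RADIUS shared secret pasted into a public thread should be rotated on both the AP and the IAS client entry.

```python
"""Audit an autonomous Cisco IOS AP config for the weak settings seen in this thread."""
import re

# Fixed XOR key behind Cisco "type 7" strings: reversible obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample: a trimmed, re-indented copy of the config posted above.
# (The forum paste lost the leading spaces; 'show run' indents interface
# sub-commands one space and 'dot11 ssid' sub-commands three.) The RADIUS
# key is replaced by a placeholder so this block does not carry the real one.
SAMPLE_CONFIG = """\
hostname pp-wap
aaa new-model
aaa group server radius rad_eap
 server 10.10.50.90 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
dot11 ssid wp-wap
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
username Cisco password 7 106D000A0618
interface Dot11Radio0
 encryption mode wep mandatory
 ssid wp-wap
 station-role root
radius-server host 10.10.50.90 auth-port 1645 acct-port 1646 key 7 REDACTED
line vty 0 4
 transport input all
"""


def decode_type7(blob: str) -> str:
    """Reverse a type 7 string: 2-digit seed, then hex bytes XORed with the key."""
    seed, body = int(blob[:2]), bytes.fromhex(blob[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def sections(cfg: str):
    """Yield (top-level line, [indented sub-commands]) stanzas."""
    header, body = None, []
    for line in cfg.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body


def audit(cfg: str) -> list:
    """Return (severity, finding) pairs for the config text."""
    out = []
    for header, body in sections(cfg):
        if header.startswith("dot11 ssid "):
            name = header.split()[2]
            if not any(c.startswith("authentication key-management wpa") for c in body):
                out.append(("high", f"ssid {name}: no WPA/WPA2 key management, so the AP "
                            "logs KEY_MGMT[NONE] and derives no per-station keys from EAP"))
            if any(c.startswith("authentication network-eap") for c in body):
                out.append(("info", f"ssid {name}: network-eap is the legacy Cisco/LEAP "
                            "method; Windows PEAP supplicants use 'authentication open eap'"))
        elif header.startswith("interface Dot11Radio"):
            if any(c.startswith("encryption mode wep") for c in body):
                out.append(("high", f"{header}: WEP is broken; use "
                            "'encryption mode ciphers aes-ccm'"))
        elif header.startswith("line vty") and "transport input all" in body:
            out.append(("high", f"{header}: telnet accepted; use 'transport input ssh'"))
        elif header.startswith("radius-server host") and " key 7 " in header:
            out.append(("high", "RADIUS shared secret stored as type 7: anyone holding this "
                        "config can recover it; rotate it on the AP and on the IAS client entry"))
        m = re.match(r"username (\S+) password 7 (\S+)", header)
        if m and (m.group(1), decode_type7(m.group(2))) == ("Cisco", "Cisco"):
            out.append(("high", "factory default account Cisco/Cisco is still configured"))
        elif m:
            out.append(("info", f"username {m.group(1)}: type 7 password is reversible; "
                        "use 'username ... secret'"))
    return out


def hardened_ssid(name: str, eap_list: str) -> str:
    """WPA2-Enterprise replacement: 802.1X via the RADIUS list, AES-CCMP, WPA2 keying.
    Configure the radio cipher first; the key-management line depends on it."""
    return "\n".join([
        f"dot11 ssid {name}",
        f"   authentication open eap {eap_list}",
        "   authentication key-management wpa version 2",
        "   guest-mode",
        "!",
        "interface Dot11Radio0",
        " encryption mode ciphers aes-ccm",
        f" ssid {name}",
    ])


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    print("\nSuggested replacement:\n" + hardened_ssid("wp-wap", "eap_methods"))
```

The `guest-mode` line is kept in the replacement because on this platform it only controls whether the SSID is broadcast in beacons; the weak parts are the WEP cipher and the missing WPA2 key management, which is what the `KEY_MGMT[NONE]` in the AP log is reporting.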

Did we configure the corresponding configurations on the IAS as well?? What type of EAP are we trying to configure?

Regards
Surendra

Regards
Surendra BG

I'm assuming that EAP-PEAP is what would be best practice in this case considering we are using Microsoft AD accounts and IAS Radius as the authentication server.

Here is a reference: http://articles.techrepublic.com.com/5100-10878_11-6148579.html

Below is the latest event log from the IAS server:

User troy.perkins was denied access.
Fully-Qualified-User-Name = PersonalizedPrevention.local/MyBusiness/Users/SBSUsers/Troy Perkins
NAS-IP-Address = 10.10.50.20
NAS-Identifier = pp-wap
Called-Station-Identifier = 0026.0aef.3e60
Calling-Station-Identifier = 0023.1546.4680
Client-Friendly-Name = PP-WAP
Client-IP-Address = 10.10.50.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 367
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Wi-Fi Access
Authentication-Type = PEAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Not sure why EAP-Type is showing as undetermined.  Would this be a config issue on the AP side or IAS side?  The reason it gives as unknown user may be a group policy issue.  Looking into it now.  More later.

Yes, that's right!! The link which I provided has the configurations that are supposed to be done on the AP and on the server as well, but with ACS.. Here is the link which gives you the example config using IAS and PEAP.. search for IAS and you will find it..

http://www.dweezlenation.com/

Regards

Surendra

===

Please don't forget to rate the post which answered your question or was helpful

Regards
Surendra BG

OK, getting closer.  It seems the groups added on the IAS were not correct.  I added Domain Users and Domain Computers.  Now our laptops are logging on with no authentication needed (not sure if that's good).

Any ideas as to what is causing these KEY_MGMT notices below?

*Mar  1 23:04:54.691: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:05:43.712: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:05:47.734: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:05:54.273: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:05:54.684: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:05:57.845: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:06:21.615: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:07:03.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:07:04.081: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:08:33.745: %DOT11-4-MAXRETRIES: Packet to client 0023.1546.4680 reached max retries, removing the client
*Mar  1 23:08:33.745: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Previous authentication no longer valid
*Mar  1 23:08:33.752: %DOT11-4-MAXRETRIES: Packet to client 0023.1546.4680 reached max retries, removing the client
*Mar  1 23:08:34.905: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:08:44.578: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:08:45.455: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:09:27.073: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:09:27.488: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:09:58.523: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS

Those that have logged on can see our intranet and get outside to the internet now.
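As an added example, not part of the thread, here is a small triage script for the two kinds of evidence posted above: the AP's `%DOT11-6-ASSOC` / `%DOT11-6-DISASSOC` / `%DOT11-4-MAXRETRIES` syslog lines and the IAS event text. The sample lines are constructed in the thread's format (the `TEST-PC` lines mirror the posted ones; the `LAPTOP-2` / `KEY_MGMT[WPAv2]` line and the `alice` user are invented to show the healthy case). The Reason-Code meanings are the two that the IAS events quoted on this page state. It assumes that the KEY_MGMT value in the ASSOC message is the key management negotiated on that SSID, so `NONE` means no WPA/WPA2 keying regardless of whether the 802.1X exchange succeeded.

```python
"""Triage autonomous-AP %DOT11 syslog lines and IAS event text from a failing 802.1X SSID."""
import re
from collections import defaultdict

ASSOC_RE = re.compile(r"%DOT11-6-ASSOC: Interface (\S+), Station (\S+) ([0-9a-f.]{14}) "
                      r"Associated KEY_MGMT\[(\w+)\]")
DISASSOC_RE = re.compile(r"%DOT11-6-DISASSOC: Interface (\S+), Deauthenticating Station "
                         r"([0-9a-f.]{14}) Reason: (.+)")
MAXRETRIES_RE = re.compile(r"%DOT11-4-MAXRETRIES: Packet to client ([0-9a-f.]{14})")

# Meanings of the two Reason-Codes quoted in the IAS events on this page.
REASON_CODES = {16: "unknown user name or incorrect password",
                22: "EAP type cannot be processed by the server"}

# Constructed sample in the thread's log format. TEST-PC lines mirror the posted
# ones; the LAPTOP-2 / KEY_MGMT[WPAv2] line is invented to show a healthy client.
AP_LOG = """\
*Mar  1 23:04:54.691: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:05:43.712: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:05:47.734: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:05:54.273: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Sending station has left the BSS
*Mar  1 23:05:54.684: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TEST-PC 0023.1546.4680 Associated KEY_MGMT[NONE]
*Mar  1 23:08:33.745: %DOT11-4-MAXRETRIES: Packet to client 0023.1546.4680 reached max retries, removing the client
*Mar  1 23:08:33.745: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.1546.4680 Reason: Previous authentication no longer valid
*Mar  1 23:10:02.100: %DOT11-6-ASSOC: Interface Dot11Radio0, Station LAPTOP-2 0011.2233.4455 Associated KEY_MGMT[WPAv2]
"""

# Constructed IAS event in the page's "Name = value" layout (user and domain invented).
IAS_EVENT = """\
User alice was denied access.
Fully-Qualified-User-Name = example.local/Users/alice
NAS-IP-Address = 10.10.50.20
Policy-Name = Wi-Fi Access
Authentication-Type = PEAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""


def parse_ap_log(text: str) -> list:
    """Return one dict per recognised %DOT11 line (other lines are skipped)."""
    events = []
    for line in text.splitlines():
        if m := ASSOC_RE.search(line):
            events.append({"type": "assoc", "station": m.group(3), "name": m.group(2),
                           "key_mgmt": m.group(4)})
        elif m := DISASSOC_RE.search(line):
            events.append({"type": "disassoc", "station": m.group(2), "reason": m.group(3)})
        elif m := MAXRETRIES_RE.search(line):
            events.append({"type": "maxretries", "station": m.group(1)})
    return events


def station_report(events: list) -> dict:
    """Per station: association churn plus the key management the AP actually negotiated."""
    rep = defaultdict(lambda: {"assoc": 0, "disassoc": 0, "maxretries": 0,
                               "key_mgmt": set(), "findings": []})
    for ev in events:
        r = rep[ev["station"]]
        r[ev["type"]] += 1
        if ev["type"] == "assoc":
            r["key_mgmt"].add(ev["key_mgmt"])
    for r in rep.values():
        if "NONE" in r["key_mgmt"]:
            r["findings"].append("KEY_MGMT[NONE]: no WPA/WPA2 key management on this SSID, "
                                 "so EAP success yields no per-station keys")
        if r["assoc"] >= 3:
            r["findings"].append(f"{r['assoc']} associations in the window: client is flapping")
    return dict(rep)


def parse_ias_event(text: str) -> dict:
    """Split 'Name = value' lines; a bare 'Name =' becomes an empty string."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            fields[k.strip()] = v.strip()
    return fields


def triage_ias(fields: dict) -> list:
    """Map the IAS reject to the next check to make."""
    notes = []
    code = int(fields.get("Reason-Code", -1))
    notes.append(f"Reason-Code {code}: {REASON_CODES.get(code, 'not covered here')}")
    if code == 22:
        notes.append("enable PEAP (EAP-MSCHAP v2 inner) in the IAS remote access policy and "
                     "set the client to the same type")
    if code == 16:
        notes.append("check the account's password and that its group is one the policy allows")
    if fields.get("Authentication-Type") == "PEAP" and fields.get("EAP-Type") == "":
        notes.append("EAP-Type is blank: IAS recorded no inner method; confirm PEAP with "
                     "EAP-MSCHAP v2 on both the policy and the client")
    return notes


if __name__ == "__main__":
    for sta, r in station_report(parse_ap_log(AP_LOG)).items():
        print(sta, r["assoc"], "assoc", r["disassoc"], "disassoc", sorted(r["key_mgmt"]), r["findings"])
    print(triage_ias(parse_ias_event(IAS_EVENT)))
```

Run against the lines posted above, the report flags the test laptop twice: it keeps associating with `KEY_MGMT[NONE]`, and it re-associates many times in a few minutes. The first finding is a configuration fact about the SSID rather than a client fault; the second is what a client does when it cannot keep a usable session, and is worth re-checking once the SSID has WPA2 key management and an AES cipher.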
