I don't understand wds authentication. Please Help.

gwcrook
Level 1

I am trying to perform MAC-address authentication before allowing connection to an SSID on vlan 85. The client equipment (InFocus LiteShow) is dumb and cannot perform any type of login function. The AP1200 carrying the SSID and vlan has registered with the WDS and has been validated with ACS 3.3.

WLSE (2.7.1) can manage the AP and WDS. All APs are 1200s with 12.2(15)JA.

sh dot11 assoc client returns

MAC Address     IP address  Device  Name  Parent  state
0002.b3d0.0b20  0.0.0.0     -       -     self    AAA_Auth
0002.b3e1.4ee1  0.0.0.0     -       -     self    AAA_Auth

Does this mean the LiteShow MAC has been authenticated?

If I change the authentication method to open on the same AP the LiteShow receives an IP from the DHCP server, but it doesn't when authentication is set to open with MAC. Does this mean the LiteShow is being denied access to the SSID?

Below are what I think are the relevant portions of the AP1200 config.

aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad-mac
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login mac-methods group rad_mac
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 aaa csid unformatted
dot11 network-map
dot11 arp-cache optional
no dot11 igmp snooping-helper
iapp standby timeout 5
iapp standby poll-frequency 1
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 76 key 1 size 128bit 7 xxxx transmit-key
 encryption vlan 76 mode wep mandatory
 !
 encryption vlan 79 key 1 size 128bit 7 xxxx transmit-key
 encryption vlan 79 mode wep mandatory
 !
 ssid Augusta_Infrastructure
    vlan 3
    authentication open
    mobility network-id 3
 !
 ssid Faculty
    vlan 76
    authentication open
    authentication network-eap eap_methods
    mobility network-id 76
 !
 ssid Staff
    vlan 75
    authentication open
    mobility network-id 75
 !
 ssid Student
    vlan 79
    authentication open eap eap_methods
    authentication network-eap eap_methods
    mobility network-id 79
 !
 ssid Thomson
    vlan 80
    authentication open
    mobility network-id 80
 !
 ssid VOIP
    vlan 77
    authentication open
    mobility network-id 77
 !
 ssid WaveLAN Network
    vlan 78
    authentication open
    guest-mode
    mobility network-id 78
 !
 ssid WiFi Projectors
    vlan 85
    authentication open mac-address mac_methods
    mobility network-id 85
!
interface Dot11Radio0.85
 encapsulation dot1Q 85
 no ip route-cache
 bridge-group 85
 bridge-group 85 subscriber-loop-control
 bridge-group 85 block-unknown-source
 no bridge-group 85 source-learning
 no bridge-group 85 unicast-flooding
 bridge-group 85 spanning-disabled
!
interface FastEthernet0.85
 encapsulation dot1Q 85
 no ip route-cache
 bridge-group 85
 no bridge-group 85 source-learning
 bridge-group 85 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
wlccp ap username xxxxxxxxxx password xxxxx
!

If anyone can point me in the right direction I would appreciate it. I have read all the articles about this I can find and none of them have explained it in a way that I comprehend.

10 Replies

dcavanaugh
Level 1

If you are using Cisco ACS for authentication then you would specify ports 1645 and 1646 for radius authentication not 1812 and 1813. Those ports are used for a local radius service on the AP. Also, did you set up an account on ACS for the projector? I believe you will need to set up an account with a login: MAC_ADDRESS and password: MAC_ADDRESS. Hope this gets you started.

The ACS user account with MAC name and MAC address is set up. I changed the port numbers to 1645 and 1646. Still no association or IP address. The ACS passed and failed logs do not show any activity for the MAC(s).

Thank you for the suggestion.

Any other ideas will be appreciated.

ACS supports both 1645/1646 and 1812/1813. The local radius server on the AP supports only 1645/1646.

As you configure WDS, the radius server defined in "aaa group server radius rad-mac." All authentication goes to the AP (WDS device or WDS master). Please go to the WDS AP. Look at the wlccp authentication-server client statement(s) and find out if you allow MAC authentication.

I have attached the configuration from the WDS AP1200. I have a wlccp that allows MAC authentication (I think).

!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server radius dummy
!
aaa group server radius augusta_infrastructure
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server radius visitor
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server radius student
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac3
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login method_augusta_infrastructure group augusta_infrastructure
aaa authentication login method_visitor group visitor
aaa authentication login method_student group student
aaa authentication login mac_methods3 group rad_mac3
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 79 key 1 size 128bit 7 xxxx transmit-key
 encryption vlan 79 mode wep mandatory
 !
 ssid Student
    vlan 79
    authentication open eap eap_methods
    authentication network-eap eap_methods
    mobility network-id 79
 !
 ssid WaveLAN Network
    vlan 78
    authentication open
    accounting acct_methods
    guest-mode
    mobility network-id 78
 !
 ssid WiFi_Projectors
    vlan 85
    authentication open mac-address mac_methods3
    mobility network-id 85
!
interface Dot11Radio0.85
 encapsulation dot1Q 85
 no ip route-cache
 bridge-group 85
 bridge-group 85 spanning-disabled
!
interface FastEthernet0.85
 encapsulation dot1Q 85
 no ip route-cache
 bridge-group 85
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.2.57.82 auth-port 1812 acct-port 1813 key xxxx
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
wlccp authentication-server infrastructure method_augusta_infrastructure
wlccp authentication-server client mac mac_methods3
  ssid WiFi_Projectors
wlccp authentication-server client eap method_guest
  ssid WaveLAN Network
  ssid tsunami
  ssid guest
wlccp authentication-server client eap method_visitor
  ssid WaveLAN Network
wlccp authentication-server client eap method_student
  ssid Student
wlccp authentication-server client leap method_guest
  ssid WaveLAN Network
  ssid tsunami
  ssid guest
wlccp authentication-server client leap method_visitor
  ssid WaveLAN Network
wlccp authentication-server client leap method_student
  ssid Student
wlccp wds priority 254 interface BVI1
!
wlccp ap username xxxxxxxx password xxxxxx
wlccp wnm ip address 10.2.87.200
!

Thanks for helping.

You state that all authentication goes to the AP (WDS device or WDS master). Would I need any mention of the Radius server in the infrastructure AP (the non-WDS AP)? Could that be my problem? I am telling the client AP to do MAC authentication directly with the ACS server. I have been unclear on the authentication flow in WDS. Documentation clearly states that the client AP authenticates through the WDS, but it does not mention associated (Mobile Nodes) other than to say the client AP (non-WDS) sends registration information to the WDS.

If WDS/WLCCP is configured, all radius servers for EAP and MAC authentication in infrastructure APs are ignored.

Assume that all infrastructure APs are configured for EAP and/or MAC authentication. If a mobile node (i.e. wireless client) tries to associate to an infrastructure AP, the infrastructure AP just ignores the radius settings on EAP and MAC authentication. It sends the authentication request to the WDS AP using the WLCCP protocol. The WDS AP relays the authentication request to the radius server, which is defined by the wlccp authentication-server client commands. Thus, you only need to define the WDS AP as an AAA NAS client in the radius server.

I hope that the above information is clear. If not, please post your questions.

Good point... do you still recommend configuring the radius groups on the infrastructure AP?

Because you have to define something when you configure the authentication...

ssid ABC
 authentication open eap ->WORD<-

best regards

Oliver

setonhnet
Level 1

I see multiple issues compared to what I have implemented.

Relevant lines from your config:

aaa group server radius rad-mac
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login mac-methods group rad_mac
int dot11radio0
 ssid WiFi Projectors
    vlan 85
    authentication open mac-address mac_methods

Should be:

aaa group server radius rad_mac
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login mac_methods group rad_mac
int dot11radio0
 ssid WiFi Projectors
    vlan 85
    authentication open mac-address mac_methods

Notice the difference b/w the "-" and "_"?

Also, I believe you need to define the radius server and key at the bottom of the config.

Sample from your config:

radius-server host 10.2.57.82 auth-port 1812 acct-port 1813 key "whatever key you setup on the acs server for this client"

Post an update if this helps you.

Thank you. You were very attentive to catch the difference between the '-' and the '_'. Thanks.

I changed the line

aaa group server radius rad-mac

to

aaa group server radius rad_mac

and I added

radius-server host 10.2.57.82 auth-port 1812 acct-port 1813 key password

using conf t. The line now shows up at the bottom of the configuration file.

This did not correct the issue; the client still indicates AAA_AUTH with an IP of 0.0.0.0.

Thanks. Any help or suggestions would be appreciated.

gwcrook
Level 1

An update on the authentication issue with WDS and MAC authentication.

I had different aaa group names on the WDS. I thought the vlan ID number would be the common element in the validation process, but it wasn't. In addition I had entered WiFi_Projectors (with an underscore) on the WDS and WiFi Projectors (with a space) on the AP1200s. WDS requires these to be the same. It is working great. Thank you for reading the configs and sharing your ideas with me, because the different approaches helped clarify my understanding of this issue and allowed the problem to be solved.
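The three mismatches this thread turned up (a method list naming an aaa group that differs only by "-" versus "_", a group server with no radius-server host line, and an SSID spelled one way on the AP and another under the WDS wlccp entry) are all string-consistency problems that can be caught by reading the two configs side by side before a client is ever pointed at the SSID. The Python script below is an added example, not code from this thread or from Cisco. It parses abbreviated, constructed configs modelled on the ones posted above (PLACEHOLDER_KEY stands in for the real shared secret) and cross-checks the infrastructure AP against the WDS AP following the flow described earlier in the thread, where the WDS AP, not the infrastructure AP, holds the wlccp authentication-server client entries that MAC authentication of mobile nodes actually uses.

```python
"""Cross-check an infrastructure AP config against its WDS AP config for the
mismatches found in this thread (added example; constructed sample configs)."""
import re
from dataclasses import dataclass, field

# Constructed, abbreviated configs modelled on the thread; not the poster's dumps.
INFRA_AP_CFG = """\
aaa group server radius rad-mac
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa authentication login mac_methods group rad_mac
!
interface Dot11Radio0
 ssid WiFi Projectors
    vlan 85
    authentication open mac-address mac_methods
!
"""

WDS_AP_CFG = """\
aaa group server radius rad_mac3
 server 10.2.57.82 auth-port 1812 acct-port 1813
!
aaa authentication login mac_methods3 group rad_mac3
!
radius-server host 10.2.57.82 auth-port 1812 acct-port 1813 key PLACEHOLDER_KEY
!
wlccp authentication-server client mac mac_methods3
  ssid WiFi_Projectors
wlccp wds priority 254 interface BVI1
"""


@dataclass
class ApConfig:
    groups: dict = field(default_factory=dict)          # aaa group -> [server IPs]
    login_lists: dict = field(default_factory=dict)     # login list -> aaa group
    ssid_mac_lists: dict = field(default_factory=dict)  # ssid -> MAC method list
    radius_hosts: set = field(default_factory=set)      # radius-server host IPs
    wlccp_mac_ssids: dict = field(default_factory=dict) # ssid -> WDS MAC method list


def parse_ap_config(text):
    """Line-oriented parse of the few commands involved; indentation is ignored
    because configs pasted into a forum lose it."""
    cfg = ApConfig()
    cur_group = cur_ssid = None
    in_wlccp, wlccp_mac_list = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_group, in_wlccp = None, False
        elif m := re.match(r"aaa group server radius (\S+)$", line):
            cur_group = m.group(1)
            cfg.groups[cur_group] = []
        elif (m := re.match(r"server (\S+)", line)) and cur_group:
            cfg.groups[cur_group].append(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            cfg.login_lists[m.group(1)] = m.group(2)
        elif m := re.match(r"radius-server host (\S+)", line):
            cfg.radius_hosts.add(m.group(1))
        elif m := re.match(r"wlccp authentication-server client (\S+) (\S+)", line):
            # only the 'mac' blocks matter for MAC authentication of mobile nodes
            in_wlccp = True
            wlccp_mac_list = m.group(2) if m.group(1) == "mac" else None
        elif line.startswith("wlccp") or line.startswith("interface"):
            in_wlccp, cur_ssid = False, None
        elif m := re.match(r"ssid (.+)$", line):
            name = m.group(1).strip()
            if in_wlccp:
                if wlccp_mac_list:
                    cfg.wlccp_mac_ssids[name] = wlccp_mac_list
            else:
                cur_ssid = name
        elif (m := re.match(r"authentication open mac-address (\S+)", line)) and cur_ssid:
            cfg.ssid_mac_lists[cur_ssid] = m.group(1)
    return cfg


def check_pair(infra, wds):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for label, cfg in (("infra AP", infra), ("WDS AP", wds)):
        for lst, grp in cfg.login_lists.items():
            if grp not in cfg.groups:   # catches rad-mac vs rad_mac
                findings.append(f"{label}: login list '{lst}' references undefined "
                                f"aaa group '{grp}' (defined: {sorted(cfg.groups)})")
        for ssid, lst in cfg.ssid_mac_lists.items():
            if lst not in cfg.login_lists:
                findings.append(f"{label}: ssid '{ssid}' references undefined method list '{lst}'")
        for grp, servers in cfg.groups.items():
            for ip in servers:
                if ip not in cfg.radius_hosts:
                    findings.append(f"{label}: group '{grp}' server {ip} has no radius-server host line")
    # Under WDS the infrastructure AP's own RADIUS settings are bypassed, so the
    # WDS AP must carry a MAC-auth wlccp entry whose SSID string matches exactly.
    for ssid in infra.ssid_mac_lists:
        wds_list = wds.wlccp_mac_ssids.get(ssid)
        if wds_list is None:
            findings.append(f"WDS AP: no 'wlccp authentication-server client mac' entry for "
                            f"ssid '{ssid}' (entries: {sorted(wds.wlccp_mac_ssids)})")
        elif wds_list not in wds.login_lists:
            findings.append(f"WDS AP: wlccp method list '{wds_list}' for ssid '{ssid}' is undefined")
    return findings


def findings_for(infra_text, wds_text):
    return check_pair(parse_ap_config(infra_text), parse_ap_config(wds_text))


def fixed_pair():
    """The corrections the thread arrived at: '_' not '-' in the group name, a
    radius-server host line on the infra AP, and the WDS SSID spelled as on the AP."""
    infra = INFRA_AP_CFG.replace("rad-mac", "rad_mac") + \
        "radius-server host 10.2.57.82 auth-port 1812 acct-port 1813 key PLACEHOLDER_KEY\n"
    wds = WDS_AP_CFG.replace("WiFi_Projectors", "WiFi Projectors")
    return infra, wds


if __name__ == "__main__":
    for f in findings_for(INFRA_AP_CFG, WDS_AP_CFG):
        print("FINDING:", f)
    print("after fixes:", findings_for(*fixed_pair()) or "no findings")
```

Run as-is it reports three findings for the as-posted pair and none after the fixes the thread settled on. The parser knows only the handful of commands involved here, so treat it as a starting point for a fuller lint rather than a general IOS parser.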
