LEAP and WPA on Small Home LAN

plemieux72
Level 1

Hi,

I am trying to implement WPA and LEAP on small home network. I use a Windows XP Pro laptop with PCM352 client and an Aironet 350 Access Point.

I've upgraded the 350 to IOS and also did the PCM352 card software upgrade to the latest 1.2 version.

Since I don't have a RADIUS server, I want to use the AP as local authenticator.

I added the following to the AP:

aaa new-model
aaa authentication login default local
radius-server local
  nas 192.168.1.20 key xxxxxxxxxxxxxxx
  user yyyyyyy password zzzzzzzzzzzz
interface Dot11Radio0
 encryption mode ciphers tkip wep128
 !
 ssid xxxxxxx
    authentication network-eap default
    authentication key-management wpa

However, LEAP authentication times out. I think I configured it correctly in ACU 6.2 so it has to be something I did wrong on the AP.

Can anyone point me in the right direction to what I am missing? I read the Software Configuration guide several times and I am unable to put all pieces together. Any sample configs for what I want to do? Thank you very much in advance.

8 Replies

ED CARMODY
Level 4

You're missing a couple things...

=====================================

Even though your AP is configured as a local authenticator, you still need to define what server-group to use for what:

aaa group server radius rad_eap
 server x.x.x.x auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap

=====================================

Even though your AP is configured as a local authenticator, you still need to tell him who his RADIUS server is:

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key whatever
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting

=====================================

Also, I don't think you set up the authentication correctly under the ssid. Mine looks like this:

ssid xxxxx
   # allow static WEP clients
   authentication open
   # allow LEAP clients
   authentication network-eap eap_methods

=====================================

The first couple of times, you should probably use the web GUI to set this up; the IOS config is arcane unless you're strong with it. Also, you might want to back off the TKIP and WPA until you get LEAP authentication working correctly, then add those in after.

It helps greatly if you have a wired pc that you can telnet into the AP with then:

terminal monitor
debug aaa authentication

You'll see what's bombing this way....

Good Luck!

Thank you so much for your reply! I have worked on this some more but still can't get it to work. The LEAP Authentication always times out. I reset the AP to factory defaults several times trying different things. Here is my latest config. This is the way I think it "should" be but I am obviously wrong! I've used the GUI to do this...

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ap
!
!
username uuuuuuuu privilege 15 password 7 00000000000
clock timezone R -5
clock summer-time R recurring
ip subnet-zero
ip domain name ddddddddddddd.com
ip name-server 192.168.1.40
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.20 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip wep128
 !
 ssid ssssssssss
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 power local 50
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.20 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip http authentication aaa
ip radius source-interface BVI1
no logging trap
radius-server local
  nas 192.168.1.20 key 7 000000000000
  user uuuuuuuuu nthash 7 0000000000000000000000000000000000000
!
radius-server host 192.168.1.20 auth-port 1645 acct-port 1646 key 7 000000000000
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
line con 0
 stopbits 1
line vty 5 15
!
end

I forgot to mention that I used debug aaa authentication:

Nov 26 23:04:53.288 R: %DOT11-7-AUTH_FAILED: Station 000a.f44a.4dac Authentication failed
Nov 27 04:04:53.405: AAA/AUTHEN/PPP (00000039): Pick method list 'eap_methods'

...and also debug radius, which shows no server found???

Nov 27 04:08:20.296: RADIUS(00000046): Retransmit id 21645/68
Nov 27 04:08:25.304: RADIUS: Tried all servers.
Nov 27 04:08:25.304: RADIUS: No valid server found. Trying any viable server
Nov 27 04:08:25.304: RADIUS: Tried all servers.
Nov 27 04:08:25.304: RADIUS: No response from (192.168.1.20:1645,1646) for id 21645/68
Nov 27 04:08:25.304: RADIUS/DECODE: parse response no app start; FAIL
Nov 27 04:08:25.304: RADIUS/DECODE: parse response; FAIL
Nov 26 23:08:25.308 R: %DOT11-7-AUTH_FAILED: Station 000a.f44a.4dac Authentication failed
Nov 27 04:08:25.513: RADIUS: AAA Unsupported [143] 3
Nov 27 04:08:25.513: RADIUS: 33 [3]
Nov 27 04:08:25.513: RADIUS(00000047): Storing nasport 326 in rad_db
Nov 27 04:08:25.513: RADIUS: Pick NAS IP for uid=71 tableid=0 cfg_addr=192.168.1.20 best_addr=0.0.0.0
Nov 27 04:08:25.517: RADIUS/ENCODE(00000047): acct_session_id: 71
Nov 27 04:08:25.517: RADIUS: Pick NAS IP for uid=71 tableid=0 cfg_addr=192.168.1.20 best_addr=0.0.0.0
Nov 27 04:08:25.517: RADIUS(00000047): sending
Nov 27 04:08:25.517: RADIUS(00000047): Send Access-Request to 192.168.1.20:1645 id 21645/69, len 127
Nov 27 04:08:25.521: RADIUS: authenticator E5 B6 54 2F F8 9E F6 50 - AB 52 AF BA 7C 5C E3 8D
Nov 27 04:08:25.521: RADIUS: User-Name [1] 8 "uuuuuuu"
Nov 27 04:08:25.521: RADIUS: Framed-MTU [12] 6 1400
Nov 27 04:08:25.521: RADIUS: Called-Station-Id [30] 16 "0040.9645.d18f"
Nov 27 04:08:25.521: RADIUS: Calling-Station-Id [31] 16 "000a.f44a.4dac"
Nov 27 04:08:25.525: RADIUS: Message-Authenticato[80] 18 *
Nov 27 04:08:25.525: RADIUS: EAP-Message [79] 13
Nov 27 04:08:25.525: RADIUS: 02 02 00 0B 01 70 69 65 72 72 65 [?????uuuuuuu]
Nov 27 04:08:25.525: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Nov 27 04:08:25.525: RADIUS: NAS-Port [5] 6 326
Nov 27 04:08:25.529: RADIUS: Service-Type [6] 6 Framed [2]
Nov 27 04:08:25.529: RADIUS: NAS-IP-Address [4] 6 192.168.1.20
Nov 27 04:08:25.529: RADIUS: Nas-Identifier [32] 6 "ap"

Well, I was able to use LEAP with the local RADIUS authentication and mandatory dynamic WEP. However, I was not successful in migrating this working solution to WPA.

Here is what I did. Maybe someone will find my error?

1) In the GUI, encryption manager, choose cipher suite of TKIP WEP128

2) clear the WEP key 1 and choose transmit key 2 leaving the actual key blank

3) clear network EAP and enable open auth with EAP in SSID manager

4) Enable mandatory WPA

5) Updated ACU 6.2 on Win XP on client to "LEAP (WPA)"

6) Reauthenticated ... which timed out on first step.

I believe the AP uses ports 1812 for Auth

Dave S.

Yes, that was the problem. I had left the defaults of 1645/1646 in the config. When I changed them to 1812/1813, LEAP started working.

WPA is what I am having a problem with right now.

Well, I opened a TAC Case. It looks like WPA with LEAP may require a "real" RADIUS server like ACS instead of the local AP authenticator. I am still waiting to hear back from the engineer working on my case.

LEAP with WPA -DOES- work ok with local RADIUS authenticator. I was using the wrong Cipher... the only Cipher that works in this situation is TKIP.
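An added example, not from this thread or from Cisco, that turns the thread's two findings into a repeatable check: a small Python lint over a constructed AP config in the shape posted above, flagging any RADIUS server entry that points at the AP's own local authenticator on ports other than 1812/1813, and WPA key management combined with any cipher other than tkip, plus a parser for the "No response from" line in the debug radius output. The sample config, the sample debug line and the function names are assumptions made for the example.

```python
import re

# Constructed sample modelled on the thread's config: local authenticator on,
# but the AP's own RADIUS client still points at the 1645/1646 defaults.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.1.20 auth-port 1645 acct-port 1646
interface Dot11Radio0
 encryption mode ciphers tkip wep128
 ssid home
    authentication open eap eap_methods
    authentication key-management wpa
radius-server local
  nas 192.168.1.20 key 7 000000000000
radius-server host 192.168.1.20 auth-port 1645 acct-port 1646 key 7 000000000000
"""

# Constructed "debug radius" line in the shape of the ones posted in the thread.
SAMPLE_DEBUG = """\
Nov 27 04:08:25.304: RADIUS: No response from (192.168.1.20:1645,1646) for id 21645/68
"""

LOCAL_AUTH_PORTS = (1812, 1813)  # ports the AP's local authenticator answers on (per the thread)
SERVER_RE = re.compile(r"^\s*(?:radius-server host|server) (\S+) auth-port (\d+) acct-port (\d+)", re.M)

def lint_config(text):
    """Flag the two mistakes the thread ran into: wrong RADIUS ports, wrong cipher."""
    problems = []
    local_auth = re.search(r"^radius-server local\b", text, re.M) is not None
    nas_ips = set(re.findall(r"^\s*nas (\S+) key", text, re.M))
    for ip, auth, acct in SERVER_RE.findall(text):
        ports = (int(auth), int(acct))
        # A server entry that is really the AP itself must use the local authenticator's ports.
        if local_auth and ip in nas_ips and ports != LOCAL_AUTH_PORTS:
            problems.append(f"{ip} uses ports {ports[0]}/{ports[1]}; local authenticator expects 1812/1813")
    ciphers = re.search(r"encryption mode ciphers (.+)$", text, re.M)
    if re.search(r"key-management wpa", text) and ciphers and set(ciphers.group(1).split()) != {"tkip"}:
        problems.append(f"WPA key management with ciphers '{ciphers.group(1).strip()}'; use tkip only")
    return problems

def unanswered_servers(debug_text):
    """Extract (ip, auth_port) pairs the AP reported as silent in debug radius output."""
    return [(ip, int(port)) for ip, port in re.findall(r"No response from \((\S+):(\d+),\d+\)", debug_text)]

if __name__ == "__main__":
    for p in lint_config(SAMPLE_CONFIG):
        print("config:", p)
    for ip, port in unanswered_servers(SAMPLE_DEBUG):
        print(f"debug: no answer from {ip}:{port}")
```

Run against the sample, the lint reports the port mismatch for both the `server` line in the group and the `radius-server host` line, and the tkip/wep128 cipher set; the debug parser shows the silent server at 1645, which is exactly what the thread's "No response from" line pointed at.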
