LEAP with Local Radius - Authentication Failed

s.vautour
Level 1

Hello,

I recently upgraded my Cisco 1220 AP to 12.3(2)JA IOS. I also updated my Client (Toshiba Laptop running WinXP SP1) to the latest ACU Client using version 1.5 of the Wizard. The NIC is a 350 Series Cisco PCMCIA card. It is now on Firmware 5.60.08. The ACU is 6.4.

I have the ACU configured as a LEAP client (no WPA, no CCKM, default settings, saved U/P). I can attach the profile if necessary. My AP is configured as the Local Radius server. Here's the config:

----------------------------------------
LabAP1#show run
!
hostname LabAP1
!
logging buffered 8192 debugging
enable secret 5 xxxxxxxxxx
!
username cisco password 7 xxxxxxxxxxx
ip subnet-zero
ip dhcp excluded-address 10.100.1.9
ip dhcp excluded-address 10.100.1.10
!
ip dhcp pool DHCPPOOL
   network 10.100.1.8 255.255.255.248
   dns-server 192.168.254.2
   default-router 10.100.1.9
   lease 5
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.100.1.10 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 10.100.1.10 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 broadcast-key change 300
 !
 !
 ssid LEAPSSID
    authentication network-eap eap_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 10
 half-duplex
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.100.1.10 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.100.1.9
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
  nas 10.100.1.10 key xxxxx
  user test1 nthash xxxx
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.100.1.10 auth-port 1645 acct-port 1646 key xxxx
radius-server vsa send accounting
bridge 1 route ip
!
!----------------------------------------

My Laptop will not associate with the AP. If I remove the Encryption settings and change the SSID to Open Auth, everything works with excellent signal strength. The Local Radius server is not showing any hits. The output of the debug is attached.

I had the same config working before. The only difference is the new IOS code and Client Firmware/ACU. Any suggestions?

Thanks,

Serge

2 Replies

dixho
Level 6

I have serious concerns about why it ever worked. The local RADIUS server only supports UDP port 1812 (for authentication) and 1813 (for accounting). You configured 1645 and 1646 for RADIUS authentication and accounting. Thus, the AP should never receive a response to the RADIUS request from the local RADIUS server.

Please try to use UDP port 1812 and 1813.

s.vautour
Level 1

That worked! The confusing part here is the GUI picked those ports, not me. I have noticed that sometimes it will pick 1812/1813 and sometimes 1645/1646. Why would it pick ports that don't work?

Thanks for your help,

Serge
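The mismatch dixho spotted (the AP's RADIUS client pointed at 1645/1646 while its own local RADIUS server listens on 1812/1813) is easy to catch in a config review before anyone tries to associate. The following is an added example, not code from the thread or from Cisco: a small check over an IOS config excerpt constructed in the shape of the one posted above (keys replaced by placeholders), flagging any `radius-server host` or aaa group `server` entry that targets the AP's own address with the wrong ports.

```python
import re

# Constructed excerpt modelled on the AP config posted in the thread
# (keys are placeholders). The AP is both the RADIUS client and the local RADIUS server.
CONFIG_BAD = """\
aaa group server radius rad_eap1
 server 10.100.1.10 auth-port 1645 acct-port 1646
interface BVI1
 ip address 10.100.1.10 255.255.255.248
ip radius source-interface BVI1
radius-server local
 nas 10.100.1.10 key PLACEHOLDER
radius-server host 10.100.1.10 auth-port 1645 acct-port 1646 key PLACEHOLDER
"""
# The corrected form: same config, client entries pointed at the ports the local server uses.
CONFIG_GOOD = CONFIG_BAD.replace("auth-port 1645 acct-port 1646",
                                 "auth-port 1812 acct-port 1813")

LOCAL_RADIUS_PORTS = (1812, 1813)  # auth/acct ports the IOS local RADIUS server listens on

IFACE_ADDR_RE = re.compile(r"^ ip address (\S+) \S+", re.M)          # "no ip address" does not match
CLIENT_RE = re.compile(
    r"^(?:radius-server host| server) (\S+) auth-port (\d+) acct-port (\d+)", re.M)


def local_radius_addresses(config):
    """Addresses at which this AP's own local RADIUS server can be reached
    (its interface addresses), or an empty set if no local server is configured."""
    if not re.search(r"^radius-server local$", config, re.M):
        return set()
    return set(IFACE_ADDR_RE.findall(config))


def check_local_radius_ports(config):
    """One message per RADIUS client entry (global `radius-server host` or aaa group
    `server`) that points at the local server but uses ports it does not listen on."""
    local = local_radius_addresses(config)
    problems = []
    for host, auth, acct in CLIENT_RE.findall(config):
        if host in local and (int(auth), int(acct)) != LOCAL_RADIUS_PORTS:
            problems.append(f"{host} auth-port {auth} acct-port {acct}: local server "
                            f"listens on {LOCAL_RADIUS_PORTS[0]}/{LOCAL_RADIUS_PORTS[1]}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_BAD), ("corrected", CONFIG_GOOD)):
        print(name, check_local_radius_ports(cfg) or "OK")
```

Run against the posted config both the aaa group `server` line and the global `radius-server host` line are reported; the corrected config passes cleanly.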
