11-29-2004 12:35 PM - edited 07-04-2021 10:12 AM
Hello,
I recently upgraded my Cisco 1220 AP to 12.3(2)JA IOS. I also updated my Client (Toshiba Laptop running WinXP SP1) to the latest ACU Client using version 1.5 of the Wizard. The NIC is a 350 Series Cisco PCMCIA card. It is now on Firmware 5.60.08. The ACU is 6.4.
I have the ACU configured as a LEAP client (no WPA, no CCKM, default settings, saved U/P). I can attach the profile if necessary. My AP is configured as the Local Radius server. Here's the config:
----------------------------------------
LabAP1#show run
!
hostname LabAP1
!
logging buffered 8192 debugging
enable secret 5 xxxxxxxxxx
!
username cisco password 7 xxxxxxxxxxx
ip subnet-zero
ip dhcp excluded-address 10.100.1.9
ip dhcp excluded-address 10.100.1.10
!
ip dhcp pool DHCPPOOL
 network 10.100.1.8 255.255.255.248
 dns-server 192.168.254.2
 default-router 10.100.1.9
 lease 5
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.100.1.10 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 10.100.1.10 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 broadcast-key change 300
 !
 !
 ssid LEAPSSID
    authentication network-eap eap_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 10
 half-duplex
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.100.1.10 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.100.1.9
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
 nas 10.100.1.10 key xxxxx
 user test1 nthash xxxx
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.100.1.10 auth-port 1645 acct-port 1646 key xxxx
radius-server vsa send accounting
bridge 1 route ip
!
!
----------------------------------------
My Laptop will not associate with the AP. If I remove the Encryption settings and change the SSID to Open Auth, everything works with excellent signal strength. The Local Radius server is not showing any hits. The output of the debug is attached.
I had the same config working before. The only difference is the new IOS code and Client Firmware/ACU. Any suggestions?
Thanks,
Serge
12-01-2004 04:09 PM
I have serious concerns about why it ever works. The local radius server only supports UDP ports 1812 (for authentication) and 1813 (for accounting). You configured 1645 and 1646 for radius authentication and accounting. Thus, the AP should never receive a response to the radius request from the local radius server.
Please try to use UDP port 1812 and 1813.
12-03-2004 05:27 AM
That worked! The confusing part here is the GUI picked those ports, not me. I have noticed that sometimes it will pick 1812/1813 and sometimes 1645/1646. Why would it pick ports that don't work?
Thanks for your help,
Serge
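An added example, not part of the original posts: a small Python check for the mismatch resolved in this thread, flagging RADIUS server entries that point at the AP's own address on ports other than the 1812/1813 pair named in the reply. The function name and the sample excerpt are constructed for illustration, and the port pair is taken from the reply, not from Cisco documentation.

```python
import re

# Ports the AP's local RADIUS server answers on, as stated in the reply above.
LOCAL_RADIUS_PORTS = (1812, 1813)

IP = r"(\d+\.\d+\.\d+\.\d+)"
SERVER_RE = re.compile(
    r"^[ \t]*(?:radius-server host|server)[ \t]+" + IP +
    r"[ \t]+auth-port[ \t]+(\d+)[ \t]+acct-port[ \t]+(\d+)", re.M)
OWN_IP_RE = re.compile(r"^[ \t]*ip address[ \t]+" + IP + r"[ \t]", re.M)
LOCAL_SERVER_RE = re.compile(r"^[ \t]*radius-server local[ \t]*$", re.M)


def find_port_mismatches(config):
    """Return (config line, auth port, acct port) for every RADIUS server
    entry that targets one of the AP's own addresses on other ports."""
    if not LOCAL_SERVER_RE.search(config):
        return []  # no local RADIUS server, nothing to compare against
    own_ips = set(OWN_IP_RE.findall(config))
    findings = []
    for m in SERVER_RE.finditer(config):
        ip, auth, acct = m.group(1), int(m.group(2)), int(m.group(3))
        if ip in own_ips and (auth, acct) != LOCAL_RADIUS_PORTS:
            findings.append((m.group(0).strip(), auth, acct))
    return findings


# Excerpt constructed from the configuration posted in this thread.
SAMPLE = """\
aaa group server radius rad_eap
 server 10.100.1.10 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap1
 server 10.100.1.10 auth-port 1645 acct-port 1646
!
interface BVI1
 ip address 10.100.1.10 255.255.255.248
!
radius-server local
 nas 10.100.1.10 key xxxxx
!
radius-server host 10.100.1.10 auth-port 1645 acct-port 1646 key xxxx
"""

if __name__ == "__main__":
    for line, auth, acct in find_port_mismatches(SAMPLE):
        print(f"local RADIUS target on {auth}/{acct}: {line}")
```

Run against a saved `show run`, it reports all three entries in the posted configuration; after changing them to 1812/1813 it reports none.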