01-11-2004 02:34 PM - edited 07-04-2021 09:16 AM
I'm attempting to set up a 1200 AP with 12.2(13)JA1 to locally authenticate WDS, but to have LEAP clients authenticate back to the ACS Server. I first get client auth working to the ACS server, then add the WDS config. At this point WDS registers correctly, but clients can no longer authenticate.
Is this an invalid design or a bug?
aaa new-model
!
aaa group server radius rad_eap
server 10.1.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius wlse_infra_rad
server 10.1.0.30 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login method_wlse_infra_rad group wlse_infra_rad
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit <WEP KEY> transmit-key
encryption mode wep mandatory
!
ssid tsunami
authentication open
authentication network-eap eap_methods
!
radius-server local
nas 10.1.0.30 key <SHARED KEY>
user wlse_user nthash <WLSE USER PSWD>
!
radius-server host 10.1.0.3 auth-port 1645 acct-port 1646 key <SHARED KEY>
radius-server host 10.1.0.30 auth-port 1812 acct-port 1813 key <SHARED KEY>
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
wlccp authentication-server infrastructure method_wlse_infra_rad
wlccp wds priority 255 interface BVI1
wlccp wnm ip address 10.1.0.11
wlccp ap username wlse_user password <WLSE USER PSWD>
01-11-2004 02:36 PM
FYI, the IP Address of this AP is 10.1.0.30 and I did cut out a number of lines from the sample config I used.
01-11-2004 06:47 PM
First let me state that I have only configured WDS once on 2 APs for testing. So I am no expert.
But it seemed like I had to configure the WDS server groups. One for infrastructure authentication for the APs. Then a second WDS server group for client authentication. I'm not sure if this is the required configuration, but that's the only way I got both clients and APs to authenticate.
Let me know if it works.
01-14-2004 08:25 PM
GOT IT!!
aaa new-model
!
aaa group server radius rad_eap
server 10.1.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius wlccp_rad_infra
server 10.1.0.30 auth-port 1812 acct-port 1813
!
aaa group server radius wlccp_rad_leap
server 10.1.0.3 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_leap_client group wlccp_rad_leap
aaa authorization exec default local
aaa session-id common
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit
encryption mode wep mandatory
!
ssid tsunami
authentication open
authentication network-eap eap_methods
!
radius-server local
nas 10.1.0.30 key
user wlse_user nthash
!
radius-server host 10.1.0.3 auth-port 1645 acct-port 1646 key
radius-server host 10.1.0.30 auth-port 1812 acct-port 1813 key
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
wlccp authentication-server infrastructure wlccp_infra
wlccp authentication-server client leap wlccp_leap_client
wlccp wds priority 255 interface BVI1
wlccp wnm ip address 10.1.0.11
wlccp ap username wlse_user password
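Added example, not part of any post in this thread: the working config differs from the failing one by the `wlccp authentication-server client leap` line together with its method list and server group. The Python check below flags a WDS config that lacks a client method list or that references an undefined method list or server group; `check_wds_auth` is a hypothetical helper, and the sample configs are constructed from the lines posted above.

```python
import re

# Constructed sample: WDS-related lines of the first (failing) config in the thread.
FAILING = """\
aaa group server radius wlse_infra_rad
aaa authentication login method_wlse_infra_rad group wlse_infra_rad
wlccp authentication-server infrastructure method_wlse_infra_rad
wlccp wds priority 255 interface BVI1
"""

# Constructed sample: WDS-related lines of the working config.
WORKING = """\
aaa group server radius wlccp_rad_infra
aaa group server radius wlccp_rad_leap
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_leap_client group wlccp_rad_leap
wlccp authentication-server infrastructure wlccp_infra
wlccp authentication-server client leap wlccp_leap_client
wlccp wds priority 255 interface BVI1
"""

def check_wds_auth(config):
    """Return a list of findings about WDS authentication method lists."""
    groups, lists, wlccp = set(), {}, {}
    wds = False
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"aaa group server radius (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            # Keep only the RADIUS groups a list points at ("local" has none).
            lists[m.group(1)] = re.findall(r"group (\S+)", m.group(2))
        elif m := re.match(r"wlccp authentication-server (infrastructure|client \S+) (\S+)", line):
            wlccp[m.group(1)] = m.group(2)
        elif line.startswith("wlccp wds "):
            wds = True
    findings = []
    if wds and "infrastructure" not in wlccp:
        findings.append("WDS enabled without an infrastructure method list")
    if wds and not any(k.startswith("client") for k in wlccp):
        findings.append("WDS enabled without a client method list")
    for role, name in wlccp.items():
        if name not in lists:
            findings.append(f"{role}: method list {name} is not defined")
        for g in lists.get(name, []):
            if g not in groups:
                findings.append(f"{role}: server group {g} is not defined")
    return findings
```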