Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server

cschear (Level 1)

I have been attempting to reconfigure a AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details to my configuration.

SSID: labssid (Open authentication with EAP)

Cipher: TKIP

Key management: Mandatory (WPA)

I have a Cisco ACS server but am attempting to get this running initially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".

I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have the "Use Windows to configure my wireless network settings" checked, so I am using the inherent Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:

1. Network authentication: WPA

2. Data encryption: TKIP

3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)

3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)

4. Authenticate as computer when computer information is available (UNCHECKED)

5. Authenticate as guest when user or computer is unavailable (UNCHECKED)

When I attempt to provide my test/test credentials the Access Point logs the following:

Station 0016.6f77.9ccd Authentication failed

When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:

"Unknown EAP Type"

If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.

What am I missing?

1 Accepted Solution

scottmac (Level 10)

The local RADIUS server cannot do PEAP (it cannot accept the certificate necessary to do so).

It can run LEAP or EAP-FAST. Of the two, I believe conventional wisdom says "use EAP-FAST"; it's more secure.

To use EAP-FAST or LEAP, you'll need to use the IBM utilities; the MS Wireless Zero Config utilities don't do LEAP or EAP-FAST.

If you use ACS, then you can use PEAP, EAP-TLS, LEAP, EAP-FAST, MAC ... whatever you want, and pull your user data from either a MS Active Directory or LDAP database.

Good Luck

Scott

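The "Unknown EAP Type" counter in the original post is the local RADIUS server receiving an EAP method it does not implement. The following is an added example (not code from the thread, Cisco, or the AP) that decodes the EAP-Message carried in a RADIUS Access-Request, works out which EAP method the supplicant is using or asking for via a Nak, and checks it against a server's method set. The method sets, attribute layout and sample packets are constructed here; the assumption that the AP's local RADIUS server handles only LEAP and EAP-FAST follows the accepted answer above and is labelled in the code.

```python
"""Decode which EAP method a supplicant requests and check it against the
methods a RADIUS server supports.

Added example, not from the original thread. The capability sets below are
an assumption based on the accepted answer (local RADIUS: LEAP and EAP-FAST
only; ACS: PEAP, EAP-TLS, LEAP, EAP-FAST). Sample packets are constructed.
"""
import struct

# EAP method type codes (IANA "Method Types" registry).
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
    26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}
EAP_CODE_RESPONSE = 2
NAK = 3

RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_EAP_MESSAGE = 79

# Assumed capability sets (see module docstring).
LOCAL_RADIUS_METHODS = {17, 43}        # AP local RADIUS: LEAP, EAP-FAST
ACS_METHODS = {13, 17, 25, 43}         # ACS: EAP-TLS, LEAP, PEAP, EAP-FAST


def parse_radius_attrs(payload):
    """Return [(type, value), ...] from RFC 2865 attribute TLVs
    (1-byte type, 1-byte length that includes the 2-byte header)."""
    attrs, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs


def extract_eap(payload):
    """Reassemble the EAP packet from one or more EAP-Message attributes.
    RFC 3579 splits EAP packets longer than 253 bytes across attributes,
    which must be concatenated in order."""
    return b"".join(v for t, v in parse_radius_attrs(payload)
                    if t == RADIUS_ATTR_EAP_MESSAGE)


def requested_methods(eap):
    """Return the EAP method type(s) an EAP Response carries.
    For a Nak the data field lists the methods the peer will accept;
    for any other response the type byte is the method in use."""
    if len(eap) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match packet size")
    if code != EAP_CODE_RESPONSE:
        raise ValueError("not an EAP Response")
    etype = eap[4]
    return list(eap[5:]) if etype == NAK else [etype]


def check_request(payload, supported):
    """Classify one Access-Request against a server's method set.
    Returns ("ok" | "Unknown EAP Type", [method names])."""
    methods = requested_methods(extract_eap(payload))
    names = [EAP_TYPES.get(m, f"type {m}") for m in methods]
    verdict = "ok" if any(m in supported for m in methods) else "Unknown EAP Type"
    return verdict, names


# --- constructed sample packets -------------------------------------------
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def eap_response(ident, etype, data=b""):
    body = bytes([etype]) + data
    return struct.pack("!BBH", EAP_CODE_RESPONSE, ident, 4 + len(body)) + body


# Supplicant rejects the server's offered method and Naks with PEAP (25).
PEAP_NAK = attr(RADIUS_ATTR_USER_NAME, b"test") + \
    attr(RADIUS_ATTR_EAP_MESSAGE, eap_response(2, NAK, bytes([25])))

# Supplicant continuing an EAP-FAST (43) exchange, with the EAP packet
# deliberately split across two EAP-Message attributes.
_fast = eap_response(3, 43, b"\x00" * 10)
FAST_FRAGMENTED = attr(RADIUS_ATTR_USER_NAME, b"test") + \
    attr(RADIUS_ATTR_EAP_MESSAGE, _fast[:8]) + \
    attr(RADIUS_ATTR_EAP_MESSAGE, _fast[8:])

if __name__ == "__main__":
    for name, pkt in (("PEAP Nak", PEAP_NAK), ("EAP-FAST", FAST_FRAGMENTED)):
        print(name, "-> local RADIUS:", check_request(pkt, LOCAL_RADIUS_METHODS),
              "| ACS:", check_request(pkt, ACS_METHODS))
```

The PEAP Nak is flagged "Unknown EAP Type" against the local server's set but accepted against the ACS set, which matches the behaviour the poster saw once the AP was pointed at ACS. The fragmented EAP-FAST sample shows why EAP-Message attributes must be concatenated before parsing: reading only the first fragment would fail the length check.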

5 Replies

cschear (Level 1)

In the event it is relevant, I also have my wireless interface configured with the following options:

Aironet Extensions: ENABLED

Ethernet Encapsulation Transform: 802.1H

And, I suppose if I provided all the information in one post it would be easier...

When I attempt to authenticate, in addition to the "Unknown EAP Type" stat log, I also log an "Invalid Packets from NAS". With the AP1200 using the Local RADIUS Server, isn't the "NAS" the AP itself? This is what is confusing me.

I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP loses its connection TO the ACS server. The Access Point logs the following:

---

1. Station 0016.6f77.9ccd Authentication failed

2. RADIUS server 192.168.102.82:1645,1646 has returned.

3. RADIUS server 192.168.102.82:1645,1646 is not responding.

---

The "not responding" and "returned" logs are recorded at exactly the same time. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP loses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue, not an AP issue, but am wondering if anyone else has ever noticed this behavior.

As a somewhat remote possibility (but I've seen it) ...

Check the power-save features of your ACS box. A lot of PCs (and servers) default to allowing the OS to put the NIC into hibernate/powersave mode after some period of inactivity.

Not all software can properly recover from the power-save mode and it basically ignores the NIC once activity has resumed.

That's all that comes to mind for me...

Good Luck, thanks for the rating!

Scott
