Re: Using Peap w/ IAS

George.burtz · ‎07-18-2003

I have a 1200 AP w/ latest IOS trying to do PEAP for wireless clients. When pointing the 1200 to a Funk or ACS radius server it works great. When I point to an IAS server runnng on W2K SP3, I get an IAS error in the event viewer saying "The specified authentication type is not supported on this system"

When I use a Symbol AP with the same IAS server, it works fine.

I have sniffer traces comparing the 2 scenarios and the only difference I can see is the attributes for

NAS Port and NAS port type.

Bad auth (Cisco AP)

NAS Port Type - virtual

NAS Port - 414

Good auth (Symbol AP)

NAS Port Type - 0x00000013

NAS Port - 29

Anyone know what is going on here?

dhickey · ‎07-18-2003

This is a reply I received from Cisco when I asked this question..

This is actually a software bug CSCeb36095

Here is the release note from the bug

IOS based APs will pass Radius attribute 61 (NAS-Port-Type) with value 5 (virtual), while VxWorks based APs use value 19 (Wireless IEEE802.11)

Users may need to re-configure Radius server setting if this attribute is used to grant access to the user, when migrating AP from VxWorks to IOS.

No ETA on when this should be fixed yet but if the work around doesnt work then please contact the TAC and open a case have you case linked to the bug then you can be kept updated of when the fix will be released

What I had to do was change IAS from 802.11 in the policy to virtual. The user then authenticated...

However, I was also using per user VLANS and the VLAN assignment was not working and they opened another bug on it. This was with a VXworks AP that had been "upgraded" to the IOS version....Needless to say it is sitting on the shelf waiting for the next release of IOS for the 1220's.

Hope that helps some...

don

George.burtz · ‎07-23-2003

That did it. Thanks for the info. Added a new RAS policy and it worked fine.