02-04-2021 06:20 AM - edited 07-05-2021 01:11 PM
Hello,
I am trying to configure the AP1142 as WDS, using a local RADIUS, but I have some issues connecting the client.
This is my conf
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MAIB-WDS-AP
!
!
logging rate-limit console 9
enable secret 9 xxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server name Local-Radius
!
aaa group server radius Infrastructure
 server name Local-Radius
!
aaa authentication login eap_methods group rad_eap
aaa authentication login method_Infrastructure group Infrastructure
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip name-server 192.168.1.1
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid WDS-EAP
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
!
!
no ipv6 cef
!
!
username Cisco password 7 01300F175804
username xxx privilege 15 secret 9 xxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid WDS-EAP
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid WDS-EAP
 !
 antenna gain 0
 peakdetect
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 4055.3997.ce7b
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip ssh version 2
ip radius source-interface BVI1
!
!
radius-server local
 no authentication mac
 nas 192.168.1.100 key 7 105E080A16001D1908
 user pippo nthash 7 15422E2E20790D010A17177B4455345A250F780905002C544A300A0A0676010105
!
radius-server attribute 32 include-in-access-req format %h
!
radius server Local-Radius
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key 7 140713181F13253920
!
bridge 1 route ip
!
!
wlccp ap username pippo password 7 071F285C5E06
wlccp ap wds ip address 192.168.1.100
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client any client_devices
wlccp wds priority 254 interface BVI1
!
line con 0
line vty 0 4
 transport input all
!
end
This AP is also a client of the WDS.
When I try to connect a wireless client the connection fails, and from the debug I see this:
*Feb 4 14:16:54.295: (0000.0000.0000): dot11_auth_dot1x: in the dot11_auth_dot1x_start
*Feb 4 14:16:54.295: (0000.0000.0000): dot11_dot1x: Sending identity request to client
*Feb 4 14:16:54.295: (0000.0000.0000): dot11_dot1x: Client timer started for 30 seconds
*Feb 4 14:16:54.300: (0000.0000.0000): dot11_auth_dot1x: Received EAPOL packet from client
*Feb 4 14:16:54.300: (0000.0000.0000): dot11_dot1x: Executing Action [state: CLIENT_WAIT, event: CLIENT_REPLY] for client
*Feb 4 14:16:54.301: (0000.0000.0000): dot11_dot1x: Sending client data to server
*Feb 4 14:16:54.301: (0000.0000.0000): dot11_dot1x: Started timer server_timeout 60 seconds
*Feb 4 14:16:54.301: (0000.0000.0000): aaa_resp: Received server response: FAIL
*Feb 4 14:16:54.301: (0000.0000.0000): aaa_resp: client username pippo
*Feb 4 14:16:54.301: (0000.0000.0000): aaa_resp: found eap pak in server response
*Feb 4 14:16:54.302: (0000.0000.0000): aaa_resp_FAIL: failed client with EAP reason 0
*Feb 4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Executing Action [state: SERVER_WAIT, event: SERVER_FAIL] for client
*Feb 4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Forwarding server message to client
*Feb 4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Started timer client_timeout 30 seconds
*Feb 4 14:16:54.302: (0000.0000.0000): dot11_dot1x: Authentication failed for station
*Feb 4 14:16:54.303: %DOT11-7-AUTH_FAILED: Station e4ce.8f59.296c Authentication failed
From this I get that the error code is aaa_resp_FAIL: failed client with EAP reason 0, but I am not able to understand the error or what I have to do to allow the clients to connect to the AP.
Do you have any idea?
02-04-2021 08:39 AM
The 1142 and WDS are so very old and many have not touched either in a very long time. Have you tried to follow some guides? Also, do you really need to set up WDS?
02-04-2021 11:43 AM
Yes Scott, the 1142 is pretty old, and thank you for your help. I am trying several guides to test it, and this is just for me to learn something more.
I made some improvements that I will now test on the AP3702, just to see if it works better there.
Thank you
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 9 $9$gAyOEcGVnfQSEa$ce1uxxvCFlC/VJ8t57fkbi4cjZoJXM69rsgSTvgkVZk
!
aaa new-model
!
!
aaa group server radius rad_mac
 server name 192.168.1.100
!
aaa group server radius InfrastructureAuthentication
 server name 192.168.1.100
!
aaa group server radius ClientAuthentication
 server name 192.168.1.100
!
aaa authentication login method_InfrastructureAuthentica group InfrastructureAuthentication
aaa authentication login method_ClientAuthentication group ClientAuthentication
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip name-server 192.168.1.1
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid MacSSID
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
!
!
no ipv6 cef
!
!
username Cisco password 7 01300F175804
username xxx
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid MacSSID
 !
 antenna gain 0
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid MacSSID
 !
 antenna gain 0
 peakdetect
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 4055.3997.ce7b
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server local
 nas 192.168.1.100 key 7 13151601181B0B382F
 user user nthash 7 135040365E54570B0A707E1760754252465120777D0C717659223D370901740402
 user ap1 nthash 7 0322032D235C031A1A5F492441465E5A257F7A7C091114704121402051740F0805
!
radius-server attribute 32 include-in-access-req format %h
!
radius server 192.168.1.100
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key 7 051B071C325B411B1D
!
bridge 1 route ip
!
!
wlccp ap username ap1 password 7 06071F70
wlccp authentication-server infrastructure method_InfrastructureAuthentication
wlccp authentication-server client any method_ClientAuthenticatio
wlccp wds priority 255 interface BVI1
!
line con 0
line vty 0 4
 transport input all
!
end
02-04-2021 11:47 AM
No worries.... I personally would not try to learn on autonomous access points. You are better off looking at a 2504/3504 (AireOS) controller on eBay and learning on that. Even if you decide to look for an 1800/2800/3800 ap, then you can take a look at the 9800-CL which is a free download if you have ESXi or Hyper-V. AireOS will eventually go away and autonomous was replaced with Mobility Express which is now replaced with EWC.
02-04-2021 11:58 AM
Thank you very much for the suggestions. I really appreciate it.
04-23-2021 12:33 PM
Hello,
Did you fix this issue?
I think you should edit the SSID definition to specify correct AAA methods:
dot11 ssid MacSSID
 authentication open eap eap_methods
 authentication network-eap eap_methods
There, another method was defined in the aaa section: method_ClientAuthentication
Please update the status of your research in this topic.
Thank you.
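Added example (not part of any post in this thread, and not Cisco code): a Python check for the point made in the last reply, that the SSID references an AAA method list the config never defines. It goes slightly further and also checks the `wlccp authentication-server` references; the sample lines are copied from the second config above, and `undefined_method_lists` is a name made up for this example.

```python
import re

# Constructed sample: AAA, SSID and WLCCP lines from the second config in
# this thread, with method-list names spelled exactly as they were pasted.
SAMPLE = """\
aaa new-model
aaa group server radius ClientAuthentication
 server name 192.168.1.100
aaa authentication login method_InfrastructureAuthentica group InfrastructureAuthentication
aaa authentication login method_ClientAuthentication group ClientAuthentication
dot11 ssid MacSSID
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
wlccp authentication-server infrastructure method_InfrastructureAuthentication
wlccp authentication-server client any method_ClientAuthenticatio
"""

# A method list is defined by "aaa authentication login <name> ..."
DEFINE = re.compile(r"^aaa authentication login (\S+)\s")
# Lines in the posted configs that reference a method list by name
REFS = [
    re.compile(r"^authentication open eap (\S+)"),
    re.compile(r"^authentication network-eap (\S+)"),
    re.compile(r"^wlccp authentication-server infrastructure (\S+)"),
    re.compile(r"^wlccp authentication-server client \S+ (\S+)"),
]

def undefined_method_lists(config):
    """Return [(line_no, list_name, line)] for references to undefined lists."""
    defined, refs = set(), []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = DEFINE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for pat in REFS:
            m = pat.match(line)
            if m:
                refs.append((no, m.group(1), line))
                break
    # Filter at the end so a reference may appear before its definition
    return [r for r in refs if r[1] not in defined]

if __name__ == "__main__":
    for no, name, line in undefined_method_lists(SAMPLE):
        print(f"line {no}: method list '{name}' is not defined: {line}")
```

On the sample it reports `eap_methods` on both SSID lines, and also the two `wlccp` references, whose names as pasted differ from the `aaa authentication login` names by a few trailing characters.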