09-17-2012 04:53 AM - edited 07-03-2021 10:40 PM
Hello
I am trying to configure repeater mode on an AP, but the authentication is not working.
It seems the authentication is seen as EAP-TLS on the ACS 5.2, but I'm trying to do LEAP.
Relevant config root AP:
!
dot11 ssid Auto3
 authentication open eap eap_methods
 authentication network-eap eap_methods1
 guest-mode
 infrastructure-ssid
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Auto3
!
Relevant config repeater AP:
!
dot11 ssid Auto3
 authentication network-eap eap_methods
 authentication client username otherAP password 7 104D000A0618
 guest-mode
 infrastructure-ssid
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Auto3
 !
 antenna gain 0
 station-role repeater
!
Full configs attached.
Debugs on Root AP attached.
Versions:
Cisco IOS Software, C1260 Software (AP3G1-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1) - Repeater
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1) - Root
09-18-2012 05:30 AM
Hi,
looks like a special configuration on top of 1.1.07
Attached mine which is working - both the repeater and the client (which is connected to repeater) are auth against my ACS with LEAP.
Could be that there are some lines in the config that are not necessary but I'd need to take a closer look.
AP1242b#sh dot11 ass
802.11 Client Stations on Dot11Radio0:
SSID [Auto3] :
MAC Address IP address Device Name Parent State
0013.cebf.d58d 10.10.100.91 unknown - self EAP-Assoc
003a.98b5.d770 10.10.100.101 ap1240-Parent AP1242a - EAP-Assoc
AP1242b#
my IPs are....
AP1242a = 10.10.100.101
AP1242b = 10.10.100.102
ACS = 10.10.50.53
09-18-2012 05:47 AM
Why do you say special config on top of 1.1.0.7? It is 1.1.0.7 without any extras I was trying to do.
I'm gonna test your solution and find the difference.
09-18-2012 06:13 AM
Can you post a pic of your "Default Network Access" -> Allowed Protocols tab from ACS?
I believe your problem is there.
1. Verify LEAP is checked
2. Also verify that LEAP is the preferred EAP protocol (it appears if other options are there ACS has its own agenda on what it wants to use unless told otherwise by you)
I ran into this in another lab where I was trying to do things a little different on ACS and consolidate as much into an Access Service as possible to really understand ACS better.
It would appear the AP doesn't exactly have the last word in negotiation of the protocol to use, as I allude to above.
The above should work... however you could also force the protocol by removing the line:
Auto3
authentication client username otherAP password 7 104D000A0618
And replacing it with the following config:
eap profile LEAPONLY
 method leap
dot1x credentials OtherAPcreds
 username OtherAP
 password whateveritis
dot11 ssid Auto3
 authentication network-eap eap_methods
 guest-mode
 infrastructure-ssid
 dot1x credentials OtherAPcreds
 dot1x eap profile LEAPONLY
Looking forward to seeing what you find out!!
09-18-2012 06:28 AM
You are getting an Access-Accept at the end.
*Mar 1 08:36:00.902: RADIUS: Received from id 1645/170 10.1.255.106:1812, Access-Accept, len 201
*Mar 1 08:36:00.902: RADIUS: authenticator 46 EC DD 23 95 79 8D 2B - 6C 94 F0 6A E2 D1 06 40
*Mar 1 08:36:00.902: RADIUS: User-Name [1] 9 "otherAP"
*Mar 1 08:36:00.902: RADIUS: Class [25] 23
It took too long to get it authenticated.
Also too many fragments in the EAP messages; it's also worth checking the antenna directions.
Maybe it's also worth trying to have the root do local authentication for the sake of testing.
Regards
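The two points made above (which EAP method the server is actually proposing, and how long and how fragmented the exchange is) can be checked offline from a `debug radius` capture. This is an added example, not code from the thread; it assumes the IOS line layout quoted in this post (timestamp, `RADIUS:` prefix, an `EAP-Message [79]` attribute header followed by its hex dump) and reads the EAP Type byte of each packet's first fragment. The sample capture is constructed, not real.

```python
import re

# EAP Type codes (IANA registry); 3 is the legacy Nak a supplicant sends to refuse a method
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}
LINE_RE = re.compile(r"^\*\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\.(\d{3}): RADIUS(?:\(\w+\))?:\s+(.*)$")
PKT_RE = re.compile(r"(Send|Received from) .*?(Access-\w+)")      # packet boundary + RADIUS code
HEX_RE = re.compile(r"((?:[0-9A-F]{2} )*[0-9A-F]{2})\s*(\[.*\])?")  # attribute hex dump line
def parse_radius_debug(text):
    out = {"offered": [], "nak": 0, "fragments": 0, "result": None, "seconds": None}
    first = last = None
    first_eap = want_hex = False
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        h, mi, s, ms, rest = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(ms) / 1000.0
        pkt = PKT_RE.match(rest)
        if pkt:  # new RADIUS packet; only its first EAP-Message fragment carries the EAP header
            first = ts if first is None else first
            last, first_eap, want_hex = ts, True, False
            if pkt.group(2) in ("Access-Accept", "Access-Reject"):
                out["result"] = pkt.group(2)
        elif rest.startswith("EAP-Message"):
            out["fragments"] += 1
            want_hex, first_eap = first_eap, False
        elif want_hex and HEX_RE.fullmatch(rest):
            want_hex = False
            b = bytes.fromhex(HEX_RE.fullmatch(rest).group(1).replace(" ", ""))
            # EAP header is Code(1) Id(1) Length(2) Type(1); Type exists only for Request/Response
            if len(b) >= 5 and b[0] in (1, 2):
                name = EAP_TYPES.get(b[4], "type-%d" % b[4])
                if b[0] == 1 and name != "Identity" and name not in out["offered"]:
                    out["offered"].append(name)
                elif b[0] == 2 and name == "Nak":
                    out["nak"] += 1
    if first is not None:
        out["seconds"] = round(last - first, 3)
    return out

# Constructed sample in the style of the debug lines quoted above (not a real capture):
SAMPLE = """\
*Mar  1 08:35:59.400: RADIUS: Received from id 1645/168 10.1.255.106:1812, Access-Challenge, len 80
*Mar  1 08:35:59.400: RADIUS:  EAP-Message         [79]  8
*Mar  1 08:35:59.400: RADIUS:   01 02 00 06 0D 20
*Mar  1 08:35:59.500: RADIUS: Send Access-Request to 10.1.255.106:1812 id 1645/169, len 160
*Mar  1 08:35:59.500: RADIUS:  EAP-Message         [79]  8
*Mar  1 08:35:59.500: RADIUS:   02 02 00 06 03 11
*Mar  1 08:36:00.200: RADIUS: Received from id 1645/169 10.1.255.106:1812, Access-Challenge, len 90
*Mar  1 08:36:00.200: RADIUS:  EAP-Message         [79]  20
*Mar  1 08:36:00.200: RADIUS:   01 03 00 12 11 01 00 08 A1 B2 C3 D4 E5 F6 07 08      [ ........]
*Mar  1 08:36:00.902: RADIUS: Received from id 1645/170 10.1.255.106:1812, Access-Accept, len 201
"""
```

On the sample the server first offers EAP-TLS, the AP Naks it, and LEAP is offered next, which is exactly the "ACS has its own agenda" symptom; a high fragment count on a real capture points at the TLS attempt rather than LEAP.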
09-18-2012 07:56 AM
Hey Steven,
You say that you see TLS in ACS, and yet the authentication is supposed to occur on the AP... strange, isn't it? In your config, I see that your root AP has 2 RADIUS methods defined for the same SSID: one, rad_eap, points to local auth, and one, rad_eap1, points to the ACS. If your client picks the ACS first, then your authentication jumps there, and it all depends on your ACS config...
I would redo the config clean if I were you, removing the ACS things (and maybe also WDS first, then re-add it once you are happy your repeater part works)...
Just a thought...
09-18-2012 08:11 AM
Jerome Henry is in the HOUSE. The man, the myth, the legend!
Is that a Cisco tag next to your name ? No more Fastlane?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-18-2012 08:29 AM
lol! Oh no! I thought I was posting anonymously! Hope no bounty hunter reads this forum!
For now... let's say I am a red badge! Honored to be read by you, George!
10-01-2012 07:44 AM
The problem seems only to occur when WDS is active. Something about LEAP and WDS that is not working on my configuration.
UPDATE: Found the problem. The WDS Server Groups Client Authentication Profile needs to allow EAP authentication also, not only LEAP authentication.