Weird problem setting up APs in Root <> Repeater

steven.vandyk
Level 1

Hello

I am trying to configure repeater mode on an AP, but the authentication is not working.

It seems the authentication is seen as EAP-TLS on the ACS 5.2, but I'm trying to do LEAP.

Relevant config root AP:

!
dot11 ssid Auto3
   authentication open eap eap_methods
   authentication network-eap eap_methods1
   guest-mode
   infrastructure-ssid
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Auto3
!

Relevant config repeater AP:

!
dot11 ssid Auto3
   authentication network-eap eap_methods
   authentication client username otherAP password 7 104D000A0618
   guest-mode
   infrastructure-ssid
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Auto3
 !
 antenna gain 0
 station-role repeater
!

Full configs attached.

Debugs on Root AP attached.

Versions:

Cisco IOS Software, C1260 Software (AP3G1-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1) - Repeater

Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1) - Root

8 Replies

rdvorak
Level 1

Hi,

Looks like a special configuration on top of 1.1.07.

Attached mine, which is working - both the repeater and the client (which is connected to the repeater) are authenticated against my ACS with LEAP.

Could be that there are some lines in the config that are not necessary but I'd need to take a closer look.

AP1242b#sh dot11 ass

802.11 Client Stations on Dot11Radio0:

SSID [Auto3] :

MAC Address    IP address      Device        Name            Parent         State
0013.cebf.d58d 10.10.100.91    unknown       -               self           EAP-Assoc
003a.98b5.d770 10.10.100.101   ap1240-Parent AP1242a         -              EAP-Assoc

AP1242b#

acs_auth01.png

my IPs are....

AP1242a = 10.10.100.101

AP1242b = 10.10.100.102

ACS = 10.10.50.53

Why do you say special config on top of 1.1.0.7? It is 1.1.0.7 without any extras, which is what I was trying to do.

I'm gonna test your solution and find the difference.

Can you post a pic of your "Default Network Access" -> Allowed Protocols tab from ACS. 

I believe your problem is there. 

1. Verify LEAP is checked

2. Also verify that LEAP is the preferred EAP protocol (it appears that if other options are there, ACS has its own agenda on what it wants to use unless told otherwise by you).

I ran into this in another lab where I was trying to do things a little different on ACS and consolidate as much into an Access Service as possible to really understand ACS better.

It would appear the AP doesn't exactly have the last word in negotiation of the protocol to use, as I allude to above.

The above should work... however you could also force the protocol by removing the line:

Auto3
   authentication client username otherAP password 7 104D000A0618

And Replacing it with the following config:

eap profile LEAPONLY
  method leap
dot1x credentials OtherAPcreds
 username OtherAP
 password whateveritis
dot11 ssid Auto3
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
   dot1x credentials OtherAPcreds
   dot1x eap profile LEAPONLY

Looking forward to seeing what you find out!!

You are getting Access-Accept at the end.

*Mar  1 08:36:00.902: RADIUS: Received from id 1645/170 10.1.255.106:1812, Access-Accept, len 201
*Mar  1 08:36:00.902: RADIUS:  authenticator 46 EC DD 23 95 79 8D 2B - 6C 94 F0 6A E2 D1 06 40
*Mar  1 08:36:00.902: RADIUS:  User-Name           [1]   9   "otherAP"
*Mar  1 08:36:00.902: RADIUS:  Class               [25]  23 

It took too long to have it authenticated.

Also too many fragments in the EAP-Messages; also worth checking antenna directions.

Maybe also worth trying to have the root as locally authenticated, for the sake of testing.

regards
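The two observations above (the exchange ends in Access-Accept, but only after many fragmented EAP rounds and a long delay) can be pulled out of a `debug radius` capture mechanically. The following is an added example, not code from the thread or from Cisco: it parses the "Received from" and attribute lines in the format quoted above, counts Access-Challenge rounds, measures the time from the first reply to the final code, and picks up the accepted User-Name. The sample debug lines are constructed for this example (the Access-Accept block is the one quoted in the thread; the preceding Access-Challenge lines are made up in the same format), and the round and time thresholds are assumptions, not Cisco-documented values.

```python
import re
from datetime import datetime

# Reply lines of IOS `debug radius` in the form quoted in the thread, e.g.
# *Mar  1 08:36:00.902: RADIUS: Received from id 1645/170 10.1.255.106:1812, Access-Accept, len 201
RECV_RE = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d{3}): RADIUS: Received from id "
    r"(?P<id>\d+/\d+) (?P<host>[\d.]+):(?P<port>\d+), (?P<code>[A-Za-z-]+), len (?P<len>\d+)$"
)
# Decoded attribute lines that follow a reply, e.g.
# *Mar  1 08:36:00.902: RADIUS:  User-Name           [1]   9   "otherAP"
ATTR_RE = re.compile(
    r"^\*[A-Za-z]{3}\s+\d+\s+[\d:.]+: RADIUS:\s+(?P<attr>[A-Za-z][\w-]*)\s+"
    r"\[(?P<num>\d+)\]\s+(?P<alen>\d+)\s*(?P<val>.*)$"
)

# Constructed sample: six Access-Challenge rounds (made up, same format) followed by the
# Access-Accept lines quoted in the thread.
SAMPLE_DEBUG = """\
*Mar  1 08:35:58.100: RADIUS: Received from id 1645/164 10.1.255.106:1812, Access-Challenge, len 80
*Mar  1 08:35:58.600: RADIUS: Received from id 1645/165 10.1.255.106:1812, Access-Challenge, len 128
*Mar  1 08:35:59.100: RADIUS: Received from id 1645/166 10.1.255.106:1812, Access-Challenge, len 1090
*Mar  1 08:35:59.600: RADIUS: Received from id 1645/167 10.1.255.106:1812, Access-Challenge, len 1090
*Mar  1 08:36:00.100: RADIUS: Received from id 1645/168 10.1.255.106:1812, Access-Challenge, len 1090
*Mar  1 08:36:00.600: RADIUS: Received from id 1645/169 10.1.255.106:1812, Access-Challenge, len 512
*Mar  1 08:36:00.902: RADIUS: Received from id 1645/170 10.1.255.106:1812, Access-Accept, len 201
*Mar  1 08:36:00.902: RADIUS:  authenticator 46 EC DD 23 95 79 8D 2B - 6C 94 F0 6A E2 D1 06 40
*Mar  1 08:36:00.902: RADIUS:  User-Name           [1]   9   "otherAP"
*Mar  1 08:36:00.902: RADIUS:  Class               [25]  23 
""".splitlines()


def parse_ts(ts):
    # IOS timestamps carry no year; a fixed year is assumed only so the value parses.
    return datetime.strptime("2001 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S.%f")


def analyze(lines, max_rounds=5, max_seconds=2.0):
    """Summarise one RADIUS exchange: final code, Access-Challenge rounds, elapsed time, user.

    max_rounds and max_seconds are assumed review thresholds, not protocol limits."""
    replies, attrs = [], {}
    for line in lines:
        line = line.strip()
        m = RECV_RE.match(line)
        if m:
            replies.append((parse_ts(m["ts"]), m["code"], int(m["len"])))
            continue
        m = ATTR_RE.match(line)
        if m and replies:
            # attach the attribute to the most recent reply code
            attrs.setdefault(replies[-1][1], {})[m["attr"]] = m["val"].strip().strip('"')
    if not replies:
        return {"final_code": None, "rounds": 0, "elapsed_s": 0.0, "user": None,
                "findings": ["no RADIUS replies found"]}
    rounds = sum(1 for _, code, _ in replies if code == "Access-Challenge")
    elapsed = round((replies[-1][0] - replies[0][0]).total_seconds(), 3)
    final = replies[-1][1]
    findings = []
    if final != "Access-Accept":
        findings.append(f"exchange ended with {final}")
    if rounds > max_rounds:
        findings.append(f"{rounds} Access-Challenge rounds: more than a short LEAP exchange needs, "
                        "so check which EAP method the server actually negotiated")
    if elapsed > max_seconds:
        findings.append(f"{elapsed}s from first reply to {final}: slow for an AP-to-AP link, "
                        "check the RF path and antenna orientation")
    return {"final_code": final, "rounds": rounds, "elapsed_s": elapsed,
            "user": attrs.get("Access-Accept", {}).get("User-Name"), "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run against a real capture by feeding the output of `debug radius` line by line; the Access-Request side is not needed because the reply timestamps alone give the round count and the duration.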

Jerome Henry
Cisco Employee

Hey Steven,

You say that you see TLS in ACS, and yet the authentication is supposed to occur on the AP... strange, isn't it? In your config, I see that your root AP has 2 RADIUS methods defined for the same SSID: one, rad_eap, points to local auth, one, rad_eap1, points to the ACS. If your client picks the ACS first, then your authentication jumps there, and it all depends on your ACS config...

I would redo the config clean if I were you, removing the ACS things (and maybe also WDS first, then re-add it once you are happy your repeater part works)...

Just a thought...
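Jerome's point, that the root SSID carries two different EAP method lists and so the authentication path depends on how the repeater associates, is the kind of thing a quick config lint can surface before anyone reads debugs. The block below is an added example, not code from the thread or from Cisco. It parses the root and repeater stanzas posted at the top of the thread (IOS indentation restored, since the forum flattened it) and reports review points for the pair: mismatched open-EAP and network-EAP method lists on the root SSID, a repeater SSID without `infrastructure-ssid` or client credentials, cipher mismatch between the two radios, and an SSID that the root does not serve. The finding codes, the check set and the `lint_pair` function are my own naming, not an existing tool.

```python
import re

# Root and repeater stanzas as posted in the thread, with IOS indentation restored
# (sub-commands had been flattened to column 0). Constructed input for this example.
ROOT_CFG = """\
dot11 ssid Auto3
   authentication open eap eap_methods
   authentication network-eap eap_methods1
   guest-mode
   infrastructure-ssid
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 ssid Auto3
!
"""

REPEATER_CFG = """\
dot11 ssid Auto3
   authentication network-eap eap_methods
   authentication client username otherAP password 7 104D000A0618
   guest-mode
   infrastructure-ssid
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 ssid Auto3
 antenna gain 0
 station-role repeater
!
"""


def parse_stanzas(cfg):
    """Group an IOS config into {header: [sub-commands]}; column-0 lines start a stanza, '!' ends one."""
    stanzas, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw[0] != " ":
            current = raw.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def first_match(lines, pattern):
    """First capture group of the first sub-command matching pattern, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def radio_facts(stanzas):
    """The parts of the Dot11Radio0 stanza that matter for a root/repeater pair."""
    radio = stanzas.get("interface Dot11Radio0", [])
    return {"ssid": first_match(radio, r"ssid (\S+)"),
            "ciphers": first_match(radio, r"encryption mode ciphers (.+)"),
            "repeater": "station-role repeater" in radio}


def lint_pair(root_cfg, repeater_cfg):
    """Return (code, detail...) tuples for points worth reviewing on a root/repeater pair."""
    root, rep = parse_stanzas(root_cfg), parse_stanzas(repeater_cfg)
    rfacts, pfacts = radio_facts(root), radio_facts(rep)
    findings = []
    if not pfacts["repeater"]:
        findings.append(("NOT_A_REPEATER",))
    ssid = pfacts["ssid"]
    if ssid is None or f"dot11 ssid {ssid}" not in rep:
        findings.append(("REPEATER_SSID_UNDEFINED", ssid))
        return findings
    if rfacts["ssid"] != ssid or f"dot11 ssid {ssid}" not in root:
        findings.append(("ROOT_SSID_MISMATCH", rfacts["ssid"], ssid))
    if rfacts["ciphers"] != pfacts["ciphers"]:
        findings.append(("CIPHER_MISMATCH", rfacts["ciphers"], pfacts["ciphers"]))
    rep_ssid = rep[f"dot11 ssid {ssid}"]
    if "infrastructure-ssid" not in rep_ssid:
        findings.append(("NO_INFRASTRUCTURE_SSID", ssid))
    # the repeater needs an identity to present: inline client credentials or a dot1x credentials profile
    if not any(re.match(r"(authentication client username|dot1x credentials) ", l) for l in rep_ssid):
        findings.append(("NO_CLIENT_CREDENTIALS", ssid))
    root_ssid = root.get(f"dot11 ssid {ssid}", [])
    open_list = first_match(root_ssid, r"authentication open eap (\S+)")
    neteap_list = first_match(root_ssid, r"authentication network-eap (\S+)")
    if open_list and neteap_list and open_list != neteap_list:
        # two method lists on one SSID: which AAA server answers depends on the association type
        findings.append(("MIXED_EAP_LISTS", ssid, open_list, neteap_list))
    if first_match(rep_ssid, r"authentication (network-eap) ") and not neteap_list:
        findings.append(("ROOT_NO_NETWORK_EAP", ssid))
    return findings


if __name__ == "__main__":
    for finding in lint_pair(ROOT_CFG, REPEATER_CFG):
        print(finding)
```

On the thread's own configs the only finding is `MIXED_EAP_LISTS` for Auto3 (`eap_methods` versus `eap_methods1`), which is exactly the split Jerome describes; the other checks fire only on altered input.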

Jerome Henry is in the HOUSE. The man, the myth, the legend!

Is that a Cisco tag next to your name? No more Fastlane?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

lol! Oh no! I thought I was posting anonymously!  Hope no bounty hunter reads this forum!

For now... let's say I am a red badge! Honored to be read by you, George!

steven.vandyk
Level 1

The problem seems only to occur when WDS is active. Something about LEAP and WDS that is not working on my configuration.

UPDATE: Found the problem. The WDS Server Groups Client Authentication Profile needs to allow EAP authentication also, not only LEAP authentication.
