08-07-2006 10:39 AM - edited 07-04-2021 12:48 PM
Hi,
I posted a question a week or so ago about setting up an 877W with wireless and VPN back to headend site. The requirement is for the remote site (5 + users) to VPN to main site but have wireless locally with authentication via PEAP into headend site where ACS into AD is configured. I have installed the router, but at the minute only with VPN access. I was not able to get the wireless working! I'm having issues with the BVI/Radio/VLAN interfaces. The remote site is to only have one subnet with some wireless and some not. My subnet is 172.16.0.96/28. Do I only need one IP address on the router, as I can't assign the VLAN and BVI interface in the same subnet? Should my default gateway be the BVI interface? I have also configured WEP 128 (customer asked for) but Windows displays this as an 'Open Network' and only one laptop can see it? And this can't connect. I tried to forget the PEAP and just get wireless working locally for some security but with no luck.
I have posted the config, can somebody help me and tell me what I have done wrong?
Any help is appreciated!!
Andy
08-11-2006 06:20 AM
Two subnets, one for each interface. If only one laptop can see it, try changing the channel numbers. PEAP is supported only in Win XP. Laptops not running Win XP can't connect.
02-09-2007 05:43 AM
I'm struggling with exactly the same problem. Got a few access points on our LAN using PEAP fine but can't seem to get it working on an 877W. Can get the VPN connection back to our concentrator working. Has anyone got any ideas?
Thanks,
Phil
02-09-2007 05:57 PM
Hi Andy,
The common configuration for this type of scenario is to bridge the VLAN1 and Dot11radio interfaces together in order to place both wired and wireless clients on the same VLAN/network.
If the customer's requirement is to allow both static WEP128 and PEAP clients to co-exist on a single SSID, then that's not going to work. PEAP uses dynamic encryption keys, so when EAP is configured on the SSID, the encryption keys are dynamic. You'd have to create a separate SSID on a separate VLAN to support static WEP in addition to PEAP on the same router.
Try reconfiguring (based upon your attached configs) as follows to support PEAP on VLAN 1 (use CONSOLE port, not telnet when configuring):
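!
conf t
! enable integrated routing and bridging
bridge irb
!
! Dot11Radio0: remove the static WEP key, encrypt per VLAN instead
int do 0
no encryption key 1
no encryption mode wep mandatory
encryption vlan 1 mode wep mandatory
no bridge-group 1
!
! radio subinterface joins bridge group 1
int do 0.1
bridge-group 1
!
! wired VLAN 1 joins the same bridge group and gives up its IP address
int vlan 1
no ip address
bridge-group 1
!
! the BVI carries the single IP address for the bridged network
int bvi 1
ip address 172.16.0.97 255.255.255.240
!
ip radius source-interface bvi 1
!
bridge 1 route ip
bridge 1 protocol ieee
end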
*******************
The 'radius source-interface bvi 1' forces the router to use 172.0.16.97 as the source of all RADIUS packets; therefore, you want to make sure the ACS Server has this router configured as an AAA Client with ip address 172.0.16.97.
Try this out, if it works, then do a 'wr mem' on the router to save the config to nvram.
Best Regards,
Ben
02-13-2007 03:54 AM
Hi,
That's a great help, but I'm still having problems getting PEAP working. I have checked our firewall and the ACS server and am not getting any failed attempts but I am getting failed attempts when I remove the AAA account so I know it's hitting the ACS server. According to the debugging on the router it looks to be a problem with the shared key, but I have checked and double-checked that. I have attached both the router config and the debugging. Can anyone shed any light? Thanks in advance,
Phil
02-13-2007 04:22 AM
Hi Phil,
Are you using NDGs on your AAA server? Is your pre-shared key that of the NDG?
Andy
02-13-2007 05:09 AM
Yes, it sits in the NDG, authenticating using RADIUS (Cisco Aironet).
Thanks,
Phil
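Added illustration for the shared-key discussion in the last few posts (not part of any poster's message and not Cisco code): a minimal model of the RFC 2865 Response Authenticator check the router performs on each RADIUS reply, showing why a reply signed with a different key, or a request arriving from an address the server has no AAA client entry for, never authenticates. The key values, the group name `remote-sites`, and the rule that a group-level key replaces the per-device key are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_CHALLENGE = 11  # RADIUS code sent during an EAP/PEAP exchange (RFC 2865)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def effective_secret(src_ip, clients, group_keys):
    """Server side: pick the secret from the packet's source IP.
    Assumption of this example: a key set on the device group wins."""
    entry = clients.get(src_ip)
    if entry is None:
        return None  # unknown AAA client: the server does not answer
    return group_keys.get(entry["group"]) or entry["key"]

def server_reply(src_ip, ident, request_auth, attrs, clients, group_keys):
    secret = effective_secret(src_ip, clients, group_keys)
    if secret is None:
        return None
    auth = response_authenticator(ACCESS_CHALLENGE, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs)) + auth + attrs

def nas_accepts(reply, request_auth, secret):
    """Router side: recompute with the locally configured key and compare."""
    if reply is None or len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def run_case(src_ip, router_key, group_keys):
    # Constructed sample data: one AAA client entry keyed by the BVI address.
    clients = {"172.16.0.97": {"key": b"per-device-key", "group": "remote-sites"}}
    request_auth = os.urandom(16)
    attrs = bytes([18, 7]) + b"hello"  # Reply-Message attribute (type 18)
    reply = server_reply(src_ip, 1, request_auth, attrs, clients, group_keys)
    return nas_accepts(reply, request_auth, router_key)

if __name__ == "__main__":
    print(run_case("172.16.0.97", b"per-device-key", {}))                      # keys agree
    print(run_case("172.16.0.97", b"per-device-key", {"remote-sites": b"g"}))  # group key differs
    print(run_case("172.16.0.98", b"per-device-key", {}))                      # wrong source IP
```
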