EAP-FAST with local radius on 1242AG

I'm trying to get EAP-FAST working using the local RADIUS server on a 1242AG autonomous AP with the latest firmware from Cisco. The cipher I'm using is CCMP. LEAP works fine with all my clients; however, if I move to EAP-FAST in the RADIUS config, my clients fail to authenticate.
I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make it clear what to do.
Any help or a basic example would be great.
Thanks,
Simon

I think this is what you're looking for:
Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
HTH
Regards,
Jatin
Do rate helpful posts~

Similar Messages

  • EAP-FAST on Local Radius Server : Can't Get It Working

    Hi all
    I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as the local RADIUS server and have followed various config guides on CCO. LEAP works fine, but I just can't get EAP-FAST to work.
    I'm testing with a Win7 client using the AnyConnect Secure Mobility Client, and also a MacBook Pro, but without luck.
    The router sees an unknown auth type, and when I run some debugs it talks of unknown EAP type 3.
    sh radius local-server s
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Unknown NAS            : 0           Invalid packet from NAS: 17      
    NAS : 172.27.44.1
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Corrupted packet       : 0           Unknown RADIUS message : 0        
    No username attribute  : 0           Missing auth attribute : 0        
    Shared key mismatch    : 0           Invalid state attribute: 0        
    Unknown EAP message    : 0           Unknown EAP auth type  : 17       
    Auto provision success : 0           Auto provision failure : 0        
    PAC refresh            : 0           Invalid PAC received   : 0       
    Can anyone suggest what I might be doing wrong?
    Regs, Tim

    Thanks Nicolas, relevant snippets from config:
    aaa new-model
    aaa group server radius rad_eap
     server 172.27.44.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid home
     vlan 3
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
    ip dhcp pool home
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 194.74.65.68 194.74.65.69
    ip inspect name ethernetin tcp
    ip inspect name ethernetin udp
    ip inspect name ethernetin pop3
    ip inspect name ethernetin ssh
    ip inspect name ethernetin dns
    ip inspect name ethernetin ftp
    ip inspect name ethernetin tftp
    ip inspect name ethernetin smtp
    ip inspect name ethernetin icmp
    ip inspect name ethernetin telnet
    interface Dot11Radio0
     no ip address
     encryption vlan 1 mode ciphers aes-ccm tkip
     encryption vlan 2 mode ciphers aes-ccm tkip
     encryption vlan 3 mode ciphers aes-ccm tkip
     broadcast-key vlan 1 change 30
     broadcast-key vlan 2 change 30
     broadcast-key vlan 3 change 30
     ssid home
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Dot11Radio0.3
     encapsulation dot1Q 3
     no cdp enable
     bridge-group 3
     bridge-group 3 subscriber-loop-control
     bridge-group 3 spanning-disabled
     bridge-group 3 block-unknown-source
     no bridge-group 3 source-learning
     no bridge-group 3 unicast-flooding
    interface Vlan3
     no ip address
     bridge-group 3
    interface BVI3
     ip address 192.168.1.1 255.255.255.0
     ip inspect ethernetin in
     ip nat inside
     ip virtual-reassembly
    radius-server local
     no authentication mac
     nas 172.27.44.1 key 0 123456
     user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
     user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
     user test3 nthash 0 0CB6948805F797BF2A82807973B89537
    radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
    radius-server vsa send accounting

  • Autonomous AP, 12.3.8JE3. EAP-FAST on local radius failure

    Hi all,
    I've been trying to configure EAP-FAST on an autonomous AP 1242 with the above firmware using local RADIUS. Here is the config:
    aaa new-model
    aaa group server radius rad_eap
     server x.x.x.x auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    dot11 ssid EAPFAST
     vlan 10
     authentication open eap eap_methods
     authentication key-management wpa
    interface Dot11Radio0
     encryption vlan 10 mode ciphers aes-ccm
     ssid EAPFAST
     no shutdown
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     bridge-group 10
    interface FastEthernet0.10
     encapsulation dot1Q 10
     bridge-group 10
    interface FastEthernet0.100
     encapsulation dot1Q 100 native
     bridge-group 1
    interface BVI1
     ip address x.x.x.x 255.255.255.0
    radius-server local
     eapfast authority info XYZ
     eapfast server-key primary auto
     nas x.x.x.x key ####
     group FAST
      eapfast pac expiry 2 grace 2
     user eapfast password eapfast group FAST
    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key ####
    For all my tests, I can get the 7921 phone to work, but using CSSC or even the Win7 supplicant, I can never get the authentication to go through. I think the EAP authentication is stuck at PAC provisioning. If I manually provision the PAC using TFTP, it works. Any clue?
    Alvin

    Hi,
    I was thinking it might be a firmware issue, because during some debugs of PAC provisioning there are errors reporting missing cipher suites. I shall try with new firmware.
    Alvin

  • AppV 5 slow to refresh with roaming profile (no redirects) but fast with local profile

    Hi,
    I have an issue I can't figure out. I have an App-V 5 SP3 full infrastructure, with an SMB share and local caching of packages enabled. Everything works at a functional level. However, I have an issue where users with a roaming profile get a very slow App-V refresh during login.
    I created a few test accounts, a few with local profiles and a few with roaming profiles. For these test users there are NO folder redirects. The only difference between them is local profile or roaming profile.
    When I log in with a local-profile user initially, the App-V client rather slowly refreshes the applications and shortcuts. It generates quite some CPU load on the RDS host, but as soon as the shortcuts are placed everything is fine. When I log that user off and log in again, the shortcuts are there immediately and I can immediately start the applications (Office 2010, for example). Blazing fast. Also, when logging in, the refresh UI is there for about half a second; it really flashes and it's done.
    Then with a test user with a roaming profile, the initial refresh is about the same. But when I log off that user and log in again, it's all very slow. The shortcuts are there but blank initially; it takes about 5-10 seconds to get the correct icon. It takes much longer before the refresh actually starts (sometimes up to 30 seconds after login), and it takes 5-10 seconds to do the refresh, with 100% CPU load on the thread AppVClient.exe is running on. Also, right after logging in, when the shortcuts are blank they don't work until they get the proper icon. When everything is refreshed it all works fine, though. It's just painfully slow at start.
    I don't understand this. I can reproduce this every single time. Without folder redirects I don't see the difference between a roaming and a local profile from the App-V perspective, as the roaming profile is of course copied to the server, and in that sense the server just works with a local copy anyway.
    Anyone encountered this, and how to troubleshoot, or better fix this?

    So is the fact that there is a 5-10 second delay during refresh actually an issue? What I mean by that is: are any users comparing the local-profile and roaming-profile experience, or complaining that the delay is there?
    Roaming profiles and Folder redirection are of course very simple to configure; however for the best user experience I recommend managing profiles with a real profile management solution.
    If you have MDOP, then you'll also have access to UE-V. You've mentioned your environment is RDS, which sadly doesn't get UE-V, even though you have App-V.
    Here are some resources on UE-V + App-V and what's required when managing App-V with roaming users:
    How To Use Microsoft User Experience Virtualization With App-V Applications
    Application Publishing and Client Interaction: Roaming registry and data
    Here's also some resources on App-V performance worth looking at:
    Performance Guidance for Application Virtualization 5.0
    App-V Performance Best Practices: New Project VRC White Paper
    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V

  • Limitations/Issues to use LEAP/EAP-Fast with Airespace

    Hello
    Are there any important limitations or issues with using the authentication methods LEAP or EAP-FAST with a Cisco a/b/g card?
    Any input is welcome
    Oliver

    I would suggest that you use LEAP for the client adapters. It is easy to implement and is also secure.

  • 1100 with Local Radius Server problems Atheros Client

    I have local authentication turned on for the 1100 and am using the Atheros Client Utility, configuring LEAP with username/password, and it is failing. Here is the debug from the 1100. Any help much appreciated.
    Xcon-ap1100#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Xcon-ap1100(config)#radius
    Xcon-ap1100(config)#radius-server local
    Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
    Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
    Xcon-ap1100(config-radsrv)#end
    Xcon-ap1100#debug radius
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol debugging is on
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off
    Xcon-ap1100#term mon
    Xcon-ap1100#
    *Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
    *Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
    *Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
    *Apr 3 16:26:26.962: RADIUS: 32 [2]
    *Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
    *Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
    *Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
    *Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
    *Apr 3 16:26:26.963: RADIUS(000000FC): sending
    *Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
    *Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
    *Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
    *Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
    *Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
    *Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
    *Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
    *Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
    *Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
    *Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
    *Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
    *Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
    *Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
    *Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
    *Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
    *Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
    *Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
    *Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
    *Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
    *Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
    *Apr 3 16:26:50.071: RADIUS: 32 [2]
    *Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
    *Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
    *Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
    *Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
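The debug above shows the AP (Config NAS IP 10.201.1.5) sending its Access-Request to 10.201.1.5:1645, retransmitting three times and then giving up with "No response", after which the station fails. The IOS local authenticator listens on UDP 1812/1813, which is why Cisco's local-authenticator configuration guide has you set `auth-port 1812 acct-port 1813` on the `radius-server host` line that points at the AP itself; a `radius-server host` line without explicit ports defaults to 1645/1646, and a request sent there is never answered. The following is an added example, not code from the thread, that pairs each Access-Request in a `debug radius` capture with its retransmits and outcome and flags exactly that self-addressed port mismatch. The first six sample lines are quoted from the post; the last two are constructed to show an answered request, using the `Received from id ... Access-Challenge` form IOS prints for one.

```python
"""Triage an IOS 'debug radius' capture: pair each Access-Request with its
retransmits and final outcome, and flag a request the AP sends to itself on
a port the local authenticator does not listen on.

Added example, not code from the thread. Line formats are the ones visible
in the post; 'Received from id ...' is the IOS line for an answered request.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_AUTH_PORTS = (1812, 1813)   # UDP ports the IOS local authenticator uses

_NAS_IP = re.compile(r"Config NAS IP: (\S+)")
_SEND = re.compile(r"Send Access-Request to (\S+?):(\d+) id (\S+), len (\d+)")
_RETX = re.compile(r"Retransmit to \((\S+?):(\d+),(\d+)\) for id (\S+)")
_NORESP = re.compile(r"No response from \((\S+?):(\d+),(\d+)\) for id (\S+)")
_RECV = re.compile(r"Received from id (\S+) (\S+?):(\d+), Access-(Accept|Reject|Challenge)")


@dataclass
class Exchange:
    req_id: str
    server: str
    auth_port: int
    retransmits: int = 0
    outcome: Optional[str] = None   # Accept / Reject / Challenge / no-response


def parse_exchanges(lines: List[str]) -> Dict[str, Exchange]:
    """Index every Access-Request by its 'id a/b' and attach what happened to it."""
    ex: Dict[str, Exchange] = {}
    for line in lines:
        m = _SEND.search(line)
        if m:
            ex[m.group(3)] = Exchange(m.group(3), m.group(1), int(m.group(2)))
            continue
        m = _RETX.search(line)
        if m and m.group(4) in ex:
            ex[m.group(4)].retransmits += 1
            continue
        m = _NORESP.search(line)
        if m and m.group(4) in ex:
            ex[m.group(4)].outcome = "no-response"
            continue
        m = _RECV.search(line)
        if m and m.group(1) in ex:
            ex[m.group(1)].outcome = m.group(4)
    return ex


def nas_ip(lines: List[str]) -> Optional[str]:
    """The AP's own RADIUS source address, as printed in 'Config NAS IP'."""
    for line in lines:
        m = _NAS_IP.search(line)
        if m:
            return m.group(1)
    return None


def findings(lines: List[str]) -> List[str]:
    out: List[str] = []
    own_ip = nas_ip(lines)
    for e in parse_exchanges(lines).values():
        if e.outcome == "no-response":
            out.append(f"id {e.req_id}: {e.server}:{e.auth_port} never answered "
                       f"({e.retransmits} retransmits)")
        if e.server == own_ip and e.auth_port not in LOCAL_AUTH_PORTS:
            out.append(f"id {e.req_id}: AP is its own RADIUS server but sends to port "
                       f"{e.auth_port}; the local authenticator listens on {LOCAL_AUTH_PORTS[0]} "
                       f"(use 'radius-server host {own_ip} auth-port 1812 acct-port 1813')")
    return out


# First six lines quoted from the post; the last two are constructed.
SAMPLE_DEBUG = [
    "*Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5",
    "*Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130",
    "*Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158",
    "*Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158",
    "*Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158",
    "*Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158",
    "*Apr 3 16:30:01.000: RADIUS(000000FE): Send Access-Request to 10.201.1.5:1812 id 21645/159, len 130",
    "*Apr 3 16:30:01.010: RADIUS: Received from id 21645/159 10.201.1.5:1812, Access-Challenge, len 80",
]

if __name__ == "__main__":
    for f in findings(SAMPLE_DEBUG):
        print(f)
```

Run it over a `term mon` capture saved to a file by splitting the text into lines; a request that gets an Access-Challenge back is the EAP conversation actually starting, which is what the constructed second exchange shows.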

    I have a very similar situation here. It took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time but rather the "Valid from" time that is messed up.
    This is what happens: the rollover certificate gets created and replaces the original one (which remains in memory, not flash). But the new one is valid from the expiry of the old one, in my case TOMORROW, and after a power outage the day before yesterday (the most definitive way to get a reboot!) I only have the new, NOT YET VALID certificate.
    OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate, even if it means it runs for a few days longer than the designated lifetime.
    So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time zero (01:00:00 CEST Jan 1 1970), which I take to mean "not valid yet".)
    I only have a few days of trouble, and just one to go after finally working it out, but it could have been up to 30 days if I had rebooted for any reason after the rollover certificate got created.
    Cheers
    Bernhard

  • Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

    Hello,
    I cannot authenticate an IP phone when I use the internal WLC RADIUS with an "eap-fast" profile.
    The error message I received in a debug is:
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
    But of course there is a user configured on my IP phone!
    Note 1: I use a WLC with version AIR-4400-K9-5-1-163-0 (AES).
    Note 2: When I use LEAP it is OK.
    Note 3: When I try to authenticate my PC with EAP-FAST against the internal WLC RADIUS, it is OK.
    See the attachment for more detail.
    Many thanks in advance.
    Michel Misonne

    ABSOLUTELY DO NOT DO THIS!
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    This can cause you issues for up to 40 minutes (20 attempts, 2 minutes apart).
    Please take a look at
    https://supportforums.cisco.com/docs/DOC-12110
    config advanced eap identity-request-timeout 5
    config advanced eap identity-request-retries 12
    config advanced eap request-timeout 5
    config advanced eap request-retries 12
    would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
    HTH,
    Steve

  • How to set local radius with AP 1240AG series

    Hi,
    I have been trying to set up an AP with AIR-AP1242AG-A-K9 as a local authenticator RADIUS, but with no success. I have followed the steps from a lot of posts but no go, even with the most simple and understandable post like this one:
    https://supportforums.cisco.com/document/101121/configuring-autonomous-ap-local-radius-authentication
    The guy at the end of the post says:
    Configuring AP
    1. Go to Security>Encryption Manager
    2. Specify Encryption (can be WEP or WPA)
    3. Specify that WEP is Mandatory
    4. Specify the key accordingly
    5. Click Apply
    6. Go to Security>SSID Manage
    7. Select the desired SSID
    But when I go via the GUI, first of all:
    I don't understand why it says it can be WEP or WPA, because if I select WEP and follow the rest of the steps, I get an error message: WPA mandatory is supported only with Cipher TKIP or AES CCMP or AES CCMP+TKIP <see encryption manager page>.
    Besides, WEP, as far as I know, only works with a password, and I want the PC clients to authenticate against the AP itself as a local RADIUS server, so it should ask for a username and password defined in the AP.
    Second of all, the guy's steps say in item 4, "specify the key accordingly". What does this mean? I only see key fields in hex.
    Third of all, if I follow the error above, it allows me to set WPA with key management Mandatory, but only by selecting from the Cipher drop-down menu, so which item should I pick? There are a lot, like AES CCMP, AES CCMP+TKIP, etc.
    But whenever another PC tries to log in, it asks for the username and password, but it never gets past that, just saying there is an error on the network.
    I include the debug for the local RADIUS below.
    I also included the config of the AP.
    All I want is for the AP to ask for a username and password, log in successfully, and that's it.
    Does anybody have a functioning config to share with me? I would appreciate it, because I have been trying to set it up for more than 12 hours in a row, but no go.

    Here is one of my posts related to this topic; see if that helps:
    http://mrncciew.com/2013/03/03/autonomous-ap-as-local-radius-server/
    If supported, use WPA2 with AES, as that is most secure. Do not use WEP. If WPA2/AES is not supported, then try to use WPA with TKIP.
    Here is another useful configuration example on the same topic:
    https://rscciew.wordpress.com/2014/07/24/autonomous-ap-with-local-radius-server-eap-fast/
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • EAP-FAST, local Authentication and PAC provisioning

    Hi everybody,
    I have a little understanding problem with the deployment of EAP-FAST.
    So here's the deal:
    I want to deploy EAP-FAST with autonomous APs with an ACS as authentication server. So far so good.
    When the ACS is not reachable, the autonomous AP should act as local authenticator for the clients as a backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between the ACS and the AP local authenticator.
    Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local authenticator AP will create new PACs for the clients, right?
    But I have doubts regarding automatic provisioning of PACs. From my understanding, Phase 0 is just performed in MS-CHAPv2, which is dictionary-attackable. Furthermore, a MITM attack could be possible during Phase 0.
    Would server-side certificates resolve my concerns here?
    I would prefer PEAP, but the autonomous APs don't support this EAP type as a local authenticator method, right?
    Btw, is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page, but I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
    Thanks in advance!

    From what I understand, an Internet proxy PAC and an EAP-FAST PAC serve two different purposes.
    Is that what you are trying to get clarification on?
    Basically, EAP-FAST PAC provisioning is a PAC that's provisioned when a client authenticates successfully. The client provides this PAC for network authentication, not proxy authentication.

  • Local RADIUS in AP1242 with non-cisco WinXP wireless clients

    I'd like to configure local RADIUS on an AP1242 and connect non-Cisco WinXP wireless clients (for example a notebook with an integrated radio) to it. I did the configuration (config1.txt) as in the instructions: http://cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    But I can't connect a non-Cisco WinXP wireless client to the AP1242 at all. Meanwhile, a Cisco wireless client with the Aironet Desktop Utility connects to it without any problem. I've tried another configuration (config2.txt), but with the same result. Second configuration is rather then first.
    How can I connect non-Cisco WinXP wireless clients to an AP1242 with local RADIUS?

    Hi Stephen,
    Thanks for the quick reply. Below is the switchport config. I am able to ping the AP from the switch and connect to its web page from any workstations.
    interface GigabitEthernet0/5
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 151
     switchport mode trunk
    end

  • EAP-Fast or PEAP ??

    Dear All,
    We are not sure whether we should use EAP-FAST as the authentication method or PEAP or EAP-TTLS. Could you please tell us which one is safer? For PEAP or EAP-TTLS we would need a RADIUS server such as ACS, while we could assign an access point as the local authentication server if we used EAP-FAST. Is the extra cost of an ACS server justified only to be able to use PEAP? Thanks for your help.

    Also, you don't need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that it is there for many other things than wireless: TACACS authentication on your devices, security logs, VPN authentication, and you can connect OTP solutions on top of ACS (from other vendors like RSA). When migrating from LEAP, EAP-FAST is the easiest way to go, since EAP-FAST was designed to take over from LEAP with less impact on your configuration, and migration is easy since you are then running an ACS. The market actually demanded EAP-FAST because there was a need for a solution that was more secure than LEAP and PEAP-MSCHAPv2 (both shared-secret mechanisms) and something less complicated than PKI solutions. The answer was EAP-FAST with its easy-to-set-up "mini certificate" setup, which can be pretty well automated. PKI PEAP with certificates is a major decision, and you have to be ready to manage a PKI solution all year long. This might require extra personnel to take care of it. But of course those solutions will be the most secure.
    regards. Kristjan Edvardsson
    Sensa ehf. Cisco Silver Partner

  • Local radius question?

    Hi,
    I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
    This is my config:
    interface Loopback0
     ip address 192.168.0.1 255.255.255.255
    ip radius source-interface Loopback0
    aaa group server radius LOCAL-RADIUS
     server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login default group LOCAL-RADIUS
    radius-server local
     nas 192.168.0.1 key 0 <removed>
     user mwhittle nthash 0 <removed>
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
    radius-server vsa send accounting
    Now here's the strange thing... If I configure the RADIUS user "mwhittle" with the password "mwhittle", it works and I get an Access-Accept. If I configure anything other than the username as the password, it doesn't work and I get an Access-Reject. I have tried many combinations, but as long as the username and password are the same it works, and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
    Any ideas?
    Kind regards,
    Mike

    Hi,
    What kind of RADIUS client application are you using with the IOS local RADIUS server? Please note that this server supports *only* wireless clients, and only for the LEAP and EAP-FAST EAP types, and also MAC authentication. It does not provide support for other kinds of RADIUS clients.
    The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where the username is always equal to the password.
    If you are not using MAC auth, then please feel free to open a TAC case and we will help you.
    Let me know if this answered your question.
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful.

  • Wireless local radius authentication

    Greetings,
    I have an AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local RADIUS server.
    I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    and tried a couple of other posted configurations, but I am running into the same issue regardless of which method I use.
    show ver
    Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Tue 27-Apr-10 12:52 by alnguyen
    ROM: Bootstrap program is C1100 boot loader
    BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    ORP_ROOFDECK uptime is 21 hours, 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"
    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to export@cisco.com.
    cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/1236K bytes of memory.
    Processor board ID FOC08370K83
    PowerPCElvis CPU at 197Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:01:6B:86:46
    Part Number                          : 73-7886-07
    PCA Assembly Number                  : 800-21481-07
    PCA Revision Number                  : A0
    PCB Serial Number                    : XXX
    Top Assembly Part Number             : 800-22053-04
    Top Assembly Serial Number           : XXX
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1121G-A-K9
    Configuration register is 0xF
    show run
    Current configuration : 4240 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname XXX
    ip subnet-zero
    ip domain name XXX
    ip ssh version 2
    aaa new-model
    aaa group server radius rad_eap
     server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa group server radius rad_acct
     server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid YYY
     authentication open eap eap_methods
     authentication network-eap eap_methods
     guest-mode
    bridge irb
    interface Dot11Radio0
     no ip address
     ip helper-address 172.16.1.1
     no ip route-cache
     encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
     encryption mode wep mandatory
     broadcast-key change 300
     ssid YYY
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     channel 2437
     station-role root
     rts threshold 2312
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface BVI1
     ip address 172.16.1.35 255.255.255.0
     ip helper-address 172.16.1.1
     no ip route-cache
    ip default-gateway 172.16.1.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
     no authentication eapfast
     no authentication mac
     nas 172.16.1.35 key 7 VVV
     group YYY
      ssid YYY
      block count 3 time 30
      reauthentication time 300
     user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E375553010B7A group YYY
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     access-class 10 in
    line vty 5 15
    end
    Debug Output:
    331: AAA/ACCT(00000000): add node, session 4
    *Mar  1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.3
    2cd for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to t
    he client list for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
    *Mar  1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
    *Mar  1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
    equest to 0023.6c85.32cd
    *Mar  1 21:37:37.332: EAPOL pak dump tx
    *Mar  1 21:37:37.332: EAPOL Version: 0x1  type: 0x0  length: 0x0036
    *Mar  1 21:37:37.332: EAP code: 0x1  id: 0x1  length: 0x0036 type: 0x1
    00ECBA00: 01000036 01010036 01006E65 74776F72  ...6...6..networ
    00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E  kid=YYY,n
    00ECBA20: 61736964 3D4F5250 5F524F4F 46444543  asid=YYY
    00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
    *Mar  1 21:37:37.333: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.32cd timer started for 30 seconds
    *Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_send_msg:  sending data to requestor status 0
    *Mar  1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c85.32cd, node_type 64 for application 0x1
    *Mar  1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted for application 0x1
    *Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authentication failed
    *Mar  1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) base 0/0 pre 6861/188 call 6861/188
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) adjusted, pre 6861/188 call 0/0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
    *Mar  1 21:38:07.335: dot11_auth_client_abort: Received abort request for client 0023.6c85.32cd
    *Mar  1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c85.32cd for application 0x1
    *Mar  1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
    *Mar  1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): Send all stops
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
    *Mar  1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
    *Mar  1 21:41:34.645: AAA/BIND(00000005): Bind i/f
    *Mar  1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
    *Mar  1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
    *Mar  1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
    *Mar  1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
    *Mar  1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
    *Mar  1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent Local'
    *Mar  1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
    *Mar  1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful
    Any ideas how I can get simple username/password working on an autonomous AP with local radius server?
    Thank you,
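An added check, not from the thread, that a practitioner could run over the posted config and debug trace: it flags `no authentication eapfast` in the `radius-server local` block (which switches EAP-FAST off on the local server) and summarises the 802.1X events per client MAC, so a CLIENT_WAIT timeout right after the identity request is recognised as the supplicant never answering EAP. The config and debug samples are constructed excerpts modelled on the post above.

```python
"""Added example (not from the thread): lint an autonomous-AP config excerpt for local-RADIUS settings that block EAP-FAST, and summarise a dot11 802.1X debug trace."""
import re

# Constructed excerpts modelled on the posted config and debug trace (keys and hash redacted).
CONFIG = """\
radius-server local
  no authentication eapfast
  nas 172.16.1.35 key 7 VVV
  user zzz nthash 7 0225540F group YYY
radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
"""

DEBUG = """\
*Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0023.6c85.32cd
*Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.32cd timer started for 30 seconds
*Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0023.6c85.32cd
*Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authentication failed
"""

def lint_local_radius(config):
    """Return findings for the indented sub-commands of 'radius-server local'."""
    block, inside = [], False
    for line in config.splitlines():
        if line.strip() == "radius-server local":
            inside = True
        elif inside and line[:1].isspace():
            block.append(line.strip())
        elif inside:
            break                       # next top-level command ends the block
    # 'no authentication <method>' switches that EAP method off on the local server
    disabled = re.findall(r"^no authentication (\S+)", "\n".join(block), re.M)
    findings = []
    if "eapfast" in disabled:
        findings.append("EAP-FAST disabled on local server: configure 'authentication eapfast'")
    return findings

# (event name, regex whose group 1 is the client MAC) for the dot11 auth state machine
EVENTS = [("identity_request", r"Sending identity request to (\S+)"),
          ("timer_started", r"Client (\S+) timer started"),
          ("timeout", r"\(CLIENT_WAIT,TIMEOUT\) for (\S+)"),
          ("auth_failed", r"Station (\S+) Authentication failed")]

def summarise_dot1x(debug):
    """{mac: [events]}; identity_request -> timer_started -> timeout means the supplicant never answered EAP."""
    seen = {}
    for line in debug.splitlines():
        for name, pat in EVENTS:
            m = re.search(pat, line)
            if m:
                seen.setdefault(m.group(1), []).append(name)
    return seen
```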

    You could get a better idea of why the auth is failing with the output of "show radius local-server statistics". You could also run "debug radius local-server client" and "debug radius local-server error".

  • EAP-FAST Security level

    Hi all,
    I use EAP-FAST in my network and I have some questions about it.
    1) Is there any vulnerability detected with EAP-FAST?
    2) Can I restrict the establishment of two or more simultaneous sessions using the same account and the same PAC? How?
    3) Can I use EAP-FAST with MAC address filtering through ACS?
    4) What is the level of security provided by EAP-FAST? Is there a technology more secure than EAP-FAST?
    Thanks for your reply.
    Thanks.

    1)
    Everything should be fine with EAP-FAST, but you should take into consideration some issues when your clients are provisioned with their PACs through in-band PAC provisioning.
    What will happen? See:
    The in-band provisioning mode operates inside a TLS tunnel raised by Anonymous DH, Authenticated DH or the RSA algorithm for key agreement.
    To minimize the risk of exposing the user's credentials, a clear text password should not be used outside of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials within the protected tunnel. The information contained in the PAC is also available for further authentication sessions after the inner EAP method has completed.
    Automatic In-Band PAC Provisioning, which is the same as EAP-FAST phase zero, sends a new PAC to an end-user client over a secured network connection. Automatic In-Band PAC Provisioning requires no intervention of the network user or an ACS administrator, provided that you configure ACS and the end-user client to support Automatic In-Band PAC Provisioning.
    In general, phase zero of EAP-FAST does not authorize network access. In this general case, after the client has successfully performed phase zero PAC provisioning, the client must send a new EAP-FAST request in order to begin a new round of phase one tunnel establishment, followed by phase two authentication.
    However, if you choose the Accept Client on Authenticated Provisioning option, ACS sends a RADIUS Access-Accept (that contains an EAP Success) at the end of a successful phase zero PAC provisioning, and the client is not forced to reauthenticate again. This option can be enabled only when the Allow Authenticated In-Band PAC Provisioning option is also enabled.
    Because transmission of PACs in phase zero is secured by MSCHAPv2 authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we recommend that you limit use of Automatic In-Band PAC Provisioning to initial deployment of EAP-FAST.
    After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
    EAP-FAST has been enhanced to support an authenticated tunnel (by using the server certificate) inside which PAC provisioning occurs. The new cipher suites that are enhancements to EAP-FAST, and specifically the server certificate, are used.
    2) Max user sessions
    3) Yes
    4) PEAP (EAP-TLS)
    Side note:
    EAP-FAST is now supported on Microsoft supplicants, so yeah, it should work with third-party supplicants.
    Please make sure to rate correct answers and rate the thread as answered

  • Vista EAP-FAST Module

    Anyone know where I can get this module?
    http://www.cisco.com/en/US/docs/wireless/wlan_adapter/eap_types/fast/admin/guide/EF_instl.html
    Also, can I use EAP-TLS or EAP-FAST (with certs only, no PACs) and authenticate users via LDAP (AD) without the need of ACS or RADIUS?
    Thanks,
    Todd

    The following link allows you to download the EAP-FAST module for vista:
    http://tools.cisco.com/support/downloads/go/IPCheck.x?isk=Y&defAdv=N&sftAdv=N&filename=WinClient-802.11a-b-g-Vista-Ins-Wizard-v10.exe&advUrl=null&defInd=N&mdfid=278853375&sftType=Aironet+Client+Installation+Wizard+%28Firmware%2C+Driver%2C+Utility%29&optPlat=Windows+Vista&nodecount=2&relVer=1.0&md5=87fec40fd940e4bb6a80e17e4bc4f90b&modifmdfid=278853375&imname=&hybrid=null&imst=null&modelName=Cisco+Aironet+802.11a%2Fb%2Fg+CardBus+Wireless+LAN+Client+Adapter+%28CB21AG%29&treeMdfId=278875243&treeName=Wireless&edesignator=null&lr=Y&nodecount=2
    If the page does not come up the first time using the link above, try opening the same link in a new browser page one more time.
