HWIC-AP + PEAP + RADIUS

I've configured a 2811 ISR with an HWIC-AP-G-A for LEAP w/ RADIUS authentication. I am searching for documentation for configuring PEAP but am having a hard time finding what I am looking for.
Could anyone point me in the right direction, and tell me if it is possible to accomplish all on the router? I made a root cert through IIS tools and am not quite sure how to go about uploading it and associating it with AAA/RADIUS. Thanks in advance.

Ok. I was unaware that you could only use LEAP or EAPFAST on a local authenticator.
That being said.. Anyone have suggestions for documentation on EAPFAST? I used the Cisco default configuration which is printed in 2-3 manuals for it on a local authenticator and cannot get it to work. Word for word step by step.. I'm just trying to see what my options are on an ISR with everything built in and don't want to use an external server. Thanks in advance.

Similar Messages

802.1x EAP-PEAP - Radius Question

We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
getting a Cisco ACS to run a simple RADIUS server which is all I need.
Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
and how does it differ from the username you provide after the secure TLS tunnel has been configured.

Hey John,
Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
http://www.youtube.com/watch?v=YIxG4OEfwtY
The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
So yes it sounds right and you should be good.
Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
Thanks John!
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Wpa peap radius problem

Hi,
i try to setup wpa with peap user auth with a 1130 AP and cisco secure acs 4.2 server.
auth keeps failing and I even don't see failes attempts in my acs server. The AP is in the AAA section of the ACS and the have the same shared secret.
The ACS server is working corectly because I use it the authenticate users to log in the the routers
I enabled all possible authentication methods but no luck.
I use the windows xp suplicant and even tried with funk software.
in the dot11 authenticator debug i can't see any radius lines see attached file
can anybody help me out ?

Is this Aironet or LWAPP?
In aironet, there is a way to test authentication via the access points..."test aaa radius " or something like that...sorry I forget since I converted to LWAPP..
Also, make sure the DB (LDAP/AD,etc..) is configured and mapped correctly in ACS but you should see something like "NAS errors" or DB errors in ACS if the access points were somewhat communicating with ACS..
Post the configs if you can...

WLC Radius Credentials Caching

We are using PEAP with ACS/AD as the external Database. The issue or behavior that we are experiencing is that clients require a Cached AD Token for the user authenticate against for the first time. The Client does not get an IP until authenticated and therefore cannot contact the DC.
We have shared laptops an its not feasible to cache all AD profiles(Tokens) to the laptop.
Will the Radius Authentication Server - Credential Caching option help by caching authenticated client sessions to the WLC and allow user to authenticate against multiple laptops? Is the above behavior correct(cached Token required)? Is there another approach to authenticating shared resources with PEAP/Radius(ACS)/AD

I have Radius Authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user that never has logged into a laptop(configure for AD) get as Domain not available if we try the via wireless for that users first login. I fully understad the issue which is the client have not been issued an IP because they have not been authenticated.
More than likely there is not a workaround for this scenerio other than login via wireless with the new AD user credentials. In effect caching the AD profile locally.
What I would like to address is because my users are Transient (nurses and doctors that share laptops) is how to lessen number of time for a wired loggin by caching the AD account in at the WLC. I may be off base to the function of this feature but its not very well documented (from what I have found)

Does WLC 5508 (7.2) support PEAP to MS radius?

Hi,
I'm running version 7.2.111.3 on my WLC 5508 and I try to figure out how I can set PEAP towards my configurerd Radius servers.
On my Local EAP profile I can specify PEAP, but how is it default configurerd when you just specify the radius servers on the "WLANs > Edit Test > security > AAA servers tab ?
The MS radius logs tell me that it is EAP and not PEAP, so the questions is does the WLC support Microsoft: Protected EAP ???
Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ???
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius EAP/Local WLAN 3.
Thanks in advance,
Michel

you're right +5. looks like it sort of gives more granular selection/priority, if we don't want to use any AAA from global when all the configured AAA on WLAN failed then it will be useful.
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html
Step 16
Select the
Network User
check box to enable network user authentication (or accounting), or unselect it to disable this feature. The default value is selected. If you enable this feature, this entry is considered the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users.

Wired PC's with PEAP and RADIUS - how to join to a domain?

I realize this seems like a 'chicken vs. egg' question, but I'm wondering if there is an answer.
 
 We're in the process of implementing RADIUS authentication using PEAP and IAS on our network.
 
 (Server 2003, WinXP Pro, and Cisco hardware)
 
 My test network is working well, however the one glitch that we've come across is joining new PC's to the domain. Because the switch will not authenticate the machine or the user - we can't get access to join the machine to the domain controller.
 
 Is there a simple workaround for this, or do we have to disable AAA on the switch temporarily, every time we want to join/rejoin and machine?
 
 Thanks in advance!
 Rob

If you are running 802.1x on your switches for wired users, then you either need to stage the machines first by having them join the domain and then pushing out the appropriate certificates to the machine. You can always have ports that don't have 802.1x configured to get this working.

ACS Radius + Peap + MSChapV2

I am using a wireless setup
Aironet 1100, ACS 4.0, 3rd party Client adapter
I am able to connect to my wireless network by keying in username&pass created on the ACS user setup. Also by using a self signed certificate from the ACS.
Doubts: In ACS logs - Radius accounting is empty.
Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake"
But i am able to authenticate my users successfully into the wireless network. What went wrong?

Hi
Try enabling the Passed Authentications report and see whats in there. It could be that the failure is perhaps purely transient and rectified by a subsequent attempt.
For example a re-key authentication requires SSL state on the ACS, it could be that the supplicant and ACS have to revert to performing a full authentication.
Im guessing but it is entirely possible to have entries in the failed attempts and still get access.
Darran

WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
thanks !!!

WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
WPA and WPA2 are actually are of 2 types respectively.
WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
The following document might clarify your doubts.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

802.1x, PEAP, WinXP, and 3550 (Radius)

I have everything configured according to Cisco documentation, but I am getting two different errors in ACS's log.
For a user it says: External DB account Restriction
For a machine it says: EAP-TLS or PEAP authentication failed during SSL handshake
Does anyone have any idea what those mean? I can provide the 3550 debug logs as well if that will help.

I didn't understand your answer. I also face similar problem like you, do you have any info on this.
Thanks,
Siddu
When "Authentication using computer" ie. machine authentication is selected in
Windows XP (SP1 or SP2) client, authentication are
failing for EAP type - Protected EAP (PEAP).
The server log is showing " No password found in the
request,” indicating during challenge/response, XP
client is not sending password in its response.
Since authentication will be done during computer boot up, I am not getting how to store the machine
password, I assume machine will use admin password by
default.
I order to send admin password during machine
authentication, do I need to store admin credentials?
If that is the case where and how?
Other than this do I need to do any other setup at XP
client and AAA Server side?
Did any one face similar problem?

Blackberry Z10/Q10 - WPA2 PEAP MSCHAPv2 RADIUS failure

Hello,
we don't get our Z10/Q10 Smartphones to work with our RADIUS infrastructure.
All other phones (Windows Phones, iPhones, Androids, BB 9800,9810,8900) work without problems.
We always get an authentification failure. We don't need/have an certification check.
We also tested all possible options, but it won't work.
This is very disapointing and frustrating.
Regards

Just to let you know, we've found the problem.
It seems that the Z10 (Q10) have a problem with passwords which have special characters...
Maybe our security policies are too strong for the self-named high-security systems from Blackberry.
It's a pitty that it works on all other plattforms (iOS, Android, Windows Phone) but not on the Blackberry Z10,Q10 series.

ACS 5.3 Stripping Radius User Prefix

Hi,
I have configure my ACS 5.3 to strip the prefix of the radius username (Domain\weekwang) it received and I also configured my ACS as the External Radius Server. However, this does not seem to work. The authentication protocol that I am using is PEAP Mschap v2.
I have read inside this forum that due to the fact that the radius username and password is transited inside the TLS tunnel of the PEAP MsChap v2 thus ACS is not able to do the stripping as it is not allow to touch anything inside the TLS tunnel. Please advice if I have get the concept correctly.
Rgds

Hi Steven,
this is unfortunately correct. Using yourself as radius proxy is a great workaround to strip things.
However, by design if you use an external database (LDAP or proxy radius server), the mschapv2 encryption of the password makes it impossible to authenticate the user since the tunnel is ended on the first ACS. It will work with PEAP-GTC but all mschapv2 methods will fail.
Nicolas

Having a problem with PEAP and Cisco 2960 Switch

Hi All,
    I am attempting to use PEAP with a LDAP backend on FreeRadius witht he MS Supplicant. I have it all working, in debug on the Radius server I see it sending all the information, the tunnel, medium etc. but with PEAP the Cisco switch is not changing VLANS. If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2 but peap-mschapv2 does not switch the port to the right vlan. Is there something extra on the switch I need to do to allows PEAP or is there something on the FreeRadius?
    The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates ands the information is sent once(according to the debug on the Radius server) where as with the EAP the connection information is sent several times, that is I will see the Tunnell and medium info sent more then once in the Radius log for just one login.
Any ideas?

Thought I mentioned the client in the first post, I am using the 3 different types of clients with a goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned the EAP-MSChanpV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2. I did not release logs from the Radius server because it seems to be centered with something on the switch changing Vlans but if you want output I can give that..
CSSC Client pops out:
14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828   Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843   Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
*************************Raidus Ouptut for PEAP:**************************
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
**************************Radius ouput for EAP******************************
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that Helps.

I am trying to get NAT working on a Cisco 2801 with HWIC-4ESW.

I have a 2801 that had a failed Fe0/1 port. The Fe0/1 port was used to give sub-interface Fe0/0.200 access to internet. We installed a HWIC-4ESW into the 2801. I have successfully moved the sub-interfaces ( 0/0.1 , 0/0.100 , and 0/0.200 ) from the Fe0/0 to the HWIC-4ESW. I have reconfigured the Fe0/0 to connect to my ISP. However, I cannot get traffic from vlan200 to pass to the internet over Fe0/0. I have a guest wireless network set for vlan 200. Clients get an IP address in the appropriate range (192.168.200.0), but they cannot get to the internet. Below I have included the results of "sh ip int brief" and some of the "sh run". I think that it is something simple, but I canot get it working.
Help would be appreciated.
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 ***.**.244.194 YES manual up up
FastEthernet0/0.200 unassigned YES unset deleted down
Service-Engine0/0 192.168.100.254 YES TFTP up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
FastEthernet0/1/0 unassigned YES unset up up
FastEthernet0/1/1 unassigned YES unset up up
FastEthernet0/1/2 unassigned YES unset administratively down down
FastEthernet0/1/3 unassigned YES unset administratively down down
Serial0/3/0:0 unassigned YES unset down down
Serial0/3/0:1 unassigned YES unset down down
Serial0/3/0:2 unassigned YES unset down down
Serial0/3/0:3 unassigned YES unset down down
Serial0/3/0:4 unassigned YES unset down down
Serial0/3/0:5 unassigned YES unset down down
Serial0/3/0:6 unassigned YES unset down down
Serial0/3/0:7 unassigned YES unset down down
Serial0/3/0:8 unassigned YES unset down down
Serial0/3/0:9 unassigned YES unset down down
Serial0/3/0:10 unassigned YES unset down down
Serial0/3/0:11 unassigned YES unset down down
Serial0/3/0:12 unassigned YES unset down down
Serial0/3/0:13 unassigned YES unset down down
Serial0/3/0:14 unassigned YES unset down down
Serial0/3/0:15 unassigned YES unset down down
Serial0/3/0:23 unassigned YES NVRAM up up
Vlan1 192.168.1.254 YES NVRAM up up
Vlan100 192.168.100.254 YES NVRAM up up
Vlan200 192.168.200.254 YES NVRAM up up
NVI0 ***.12.244.194 YES unset administratively down down
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.99
ip dhcp excluded-address 192.168.100.200 192.168.100.254
ip dhcp excluded-address 192.168.200.1 192.168.200.99
ip dhcp excluded-address 192.168.200.200 192.168.200.254
ip dhcp pool Phones
network 192.168.100.0 255.255.255.0
option 150 ip 192.168.100.254
default-router 192.168.100.254
dns-server 192.168.1.8
ip dhcp pool guestwireless
network 192.168.200.0 255.255.255.0
default-router 192.168.200.254
dns-server 8.8.8.8 8.8.4.4
ip cef
no ip domain lookup
ip domain name pwa.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
controller T1 0/3/0
pri-group timeslots 1-16,24
controller T1 0/3/1
shutdown
gw-accounting aaa
gw-accounting syslog
interface FastEthernet0/0
description Guestwireless route to internet
ip address ***.**.244.194 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface Service-Engine0/0
ip unnumbered Vlan100
service-module ip address 192.168.100.200 255.255.255.0
service-module ip default-gateway 192.168.100.254
no cdp enable
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1/0
description trunk to switch
switchport mode trunk
duplex full
speed 100
interface FastEthernet0/1/1
description voice
switchport access vlan 100
interface FastEthernet0/1/2
shutdown
interface FastEthernet0/1/3
shutdown
interface Serial0/3/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn supp-service name calling
no cdp enable
interface Vlan1
description Data
ip address 192.168.1.254 255.255.255.0
interface Vlan100
description voice vlan
ip address 192.168.100.254 255.255.255.0
h323-gateway voip bind srcaddr 192.168.100.254
interface Vlan200
description Guestwireless Data
ip address 192.168.200.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
ip nat inside source list 10 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.100.200 255.255.255.255 Service-Engine0/0
ip route 192.168.200.0 255.255.255.0 FastEthernet0/0
ip radius source-interface Vlan100
access-list 10 permit 192.168.200.0 0.0.0.255

So, I just built this in the lab, and it seemed to work ok. I attached a sparse config, but it does let my host on the GuestWireless get the internet via NAT.
R2#sh ip nat translations vrf GuestWireless
Pro Inside global Inside local Outside local Outside global
icmp 17.12.244.194:5 192.168.200.1:5 1.1.1.1:5 1.1.1.1:5
R2#sh ip route vrf GuestWireless
Routing Table: GuestWireless
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 17.12.244.195 to network 0.0.0.0
17.0.0.0/28 is subnetted, 1 subnets
C 17.12.244.192 is directly connected, FastEthernet0/0
C 192.168.200.0/24 is directly connected, Vlan200
S* 0.0.0.0/0 [1/0] via 17.12.244.195

After ISE 1.2 upgrade I get "5413 RADIUS Accounting-Request dropped."

Hello,
I have a two admin node setup for ISE. I just upgraded one of my two ISE Admin nodes to Version 1.2. I still have one of my admin nodes at 1.1.4. When I disable my Version 1.1.4 node and allow wireless authentications to be handled by the Version 1.2 node I get the message..."5413 RADIUS Accounting-Request dropped". None of my wireless edge devices will be allowed on the network during this time. When I re-enable my 1.1.4 node my wireless devices are then allowed on the network.
I am currently using ISE to authenticate wireless connectivity.
I also get the failure reason... "11038 RADIUS Accounting-Request header contains invalid Authentication field".
Any ideas?
Bob

The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret radius key matches on both the wlc and ISE servers. I would try clearing the WLC connection for the test user when switching. Just turning off wireless and back on doesn't do it. Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients. What type of certificate is presented, public or private?

WPA PEAP No working under 10.4.8 and Macbook Pro C2D

After the Core 2 Duo upgrade I finally decided to buy a Macbook Pro to use at work.
Everything working fine so far (Love the MBP) except that at work we are using a Radius Server to authenticate with PEAP under WPA for wireless.
I created the 802.1x connection and after giving it the Network name and UID and pwd (SID is not broad casted) it sees the network and connects OK (after accepting the certificate) but I do not get an IP from the DHCP.
I looked at the forum discussions and apparently this has been an issue before o certain Intel machines but was fixed on 10.4.6 or so, well apparently is brocken again.
Called Apple Support but they did not know how to resolve.
Anyone else having the problem?

If anyone is interested the problem of instability resurfaced despite doing an archive and instal to reinstal 10.4.8 and then go through the upgrade process from there to instal the updates to bring it back to 10.4.10. Even after that the instability got to the stage that I only had to sneeze and it would crash.
Ultimately I resorted to backing up all my data onto a 120Gb USB HD, erased the HD drive and started from the beginning again with the discs that came with the MBP. As you can imagine that was a long process and took me from about 4pm in the afternoon to 1am in the morning. Eyes were hanging out of my head after that effort.
So far I have not had any further problems.
I really don't know now to what extent that Safari 3 Beta was the cause of all my instability problems but the crash logs seemed to point to it. Some people are reporting no problems with Safari 3 whatsoever so that begs the question if there was a conflict with some 3rd party application I was running or something got corrupted that could not be repaired for whatever the reason.
After the rebuild I was thinking that re-establishing my iPhoto and iTunes library would be a slow nightmarish process by having to import each photo group or each iTunes album one at a time. I chose to gamble on copying the entire directory for iPhoto and the entire directory for iTunes across from my USB HD. Well I needn't have worried because it worked perfectly. I also had copied out some user/library/.... folders and gambled on copying them back after rebuild in the hope of restoring various setups etc and that worked too. Things like Application Support files, Mail files, selected Preferences, Safari bookmarks and history and Widgets. That sort of approach worked on my well used Windows XP box so thought it would work on the MBP. Worst case is that I would have had to start all over again if I messed it up.

HWIC-AP + PEAP + RADIUS

Similar Messages

Maybe you are looking for