Local radius + mac-filter?

Hi all,
Could someone tell me how to configure a local RADIUS plus a MAC filter?
The config with the local RADIUS is running perfectly, but I don't know how to configure an additional filter.
Any ideas are welcome.
Carsten

Yes, you can do that, but you don't actually need those two first "authentication" commands. These two:
authentication open mac-address mac_methods eap EAP_LOCAL
authentication network-eap EAP_LOCAL mac-address mac_methods
will overwrite these two:
authentication open eap EAP_LOCAL
authentication network-eap EAP_LOCAL
so you'll just be left with:
dot11 ssid wlan-ap
   authentication key-management wpa
   authentication open mac-address mac_methods eap EAP_LOCAL
   authentication network-eap EAP_LOCAL mac-address mac_methods
Yes, you can also use "dot11 association", but you'd have to keep track of your access-list 700 on each access-point independently for each client. With RADIUS-based MAC authentication you will have a centralized mac address database on the RADIUS server.
You can also do local AP RADIUS authentication for this ("radius-server local").
By the way, it is recommended to use two separate RADIUS servers for EAP and for MAC authentication. For example, ACS for EAP and LOCAL for MAC. The problem with using the same RADIUS server is that a user can now do EAP authentication by supplying the WLAN NIC's MAC address as username and password, and both EAP and MAC auth will pass!
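As an added example that is not from this thread, the following Python model shows the shared-store problem the reply describes and an audit check for it: MAC authentication presents the MAC as both username and password, so any EAP method that checks the same user table accepts the same pair. All usernames, passwords and MACs in it are constructed.

```python
"""Why one RADIUS user store for both EAP and MAC authentication is risky.

Added example, not code from the thread. It models a local-authenticator
user table the way the reply above describes it: MAC authentication sends
the client MAC as both username and password, and password-based EAP
checks the same table. All names, MACs and passwords are constructed.
"""
import re
from dataclasses import dataclass, field

# 12 lowercase hex digits: the form the AP uses for MAC-auth usernames.
MAC_USERNAME_RE = re.compile(r"^[0-9a-f]{12}$")


@dataclass
class UserStore:
    """A (username -> password) table, like one 'radius-server local' user list."""
    name: str
    users: dict = field(default_factory=dict)

    def add(self, username: str, password: str) -> None:
        self.users[username.lower()] = password

    def check(self, username: str, password: str) -> bool:
        return self.users.get(username.lower()) == password


def mac_auth(store: UserStore, mac: str) -> bool:
    """MAC authentication: username and password are both the MAC address."""
    ident = mac.lower().replace(":", "").replace(".", "").replace("-", "")
    return store.check(ident, ident)


def eap_auth(store: UserStore, username: str, password: str) -> bool:
    """Password-based EAP (LEAP-style) resolves to the same credential check."""
    return store.check(username, password)


def audit_store(store: UserStore) -> list:
    """Return MAC-style usernames whose password equals the username.

    Any such entry in a store that also serves EAP is a credential that is
    public (MACs are sent in the clear) and accepted by both methods.
    """
    return sorted(u for u, p in store.users.items()
                  if MAC_USERNAME_RE.match(u) and p == u)


def build_shared_store() -> UserStore:
    """One store serving both methods (the risky layout)."""
    s = UserStore("shared")
    s.add("jsmith", "correct-horse")        # constructed EAP user
    s.add("0011223344aa", "0011223344aa")   # constructed MAC-auth entry
    return s


def build_split_stores() -> tuple:
    """Separate stores: EAP users in one, MAC entries in the other."""
    eap = UserStore("eap")
    eap.add("jsmith", "correct-horse")
    mac = UserStore("mac")
    mac.add("0011223344aa", "0011223344aa")
    return eap, mac


if __name__ == "__main__":
    shared = build_shared_store()
    print("shared store, EAP with MAC creds:",
          eap_auth(shared, "0011223344aa", "0011223344aa"))
    print("audit findings:", audit_store(shared))
    eap, mac = build_split_stores()
    print("split stores, EAP with MAC creds:",
          eap_auth(eap, "0011223344aa", "0011223344aa"))
```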

Similar Messages

  • WEP + Radius Mac filter

    I have set up a Cisco WLC on version 4.0.
    I set up a 40-bit static WEP key for users. It works until I add the MAC address filter. It can work with the local MAC filter. If I want to use Cisco ACS to authenticate MAC addresses, the controller also has this message:
    RADIUS server "IP Address":1645 failed to respond to request (ID 24) for client "MAC Address: / user 'unknown'
    Is there some problem in the WLC? I am following the configuration example to configure both the WLC and ACS.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
    Thank you very much.

    Regarding "RADIUS server "IP Address":1645 failed to respond to request (ID 24) for client "MAC Address"": check that there is connectivity between the WLC and ACS. Also, check whether the username credentials are correctly given.

  • Configuring the Access Point 1602 IOS 15.2(2)JAX as a Local RADIUS for a MAC authenticator

    Hello Everyone,
    I have an issue with my Cisco 1602 WAP. I am trying to configure WPA-PSK and MAC authentication on the local RADIUS, but I don't know why it doesn't work and the client can bypass the MAC authentication. Below is a partial configuration:
    dot11 ssid WLAN
       vlan 20
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 XXX
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 20 mode ciphers aes-ccm
     ssid WLAN
     antenna gain 0
     stbc
     beamform ofdm
     mbssid
     channel 2462
     station-role root
    interface Dot11Radio0.20
     encapsulation dot1Q 20 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface BVI1
     ip address 10.133.16.2 255.255.255.128
     no ip route-cache
    radius-server local
      nas 10.133.16.2 key 7 10.133.16.2
      group MAC
        vlan 20
        ssid WLAN
        block count 3 time infinite
        reauthentication time 1800
      user 54724f80421c password 54724f80421c group MAC
    Further information can be provided by request.
    Cheers,
    Parham

    What are you trying to accomplish?
    With the PSK you aren't telling the client it needs to do .1x auth for the MAC authentication.
    If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700).
    HTH,
    Steve

  • WLC Webauth on mac filter / Bypass

    Hi
    I am currently experimenting with the webauth 'On MAC Filter failure' feature.
    In most cases things work fine, meaning that: a user arrives in SSID coverage; if his MAC is registered in our RADIUS he is allowed through, if not he associates to the AP and gets the usual splash screen. But in some weird cases things don't happen as expected: a user arrives in SSID coverage; if his MAC is registered in our RADIUS he is allowed through, if not he cannot associate.
    I tried to run some debugs but with little success, as I don't know what I am looking for.
    As far as I can say, the problem appears with devices I used for testing (allowed through the MAC filter, then removed ...) and makes me think of some kind of caching mechanism (things like fastpath come to my mind).
    Did someone implement the feature successfully?
    Thanks,
    seb.

    Hi,
    Sure (debug client 00:24:d6:23:d0:58). The problem is visible around 12:26:47.612.
    *pemReceiveTask: Sep 22 12:25:38.048: 2c:a8:35:cf:20:14 Sent an XID frame
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Adding mobile on LWAPP AP 00:08:30:4a:d6:50(0)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Association received from mobile on AP 00:08:30:4a:d6:50
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific IPv6 override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying IPv6 Interface Policy for station 00:24:d6:23:d0:58 - vlan 113, interface id 11, interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 apfProcessAssocReq (apf_80211.c:5122) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Idle to AAA Pending
    *aaaQueueReader: Sep 22 12:26:26.258: Unable to find requested user entry for 0024d623d058
    *aaaQueueReader: Sep 22 12:26:26.258: ReProcessAuthentication previous proto 8, next proto 40000001
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *aaaQueueReader: Sep 22 12:26:26.258: AuthenticationRequest: 0x2aeb3be8
    *aaaQueueReader: Sep 22 12:26:26.258:   Callback.....................................0x100df840
    *aaaQueueReader: Sep 22 12:26:26.258:   protocolType.................................0x40000001
    *aaaQueueReader: Sep 22 12:26:26.258:   proxyState...................................00:24:D6:23:D0:58-00:00
    *aaaQueueReader: Sep 22 12:26:26.258:   Packet contains 14 AVPs (not shown)
    *aaaQueueReader: Sep 22 12:26:26.258: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Sep 22 12:26:26.259: 00:24:d6:23:d0:58 Successful transmission of Authentication Packet (id 255) to 10.83.40.111:1812, proxy state 00:24:d6:23:d0:58-00:01
    *radiusTransportThread: Sep 22 12:26:27.262: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Sep 22 12:26:27.262: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Access-Reject received from RADIUS server 10.83.40.111 for mobile 00:24:d6:23:d0:58 receiveId = 0
    *radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d6:23:d0:58
    *radiusTransportThread: Sep 22 12:26:27.262: AuthorizationResponse: 0x3c4fd8b4
    *radiusTransportThread: Sep 22 12:26:27.262:    structureSize................................32
    *radiusTransportThread: Sep 22 12:26:27.262:    resultCode...................................-4
    *radiusTransportThread: Sep 22 12:26:27.262:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Sep 22 12:26:27.262:    proxyState...................................00:24:D6:23:D0:58-00:00
    *radiusTransportThread: Sep 22 12:26:27.262:    Packet contains 0 AVPs:
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying new AAA override for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58
        source: 2, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
        vlanIfName: '', aclName: ''
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting AAA Override struct for mobile
            MAC: 00:24:d6:23:d0:58, source 2
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting new RADIUS override into chain for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58
        source: 2, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
        vlanIfName: '', aclName: ''
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3for this client
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfMsAssoStateInc
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from AAA Pending to Associated
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 Sending Assoc Response to station on BSSID 00:08:30:4a:d6:50 (status 0) ApVapId 3 Slot 0
    *apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 apfProcessRadiusAssocResp (apf_80211.c:2153) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Associated
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule
    *apfReceiveTask: Sep 22 09:31:33.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:08:30:4a:d6:50, slot 0, interface = 13, QOS = 0
      ACL Id = 255, Jumbo F
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 113, IPv6 intf id = 11
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 Sent an XID frame
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Received Idle-Timeout from AP 00:08:30:4a:d6:50, slot 0 for STA 00:24:d6:23:d0:58
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 4, reasonCode 4
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 30) in 1 seconds
    *osapiBsnTimer: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Disassociated
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sent Deauthenticate to mobile on BSSID 00:08:30:4a:d6:50 slot 0(caller apf_ms.c:5094)
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sending Accounting request (2) for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsAssoStateDec
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Disassociated to Idle
    *apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:08:30:4a:d6:50]
    *apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 Deleting mobile on AP 00:08:30:4a:d6:50(0)
    *pemReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 Removed NPU entry.
    *aaaQueueReader: Sep 22 12:31:04.526: Unable to find requested user entry for 2ca835cf2014
    *aaaQueueReader: Sep 22 12:31:04.526: ReProcessAuthentication previous proto 8, next proto 40000001
    *aaaQueueReader: Sep 22 12:31:04.526: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *radiusTransportThread: Sep 22 12:31:05.530: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Sep 22 12:31:05.530: ****Enter processRadiusResponse: response code=3
    Thanks,
    Seb.
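As an added example that is not part of the thread, here is a Python analyzer for the kind of `debug client` output posted above: it rebuilds the client's timeline (RADIUS result, PEM state changes, idle-timeout, deauthentication) and reports whether the client ever reached WEBAUTH_REQD before the AP expired it. The excerpt it runs on is constructed from the lines in the post, and the findings text is the script's own wording.

```python
"""Timeline analysis of WLC 'debug client' output for webauth-on-MAC-filter-failure.

Added example, not part of the thread. It parses a constructed excerpt
modelled on the debug output above, pulls out the RADIUS result, the PEM
state transitions and the idle-timeout, and reports whether the client
ever reached WEBAUTH_REQD (the state expected after a failed MAC filter
when web authentication is configured) before the AP expired it.
"""
import re
from datetime import datetime

# Constructed excerpt; timestamps and MACs follow the thread's debug output.
SAMPLE_DEBUG = """\
*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Association received from mobile on AP 00:08:30:4a:d6:50
*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 apfProcessAssocReq (apf_80211.c:5122) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Idle to AAA Pending
*aaaQueueReader: Sep 22 12:26:26.258: Unable to find requested user entry for 0024d623d058
*radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Access-Reject received from RADIUS server 10.83.40.111 for mobile 00:24:d6:23:d0:58 receiveId = 0
*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 Sending Assoc Response to station on BSSID 00:08:30:4a:d6:50 (status 0) ApVapId 3 Slot 0
*spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Received Idle-Timeout from AP 00:08:30:4a:d6:50, slot 0 for STA 00:24:d6:23:d0:58
*apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sent Deauthenticate to mobile on BSSID 00:08:30:4a:d6:50 slot 0(caller apf_ms.c:5094)
"""

LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (?P<msg>.*)$")
STATE_RE = re.compile(r"Change state to (?P<state>\w+) \(\d+\)")
RADIUS_RE = re.compile(
    r"Access-(?P<result>Reject|Accept) received from RADIUS server (?P<server>\S+)")
ASSOC_RESP_RE = re.compile(r"Sending Assoc Response .*\(status (?P<status>\d+)\)")


def parse_ts(ts: str) -> datetime:
    """'Sep 22 12:26:26.258' -> datetime (the year is irrelevant for deltas)."""
    return datetime.strptime(re.sub(r" +", " ", ts), "%b %d %H:%M:%S.%f")


def client_lines(log: str, mac: str):
    """Yield (timestamp, message) for lines about one client, matching both the
    colon form (00:24:d6:...) and the compact form aaaQueueReader uses."""
    colon = mac.lower()
    compact = colon.replace(":", "")
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and (colon in m["msg"].lower() or compact in m["msg"].lower()):
            yield parse_ts(m["ts"]), m["msg"]


def analyze(log: str, mac: str) -> dict:
    """Summarise one client's association attempt and flag the failure mode."""
    r = {"radius_result": None, "radius_server": None, "states": [],
         "assoc_status": None, "seconds_to_idle_timeout": None,
         "reached_webauth": False, "deauthenticated": False, "findings": []}
    assoc_at = None
    for ts, msg in client_lines(log, mac):
        if "Association received" in msg and assoc_at is None:
            assoc_at = ts
        elif (m := RADIUS_RE.search(msg)):
            r["radius_result"] = "Access-" + m["result"]
            r["radius_server"] = m["server"]
        elif (m := STATE_RE.search(msg)):
            r["states"].append(m["state"])
            if m["state"] == "WEBAUTH_REQD":
                r["reached_webauth"] = True
        elif (m := ASSOC_RESP_RE.search(msg)):
            r["assoc_status"] = int(m["status"])
        elif "Received Idle-Timeout" in msg and assoc_at is not None:
            r["seconds_to_idle_timeout"] = (ts - assoc_at).total_seconds()
        elif "Sent Deauthenticate" in msg:
            r["deauthenticated"] = True

    # Interpretation of the sequence, from a troubleshooting point of view.
    if r["radius_result"] == "Access-Reject":
        r["findings"].append(f"MAC filter failed: {r['radius_server']} rejected {mac}")
        if "L2AUTHCOMPLETE" in r["states"]:
            r["findings"].append(
                "L2 completed after the reject: webauth-on-MAC-failure fallback engaged")
    if r["seconds_to_idle_timeout"] is not None and not r["reached_webauth"]:
        last = r["states"][-1] if r["states"] else "unknown"
        r["findings"].append(
            f"AP idle-timeout {r['seconds_to_idle_timeout']:.1f}s after association, "
            f"last state {last}; client never reached WEBAUTH_REQD")
    return r


if __name__ == "__main__":
    for line in analyze(SAMPLE_DEBUG, "00:24:d6:23:d0:58")["findings"]:
        print("-", line)
```

Run it against a full `debug client <mac>` capture to see at a glance whether the client stalled in DHCP_REQD (no DHCP traffic, then idle-timeout) rather than being rejected at association.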

  • EAP-FAST on Local Radius Server : Can't Get It Working

    Hi all
    I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as a local RADIUS server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
    I'm testing with a Win7 client using the AnyConnect Secure Mobility Client, and also a MacBook Pro, but without luck.
    The router sees an unknown auth type, and when I run some debugs it talks of unknown EAP type 3.
    sh radius local-server s
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Unknown NAS            : 0           Invalid packet from NAS: 17      
    NAS : 172.27.44.1
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Corrupted packet       : 0           Unknown RADIUS message : 0        
    No username attribute  : 0           Missing auth attribute : 0        
    Shared key mismatch    : 0           Invalid state attribute: 0        
    Unknown EAP message    : 0           Unknown EAP auth type  : 17       
    Auto provision success : 0           Auto provision failure : 0        
    PAC refresh            : 0           Invalid PAC received   : 0       
    Can anyone suggest what I might be doing wrong?
    Regs, Tim

    Thanks Nicolas, relevant snippets from config:
    aaa new-model
    aaa group server radius rad_eap
    server 172.27.44.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid home
    vlan 3
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    ip dhcp pool home
       import all
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 194.74.65.68 194.74.65.69
    ip inspect name ethernetin tcp
    ip inspect name ethernetin udp
    ip inspect name ethernetin pop3
    ip inspect name ethernetin ssh
    ip inspect name ethernetin dns
    ip inspect name ethernetin ftp
    ip inspect name ethernetin tftp
    ip inspect name ethernetin smtp
    ip inspect name ethernetin icmp
    ip inspect name ethernetin telnet
    interface Dot11Radio0
    no ip address
    encryption vlan 1 mode ciphers aes-ccm tkip
    encryption vlan 2 mode ciphers aes-ccm tkip
    encryption vlan 3 mode ciphers aes-ccm tkip
    broadcast-key vlan 1 change 30
    broadcast-key vlan 2 change 30
    broadcast-key vlan 3 change 30
    ssid home
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0.3
    encapsulation dot1Q 3
    no cdp enable
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan3
    no ip address
    bridge-group 3
    interface BVI3
    ip address 192.168.1.1 255.255.255.0
    ip inspect ethernetin in
    ip nat inside
    ip virtual-reassembly
    radius-server local
    no authentication mac
    nas 172.27.44.1 key 0 123456
    user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
    user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
    user test3 nthash 0 0CB6948805F797BF2A82807973B89537
    radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
    radius-server vsa send accounting

  • Wireless local radius authentication

    Greetings,
    I have an AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local RADIUS server.
    I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    and tried a couple of other posted configurations, but am running into the same issue regardless of which method I use.
    show ver
    Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Tue 27-Apr-10 12:52 by alnguyen
    ROM: Bootstrap program is C1100 boot loader
    BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    ORP_ROOFDECK uptime is 21 hours, 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/1236K bytes of memory.
    Processor board ID FOC08370K83
    PowerPCElvis CPU at 197Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:01:6B:86:46
    Part Number                          : 73-7886-07
    PCA Assembly Number                  : 800-21481-07
    PCA Revision Number                  : A0
    PCB Serial Number                    : XXX
    Top Assembly Part Number             : 800-22053-04
    Top Assembly Serial Number           : XXX
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1121G-A-K9
    Configuration register is 0xF
    show run
    Current configuration : 4240 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname XXX
    ip subnet-zero
    ip domain name XXX!
    ip ssh version 2
    aaa new-model
    aaa group server radius rad_eap
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa group server radius rad_acct
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid YYY
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
    bridge irb
    interface Dot11Radio0
    no ip address
    ip helper-address 172.16.1.1
    no ip route-cache
    encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
    encryption mode wep mandatory
    broadcast-key change 300
    ssid YYY
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2437
    station-role root
    rts threshold 2312
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.1.35 255.255.255.0
    ip helper-address 172.16.1.1
    no ip route-cache
    ip default-gateway 172.16.1.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication eapfast
      no authentication mac
      nas 172.16.1.35 key 7 VVV
      group YYY
        ssid YYY
        block count 3 time 30
        reauthentication time 300
      user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E375553010B7A group YYY
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    access-class 10 in
    line vty 5 15
    end
    Debug Output:
    331: AAA/ACCT(00000000): add node, session 4
    *Mar  1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.32cd for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to the client list for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
    *Mar  1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
    *Mar  1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0023.6c85.32cd
    *Mar  1 21:37:37.332: EAPOL pak dump tx
    *Mar  1 21:37:37.332: EAPOL Version: 0x1  type: 0x0  length: 0x0036
    *Mar  1 21:37:37.332: EAP code: 0x1  id: 0x1  length: 0x0036 type: 0x1
    00ECBA00: 01000036 01010036 01006E65 74776F72  ...6...6..networ
    00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E  kid=YYY,n
    00ECBA20: 61736964 3D4F5250 5F524F4F 46444543  asid=YYY
    00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
    *Mar  1 21:37:37.333: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.32cd timer started for 30 seconds
    *Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_send_msg:  sending data to requestor status 0
    *Mar  1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c85.32cd, node_type 64 for application 0x1
    *Mar  1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted for application 0x1
    *Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authentication failed
    *Mar  1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) base 0/0 pre 6861/188 call 6861/188
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) adjusted, pre 6861/188 call 0/0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
    *Mar  1 21:38:07.335: dot11_auth_client_abort: Received abort request for client 0023.6c85.32cd
    *Mar  1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c85.32cd for application 0x1
    *Mar  1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
    *Mar  1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): Send all stops
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
    *Mar  1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
    *Mar  1 21:41:34.645: AAA/BIND(00000005): Bind i/f
    *Mar  1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
    *Mar  1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
    *Mar  1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
    *Mar  1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
    *Mar  1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
    *Mar  1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent Local'
    *Mar  1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
    *Mar  1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful
    Any ideas how I can get simple username/password working on an autonomous AP with local radius server?
    Thank you,

    You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics".  You could also run "debug radius local-server client" and "debug radius local-server error".

  • Configuring a 1230 AP as a "Local Radius Authenticator"

    CCO-URL: Configuring an Access Point as a Local Authenticator
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
    This is the minimal config, I think:
    AP# configure terminal
    AP(config)# radius-server local
    AP(config-radsrv)# nas 1.1.1.1 key 111
    AP(config-radsrv)# group clerks
    AP(config-radsrv-group)# vlan 2
    AP(config-radsrv-group)# ssid batman
    AP(config-radsrv-group)# reauthentication time 1800
    AP(config-radsrv-group)# lockout count 2 time 600
    AP(config-radsrv-group)# exit
    AP(config-radsrv)# user jsmith password twain74 group clerks
    AP(config-radsrv)# end
    where 1.1.1.1 is the IP of the AP itself?
    Is it necessary to add config commands like these:
    radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
    aaa group server radius rad_eap
    server 1.1.1.1 auth-port 1812 acct-port 1813
    aaa group server radius rad_admin
    server 1.1.1.1 auth-port 1812 acct-port 1813
    None of my attempts worked:
    "station <MAC> authentication failed"
    Is there anything else necessary?

    You seem to be missing the following commands;
    authentication network-eap eap_methods
    authentication key-management cckm optional
    The following commands are useful for diagnosis;
    • show radius local statistics
    • show interface dot11Radio 0 aaa client
    • debug dot11 aaa dot1x state
    • debug dot11 mgmt interface
    Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We do not encourage the use of local authentication as a replacement for a RADIUS server.
    * With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
    * ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
    Following is an IOS configuration that I have tested, and which works on an AP1200 (it should work on an 1100 too, I just haven't tested it);
    · This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
    · This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it).
    · Replace usernames/passwords with your own usernames/passwords.
    · Replace ip-addresses with the AP's IP address.
    · I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test AP's SSID and LEAP settings).
    conf t
    host loc-auth-ap-name
    enable secret cisco
    no ip domain-lookup
    line vty 0 4
    password cisco
    exec-timeout 0 0
    login
    int bvi 1
    ip address 10.11.12.13 255.255.255.0
    Interface dot11 0
    no ssid tsunami
    encryption mode ciphers ckip-cmic
    ssid test-loc-auth
    authentication network-eap eap_methods
    authentication key-management cckm optional
    ip dhcp excluded-address 10.11.12.13
    ip dhcp pool temp
    network 10.11.12.0 255.255.255.0
    interface BVI1
    ip address 10.11.12.13 255.255.255.0
    no ip route-cache
    aaa new-model
    aaa group server radius rad_eap
    ! add a real AAA server (with auth-port 1645) before
    ! the following statement if you are configuring a
    ! fallback authentication service instead of a
    ! standalone service
    server 10.11.12.13 auth-port 1812 acct-port 1646
    aaa authentication login eap_methods group rad_eap
    ! add a real AAA server (with auth-port 1645) before
    ! the following statement if you are configuring a
    ! fallback authentication service instead of a
    ! standalone service
    radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
    radius-server deadtime 10
    dot11 holdoff-time 1
    ip radius source-interface BVI1
    radius-server local
    nas 10.11.12.13 key 0 l0cal-key-secret
    user testuser password 0 testuser-key-secret
    exit
    exit
    wri

  • ACS - SSID - MAC-Filter separation

    Hello,
    I’m trying to setup following environment:
    WLC 5508 (OS 7.5)
    Up to 60 Access Points 1602I
    Two SSID’s are required
    WPA/WPA2 Authentication is required
    MAC-Filter should also be used
    I’ve done the following configuration:
    LAN environment works
    WLC Setup works also with all Access Points
    SSID with WPA/WPA2 Authentication work
    Clients can connect to each SSID
    For the MAC Filter Setup I'm going to use an ACS 5.4 and an Active Directory. The ACS has successfully joined the Active Directory and in the Active Directory I've created two groups:
    CN=SSID1,OU=Authentication,DC=global,DC=lan
    CN=SSID2,OU=Authentication,DC=global,DC=lan
    These two groups I've selected after I joined the Active Directory. I used the Active Directory (AD1) as an Identity group, which is used by a Network Access based Access Service. In my second step, I configured the WLC to use RADIUS authentication for the MAC-Filter and everything works.
    But now I've found my problem:
    The ACS server seems to work top down, first rule matches:
    If a MAC is member of group SSID1 and the client wants to join SSID 1 it works.
    If a MAC is member of group SSID2 and the client wants to join SSID 1 it works, too, because the rules are checked top down, first match, and the ACS will find the MAC in group SSID2.
    Is it possible to check at the ACS which SSID sent the MAC-Filter request? or
    Is it possible to get the SSID value from the Active Directory to use this value in my policies?
    I would like to restrict the MACs from group SSID1 to SSID 1 and the MACs from group SSID2 to SSID 2.
    Thanks and kind regards
    Kai

    Hello,
    I hope this will help you. The username and password will be the MAC address of your client wireless device, e.g.
    Username:  aabbccddeeff
    Password:  aabbccddeeff
    You have to check in which format you have to send the MAC address (aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA:BB:CC:DD:EE:FF, and so on).
    The attachments will show you a sample ACS Access Policy, the "caller-station-id" configuration and the configuration of an SSID from a Cisco WLC 5508.
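To make the first-match problem from this thread concrete, here is an added Python model (not from the thread, and not ACS code) of the two rule styles: the top-down first-match rules Kai describes, and a rule that also binds the MAC to the SSID the request arrived on. It assumes the WLC reports the SSID in Called-Station-Id as `<AP-MAC>:<SSID>`; the allowlist and the request values are constructed.

```python
import re

# Constructed allowlist standing in for the two AD groups in the thread:
# the group name is the SSID its members are allowed to use.
GROUP_MEMBERS = {
    "SSID1": {"aabbccddeeff"},
    "SSID2": {"001122334455"},
}

def normalize_mac(value):
    """Collapse the spellings the reply lists (aa:bb:cc:dd:ee:ff, aabbcc-ddeeff,
    AA:BB:CC:DD:EE:FF, aabbccddeeff) to twelve lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else None

def ssid_from_called_station_id(called_station_id):
    """Assumption (not stated in the thread): the WLC sends Called-Station-Id
    as '<AP-MAC>:<SSID>', so the SSID is everything after the AP MAC."""
    m = re.fullmatch(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)", called_station_id)
    return m.group(1) if m else None

def first_match_decision(request):
    """The top-down, first-match rule set Kai describes: one rule per group that
    only asks 'is the MAC in group X?', so a SSID2 MAC is accepted on SSID1."""
    mac = normalize_mac(request.get("User-Name", ""))
    for members in GROUP_MEMBERS.values():
        if mac in members:
            return "Access-Accept"
    return "Access-Reject"

def ssid_bound_decision(request):
    """Corrected rule: the MAC-auth convention (User-Name == User-Password == MAC)
    must hold, and the MAC must be in the group named after the SSID the request
    arrived on. Any parse failure rejects."""
    mac = normalize_mac(request.get("User-Name", ""))
    if mac is None or normalize_mac(request.get("User-Password", "")) != mac:
        return "Access-Reject"
    ssid = ssid_from_called_station_id(request.get("Called-Station-Id", ""))
    if ssid is None or mac not in GROUP_MEMBERS.get(ssid, set()):
        return "Access-Reject"
    return "Access-Accept"

if __name__ == "__main__":
    # Constructed request: a SSID2 MAC trying to join SSID1.
    req = {"User-Name": "00:11:22:33:44:55", "User-Password": "001122334455",
           "Called-Station-Id": "aa-bb-cc-dd-ee-ff:SSID1"}
    print(first_match_decision(req), ssid_bound_decision(req))  # Access-Accept Access-Reject
```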

  • Local radius question?

    Hi,
    I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
    This is my config:
    interface Loopback0
      ip address 192.168.0.1 255.255.255.255
    ip radius source-interface Loopback0
    aaa group server radius LOCAL-RADIUS
    server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login default group LOCAL-RADIUS
    radius-server local
      nas 192.168.0.1 key 0 <removed>
      user mwhittle nthash 0 <removed>
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
    radius-server vsa send accounting
    Now here's the strange thing... If I configure the radius user to "mwhittle" with the password "mwhittle" it works and I get an Access-Accept. If I configure anything other than the username for the password it doesn't work and I get an Access-Reject. I have tried many combinations but as long as the username and password are the same it works and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
    Any ideas?
    Kind regards,
    Mike

    Hi,
    What kind of RADIUS client application are you using with the IOS local RADIUS server? Please note that this server supports *only* wireless clients, and only for the LEAP and EAP-FAST EAP types, and also MAC authentication. It does not provide support for other kinds of RADIUS clients.
    The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where username is always equal to password.
    If we are not using the MAC auth, then please feel free to open up a TAC case and we will help you..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or was helpful

  • 3850. mac filter at wlan with wpa key

    Hello
    I want to get simple mac filter at certain WLAN with psk authentication
    I have such at my home cisco881 - MAC-based ACL apply to the radio interface.
    I don't find how to make MAC-based ACL at 3850.
    And I don't understand how to use class-map type control subscriber (and match mac-address), for example, for such a task, because they apply to an interface, but not a WLAN.
    Can somebody send me full working config or certain url with decision for such task?

    subscriber mac-filtering security-mode {mac | none | shared-secret}
    Example:
    Device(config-sg-radius)# subscriber mac-filtering security-mode mac

  • How can I (automatically) import new photos of the photostream on my local disc (Mac)? Don't want to use new icloud service. Simply import.

    New Photo app on Mac.
    How can I (automatically) import new photos of the photo stream on my local disc (Mac)? Don't want to use new icloud service. Simply import.
    With iPhoto every new photo was automatically imported and saved on my local disk (with "full resolution" that's what I only need). In the new photo app I have still my photo stream and when I move a photo (drag and drop from the photo stream) to a new album it indicates a (plus). My understanding is that the photo is now copied to my local disk. But when I deleted the photo in the photo stream it was also deleted in the album !?
    If that is the case I can use the photo stream only until I reach the max of 1.000 photos, then I have to delete photos and I will have no copy left.
    How can I "physically" copy a photo of the photo stream to my local disk? I just want to "transfer" all pictures taken with iPads, iPhones to my central storage on the Mac. Please don't propose to connect it via iTunes (cable) to the Mac.
    Any other suggestions?
    thx
    -Tom

    The amazing device cannot do it because no amazing developer has written an app for it.  There is some interest, others have asked, but I have a hunch that the market is fairly limited, and no developer has jumped at the chance just yet.
    Any sort of tethered approach means try to feed the material to the pad thru the cck.  Which means the app would have to use the allowed/existing cck pathway in a manner that does not violate the sandbox rules.  That may be the problem.

  • How do I set up my kindle to receive audio books? Is there a MAC filter? It must be disabled and I don't know how to do this

    How do I set up my kindle to receive audio books? Is there a MAC filter? It must be disabled and I don't know how to do this

    By default, any type of MAC filtering is disabled on the AirPort base stations ... unless, of course, you or someone else enabled it.
    If it is enabled, to disable it, you would use the AirPort Utility.
    AirPort Utility > Select the AirPort > Manual Setup > AirPort > Access Control tab > MAC Address Access Control: Not Enabled

  • Local Radius Authentication - Fails

    Hello all,
    Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
    Client Adapter ABG (PCI)
    I am new to Wireless LAN configuration with Aironet products (first project). I am configuring an Access Point for a small LAN and I cannot get local radius authentication working. The password always fails if I try:
    test aaa group radius xxxxx port 1812 new-code
    although the password matches..........
    Another thing is that in the configuration, it always defaults to 'nthash' mode. Is this normal? In other words, if I type:
    radius-server local
    user dgarnett password xxxx
    when I do a 'show run' it displays as
    user xxxx
    I also get the following during a debug:
    There is no RADIUS DB Some Radius attributes may not be stored
    any help greatly appreciated
    ap#test aaa group radius dgarnett 123456789 port 1812 new-code
    Trying to authenticate with Servergroup radius
    User rejected
    ap#
    Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
    Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
    Feb 19 20:57:44.535: RADIUS(00000000): sending
    Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
    Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
    Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
    Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
    Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
    Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
    Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
    Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
    Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
    Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
    Feb 19 20:57:44.538: RADIUS: State [24] 50
    Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
    Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
    Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
    Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
    Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
    Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
    Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

    Just as an update.......I set this up authenticating to an external (ACSNT) RADIUS server and it authenticates successfully. But it still will not for the local dbase. My goal is to use the Corporate ACS as primary and the local as backup. I think my problem has to do with the RADIUS attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise, as I am not new to security practices and wireless, but I am new to Cisco Wireless networking.
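Reading a trace like the one above by hand is easy to get wrong, so here is an added Python example (not from the thread) that pairs each Access-Request id with its response and with the reason the local RADIUS server (the RADSRV line) printed in between. The sample trace is constructed in the same line format as the debug output above.

```python
import re

# Constructed sample modelled on the "debug radius" trace above: the line
# shapes are the real ones, the values are made up for this example.
SAMPLE_TRACE = """\
Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
Feb 19 20:57:44.538: RADIUS: State [24] 50
Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (Access-\w+) to ([\d.]+:\d+) id (\d+/\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\d+/\d+) ([\d.]+:\d+), (Access-\w+)")
ATTR_RE = re.compile(r"RADIUS: ([\w-]+)\s*\[(\d+)\]\s+\d+\s*(.*)$")
RADSRV_RE = re.compile(r"RADSRV: Client (\S+) (.*)$")

def new_tx(server):
    return {"server": server, "request": {}, "response": None,
            "response_attrs": {}, "local_reason": None}

def parse_radius_trace(text):
    """Group a debug radius trace into transactions keyed by packet id, keeping
    the request attributes, the response code and attributes, and any reason
    the local RADIUS server (RADSRV lines) printed before the response."""
    txs, attrs, reason = {}, None, None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            tx = txs.setdefault(m.group(3), new_tx(m.group(2)))
            attrs = tx["request"]            # following attribute lines belong to the request
        elif m := RECV_RE.search(line):
            tx = txs.setdefault(m.group(1), new_tx(m.group(2)))
            tx["response"], tx["local_reason"] = m.group(3), reason
            attrs, reason = tx["response_attrs"], None
        elif m := RADSRV_RE.search(line):
            reason = f"{m.group(1)} {m.group(2)}"   # e.g. "dgarnett password failed"
        elif attrs is not None and (m := ATTR_RE.search(line)):
            attrs[m.group(1)] = m.group(3).strip('"')
    return txs

def rejected_users(txs):
    """Map each rejected User-Name to the local server's stated reason (or None)."""
    return {tx["request"].get("User-Name", "?"): tx["local_reason"]
            for tx in txs.values() if tx["response"] == "Access-Reject"}
```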

  • Problem with connection to wrt54g2 via wireless connection with WPA/WPA2 & wireless MAC filter

    Hello,
    I'm Alexey from Novosibirsk, Russia.
    I have a problem with the connection to the wrt54g2 from my DELL D630 notebook via wireless. When I set up WPA/WPA2 in wireless security and the wireless MAC filter I can't connect from the notebook to the WRT; in Windows I see that the dynamic IP address from the WRT is not assigned. When I switch the security mode to disabled it is always OK, but I need wireless security between the DELL and the WRT.
    Connection via cable Ethernet port is OK.
    Can You help me?

    Have you tried a different laptop...?
    Download the firmware (1.71 MB) for the WRT54G2 v1 and reflash the router's firmware. After reflashing/upgrading the router's firmware, reset the router for 30 seconds and reconfigure the router from scratch.

  • EAP-FAST with local radius on 1242AG

    I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cipher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate.
    I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
    Any help or a basic example would be great.
    thanks,
    Simon

    I think this is what you're looking for;
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    HTH
    Regards,
    Jatin
    Do rate helpful posts~
