Unable to use Radius Authentication for Wireless

Hello I have this scenario:

C877 52F/256D with 15.0M1 ADVIPSERVICES

I have enabled on it the local radius server with these configuration:

radius-server local
 nas 192.168.1.243 key 7 0010161510 (test)
 user elia password 0 elia
!
radius-server host 192.168.1.254 auth-port 1645 acct-port 1646

192.168.1.254 is the IP of the C877.
192.168.1.243 is the IP of the AP.

---------------

I have one Access Point 1121G-E-K9 with this current config:

Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED, RELEASE SOFTWARE (fc1)
Technical Support: formatting link
(c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 18-Sep-09 10:28 by tinhuang

!
version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname ap
!
no logging console
enable secret 5 $1$iELC$zp6EkUHMBPODgTs7wBoSf1
!
clock timezone CET 1
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip tcp selective-ack
ip tcp synwait-time 10
ip domain name spadhausen.local
ip name-server 212.97.32.2
ip name-server 212.97.32.7
!
!
ip ssh time-out 90
ip ssh version 2
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.254 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 192.168.1.254 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
!
dot11 ssid tsunami2
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 guest-mode
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 broadcast-key change 3600 membership-termination capability-change
 !
 !
 ssid tsunami2
 !
 speed basic-1.0 basic-2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no power client local
 power client 1
 power local cck 1
 power local ofdm 1
 station-role root access-point fallback shutdown
 payload-encapsulation dot1h
 world-mode dot11d country-code IT indoor
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.243 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.254
ip http server
no ip http secure-server
ip http help-path formatting link
radius source-interface BVI1
!
snmp-server community public RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.254 auth-port 1645 acct-port 1646 key 0 test
radius-server key 0 test
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
sntp server 193.204.114.105
sntp server 192.43.244.18
sntp broadcast client
end

(Please note that in the original config I have

radius-server host 192.168.1.254 auth-port 1645 acct-port 1646 key 7 0835495D1D
radius-server key 7 044F0E151B

even if the passwords are entered using 0 test to set the password to "test". Why do they have two different hashes?)

I am unable to log in to the Wi-Fi network.

On the AP I have these logs:

000827: Feb 12 18:44:54.961 CET: AAA/BIND(0000002E): Bind i/f
000828: Feb 12 18:44:54.961 CET: AAA/ACCT/HC(0000002E): Register DOT11/00C7B154 0bit/s, assuming 100Mbit/s, poll every 5m 0s
000829: Feb 12 18:44:54.962 CET: AAA/ACCT/HC(0000002E): Update DOT11/00C7B154
000830: Feb 12 18:44:54.962 CET: AAA/ACCT/HC(0000002E): DOT11/00C7B154 [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0
000831: Feb 12 18:44:54.962 CET: AAA/ACCT/HC(0000002E): DOT11/00C7B154 [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
000832: Feb 12 18:44:54.962 CET: AAA/ACCT/EVENT/(0000002E): CALL START
000833: Feb 12 18:44:54.962 CET: Getting session id for NET(0000002E) : db=BE30CC
000834: Feb 12 18:44:54.962 CET: AAA/ACCT(00000000): add node, session 44
000835: Feb 12 18:44:54.962 CET: AAA/ACCT/NET(0000002E): add, count 1
000836: Feb 12 18:44:57.127 CET: AAA/AUTHEN/PPP (0000002E): Pick method list 'eap_methods'
000837: Feb 12 18:44:57.128 CET: Getting session id for NET(0000002E) : db=BE30CC
000838: Feb 12 18:45:05.123 CET: AAA/ACCT/HC(0000002E): Update DOT11/00C7B154
000839: Feb 12 18:45:05.123 CET: AAA/ACCT/HC(0000002E): DOT11/00C7B154 [pre-sess] (rx/tx) base 0/0 pre 219/310 call 219/310
000840: Feb 12 18:45:05.123 CET: AAA/ACCT/HC(0000002E): DOT11/00C7B154 [pre-sess] (rx/tx) adjusted, pre 219/310 call 0/0
000841: Feb 12 18:45:05.124 CET: AAA/ACCT/HC(0000002E): Deregister DOT11/00C7B154
000842: Feb 12 18:45:05.124 CET: AAA/ACCT/EVENT/(0000002E): CALL STOP
000843: Feb 12 18:45:05.124 CET: AAA/ACCT/CALL STOP(0000002E): Sending stop requests
000844: Feb 12 18:45:05.125 CET: AAA/ACCT(0000002E): Send all stops
000845: Feb 12 18:45:05.125 CET: AAA/ACCT/NET(0000002E): STOP
000846: Feb 12 18:45:05.125 CET: AAA/ACCT/NET(0000002E): Method list not found
000847: Feb 12 18:45:05.125 CET: AAA/ACCT(0000002E): del node, session 44
000848: Feb 12 18:45:05.125 CET: AAA/ACCT/NET(0000002E): free_rec, count 0
000849: Feb 12 18:45:05.125 CET: AAA/ACCT/NET(0000002E) reccnt 0, csr TRUE, osr 0
000850: Feb 12 18:45:05.125 CET: AAA/ACCT/NET(0000002E): Last rec in db, intf not enqueued
000851: Feb 12 18:45:05.967 CET: AAA/BIND(0000002F): Bind i/f
000852: Feb 12 18:45:05.967 CET: AAA/ACCT/HC(0000002F): Register DOT11/00C79B34 0bit/s, assuming 100Mbit/s, poll every 5m 0s
000853: Feb 12 18:45:05.967 CET: AAA/ACCT/HC(0000002F): Update DOT11/00C79B34
000854: Feb 12 18:45:05.967 CET: AAA/ACCT/HC(0000002F): DOT11/00C79B34 [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0
000855: Feb 12 18:45:05.968 CET: AAA/ACCT/HC(0000002F): DOT11/00C79B34 [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
000856: Feb 12 18:45:05.968 CET: AAA/ACCT/EVENT/(0000002F): CALL START
000857: Feb 12 18:45:05.968 CET: Getting session id for NET(0000002F) : db=C5F818
000858: Feb 12 18:45:05.968 CET: AAA/ACCT(00000000): add node, session 45
000859: Feb 12 18:45:05.969 CET: AAA/ACCT/NET(0000002F): add, count 1
000860: Feb 12 18:45:06.001 CET: AAA/ACCT/HC(0000002F): Update DOT11/00C79B34
000861: Feb 12 18:45:06.002 CET: AAA/ACCT/HC(0000002F): DOT11/00C79B34 [pre-sess] (rx/tx) base 0/0 pre 63/310 call 63/310
000862: Feb 12 18:45:06.002 CET: AAA/ACCT/HC(0000002F): DOT11/00C79B34 [pre-sess] (rx/tx) adjusted, pre 63/310 call 0/0
000863: Feb 12 18:45:06.003 CET: AAA/ACCT/HC(0000002F): Deregister DOT11/00C79B34
000864: Feb 12 18:45:06.003 CET: AAA/ACCT/EVENT/(0000002F): CALL STOP
000865: Feb 12 18:45:06.003 CET: AAA/ACCT/CALL STOP(0000002F): Sending stop requests
000866: Feb 12 18:45:06.003 CET: AAA/ACCT(0000002F): Send all stops
000867: Feb 12 18:45:06.003 CET: AAA/ACCT/NET(0000002F): STOP
000868: Feb 12 18:45:06.003 CET: AAA/ACCT/NET(0000002F): Method list not found
000869: Feb 12 18:45:06.003 CET: AAA/ACCT(0000002F): del node, session 45
000870: Feb 12 18:45:06.003 CET: AAA/ACCT/NET(0000002F): free_rec, count 0
000871: Feb 12 18:45:06.004 CET: AAA/ACCT/NET(0000002F) reccnt 0, csr TRUE, osr 0
000872: Feb 12 18:45:06.004 CET: AAA/ACCT/NET(0000002F): Last rec in db, intf not enqueued
000873: Feb 12 18:45:06.753 CET: AAA/BIND(00000030): Bind i/f
000874: Feb 12 18:45:06.753 CET: AAA/ACCT/HC(00000030): Register DOT11/00C7E9B4 0bit/s, assuming 100Mbit/s, poll every 5m 0s
000875: Feb 12 18:45:06.753 CET: AAA/ACCT/HC(00000030): Update DOT11/00C7E9B4
000876: Feb 12 18:45:06.754 CET: AAA/ACCT/HC(00000030): DOT11/00C7E9B4 [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0
000877: Feb 12 18:45:06.754 CET: AAA/ACCT/HC(00000030): DOT11/00C7E9B4 [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
000878: Feb 12 18:45:06.754 CET: AAA/ACCT/EVENT/(00000030): CALL START
000879: Feb 12 18:45:06.754 CET: Getting session id for NET(00000030) : db=C5F818
000880: Feb 12 18:45:06.754 CET: AAA/ACCT(00000000): add node, session 46
000881: Feb 12 18:45:06.754 CET: AAA/ACCT/NET(00000030): add, count 1
000882: Feb 12 18:45:11.273 CET: AAA/ACCT/HC(00000030): Update DOT11/00C7E9B4
000883: Feb 12 18:45:11.273 CET: AAA/ACCT/HC(00000030): DOT11/00C7E9B4 [pre-sess] (rx/tx) base 0/0 pre 63/310 call 63/310
000884: Feb 12 18:45:11.273 CET: AAA/ACCT/HC(00000030): DOT11/00C7E9B4 [pre-sess] (rx/tx) adjusted, pre 63/310 call 0/0
000885: Feb 12 18:45:11.273 CET: AAA/ACCT/HC(00000030): Deregister DOT11/00C7E9B4
000886: Feb 12 18:45:11.274 CET: AAA/ACCT/EVENT/(00000030): CALL STOP
000887: Feb 12 18:45:11.274 CET: AAA/ACCT/CALL STOP(00000030): Sending stop requests
000888: Feb 12 18:45:11.274 CET: AAA/ACCT(00000030): Send all stops
000889: Feb 12 18:45:11.274 CET: AAA/ACCT/NET(00000030): STOP
000890: Feb 12 18:45:11.274 CET: AAA/ACCT/NET(00000030): Method list not found
000891: Feb 12 18:45:11.275 CET: AAA/ACCT(00000030): del node, session 46
000892: Feb 12 18:45:11.275 CET: AAA/ACCT/NET(00000030): free_rec, count 0
000893: Feb 12 18:45:11.275 CET: AAA/ACCT/NET(00000030) reccnt 0, csr TRUE, osr 0
000894: Feb 12 18:45:11.275 CET: AAA/ACCT/NET(00000030): Last rec in db, intf not enqueued

On the C877 I have these:

002408: Feb 12 18:44:57.286 CET: RADIUS: Received from unauthorized client 192.168.1.243
002409: Feb 12 18:45:02.503 CET: RADIUS: Received from unauthorized client 192.168.1.243
002410: Feb 12 18:45:07.744 CET: RADIUS: Received from unauthorized client 192.168.1.243
002411: Feb 12 18:45:13.077 CET: RADIUS: Received from unauthorized client 192.168.1.243
Elia S.

Yesterday I did a lot of testing:

If I put the RADIUS on the RADIUS device (Cisco 877, and I also tried using the internal RADIUS of the 1121G) on ports 1645 and 1646, it doesn't work. If I set the ports to 1812 and 1813, it works but replies with unknown auth type.

Now a big question... that may resolve the issue.

I am using Windows 7 Business with an Intel 3945ABG with the very latest drivers. Since the internal RADIUS of both the Cisco 877 and the 1121G supports only LEAP and EAP-FAST, my client could not support it, and I would need a Cisco Wi-Fi client!

Could that be the issue?

"Elia S." wrote in message news:Esydne snipped-for-privacy@kpnqwest.it...

Elia S.
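
The three things checked by hand in the posts above (the nas entry on the C877, the ports the AP sends to, and the rejections in the C877 log) can be cross-referenced mechanically. This is an added example, not part of the original posts or any Cisco tooling; the function names are hypothetical and the inputs are excerpts of the configs and log quoted in this thread, embedded as sample data.

```python
import re

# Sample data: excerpts of the C877 config, AP config and C877 log quoted in this thread.
SERVER_CFG = """radius-server local
 nas 192.168.1.243 key 7 0010161510
 user elia password 0 elia
"""
AP_CFG = "radius-server host 192.168.1.254 auth-port 1645 acct-port 1646 key 0 test\n"
SERVER_LOG = """\
002408: Feb 12 18:44:57.286 CET: RADIUS: Received from unauthorized client 192.168.1.243
002409: Feb 12 18:45:02.503 CET: RADIUS: Received from unauthorized client 192.168.1.243
002410: Feb 12 18:45:07.744 CET: RADIUS: Received from unauthorized client 192.168.1.243
002411: Feb 12 18:45:13.077 CET: RADIUS: Received from unauthorized client 192.168.1.243
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def nas_clients(cfg):
    """IPs declared with 'nas <ip> ...' under 'radius-server local'."""
    return set(re.findall(rf"^\s*nas {IP}\b", cfg, re.M))

def host_ports(cfg):
    """(server, auth_port, acct_port) for each 'radius-server host' line."""
    pat = rf"^radius-server host {IP} auth-port (\d+) acct-port (\d+)"
    return [(h, int(a), int(c)) for h, a, c in re.findall(pat, cfg, re.M)]

def rejected_clients(log):
    """Count 'Received from unauthorized client' log entries per source IP."""
    counts = {}
    for ip in re.findall(rf"Received from unauthorized client {IP}", log):
        counts[ip] = counts.get(ip, 0) + 1
    return counts

def triage(server_cfg, ap_cfg, log):
    """Cross-reference rejections with the nas list and the AP's target ports."""
    findings = []
    known = nas_clients(server_cfg)
    for ip, n in sorted(rejected_clients(log).items()):
        state = "has a nas entry" if ip in known else "has no nas entry"
        findings.append(f"{ip}: {n} requests rejected; client {state}")
    for host, auth, acct in host_ports(ap_cfg):
        if (auth, acct) == (1645, 1646):
            findings.append(f"{host}: AP sends to the older RADIUS ports 1645/1646; "
                            "this thread reports replies only on 1812/1813")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SERVER_CFG, AP_CFG, SERVER_LOG)))
```

A rejected client that already has a nas entry points away from a missing client definition and toward the transport settings, which matches the port change reported in the post above.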

I have solved my problems using the latest Intel network utility, which supports Cisco EAP.

The problem is that LEAP is not supported natively in Windows XP and Win 7, so I need to use PEAP, but I now need a standalone RADIUS server, not the integrated Cisco one.

Elia S.

Elia S.

I have used it for tuning other parameters like roaming, etc. but forgot that it supports other EAP methods.

We got PEAP working with Microsoft's RADIUS service and setting up a new AD group called "Wireless Users." The new group is not required if you want to just allow all domain users instead.

-Gary

Gary
