871W (800 series) WiFi setup of WPA2

Pardon my newbiness, but I am at wits' end.

I have an 871W. IOS 12.4(15) T9

I got WPA to work fine with a Mac (OS X 10.5, but it is now 10.6).

I am trying to set up WPA2 Enterprise, but I can't seem to find any working command line examples. The Cisco site does provide one page for such a setup on Aironet devices, but it shows only the useless SDM images.

The following does get the Mac to see a "WPA2 Enterprise" service with my SSID. If I search for all networks and choose mine, it then asks for a username/password. But I can type anything and it seems to accept it. (But the console log on the Mac does show an authentication error.)

Is there anything obviously superfluous or missing in the config snippets below? And is it correct to state that it should only accept user donaldduck with password mickeymouse?

The router's IP is 10.0.0.2

The Wi-fi section:

-----------------------------------------------

dot11 ssid yourWiFi
   vlan 10
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   guest-mode

interface Dot11Radio0
 no ip address
 !
 broadcast-key vlan 10 change 600
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid yourWiFi
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 antenna receive diversity
 antenna transmit diversity
 world-mode dot11d country CA both
!
interface Dot11Radio0.10
 description yourWiFi on VLAN 10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!

The radius section:

-----------------------------------------------

radius-server local
  nas 10.0.0.2 key 0 mylongandsharedsecret
  eapfast server-key primary 0 2C8F83C20595913697807834E822B619
  eapfast server-key secondary 0 ADDE5F565301D05E659A0C120216EF02
  user donaldduck password mickeymouse
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedsecret
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
!

The aaa section:

-----------------------------------------------

!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1812 acct-port 1813
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedpassword
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
!aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common

Note: after writing above, I added:

aaa authentication dot1x rad_eap local

but that didn't make a difference.

JF Mezei

JF Mezei wrote:

You have configured the local RADIUS server, so your supplicant MUST authenticate using LEAP or EAP-FAST (and EAP-FAST with local RADIUS has a few restrictions...). No PEAP/MSCHAPv2 or EAP-TLS.

The authentication part is the same for both WPA and WPA2; the only difference is under interface Dot11Radio0:

for WPA:  encryption vlan 10 mode ciphers tkip
for WPA2: encryption vlan 10 mode ciphers aes-ccm

Uli Link
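As an added example (not part of either post), a small Python audit that applies the two points in the reply to a config like the one above: the cipher line on the radio decides WPA vs WPA2, and radius-server local means only LEAP and EAP-FAST can be served. It also flags a server that appears in several radius-server host lines with different keys, as the two such lines in the question do. The sample config is constructed from the posted snippets; parse_blocks and audit are the example's own names.

```python
import re

# Constructed sample: SSID, radio and RADIUS lines from the post, in IOS block layout.
SAMPLE_CONFIG = """\
dot11 ssid yourWiFi
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid yourWiFi
!
radius-server local
  nas 10.0.0.2 key 0 mylongandsharedsecret
  user donaldduck password mickeymouse
!
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedsecret
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedpassword
"""

def parse_blocks(text):
    """Group an IOS config into (top-level command, [indented sub-lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue                      # skip blank lines and '!' separators
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def wpa_generation(ciphers):
    """Map the 'encryption ... mode ciphers' tokens to the WPA generation they imply."""
    has_aes, has_tkip = "aes-ccm" in ciphers, "tkip" in ciphers
    if has_aes and has_tkip:
        return "WPA/WPA2 mixed"
    return "WPA2 (AES-CCMP)" if has_aes else ("WPA (TKIP)" if has_tkip else "not WPA")

def audit(text):
    """Return per-VLAN WPA generation, EAP methods the local server can serve, key mismatches."""
    findings, hosts = {"eap_supported": None, "key_mismatch": []}, {}
    for cmd, sub in parse_blocks(text):
        if cmd.startswith("interface Dot11Radio"):
            for s in sub:
                m = re.match(r"encryption vlan (\d+) mode ciphers (.+)", s)
                if m:
                    findings["vlan" + m.group(1)] = wpa_generation(m.group(2).split())
        elif cmd == "radius-server local":       # local authenticator: LEAP / EAP-FAST only
            findings["eap_supported"] = ["LEAP", "EAP-FAST"]
        elif cmd.startswith("radius-server host"):
            m = re.match(r"radius-server host (\S+).* key (?:[07] )?(\S+)", cmd)
            if m:
                hosts.setdefault(m.group(1), set()).add(m.group(2))
    findings["key_mismatch"] = sorted(h for h, keys in hosts.items() if len(keys) > 1)
    return findings
```

A supplicant offering PEAP or EAP-TLS against a config where eap_supported is LEAP/EAP-FAST only will fail regardless of the username and password entered, which matches the Mac's console error.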
