871W (800 series) WiFi setup of WPA2

Pardon my newbiness, but I am at wits end.
I have an 871W. IOS 12.4(15) T9
I got WPA to work fine with a MAC (OSX 10.5 but is now 10.6).
I am trying to setup WPA2 Enterprise, but I can't seem to find any
working command line examples. The Cisco site does provide one page for
such a setup on aeronet devices, but shows only the useless SDM images.
The following does get the Mac to see a "WPA2 Enterprise" service with
my ssid. If I search for all networks and choose mine, it then asks for
username/password. But I can type anything and it seems to accept it.
(but the console log on the Mac does show autnentication error).
Is there anything obvious ? superfluous or missing in the config
snippets below ? And it is correct to state that it should only accept
user donaldduck with password mickeymouse ?
The router's IP is
The Wi-fi section:
dot11 ssid yourWiFi
vlan 10
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
interface Dot11Radio0
no ip address
broadcast-key vlan 10 change 600
encryption vlan 10 mode ciphers aes-ccm
ssid yourWiFi
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
station-role root
antenna receive diversity
antenna transmit diversity
world-mode dot11d country CA both
interface Dot11Radio0.10
description yourWiFi on VLAN 10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
The radius section:
radius-server local
nas key 0 mylongandsharedsecret
eapfast server-key primary 0 2C8F83C20595913697807834E822B619
eapfast server-key secondary 0 ADDE5F565301D05E659A0C120216EF02
user donaldduck password mickeymouse
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1812 acct-port 1813 key
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
The aaa section:
aaa new-model
aaa group server radius rad_eap
server auth-port 1812 acct-port 1813
radius-server host auth-port 1812 acct-port 1813 key
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
!aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
Note: after writing above, I added:
aaa authentication dot1x rad_eap local
but that didn't make a difference.
Reply to
JF Mezei
Loading thread data ...
JF Mezei schrieb:
You have configured the local radius server. So your supplicant MUST authenticate using LEAP or EAP-FAST (and EAP-FAST with local radius has a few restrictions...) No PEAP/MSCHAPv2 or EAP-TLS.
The authentication part is the same for both WPA and WPA2, the only difference is under the interface DotRadio0 for WPA: encryption vlan 10 mode ciphers tkip for WPA2: encryption vlan 10 mode ciphers aes-ccm
Reply to
Uli Link

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.