Cisco 1200 EAP setup

I have been trying unsuccessfully to set up one of my Aironet 1200s to authenticate wireless users using EAP to our Windows RADIUS server. I have the certificates on the computers and I think that part is working fine. It doesn't appear, though, that the AP is passing the authentication request to the RADIUS server. Here is my relevant config info and some diag stuff that I have done. If anybody has any ideas on what else I should do I would appreciate it.

ap16.beav-admin.lanphere#show running-config
Building configuration...
. . .
aaa group server radius rad_eap1
 server 10.3.0.93 auth-port 1645 acct-port 1646
. . .
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
. . .
dot11 vlan-name CLIENT-DATA vlan 400
. . .
dot11 ssid 71050255E
   vlan 400
   authentication open eap eap_methods1
   authentication key-management wpa
   guest-mode
   information-element ssidl wps
. . .
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 400 mode ciphers tkip
 . . .
 !
 ssid 71050255E
 !
. . .
interface Dot11Radio0.400
 encapsulation dot1Q 400
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!

Debugs I have turned on:

ap16.beav-admin.lanphere#show debug
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
  AAA server group server selection debugging is on
dot11/wlccp authenticator:
  state machine debugging is on
  process debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
Radius elog debugging debugging is on
Radius elog debugging debugging is on

Results of using the "test" command. The AP does appear to send a request to the RADIUS server when I do this. It rejects the authentication attempt, and that is what I expected, as I probably don't have a policy set up that would allow this to work, but at least it logs the error on the RADIUS server, so I know it is communicating with it.

ap16.beav-admin.lanphere#test aaa group rad_eap1 jit password new
Trying to authenticate with Servergroup rad_eap1
User rejected

ap16.beav-admin.lanphere#
Dec 29 19:11:35.995: AAA/AUTHEN/LOGIN (00000000): Pick method list 'Permanent Local'
Dec 29 19:11:35.996: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Dec 29 19:11:35.996: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Dec 29 19:11:35.996: RADIUS(00000000): Config NAS IP: 206.22.0.218
Dec 29 19:11:35.997: RADIUS(00000000): Config NAS IP: 206.22.0.218
Dec 29 19:11:35.997: RADIUS(00000000): sending
Dec 29 19:11:35.997: RADIUS(00000000): Send Access-Request to 10.3.0.93:1645 id 1645/14, len 75
Dec 29 19:11:35.998: RADIUS:  authenticator A2 33 30 63 18 31 4E 32 - D3 25 B4 B3 F6 79 05 29
Dec 29 19:11:35.998: RADIUS:  User-Password       [2]   18  *
Dec 29 19:11:35.998: RADIUS:  User-Name           [1]   5   "jit"
Dec 29 19:11:35.998: RADIUS:  NAS-IP-Address      [4]   6   206.22.0.218
Dec 29 19:11:35.998: RADIUS:  Nas-Identifier      [32]  26  "ap16.beav-admin.lanphere"
Dec 29 19:11:36.007: RADIUS: Received from id 1645/14 10.3.0.93:1645, Access-Reject, len 20
Dec 29 19:11:36.007: RADIUS:  authenticator CE 79 8D 7D 89 BA 87 38 - 8B 1A 82 28 CC A0 1D 1B
Dec 29 19:11:36.008: RADIUS(00000000): Received from id 1645/14

This is all I get on the AP when a wireless client tries to connect, and I get nothing logged on the RADIUS server.

Dec 29 19:15:12.050: AAA/BIND(0000009A): Bind i/f
Dec 29 19:15:12.608: %DOT11-7-AUTH_FAILED: Station 001f.3b7c.236d Authentication failed
Dec 29 19:15:13.370: AAA/BIND(0000009B): Bind i/f

Reply to gmiller

Reply to turnip

Yes, it uses a shared secret, although I think that part is working, as the test command does work. Here are the lines for that configuration:

radius-server attribute 32 include-in-access-req format %h
radius-server host 206.22.0.218 auth-port 1812 acct-port 1813 key 7 0*******3144 1D1B4A
radius-server host 10.3.0.93 auth-port 1645 acct-port 1646 key 7 0********575E7 01D1F58
radius-server vsa send account

> I am unfamiliar with windows radius, unix uses a shared secret, does
Reply to GM
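The two posts above turn on the same question: does the AP and the RADIUS server share the secret, and how would you tell? The first post's debug shows exactly what the AP sent (Access-Request, id 14, len 75, four attributes) and the 20-byte Access-Reject it accepted; the second post answers the shared-secret question with the `radius-server host ... key 7` lines. The Python below is an added example, not code from the thread or from Cisco: it rebuilds that exchange per RFC 2865, hiding the PAP User-Password with the shared secret (section 5.2) and checking the reply's Response Authenticator (section 3) the way a NAS must before it trusts the reply. The user name, password, NAS-IP-Address, NAS-Identifier, packet identifier and Request Authenticator bytes are the ones in the debug output; the shared secret is a constructed placeholder, because the key 7 strings in the thread are masked, so the hidden password bytes will not match the real capture, only the layout and lengths do.

```python
"""RFC 2865 Access-Request / Access-Reject round trip (added example, not code from the thread)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ACCESS_REJECT = 3
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32

# Constructed placeholder: the "key 7" strings in the thread are masked, so the real secret is unknown.
SECRET = b"example-shared-secret"
# Identifier and Request Authenticator as shown in the thread's debug output ("id 1645/14").
THREAD_ID = 14
REQ_AUTH = bytes.fromhex("a233306318314e32d325b4b3f6790529")


def _xor_blocks(data, secret, req_auth, decrypt):
    """RFC 2865 s5.2: c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res  # the chain always runs over the *ciphertext* block
    return out


def hide_password(password, secret, req_auth):
    """Pad the cleartext with NULs to a 16-byte multiple and hide it (User-Password value)."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, req_auth, decrypt=False)


def reveal_password(hidden, secret, req_auth):
    """Server side: undo hide_password and drop the NUL padding."""
    return _xor_blocks(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")


def attr(t, value):
    """Type-Length-Value; Length counts the two header bytes, which is why "jit" shows as 5."""
    return struct.pack("!BB", t, len(value) + 2) + value


def build_access_request(ident, username, password, nas_ip, nas_id, secret, req_auth=None):
    """Same attribute order as the AP used: User-Password, User-Name, NAS-IP-Address, NAS-Identifier."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(USER_NAME, username)
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attributes(packet):
    """Walk the attribute region; a bad Length is a malformed packet, not something to guess at."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_reject(ident, req_auth, secret, attrs=b""):
    """Server side: a bare Access-Reject is exactly the 20-byte reply the AP logged."""
    auth = response_authenticator(ACCESS_REJECT, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(reply, req_auth, secret):
    """What a NAS does before trusting a reply; a wrong secret or wrong Request Authenticator fails here."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], req_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Rebuild the exchange from the thread: Access-Request id 14, len 75 -> Access-Reject, len 20."""
    request = build_access_request(THREAD_ID, b"jit", b"new", "206.22.0.218",
                                   b"ap16.beav-admin.lanphere", SECRET, REQ_AUTH)
    reply = build_access_reject(THREAD_ID, REQ_AUTH, SECRET)
    return request, reply


if __name__ == "__main__":
    req, rep = demo()
    print("Access-Request len", len(req), [(t, len(v) + 2) for t, v in parse_attributes(req)])
    print("Access-Reject verifies with the right secret:", verify_response(rep, REQ_AUTH, SECRET))
    print("Access-Reject verifies with a wrong secret:", verify_response(rep, REQ_AUTH, b"wrong"))
```

The lengths the example reproduces (18 + 5 + 6 + 26 attribute bytes plus the 20-byte header = 75) are the ones in the debug, which is a cheap sanity check on any capture. The more useful point for the shared-secret question is the last line of the demo: RFC 2865 has the NAS silently discard a reply whose Response Authenticator does not verify, so a secret mismatch with 10.3.0.93 would not produce the logged Access-Reject that the `test aaa` command got; and with PAP, a mismatch on the server side turns the User-Password into garbage and is logged as a bad password, not as a missing request. Neither matches what the first post describes for wireless clients, where no Access-Request is sent at all.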

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.