cshanyee

  1. Hi, I've managed to solve the problem. It is due to the RADIUS shared secret. The shared secret contains a symbol. In the AP CLI, I can enter the shared secret with symbols without any problem. And this caused the client's wireless adapter to be crossed out. However, the AP web console doesn't accept the symbol. Removing the symbol and reconfiguring the shared secret on the RADIUS server solved all the problems. Regards
  2. Hi, I'm continuing with the testing today, as I was busy a few months back. The PC is able to connect and authenticate to the AP; refer to the log below:

         08390: Apr 12 09:57:21.214 Information Interface Dot11Radio0, Station 0012.0eb5.2cf5 Associated KEY_MGMT[WPAv2]

     But surprisingly, on the PC's wireless adapter, the connection is still crossed out with the error message "The settings saved on this computer for the network do not match the requirements of the network". I'm just wondering whether the AP 1142N is able to do WPAv2 authentication via a RADIUS server. Is it necessary to have a wireless controller? I'm really at a dead end and don't know how I should troubleshoot this matter further. Regards
  3. Hi, How do I wake up a PC using WOL in an environment with guest-vlan enabled? I can wake up the PC without guest-vlan configured. With guest-vlan configured, when the PC shuts down, the port will fall back to the guest-vlan, which is in authorized mode. WOL with "dot1x control-direction in" will only work when the port is in "Unauthorized" mode. Please advise.
  4. Hi, The wireless profile config was pushed down via GPO. I will try to delete and recreate the GPO tonight. Will update the status here tomorrow. Regards, Shanmomo
  5. Hi, Sorry! What do you mean by authentication not taking place? But I can see the client getting authenticated from the NAP server (refer to the log below). FYI, I'm only using the NAP server as a RADIUS server for 802.1X wireless authentication. I really don't know what went wrong here. Please advise.

         Network Policy Server granted full access to a user because the host met the defined health policy.

         User:
             Security ID: mydomain\user1
             Account Name: mydomain\user1
             Account Domain: mydomain
             Fully Qualified Account Name: mydomain\user1

         Client Machine:
             Security ID: NULL SID
             Account Name: -
             Fully Qualified Account Name: -
             OS-Version: -
             Called Station Identifier: 6c50.4db7.3c40
             Calling Station Identifier: 0012.0eb5.2cf5

         NAS:
             NAS IPv4 Address: 172.16.4.142
             NAS IPv6 Address: -
             NAS Identifier: KH-SR-AP1
             NAS Port-Type: Wireless - IEEE 802.11
             NAS Port: 724

         RADIUS Client:
             Client Friendly Name: KH-SR-AP1
             Client IP Address: 172.16.4.142

         Authentication Details:
             Proxy Policy Name: Use Windows authentication for all users
             Network Policy Name: Secure Wireless Connections - VLAN 20
             Authentication Provider: Windows
             Authentication Server: NPS.mydomain.com
             Authentication Type: PEAP
             EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
             Account Session Identifier: -

         Quarantine Information:
             Result: Full Access
             Extended-Result: -
             Session Identifier: -
             Help URL: -
             System Health Validator Result(s): -

     Regards, shanmomo
  6. Hi, Thanks! I've checked the config and it's not much different from mine. As I've mentioned previously, the machine is able to authenticate, but the funny part is on the client side. Refer to the attached file; I've done a screen capture on the client side. As you can see, the wireless adapter remains crossed out although it is connected (refer to wireless-peap.jpg). In the second screen capture, the wireless signal can be seen via Wireless Network Connection Status (refer to wireless-peap2.jpg). I don't think this is normal. Regards, shanmomo
  7. Hi, I've configured my 1142N autonomous AP to authenticate with a Microsoft NAP server. The strange part is that I can see the client getting authenticated on the NAP server as well as on the AP. But on the client end, which is running Windows 7, the wireless adapter icon remains crossed out. The error message is "The settings saved on this computer for the network do not match the requirements of the network". Although the adapter is crossed out, the client is still able to connect to the network. I'm not sure where the problem is; I'd appreciate it if someone could help. Below is my AP configuration:

         version 12.4
         no service pad
         service tcp-keepalives-in
         service tcp-keepalives-out
         service timestamps debug datetime msec localtime
         service timestamps log datetime msec localtime
         service password-encryption
         service sequence-numbers
         !
         hostname AP1
         !
         enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxxx
         !
         aaa new-model
         !
         aaa group server radius rad_mac
         aaa group server radius rad_acct
         aaa group server radius rad_admin
         aaa group server tacacs+ tac_admin
         aaa group server radius rad_pmip
         aaa group server radius dummy
         aaa group server radius rad_eap3
          server 172.16.4.16 auth-port 1645 acct-port 1646
         !
         aaa authentication login lconsole local
         aaa authentication login mac_methods local
         aaa authentication login eap_methods3 group rad_eap3
         aaa authentication dot1x default group radius
         aaa authorization exec default local
         aaa authorization network default group radius
         aaa accounting network acct_methods start-stop group rad_acct
         !
         aaa session-id common
         clock timezone KH 7
         ip domain name mydomain.com
         !
         !
         dot11 syslog
         !
         dot11 ssid myssid
            vlan 20
            authentication open eap eap_methods3
            authentication network-eap eap_methods3
            authentication key-management wpa version 2
            guest-mode
         !
         crypto pki trustpoint TP-self-signed-156841273
          enrollment selfsigned
          subject-name cn=IOS-Self-Signed-Certificate-156841273
          revocation-check none
          rsakeypair TP-self-signed-156841273
         !
         !
         crypto pki certificate chain TP-self-signed-156841273
          certificate self-signed 01
           quit
         username myid secret mypassword
         !
         !
         ip ssh time-out 60
         ip ssh version 2
         bridge irb
         !
         !
         interface Dot11Radio0
          no ip address
          no ip route-cache
          !
          encryption vlan 20 mode ciphers tkip
          !
          antenna gain 0
          station-role root
         !
         interface Dot11Radio0.10
          encapsulation dot1Q 10 native
          no ip route-cache
          bridge-group 1
          bridge-group 1 subscriber-loop-control
          bridge-group 1 block-unknown-source
          no bridge-group 1 source-learning
          no bridge-group 1 unicast-flooding
          bridge-group 1 spanning-disabled
         !
         interface Dot11Radio0.20
          encapsulation dot1Q 20
          no ip route-cache
          bridge-group 20
          bridge-group 20 subscriber-loop-control
          bridge-group 20 block-unknown-source
          no bridge-group 20 source-learning
          no bridge-group 20 unicast-flooding
          bridge-group 20 spanning-disabled
         !
         interface Dot11Radio1
          no ip address
          no ip route-cache
          shutdown
          !
          encryption vlan 20 mode ciphers tkip
          !
          ssid myssid
          !
          antenna gain 0
          dfs band 3 block
          channel dfs
          station-role root
          bridge-group 1
          bridge-group 1 block-unknown-source
          no bridge-group 1 source-learning
          no bridge-group 1 unicast-flooding
          bridge-group 1 spanning-disabled
         !
         interface Dot11Radio1.20
          encapsulation dot1Q 20
          no ip route-cache
          bridge-group 20
          bridge-group 20 subscriber-loop-control
          bridge-group 20 block-unknown-source
          no bridge-group 20 source-learning
          no bridge-group 20 unicast-flooding
          bridge-group 20 spanning-disabled
         !
         interface GigabitEthernet0
          no ip address
          no ip route-cache
          duplex auto
          speed auto
          no keepalive
          bridge-group 1
          no bridge-group 1 source-learning
          bridge-group 1 spanning-disabled
         !
         interface GigabitEthernet0.20
          encapsulation dot1Q 20
          no ip route-cache
          bridge-group 20
          no bridge-group 20 source-learning
          bridge-group 20 spanning-disabled
         !
         interface BVI1
          ip address 172.16.4.142 255.255.255.128
          no ip route-cache
         !
         ip default-gateway 172.16.4.129
         no ip http server
         ip http secure-server
         ip http help-path http://www.cisco.com/warp/public/779/sm ... g/help/eag
         ip radius source-interface BVI1
         access-list 70 permit 172.16.7.128 0.0.0.15 log
         access-list 70 permit 172.16.7.8 0.0.0.7 log
         access-list 70 permit 172.16.1.0 0.0.0.255 log
         radius-server attribute 32 include-in-access-req format %h
         radius-server host 172.16.4.16 auth-port 1645 acct-port 1646 key mykeypassword
         radius-server retransmit 10
         radius-server timeout 4
         radius-server deadtime 2
         radius-server vsa send accounting
         bridge 1 route ip
         !
         line con 0
         line vty 0 4
          session-timeout 5
          access-class 70 in
          exec-timeout 5 0
          transport input ssh
          transport output none
         !
         sntp server 172.16.7.254
         sntp broadcast client
         end

     On the client end, I've configured the following:

         Security method for authentication: WPA2-Enterprise
         Encryption: TKIP
         Network authentication method: Microsoft PEAP
         Authentication mode: User-reauthentication

     NAP Server:

         Authentication Method: EAP
         Access Permission: Granted Access
         NAP Enforcement: Allow full network access
         Framed protocol: PPP
         Service-Type: Framed
         Tunnel-Type: Virtual LANs
         Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
         Tunnel-Pvt-Group-ID: 20
         Extensible Authentication Protocol Method: Microsoft Protected EAP (PEAP)
         Encryption: Strongest encryption (MPPE 128-bit)
         Encryption Policy: Enabled

     Regards, shanmomo