Autonomous AP with Radius Authentication

cshanyee

11 posts in this topic
Hi,

I've configured my 1142N autonomous AP to authenticate with a Microsoft NAP server.

The strange part is that I can see the client get authenticated on the NAP server as well as on the AP.

But on the client end, which is running Windows 7, the wireless adapter icon remains crossed out.

The error message is "The settings saved on this computer for the network do not match the requirements of the network".

Although the adapter is crossed out, the client is still able to connect to the network.

I'm not sure where the problem is; I'd appreciate it if someone could help.

Below is my AP configuration:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname AP1
!
enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius rad_eap3
 server 172.16.4.16 auth-port 1645 acct-port 1646
!
aaa authentication login lconsole local
aaa authentication login mac_methods local
aaa authentication login eap_methods3 group rad_eap3
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone KH 7
ip domain name mydomain.com
!
!
dot11 syslog
!
dot11 ssid myssid
 vlan 20
 authentication open eap eap_methods3
 authentication network-eap eap_methods3
 authentication key-management wpa version 2
 guest-mode
!
crypto pki trustpoint TP-self-signed-156841273
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-156841273
 revocation-check none
 rsakeypair TP-self-signed-156841273
!
!
crypto pki certificate chain TP-self-signed-156841273
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353638 34313237 33301E17 0D303230 33303130 30343933
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3135 36383431
  32373330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B1372A6B A35E273E 783F6906 62FB08ED 29B96B6D 734D4689 C18FF832 BD952B01
  ACF2A01A 6ED9D86F ECFED440 43A362F3 7FC8A1E6 A6C989BB 733482A1 8047F2B9
  C6A6F480 61162E59 CF2825C8 977147EC 127F8031 CC586E16 FEFAA7C6 7AA1CC6C
  E68B5FE4 F6957D81 5E3B1D46 480BD171 B952A8E4 7DC85A3F EB7EFAEF 522A0C69
  02030100 01A37A30 78300F06 03551D13 0101FF04 05300301 01FF3025 0603551D
  11041E30 1C821A4B 482D5352 2D415031 2E696170 70617265 6C696E74 6C2E636F
  6D301F06 03551D23 04183016 8014D204 682B73BD 6DA47207 3533ED4C B952F5F7
  A7EF301D 0603551D 0E041604 14D20468 2B73BD6D A4720735 33ED4CB9 52F5F7A7
  EF300D06 092A8648 86F70D01 01040500 03818100 B0A61652 2F6A1E89 8D25DDA9
  2B9B2A23 3E048E0D 568D8F87 8291A69C C6368EDB E1AFFB46 61F60535 705F85C0
  0F829ACB 809CA2E8 898F81C6 166726AC 53506875 8C083A22 9F2465C8 EF6A83B4
  AA3B8112 9758706A 80E05A00 7DA75B47 DA202E0C DAA51987 065E0BEF 8FCECB3C
  F83C3254 43E31C3B 323C33CD 281C3641 38BAAA8C
  quit
username myid secret mypassword
!
!
ip ssh time-out 60
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 mode ciphers tkip
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid myssid
 !
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 ip address 172.16.4.142 255.255.255.128
 no ip route-cache
!
ip default-gateway 172.16.4.129
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/sm ... g/help/eag
ip radius source-interface BVI1
access-list 70 permit 172.16.7.128 0.0.0.15 log
access-list 70 permit 172.16.7.8 0.0.0.7 log
access-list 70 permit 172.16.1.0 0.0.0.255 log
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.4.16 auth-port 1645 acct-port 1646 key mykeypassword
radius-server retransmit 10
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send accounting
bridge 1 route ip
!
line con 0
line vty 0 4
 session-timeout 5
 access-class 70 in
 exec-timeout 5 0
 transport input ssh
 transport output none
!
sntp server 172.16.7.254
sntp broadcast client
end

On the client end, I've configured the following:

Security method for authentication: WPA2-Enterprise
Encryption: TKIP
Network authentication method: Microsoft PEAP
Authentication mode: User re-authentication

NAP server:

Authentication Method: EAP
Access Permission: Granted Access
NAP Enforcement: Allow full network access
Framed-Protocol: PPP
Service-Type: Framed
Tunnel-Type: Virtual LANs
Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
Tunnel-Pvt-Group-ID: 20
Extensible Authentication Protocol Method: Microsoft Protected EAP (PEAP)
Encryption: Strongest encryption (MPPE 128-bit)
Encryption Policy: Enabled


Regards

 

shanmomo

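Before chasing the client-side symptom, it is worth checking the posted AP configuration itself for the weak spots a reviewer would flag: the SSID is WPA2 (`authentication key-management wpa version 2`) but the radios encrypt VLAN 20 with `ciphers tkip` only, with no `aes-ccm`. The script below is an added example, not code from the thread or from Cisco; it parses an IOS-style configuration by its one-space sub-command indentation and reports WPA2 SSIDs whose VLAN lacks AES-CCMP, plus a couple of management-plane checks (SSHv2, `transport input ssh`, an `access-class` on the vty lines). The embedded configuration is a constructed excerpt modelled on the one posted above, not the full file.

```python
import re

# Constructed excerpt modelled on the AP configuration posted in the thread.
SAMPLE_CONFIG = """\
dot11 ssid myssid
 vlan 20
 authentication open eap eap_methods3
 authentication network-eap eap_methods3
 authentication key-management wpa version 2
 guest-mode
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 20 mode ciphers tkip
 !
 station-role root
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers tkip
 ssid myssid
!
ip ssh version 2
line vty 0 4
 access-class 70 in
 transport input ssh
"""


def parse_sections(text):
    """Group an IOS-style config into (header, [sub-commands]) pairs.
    IOS indents sub-commands by one space; '!' lines are separators/comments."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint(text):
    """Return a list of human-readable findings for the given configuration."""
    sections = parse_sections(text)
    top_level = {header for header, _ in sections}
    findings = []

    # 1. Map each WPA2 SSID to its VLAN, so the radio cipher suite can be checked.
    wpa2_vlans = {}
    for header, subs in sections:
        if header.startswith("dot11 ssid "):
            name = header.split()[2]
            vlan = next((s.split()[1] for s in subs if s.startswith("vlan ")), None)
            if "authentication key-management wpa version 2" in subs and vlan:
                wpa2_vlans[vlan] = name
            if "guest-mode" in subs:
                findings.append(f"SSID {name} is broadcast (guest-mode); "
                                "acceptable for an 802.1X network but confirm it is intended")

    # 2. A WPA2 VLAN whose cipher list has no aes-ccm is TKIP-only (deprecated).
    for header, subs in sections:
        if header.startswith("interface Dot11Radio"):
            for s in subs:
                m = re.match(r"encryption vlan (\d+) mode ciphers (.+)", s)
                if m and m.group(1) in wpa2_vlans:
                    ciphers = m.group(2).split()
                    if "aes-ccm" not in ciphers:
                        findings.append(
                            f"{header}: VLAN {m.group(1)} (SSID {wpa2_vlans[m.group(1)]}) "
                            f"is WPA2 with ciphers '{' '.join(ciphers)}'; add aes-ccm, "
                            "TKIP alone is deprecated")

    # 3. Management plane: SSHv2 only, and an access-class guarding the vty lines.
    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2 is not configured")
    for header, subs in sections:
        if header.startswith("line vty"):
            if "transport input ssh" not in subs:
                findings.append(f"{header}: transport input is not restricted to ssh")
            if not any(s.startswith("access-class ") for s in subs):
                findings.append(f"{header}: no access-class restricts management sources")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports the TKIP-only cipher suite on both radios and the broadcast SSID, and nothing for the management plane, which in the posted configuration is already restricted to SSHv2 from the networks in access-list 70.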
Hi,

Thanks! I've checked the config and there's not much different from mine.

As I mentioned previously, the machine is able to authenticate, but the funny part is on the client side.

Refer to the attached file; I've done a screen capture on the client side.

As you can see, the wireless adapter remains crossed out although it is connected (refer to wireless-peap.jpg).

On the second screen capture, the wireless signal can be seen via Wireless Network Connection Status (refer to wireless-peap2.jpg).

I don't think this is normal.

Regards

shanmomo

OK, so you know you have layer 1 and 2 connectivity; obviously your authentication is not taking place.

Check the settings on the server end and ensure that it allows wireless authentication. The AP acts as the authenticator and the server has to be configured to allow this. ESS association does not have any bearing on STA/user authentication, just that your wireless settings on the AP/STA are correct.

http://technet.microsoft.com/en-us/library/cc753793(WS.10).aspx

http://technet.microsoft.com/en-us/network/bb545879

Hi,

Sorry! What do you mean, that authentication is not taking place?

But I can see the client get authenticated on the NAP server (refer below).

FYI, I'm only using the NAP server as a RADIUS server for 802.1X wireless authentication.

I really don't know what went wrong here. Please advise.

===============================================================
Network Policy Server granted full access to a user because the host met the defined health policy.

User:
  Security ID: mydomain\user1
  Account Name: mydomain\user1
  Account Domain: mydomain
  Fully Qualified Account Name: mydomain\user1

Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 6c50.4db7.3c40
  Calling Station Identifier: 0012.0eb5.2cf5

NAS:
  NAS IPv4 Address: 172.16.4.142
  NAS IPv6 Address: -
  NAS Identifier: KH-SR-AP1
  NAS Port-Type: Wireless - IEEE 802.11
  NAS Port: 724

RADIUS Client:
  Client Friendly Name: KH-SR-AP1
  Client IP Address: 172.16.4.142

Authentication Details:
  Proxy Policy Name: Use Windows authentication for all users
  Network Policy Name: Secure Wireless Connections - VLAN 20
  Authentication Provider: Windows
  Authentication Server: NPS.mydomain.com
  Authentication Type: PEAP
  EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
  Account Session Identifier: -

Quarantine Information:
  Result: Full Access
  Extended-Result: -
  Session Identifier: -
  Help URL: -
  System Health Validator Result(s): -


Regards

 

shanmomo

Have you tried deleting this particular WLAN profile and trying to connect again?

Edited by sirkozz


Hi,

The wireless profile config was pushed down via GPO.

I will try to delete and recreate the GPO tonight.

I will update the status here tomorrow.

Regards

Shanmomo


You should try to connect a STA to the WLAN without using GPO first; that way you know it's functional before you push out a new GPO.


Hi,

I'm continuing with the testing today, as I was busy a few months back.

The PC is able to connect and authenticate to the AP; refer to the log below:

08390: Apr 12 09:57:21.214 Information Interface Dot11Radio0, Station 0012.0eb5.2cf5 Associated KEY_MGMT[WPAv2]

But surprisingly, on the PC's wireless adapter, the connection is still crossed out with the error message "The settings saved on this computer for the network do not match the requirements of the network".

I'm just wondering whether the AP 1142N is able to do WPAv2 authentication via a RADIUS server. Is it necessary to have a wireless controller?

I'm really at a dead end; I don't know how I should troubleshoot this matter further.

Regards


OK, a couple of things here. 1st, unless you have configured the internal RADIUS server on the AP, the AP cannot authenticate a user. 2nd, "08390: Apr 12 09:57:21.214 Information Interface Dot11Radio0, Station 0012.0eb5.2cf5 Associated KEY_MGMT[WPAv2]" just means that the STA has associated with the AP and the CCMP keys match. 3rd, an 1142 is more than capable of acting as an authenticator for your RADIUS server to WLAN STAs.

Have you tried what I said: delete the profile and connect manually without the use of GPO? Everything you're showing me points in the direction of either Windows (STA) or the RADIUS server being misconfigured. What you're showing me is that you have layer 1 and 2 connectivity; however, the upper layers appear blocked, STA not authenticated. The RADIUS server will send a frame to the AP (authenticator) that it's OK to let traffic pass. Is the AP authenticated on the LAN via RADIUS?


Hi,

I've managed to solve the problem. It is due to the RADIUS shared secret.

The shared secret contains a symbol. In the AP CLI, I can enter the shared secret with symbols without any problem.

And this causes the client's wireless adapter to be crossed out.

However, in the AP web console, it doesn't accept the symbol. Removing the symbol and reconfiguring the shared secret on the RADIUS server solved all the problems.

Regards

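Why a shared-secret mismatch between the AP and NPS is enough to produce exactly this picture, as an added illustration that is not code from the thread, from Cisco or from Microsoft: the shared secret does two jobs in RADIUS. It is the key behind the Response Authenticator on every reply (RFC 2865 section 3), which the NAS recomputes and silently discards the reply if it does not match, so NPS logs a successful authentication while the AP never accepts the Access-Accept; and it is the key under which NPS wraps the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes (RFC 2548 section 2.4) that carry the PEAP session key the AP turns into the WPA2 PMK for the four-way handshake. The script below builds an Access-Accept carrying the same attributes the NPS policy above returns (Tunnel-Type VLAN, Tunnel-Medium-Type 802, Tunnel-Pvt-Group-ID 20, plus a wrapped key), then shows verification and key unwrapping succeeding with the correct secret and failing with a secret that differs by one symbol. All values (secrets, Request Authenticator, key, salt) are constructed for the demonstration; no traffic is sent.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration only.
SECRET = b"mykeypassword"          # secret as typed on the AP CLI
WRONG_SECRET = b"mykeypassword!"   # secret as the other side ended up with it
REQUEST_AUTH = bytes(range(16))    # Request Authenticator from the AP's Access-Request
PMK = bytes(range(0x20, 0x40))     # 32-byte key NPS returns as MS-MPPE-Recv-Key


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (incl. header), Value (RFC 2865 s.5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_avp(attr_type, tag, value):
    """Tagged tunnel attribute (RFC 2868): a one-byte Tag precedes the value."""
    return avp(attr_type, bytes([tag]) + value)


def ms_mppe_wrap(key, request_auth, secret, salt):
    """RFC 2548 section 2.4.2 key wrapping. plaintext = length byte + key, zero-padded
    to a 16-byte multiple; block i is XORed with MD5(secret + previous ciphertext
    block), where the 'previous block' for the first block is request_auth + salt."""
    assert salt[0] & 0x80, "high bit of the salt must be set"
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    prev, out = request_auth + salt, b""
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out += block
        prev = block
    return salt + out


def ms_mppe_unwrap(blob, request_auth, secret):
    """Inverse of ms_mppe_wrap. Returns None when the result is structurally invalid,
    which is one way a wrong secret shows up; the other is simply a wrong key."""
    salt, cipher = blob[:2], blob[2:]
    if not salt[0] & 0x80 or len(cipher) % 16:
        return None
    prev, plain = request_auth + salt, b""
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        return None
    return plain[1:1 + key_len]


def build_access_accept(ident, attrs, request_auth, secret):
    """Access-Accept (Code 2). Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """What the NAS does with every reply: recompute the Response Authenticator with
    its own copy of the secret; on mismatch the packet is silently discarded."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Returns (accept verifies with right secret, verifies with wrong secret,
    unwrapped key == PMK with right secret, unwrapped key == PMK with wrong secret)."""
    vendor_microsoft = 311
    wrapped = ms_mppe_wrap(PMK, REQUEST_AUTH, SECRET, b"\x80\x01")
    attrs = (
        tunnel_avp(64, 1, b"\x00\x00\x0d")      # Tunnel-Type = VLAN (13)
        + tunnel_avp(65, 1, b"\x00\x00\x06")    # Tunnel-Medium-Type = IEEE 802 (6)
        + tunnel_avp(81, 1, b"20")              # Tunnel-Private-Group-ID = "20"
        + avp(26, struct.pack("!I", vendor_microsoft) + avp(17, wrapped))  # MS-MPPE-Recv-Key
    )
    pkt = build_access_accept(0x2A, attrs, REQUEST_AUTH, SECRET)
    return (
        verify_response(pkt, REQUEST_AUTH, SECRET),
        verify_response(pkt, REQUEST_AUTH, WRONG_SECRET),
        ms_mppe_unwrap(wrapped, REQUEST_AUTH, SECRET) == PMK,
        ms_mppe_unwrap(wrapped, REQUEST_AUTH, WRONG_SECRET) == PMK,
    )


if __name__ == "__main__":
    print(demo())
```

Because the NAS discards a reply it cannot authenticate rather than rejecting the client, the failure is quiet: the server side logs a grant, the AP retransmits and eventually times out the EAP exchange, and the supplicant is left with an association but no usable keys. On the AP, `debug radius authentication` and the bad-authenticator counter in `show radius statistics` are where this shows up; on the NPS side nothing looks wrong. The practical lesson from this thread is to set the shared secret through one interface only, confirm it with a test authentication before trusting it, and treat any difference in the character set each management interface accepts as a source of silent mismatches.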