Solved

Cisco AP 1240AG

Posted on 2006-07-06
6
1,693 Views
Last Modified: 2012-05-05
Quick config question.  I'm pretty sure my problem is a Windows config error, but just wanted to rule out any config error.  Here is what I'm trying to accomplish.
2 SSIDs (for now)
guest-ap (VLAN 2) that is completely open and is broadcast out (later will be broadcast, but will have WPA-PSK config)
secure-ap (VLAN 10) that is not broadcast and uses WPA encryption and authenticates via a RADIUS server (W2K integrated to authen the user/computer)

Right now I can connect to both SSIDs, the guest-ap (being open) allows use and I get an IP.  Everything is good.  The secure-ap gets stuck on Verifying identity.  I get a bunch of auth failed messages in the AP log.  Also (don't know if this is common or not), but before the auth failed messages I always get two messages referencing the radius server.  The first says it couldn't communicate with the RADIUS server, then immediately after that it says it's alive again.  Also, I do get messages on the RADIUS server stating that auth failed (reason why I think it's a MS server misconfig problem and not an AP one).

At any rate, here is my AP config.  secure-ap2 (VLAN11) is in there because I added that via the web int so I could figure out what command line commands I had to use to switch secure-ap from open to more secure.  I just left it in in case it might be screwing something up.

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1240-test
!
enable secret 5 xxxxxxxxxxxxxx
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius msradius
 server 192.168.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap
 server 192.168.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Guest vlan 2
dot11 vlan-name Inside vlan 10
!
dot11 ssid guest-ap
  vlan 2
  authentication open
  guest-mode
  admit-traffic
!
dot11 ssid secure-ap
  vlan 10
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  admit-traffic
!
dot11 ssid secure-ap2
  vlan 11
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
!
dot11 arp-cache
power inline negotiation prestandard source
!
!
dot1x credentials approfile
!
username Cisco password 7 xxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 11 mode ciphers tkip
!
encryption vlan 10 mode ciphers tkip
!
ssid guest-ap
!
ssid secure-ap
!
ssid secure-ap2
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption vlan 11 mode ciphers tkip
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in

interface FastEthernet0.1
no ip route-cache
!
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 192.168.2.10 255.255.255.0
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
ip address 192.168.1.10 255.255.255.0
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
!
interface BVI1
ip address 192.168.1.9 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging trap debugging
logging 192.168.2.102
snmp-server community sato RO
radius-server local
 nas 192.168.1.5 key 7 0518071B2E4D5E
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxx
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
password 7 xxxxxxxxxxxxxx
!
end

Question by:Cyclops3590
6 Comments
 
LVL 15

Expert Comment

by:Frabble
ID: 17052545
Don't know if it has anything to do with the problem but why are there IP addresses on the sub interfaces FastEthernet0.2 and FastEthernet0.10?

I'm not aware if this can be done through the web GUI and any IP address I've seen configured is always on the BVI interface.
 
LVL 25

Author Comment

by:Cyclops3590
ID: 17052760
I think I just added them in.  I'll take them out, but I highly doubt that is the problem.  I know the RADIUS client needed the 1.9 IP whereas for telnetting I had to use the 1.10
 
LVL 15

Accepted Solution

by:
Frabble earned 250 total points
ID: 17054796
OK, I see what you've done.
The correct way is to make the AP management VLAN the native VLAN. Since you've configured for a 192.168.1.X address, you need to tick this option for VLAN 10 on the access point. You will also need to configure the switch port the AP plugs into to have VLAN 10 as the native or untagged VLAN.

Access to the AP should then be possible using the 192.168.1.9 address and this will be the IP address the RADIUS server will see authentication requests coming from.
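A check for the two mistakes Frabble points out above, written as an added example for this thread (not code from the question or from Frabble): a small Python lint over a constructed, abridged excerpt of the posted AP config, assuming VLAN 10 is the management VLAN as the accepted answer concludes. It flags IP addresses on dot1Q subinterfaces and a management VLAN not carried as native, and returns the AP-side corrected config; the switch port still has to be set to VLAN 10 native by hand.

```python
import re

# Constructed, abridged excerpt of the AP config posted in the question.
SAMPLE_CONFIG = """\
interface Dot11Radio0.10
 encapsulation dot1Q 10
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 192.168.2.10 255.255.255.0
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.1.10 255.255.255.0
!
interface BVI1
 ip address 192.168.1.9 255.255.255.0
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+)$")
ENCAP_RE = re.compile(r"^encapsulation dot1Q (\d+)( native)?$")


def walk(config):
    """Yield (enclosing interface or None, raw line) for every config line."""
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif not raw.startswith(" "):
            current = None  # '!' or a global command ends the interface block
        yield current, raw


def lint_and_fix(config, mgmt_vlan):
    """Return (issues, corrected config). AP side only: the switch port must
    also carry mgmt_vlan as its native/untagged VLAN (assumed here to be 10)."""
    issues, out = [], []
    for iface, raw in walk(config):
        line = raw.strip()
        if iface and "." in iface and IP_RE.match(line):
            issues.append(f"{iface}: IP address belongs on BVI1, not on a dot1Q subinterface")
            continue  # drop the stray address from the corrected config
        m = ENCAP_RE.match(line)
        if m and int(m.group(1)) == mgmt_vlan and not m.group(2):
            issues.append(f"{iface}: VLAN {mgmt_vlan} must be 'encapsulation dot1Q {mgmt_vlan} native'")
            raw = f" encapsulation dot1Q {mgmt_vlan} native"
        out.append(raw)
    return issues, "\n".join(out) + "\n"


if __name__ == "__main__":
    print(*lint_and_fix(SAMPLE_CONFIG, 10)[0], sep="\n")
```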
 
LVL 25

Author Comment

by:Cyclops3590
ID: 17057559
I'll see if I can get time to make those changes today.

Thanks for looking over my config for me.  Although I've gotten fairly good at configuring Cisco firewalls and am ok at routers and switches, APs I'm still fairly new to.  Looks like a lot is like a router, but with the added needed functionality for wireless.
 
LVL 25

Author Comment

by:Cyclops3590
ID: 17111247
OK, my problem was related to exactly what you brought up.  Sometimes the communication would work and sometimes not.  This was because sometimes it tried to go over 1.10 which was in VLAN 10 and other times in VLAN 1 (native VLAN, I'm sure) over 1.9

This screwed everything up.  Eliminated vlans altogether and it started working.  Thanks a bunch.
 
LVL 15

Expert Comment

by:Frabble
ID: 17118024
Glad to have helped, thanks for the points.