ryan80

asked on

Trying to set up 2 Cisco 1310's in a workstation bridge mode

I am trying to get two Cisco 1310's to work in bridge mode. I have put in some basic configuration, but it is having problems associating. I am not very familiar with Cisco wireless devices and was hoping someone might find what I did wrong.

This is the error message displayed on the non-root bridge, and below are the configs.



*Mar  1 01:15:35.676: %DOT1X_SHIM-3-SUPP_START_FAIL: Unable to start supplicant on Dot11Radio0
*Mar  1 01:15:40.921: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: EAP authenticating

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nonrootbridge
!
enable secret 5 $1$UOcJ$1tDkLl4iCcRHzKL9hknfV/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.222.61 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
!
dot11 ssid ccsibridge
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
!
!
!
username Cisco password 7 062506324F41
username ccsi password 7 070C225F47434F514146
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 B170205075A3B9CEDED4382450CB transmit-key
 encryption mode wep mandatory
 !
 ssid ccsibridge
 !
 station-role non-root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.222.62 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.222.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community ccsigroup RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.222.61 auth-port 1812 acct-port 1813 key 7 000710150D115D525975
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end


ryan80

ASKER

Current configuration : 3680 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rootbridge
!
enable secret 5 $1$7swc$gn6HWtCvWbsfpb19FU1EQ.
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.222.61 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
!
dot11 ssid ccsibridge
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
!
!
crypto pki trustpoint TP-self-signed-2153882658
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2153882658
 revocation-check none
 rsakeypair TP-self-signed-2153882658
!
!
crypto pki certificate chain TP-self-signed-2153882658
 certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313533 38383236 3538301E 170D3032 30333031 30303232
  32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31353338
  38323635 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A257 01FB42C9 EAEB084A F74BA315 152EF84B 2E2291F1 B1413F78 77BCD3B7
  BF2B1C8F 25685E36 35018A66 2BE8294A 07046405 C735A3ED BF9F5306 78E78621
  DB20B895 7588BC9B 3F09B75F 5F069D11 77A8DCD0 707987F6 D94556DD 4503EFC2
  51ED407F 39F26BAF 5350B9C1 C30E3917 3AD35C64 4DAB8CCE F21481DA 08D71B90
  8D3D0203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
  551D1104 06300482 02617030 1F060355 1D230418 30168014 5A71B434 5060B0D5
  6727D7D8 F59DFB9D 49D9DF2E 301D0603 551D0E04 1604145A 71B43450 60B0D567
  27D7D8F5 9DFB9D49 D9DF2E30 0D06092A 864886F7 0D010104 05000381 81009C0E
  9FD7112E 0F0740F1 6B30E99F 1C1E5552 41AB85C8 64EF3DBB 59DA24FC 87622F4E
  7E7F72FF 78B372C9 998E01DF C79CF840 24BF3A1B F6B59355 2FB382CC 4667D050
  859DF993 2853C662 BD39224E 8C078940 90A8687C 202278E8 15179D4C C2DA19D8
  B64B1431 0EE733C8 D8FE1AD4 94AE1733 E3428CE9 60A389C6 C9AE9B19 4EAA
  quit
username Cisco password 7 072C285F4D06
username ccsi password 7 000710150D115D525975
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 B170205075A3B9CEDED4382450CB transmit-key
 encryption mode wep mandatory
 !
 ssid ccsibridge
 !
 channel 2422
 station-role root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.222.61 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.222.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  no authentication eapfast
  no authentication mac
  nas 192.168.222.61 key 7 110A1A161E585D58527E
  user ccsi nthash 7 055B565F711C1E59495547425B5C547A7B7478636572435746535106090803045E
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.222.61 auth-port 1812 acct-port 1813 key 7 02050748024C59751A1A
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
Tricky.

And Cisco.com weren't exactly helpful...

Error Message:    DOT1X-SHIM-3-SUPP_START_FAIL: "Unable to start supplicant on %s."
Explanation:    An unexpected error occurred when the shim layer tried to start the dot1x supplicant on the indicated interface.

Recommended Action:    None.

And the other message isn't even mentioned in the error message appendix of the configuration guide.

I got a gut feeling the "authentication client username <username> password <password>" command on the root bridge might help, but don't know for sure 'cause I don't know your EAP server-side setup. Can't give you any other good answers here, but got a list of questions...

- Since it mentions supplicant in the error message, I'm thinking EAP-issues. Can you tell us how your server end is set up? Certificates?
- Do you get any console messages on the root bridge when you try this?
- I'm guessing from the SSID name this is a lab setup, so you might be OK to reduce your security to authentication open and see what happens? Just to confirm it's an authentication issue... (You're running WEP, so security can't be that big a deal ;))
- Can you do some debugging on both ends? I don't know if all of these will even give any output, just looking at the options available on an AP and looking for those I'd try if it was my problem...

Debug eap all (or just errors or events)
Debug dot1x all (or just errors or events)
Debug radius auth (long shot)

That said, I'm not 100% sure it's the authentication part, might be something with the associating as well, but if you answer those questions (or some of them at least), it'll be easier to tell.
ASKER CERTIFIED SOLUTION
Hodepine
ryan80

ASKER

Thank you for the help. That got it working.
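
An added example, not part of the thread and not Cisco's code: a Python check for the condition the first reply suspects, an SSID set to `authentication network-eap` on the device that has to act as the supplicant, with no `authentication client` credentials line, plus the WEP setting the reply remarks on. It assumes the supplicant is the non-root bridge (where the error was logged); the sample configs are constructed and trimmed, and `parse` and `audit` are hypothetical names.

```python
import re

# Constructed, trimmed samples modelled on the two configs in the thread
# (secrets omitted). Only the lines the checks read are kept.
NON_ROOT = """\
hostname nonrootbridge
dot11 ssid ccsibridge
   authentication network-eap eap_methods
   infrastructure-ssid
interface Dot11Radio0
 encryption mode wep mandatory
 ssid ccsibridge
 station-role non-root bridge
"""
ROOT = NON_ROOT.replace("nonrootbridge", "rootbridge").replace("non-root", "root")

def parse(config):
    """Collect the association-relevant settings from an IOS-style config."""
    info = {"ssids": {}, "role": None, "encryption": None}
    current = None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):      # a top-level line opens or closes a block
            m = re.match(r"dot11 ssid (\S+)", text)
            current = info["ssids"].setdefault(m.group(1), []) if m else None
        elif current is not None and text.startswith("authentication "):
            current.append(text)
        if text.startswith("station-role "):
            info["role"] = text.split(None, 1)[1]
        elif text.startswith("encryption mode "):
            info["encryption"] = text.split(None, 2)[2]
    return info

def audit(config):
    """Return findings for the supplicant side of an EAP-authenticated bridge link."""
    info, findings = parse(config), []
    # Assumption: the non-root bridge is the side that must present credentials.
    supplicant = (info["role"] or "").startswith("non-root")
    for name, auth in info["ssids"].items():
        uses_eap = any(a.startswith("authentication network-eap") for a in auth)
        has_creds = any(a.startswith("authentication client ") for a in auth)
        if supplicant and uses_eap and not has_creds:
            findings.append(f"{name}: network-eap but no 'authentication client' credentials")
    if info["encryption"] and info["encryption"].startswith("wep"):
        findings.append("radio uses WEP encryption")
    return findings
```

Run `audit()` on the text of `show running-config` from each bridge; an empty list means neither condition was found.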