Trying to set up 2 Cisco 1310's in a workstation bridge mode

I am trying to get two Cisco 1310's to work in bridge mode. I have put in some basic configuration, but it is having problems associating. I am not very familiar with Cisco wireless devices and was hoping someone might find what I did wrong.

This is the error message displayed on the non root bridge and below are the configs.



*Mar  1 01:15:35.676: %DOT1X_SHIM-3-SUPP_START_FAIL: Unable to start supplicant on Dot11Radio0
*Mar  1 01:15:40.921: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: EAP authenticating

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nonrootbridge
!
enable secret 5 $1$UOcJ$1tDkLl4iCcRHzKL9hknfV/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.222.61 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
!
dot11 ssid ccsibridge
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
!
!
!
username Cisco password 7 062506324F41
username ccsi password 7 070C225F47434F514146
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 B170205075A3B9CEDED4382450CB transmit-key
 encryption mode wep mandatory
 !
 ssid ccsibridge
 !
 station-role non-root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 --More--
*Mar  1 01:15:20.921: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: EAP auth bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.222.62 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.222.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community ccsigroup RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.222.61 auth-port 1812 acct-port 1813 key 7 000710150D115D525975
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Open in new window

LVL 12
ryan80Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ryan80Author Commented:
Current configuration : 3680 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rootbridge
!
enable secret 5 $1$7swc$gn6HWtCvWbsfpb19FU1EQ.
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.222.61 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
!
dot11 ssid ccsibridge
   authentication network-eap eap_methods
   guest-mode
   infrastructure-ssid
!
!
crypto pki trustpoint TP-self-signed-2153882658
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2153882658
 revocation-check none
 rsakeypair TP-self-signed-2153882658
!
!
crypto pki certificate chain TP-self-signed-2153882658
 certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313533 38383236 3538301E 170D3032 30333031 30303232
  32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31353338
  38323635 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A257 01FB42C9 EAEB084A F74BA315 152EF84B 2E2291F1 B1413F78 77BCD3B7
  BF2B1C8F 25685E36 35018A66 2BE8294A 07046405 C735A3ED BF9F5306 78E78621
  DB20B895 7588BC9B 3F09B75F 5F069D11 77A8DCD0 707987F6 D94556DD 4503EFC2
  51ED407F 39F26BAF 5350B9C1 C30E3917 3AD35C64 4DAB8CCE F21481DA 08D71B90
  8D3D0203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
  551D1104 06300482 02617030 1F060355 1D230418 30168014 5A71B434 5060B0D5
  6727D7D8 F59DFB9D 49D9DF2E 301D0603 551D0E04 1604145A 71B43450 60B0D567
  27D7D8F5 9DFB9D49 D9DF2E30 0D06092A 864886F7 0D010104 05000381 81009C0E
  9FD7112E 0F0740F1 6B30E99F 1C1E5552 41AB85C8 64EF3DBB 59DA24FC 87622F4E
  7E7F72FF 78B372C9 998E01DF C79CF840 24BF3A1B F6B59355 2FB382CC 4667D050
  859DF993 2853C662 BD39224E 8C078940 90A8687C 202278E8 15179D4C C2DA19D8
  B64B1431 0EE733C8 D8FE1AD4 94AE1733 E3428CE9 60A389C6 C9AE9B19 4EAA
  quit
username Cisco password 7 072C285F4D06
username ccsi password 7 000710150D115D525975
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 B170205075A3B9CEDED4382450CB transmit-key
 encryption mode wep mandatory
 !
 ssid ccsibridge
 !
 channel 2422
 station-role root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.222.61 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.222.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  no authentication eapfast
  no authentication mac
  nas 192.168.222.61 key 7 110A1A161E585D58527E
  user ccsi nthash 7 055B565F711C1E59495547425B5C547A7B7478636572435746535106090803045E
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.222.61 auth-port 1812 acct-port 1813 key 7 02050748024C59751A1A
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
0
HodepineCommented:
Tricky.

And Cisco.com weren't exactly helpful...

Error Message:    DOT1X-SHIM-3-SUPP_START_FAIL: "Unable to start supplicant on %s."
Explanation:    An unexpected error occurred when the shim layer tried to start the dot1x suppliant on the indicated interface.

Recommended Action:    None.

And the other message isn't even mentioned in the error message appendix of the configuration guide.

I got a gut feeling "authentication client username <username> password <password> command on the root bridge might help, but don't know for sure cause I don't know your eap server-side setup. Can't give you any other good answers here, but got a list of questions...

- Since it mentions supplicant in the error message, I'm thinking EAP-issues. Can you tell us how your server end is set up? Certificates?
- Do you get any console messages on the root bridge when you try this?
- I'm guessing from the SSID name this is a lab setup, so you might be OK to reduce your security to authentication open and see what happens? Just to confirm it's an authentication issue... (You're running WEP, so security can't be that big a deal ;))
- Can you do some debugging on both ends? I don't know if all of these will even give any output, just looking at the options available on an AP and looking for those I'd try if it was my problem...

Debug eap all (or just errors or events)
Debug dot1x all (or just errors or events)
Debug radius auth (long shot)

That said, I'm not 100% sure it's the authentication part, might be something with the associating as well, but if you answer those questions (or some of them at least), it'll be easier to tell.
0
HodepineCommented:
The "authentication client"-command goes under "dot11 ssid ccsibridge" by the way.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ryan80Author Commented:
Thank you for the help. that got it working.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.