Question : Cisco AP 1240AG

Quick config question.  I'm pretty sure my problem is a Windows config error, but just wanted to rule out any config error.  Here is what I'm trying to accomplish.
2 SSIDs (for now)
guest-ap (VLAN 2) that is completely open and is broadcast out (later will be broadcast, but will have WPA-PSK config)
secure-ap (VLAN 10) that is not broadcast and uses WPA encryption and authenticates via a RADIUS server (W2K integrated to authen the user/computer)

Right now I can connect to both SSIDs; the guest-ap (being open) allows use and I get an IP.  Everything is good.  The secure-ap gets stuck on Verifying identity.  I get a bunch of auth failed messages in the AP log.  Also (don't know if this is common or not), before the auth failed messages I always get two messages referencing the RADIUS server.  The first says it couldn't communicate with the RADIUS server, then immediately after that it says it's alive again.  Also, I do get messages on the RADIUS server stating that auth failed (the reason why I think it's an MS server misconfig problem and not an AP one).

At any rate, here is my AP config.  secure-ap2 (VLAN 11) is in there because I added that via the web int so I could figure out what command line commands I had to use to switch secure-ap from open to more secure.  I just left it in, in case it might be screwing something up.

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1240-test
!
enable secret 5 xxxxxxxxxxxxxx
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius msradius
server 192.168.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap
 server 192.168.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Guest vlan 2
dot11 vlan-name Inside vlan 10
!
dot11 ssid guest-ap
  vlan 2
  authentication open
  guest-mode
  admit-traffic
!
dot11 ssid secure-ap
  vlan 10
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  admit-traffic
!
dot11 ssid secure-ap2
  vlan 11
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
!
dot11 arp-cache
power inline negotiation prestandard source
!
!
dot1x credentials approfile
!
username Cisco password 7 xxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 11 mode ciphers tkip
!
encryption vlan 10 mode ciphers tkip
!
ssid guest-ap
!
ssid secure-ap
!
ssid secure-ap2
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption vlan 11 mode ciphers tkip
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in

interface FastEthernet0.1
no ip route-cache
!
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 192.168.2.10 255.255.255.0
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
ip address 192.168.1.10 255.255.255.0
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
!
interface BVI1
ip address 192.168.1.9 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging trap debugging
logging 192.168.2.102
snmp-server community sato RO
radius-server local
 nas 192.168.1.5 key 7 0518071B2E4D5E
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxx
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
password 7 xxxxxxxxxxxxxx
!
end

Answer : Cisco AP 1240AG

OK, I see what you've done.
The correct way is to make the AP management VLAN the native VLAN. Since you've configured for a 192.168.1.X address, you need to tick this option for VLAN 10 on the access point. You will also need to configure the switch port the AP plugs into to have VLAN 10 as the native or untagged VLAN.

Access to the AP should then be possible using the 192.168.1.9 address and this will be the IP address the RADIUS server will see authentication requests coming from.
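
The check the answer describes, as an added example that is not part of the original question or answer: it reads an excerpt of the posted AP config, reports dot1Q subinterfaces whose `native` flag disagrees with the management VLAN, and returns the address the RADIUS server will see as the client. The function names are hypothetical, and the management VLAN (10) is taken from the answer.

```python
import re

# Lines excerpted from the AP config in the question ('!' separators trimmed).
AP_CONFIG = """\
interface Dot11Radio0.10
encapsulation dot1Q 10
interface FastEthernet0.2
encapsulation dot1Q 2
interface FastEthernet0.10
encapsulation dot1Q 10
interface BVI1
ip address 192.168.1.9 255.255.255.0
!
ip radius source-interface BVI1
"""

def interface_blocks(config):
    """Map interface name -> its sub-command lines ('!' ends a block)."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line == "!":
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def native_vlan_findings(config, mgmt_vlan):
    """List subinterfaces whose 'native' flag disagrees with the management VLAN."""
    findings = []
    for name, lines in sorted(interface_blocks(config).items()):
        for line in lines:
            m = re.match(r"encapsulation dot1Q (\d+)(\s+native)?$", line)
            if m and (int(m.group(1)) == mgmt_vlan) != bool(m.group(2)):
                findings.append(f"{name}: VLAN {m.group(1)} native={bool(m.group(2))}")
    return findings

def radius_source_ip(config):
    """IP the RADIUS server sees: address of the 'ip radius source-interface'."""
    src = re.search(r"^ip radius source-interface (\S+)", config, re.M)
    for line in interface_blocks(config).get(src.group(1), []) if src else []:
        m = re.match(r"ip address (\S+) \S+$", line)
        if m:
            return m.group(1)
    return None
```

Calling `native_vlan_findings(AP_CONFIG, 10)` flags both VLAN 10 subinterfaces as not native, and `radius_source_ip(AP_CONFIG)` gives the address that must match the RADIUS client entry on the server.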