Question : Cisco AP 1240AG
Quick config question. I'm pretty sure my problem is a Windows config error, but I just wanted to rule out any config error. Here is what I'm trying to accomplish: 2 SSIDs (for now):
- guest-ap (VLAN 2), which is completely open and is broadcast (later it will still be broadcast, but will have a WPA-PSK config)
- secure-ap (VLAN 10), which is not broadcast, uses WPA encryption and authenticates via a RADIUS server (W2K, integrated to authenticate the user/computer)
Right now I can connect to both SSIDs. The guest-ap (being open) allows use and I get an IP; everything is good. The secure-ap gets stuck on "Verifying identity". I get a bunch of auth failed messages in the AP log. Also (don't know if this is common or not), before the auth failed messages I always get two messages referencing the RADIUS server: the first says it couldn't communicate with the RADIUS server, then immediately after that it says it's alive again. Also, I do get messages on the RADIUS server stating that auth failed (the reason why I think it's an MS server misconfig problem and not an AP one).
At any rate, here is my AP config. secure-ap2 (VLAN 11) is in there because I added that via the web interface so I could figure out what command-line commands I had to use to switch secure-ap from open to more secure. I just left it in, in case it might be screwing something up.
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1240-test
!
enable secret 5 xxxxxxxxxxxxxx
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius msradius
 server 192.168.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap
 server 192.168.1.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Guest vlan 2
dot11 vlan-name Inside vlan 10
!
dot11 ssid guest-ap
 vlan 2
 authentication open
 guest-mode
 admit-traffic
!
dot11 ssid secure-ap
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 admit-traffic
!
dot11 ssid secure-ap2
 vlan 11
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
dot11 arp-cache
power inline negotiation prestandard source
!
!
dot1x credentials approfile
!
username Cisco password 7 xxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers tkip
 !
 encryption vlan 10 mode ciphers tkip
 !
 ssid guest-ap
 !
 ssid secure-ap
 !
 ssid secure-ap2
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 11 mode ciphers tkip
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface FastEthernet0.1
 no ip route-cache
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 192.168.2.10 255.255.255.0
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.1.10 255.255.255.0
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 no bridge-group 11 source-learning
 bridge-group 11 spanning-disabled
!
interface BVI1
 ip address 192.168.1.9 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging trap debugging
logging 192.168.2.102
snmp-server community sato RO
radius-server local
 nas 192.168.1.5 key 7 0518071B2E4D5E
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxx
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 password 7 xxxxxxxxxxxxxx
!
end
Answer : Cisco AP 1240AG
OK, I see what you've done. The correct way is to make the AP management VLAN the native VLAN. Since you've configured for a 192.168.1.X address, you need to tick this option for VLAN 10 on the access point. You will also need to configure the switch port the AP plugs into to have VLAN 10 as the native or untagged VLAN.
Access to the AP should then be possible using the 192.168.1.9 address and this will be the IP address the RADIUS server will see authentication requests coming from.
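The change the answer describes, written out as CLI instead of the web-interface checkbox. This is an added example and not part of the original answer: the AP interface names and addresses come from the posted config, while the switch port name and the VLAN list on the trunk are assumptions; the guest (VLAN 2) and secure-ap2 (VLAN 11) subinterfaces are left exactly as posted.

```cisco
! --- On the 1240AG: VLAN 10 becomes the native (management) VLAN ---
! Bridge-group 1 is the group BVI1 belongs to. In the posted config it sits
! on the physical interfaces; once VLANs are in use it belongs on the
! native-VLAN subinterfaces instead, so take it off the physical ports first.
interface Dot11Radio0
 no bridge-group 1
interface FastEthernet0
 no bridge-group 1
!
! Radio side: tag 10 as native and move this subinterface into bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 no bridge-group 10
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
! Wired side: same native tag; the 192.168.1.10 address comes off this
! subinterface because BVI1 already carries the management address
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip address
 no ip route-cache
 no bridge-group 10
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
! Management and RADIUS traffic both originate from BVI1 (already in the
! posted config; repeated here because the answer depends on it)
interface BVI1
 ip address 192.168.1.9 255.255.255.0
ip radius source-interface BVI1
!
! --- On the switch (port name assumed): VLAN 10 untagged, 2 and 11 tagged ---
interface FastEthernet0/1
 ! the encapsulation line is only needed on switches that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2,10,11
```

After this, `show ip interface brief` on the AP should list BVI1 with 192.168.1.9, and the RADIUS server's client entry for this AP must be registered against 192.168.1.9 with the matching shared secret, since that is now the source address of every Access-Request.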