871W (800 series) WiFi setup of WPA2

Discussion in 'Cisco' started by JF Mezei, Sep 26, 2009.

  1. JF Mezei

    JF Mezei Guest

    Pardon my newbiness, but I am at wits end.

    I have an 871W. IOS 12.4(15) T9

    I got WPA to work fine with a MAC (OSX 10.5 but is now 10.6).

    I am trying to set up WPA2 Enterprise, but I can't seem to find any
    working command line examples. The Cisco site does provide one page for
    such a setup on Aironet devices, but shows only the useless SDM images.

    The following does get the Mac to see a "WPA2 Enterprise" service with
    my ssid. If I search for all networks and choose mine, it then asks for
    username/password. But I can type anything and it seems to accept it.
    (but the console log on the Mac does show an authentication error).

    Is there anything obvious, superfluous or missing in the config
    snippets below? And is it correct to state that it should only accept
    user donaldduck with password mickeymouse?



    The router's IP is 10.0.0.2

    The Wi-fi section:
    -----------------------------------------------

    dot11 ssid yourWiFi
    vlan 10
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    guest-mode

    interface Dot11Radio0
    no ip address
    !
    broadcast-key vlan 10 change 600
    !
    encryption vlan 10 mode ciphers aes-ccm
    !
    ssid yourWiFi
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    antenna receive diversity
    antenna transmit diversity
    world-mode dot11d country CA both
    !
    interface Dot11Radio0.10
    description yourWiFi on VLAN 10
    encapsulation dot1Q 10
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 spanning-disabled
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    !


    The radius section:
    -----------------------------------------------
    radius-server local
    nas 10.0.0.2 key 0 mylongandsharedsecret
    eapfast server-key primary 0 2C8F83C20595913697807834E822B619
    eapfast server-key secondary 0 ADDE5F565301D05E659A0C120216EF02
    user donaldduck password mickeymouse
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedsecret
    radius-server authorization permit missing Service-Type
    radius-server vsa send accounting
    !


    The aaa section:
    -----------------------------------------------
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
    server 10.0.0.2 auth-port 1812 acct-port 1813
    radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedpassword


    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    !aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    !
    !
    aaa session-id common


    Note: after writing above, I added:

    aaa authentication dot1x rad_eap local

    but that didn't make a difference.
     
    JF Mezei, Sep 26, 2009
    #1

  2. Uli Link

    Uli Link Guest

    JF Mezei wrote:
    > Pardon my newbiness, but I am at wits end.
    >
    > I have an 871W. IOS 12.4(15) T9
    >
    > I got WPA to work fine with a MAC (OSX 10.5 but is now 10.6).
    >
    > I am trying to set up WPA2 Enterprise, but I can't seem to find any
    > working command line examples. The Cisco site does provide one page for
    > such a setup on Aironet devices, but shows only the useless SDM images.
    >
    > The following does get the Mac to see a "WPA2 Enterprise" service with
    > my ssid. If I search for all networks and choose mine, it then asks for
    > username/password. But I can type anything and it seems to accept it.
    > (but the console log on the Mac does show an authentication error).
    >
    > Is there anything obvious, superfluous or missing in the config
    > snippets below? And is it correct to state that it should only accept
    > user donaldduck with password mickeymouse?
    >
    >
    >
    > The router's IP is 10.0.0.2
    >
    > The Wi-fi section:
    > -----------------------------------------------
    >
    > dot11 ssid yourWiFi
    > vlan 10
    > authentication open eap eap_methods
    > authentication network-eap eap_methods
    > authentication key-management wpa
    > guest-mode
    >
    > interface Dot11Radio0
    > no ip address
    > !
    > broadcast-key vlan 10 change 600
    > !
    > encryption vlan 10 mode ciphers aes-ccm
    > !
    > ssid yourWiFi
    > !
    > speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    > station-role root
    > antenna receive diversity
    > antenna transmit diversity
    > world-mode dot11d country CA both
    > !
    > interface Dot11Radio0.10
    > description yourWiFi on VLAN 10
    > encapsulation dot1Q 10
    > bridge-group 10
    > bridge-group 10 subscriber-loop-control
    > bridge-group 10 spanning-disabled
    > bridge-group 10 block-unknown-source
    > no bridge-group 10 source-learning
    > no bridge-group 10 unicast-flooding
    > !
    >
    >
    > The radius section:
    > -----------------------------------------------
    > radius-server local
    > nas 10.0.0.2 key 0 mylongandsharedsecret
    > eapfast server-key primary 0 2C8F83C20595913697807834E822B619
    > eapfast server-key secondary 0 ADDE5F565301D05E659A0C120216EF02
    > user donaldduck password mickeymouse
    > !
    > radius-server attribute 32 include-in-access-req format %h
    > radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedsecret
    > radius-server authorization permit missing Service-Type
    > radius-server vsa send accounting
    > !
    >
    >
    > The aaa section:
    > -----------------------------------------------
    > !
    > aaa new-model
    > !
    > !
    > aaa group server radius rad_eap
    > server 10.0.0.2 auth-port 1812 acct-port 1813
    > radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key mylongandsharedpassword
    >
    >
    > !
    > aaa group server radius rad_mac
    > !
    > aaa group server radius rad_acct
    > !
    > aaa group server radius rad_admin
    > !
    > !aaa group server tacacs+ tac_admin
    > !
    > aaa group server radius rad_pmip
    > !
    > aaa group server radius dummy
    > !
    > aaa authentication login eap_methods group rad_eap
    > aaa authentication login mac_methods local
    > aaa authorization exec default local
    > aaa accounting network acct_methods start-stop group rad_acct
    > !
    > !
    > aaa session-id common
    >
    >
    > Note: after writing above, I added:
    >
    > aaa authentication dot1x rad_eap local
    >
    > but that didn't make a difference.


    You have configured the local radius server. So your supplicant MUST
    authenticate using LEAP or EAP-FAST (and EAP-FAST with local radius has
    a few restrictions...)
    No PEAP/MSCHAPv2 or EAP-TLS.

    The authentication part is the same for both WPA and WPA2; the only
    difference is under interface Dot11Radio0:
    for WPA: encryption vlan 10 mode ciphers tkip
    for WPA2: encryption vlan 10 mode ciphers aes-ccm

    --
    ULi
     
    Uli Link, Sep 26, 2009
    #2
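An added example, not from either poster: a small Python checker that applies Uli's two points to an IOS excerpt modelled on the config above. It reports which WPA flavour each VLAN runs from its cipher line, flags that `radius-server local` limits supplicants to LEAP or EAP-FAST, and compares the `nas` key with every `radius-server host` key, since the two `radius-server host` lines in the original post carry different secrets. The sample config and its SECRET_A/SECRET_B placeholders are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the thread's config; secrets are placeholders.
SAMPLE_CONFIG = """
dot11 ssid yourWiFi
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
radius-server local
 nas 10.0.0.2 key 0 SECRET_A
 user donaldduck password mickeymouse
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key SECRET_A
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1812 acct-port 1813
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key SECRET_B
"""

CIPHER_NAMES = {"aes-ccm": "WPA2 (AES-CCMP)", "tkip": "WPA (TKIP)"}

def audit_ios_wifi(config: str) -> Dict[str, List[str]]:
    """Return findings keyed by 'mode', 'eap' and 'secrets' for an IOS excerpt."""
    findings: Dict[str, List[str]] = {"mode": [], "eap": [], "secrets": []}
    # 1. Which WPA flavour each VLAN actually runs is decided by the cipher line.
    for vlan, ciphers in re.findall(r"^\s*encryption vlan (\d+) mode ciphers (.+?)\s*$",
                                    config, re.M):
        names = " + ".join(CIPHER_NAMES.get(c, c) for c in ciphers.split())
        findings["mode"].append(f"vlan {vlan}: {names}")

    # 2. The IOS local RADIUS server only terminates LEAP and EAP-FAST, so a
    #    supplicant trying PEAP/MSCHAPv2 or EAP-TLS will always fail.
    if re.search(r"^\s*radius-server local\b", config, re.M):
        findings["eap"].append("local RADIUS: clients must use LEAP or EAP-FAST "
                               "(no PEAP/MSCHAPv2 or EAP-TLS)")

    # 3. The 'nas' key and the 'radius-server host' key must be the same shared
    #    secret; a mismatch makes every Access-Request fail. Comparison is
    #    literal only (type-7 encrypted keys are not decoded).
    nas_keys = dict(re.findall(r"^\s*nas (\S+) key (?:\d )?(\S+)", config, re.M))
    for host, key in re.findall(r"^\s*radius-server host (\S+) .*?\bkey (?:\d )?(\S+)",
                                config, re.M):
        if host in nas_keys and nas_keys[host] != key:
            findings["secrets"].append(f"{host}: radius-server host key differs from nas key")
    return findings
```

Running `audit_ios_wifi(SAMPLE_CONFIG)` on the sample reports WPA2 on VLAN 10, the LEAP/EAP-FAST restriction, and one key mismatch for 10.0.0.2.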
