Cisco 1200 - EAP-Fast

Discussion in 'Cisco' started by R Siffredi, Apr 12, 2005.

  1. R Siffredi

    R Siffredi Guest

    I want to use EAP-FAST with my Cisco 1200 and laptop with PC-350 Cisco card.
    I have the latest 1200 software and the 6.4 latest client PC Cisco software.

    My client associates to the laptop, then asks for username/password/domain and
    says provisioning failed. I have reviewed all the docs on CCO, I have the local RADIUS server configured.

    Does anyone know which piece I am missing?
     
    R Siffredi, Apr 12, 2005
    #1

  2. R Siffredi

    z400d3 Guest

    "Provisioning failed" sounds like a PAC problem.

    Post the config and I will have a look





    Drop the ZZZ to reply

    Cheers ...
     
    z400d3, Apr 13, 2005
    #2

  3. R Siffredi

    R Siffredi Guest

    hostname ap
    !
    !
    username xxx privilege 15 password xxx
    ip subnet-zero
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 172.16.100.50 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers tkip
     !
     ssid ciscoap
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     authentication client username rocco password test
     !
     speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
     station-role root
     no cdp enable
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 172.16.100.50 255.255.255.0
     no ip route-cache
    !
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    logging snmp-trap emergencies
    logging snmp-trap alerts
    logging snmp-trap critical
    logging snmp-trap errors
    logging snmp-trap warnings
    radius-server local
     no authentication leap
     no authentication mac
     nas 172.16.100.50 key 7 06258635AF52
     group accessap
     ssid ciscoap
     !
     user rocco password test group accessap
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.1.50 auth-port 1645 acct-port 1646 key 7 030752180500
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    !
    line con 0.................



     
    R Siffredi, Apr 13, 2005
    #3
  4. R Siffredi

    z400d3 Guest

    I have had a look at this and two things immediately spring to mind.

    (1) Initially set users and groups globally rather than attached to an
    ssid

    (2) For local authentication you need to be using ports 1812 and 1813,
    1645 and 1646 are for remote authentication

    Replace "aaa group server radius rad_eap
     server 172.16.100.50 auth-port 1645 acct-port 1646"

    With "aaa group server radius rad_eap
     server 172.16.100.50 auth-port 1812 acct-port 1813"

    Overall, I would simplify the config and get the EAP side of things
    working with eap-leap on an open ssid before adding anything like mac
    address filtering, fast etc.

    I can supply you with example configs if you need them.





    Drop the ZZZ to reply

    Cheers ...
     
    z400d3, Apr 14, 2005
    #4
  5. R Siffredi

    z400d3 Guest

    You will also need to change

    radius-server host 172.16.1.50 auth-port 1645 acct-port 1646 key 7 KEY

    to ...

    radius-server host 172.16.1.50 auth-port 1812 acct-port 1813 key 7 KEY




    Drop the ZZZ to reply

    Cheers ...
     
    z400d3, Apr 14, 2005
    #5
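
Added example (not part of the thread and not any poster's code): a small Python check for the port mismatch discussed in posts #4 and #5. It assumes indented `show running-config` style input, takes 1812/1813 as the local RADIUS server ports from the advice above, and also reports a group `server` entry with no matching `radius-server host` line, which is this example's own assumption about how the two should line up. `SAMPLE_CONFIG`, `parse_radius` and `lint` are names made up here, and the keys are replaced with `KEY`.

```python
import re

# Constructed sample: the RADIUS-related lines of the config posted in this thread.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 172.16.100.50 auth-port 1645 acct-port 1646
!
interface BVI1
 ip address 172.16.100.50 255.255.255.0
!
radius-server local
 nas 172.16.100.50 key 7 KEY
!
radius-server host 172.16.1.50 auth-port 1645 acct-port 1646 key 7 KEY
"""

# Assumption taken from the thread: the AP's local RADIUS server uses 1812/1813.
LOCAL_PORTS = (1812, 1813)
ENDPOINT_RE = re.compile(r"(server|radius-server host) (\S+) auth-port (\d+) acct-port (\d+)")
IP_RE = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+)\s")

def parse_radius(config):
    """Return (own_ips, local_enabled, group_refs, global_hosts) from a config."""
    own_ips, group_refs, hosts = set(), [], []
    local_enabled, section = False, ""
    for line in config.splitlines():
        if line and not line[0].isspace():
            section = line.strip()          # a top-level command opens a new section
        text = line.strip()
        if section.startswith("interface ") and (m := IP_RE.match(text)):
            own_ips.add(m.group(1))         # addresses that belong to this AP
        elif text == "radius-server local":
            local_enabled = True
        elif m := ENDPOINT_RE.match(text):
            entry = (m.group(2), int(m.group(3)), int(m.group(4)))
            if m.group(1) == "server":      # entry inside an "aaa group server" block
                group_refs.append((section.split()[-1],) + entry)
            else:                           # global "radius-server host" definition
                hosts.append(entry)
    return own_ips, local_enabled, group_refs, hosts

def lint(config):
    """Return human-readable findings about RADIUS server/port mismatches."""
    own_ips, local_enabled, group_refs, hosts = parse_radius(config)
    findings = []
    for group, ip, auth, acct in group_refs:
        if local_enabled and ip in own_ips and (auth, acct) != LOCAL_PORTS:
            findings.append(f"group {group}: {ip} is this AP's own local RADIUS "
                            f"server but ports are {auth}/{acct}, expected 1812/1813")
        if (ip, auth, acct) not in hosts:
            findings.append(f"group {group}: no 'radius-server host' line matches "
                            f"{ip} {auth}/{acct}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```
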
  6. R Siffredi

    R Siffredi Guest

    Thanks a lot, I am able to get authenticated now.
    I would still however like to see your example configs.
    Thanks


     
    R Siffredi, Apr 15, 2005
    #6