Cisco Aironet 1100 LEAP, MS IAS Auth error; what is wrong with my config?

Discussion in 'Hardware' started by data_noid, Nov 27, 2009.

    Hello all,

    I am cutting my teeth on a couple of Cisco Aironet 1100 APs running IOS 12.3/8 and a MS IAS server. The current access point (AP1) has been up and running with the IAS server with no problems. I have been tasked to extend the coverage area by adding a repeater (AP2), another 1100 with the same IOS ver., to a location with no wired access.

    The problem I could use some help with is showing up as this error on AP1:

    "Station ####.####.#### Authentication failed" The MAC address is correct for AP2.

    On AP2 the error message is:

    "Packet to client ####.####.#### reached max retries, removing the client" The displayed MAC address is correct for AP1's radio interface.

    What am I doing wrong? Any input would be greatly appreciated. My config for both devices is below:

    Parent Access Point Config:

    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ap1
    !
    no logging console
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXX.
    !
    ip subnet-zero
    !
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 10.10.10.20 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    !
    dot11 ssid Fluffy
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
    !
    !
    !
    username admin privilege 15 password 7 XXXXXXXXXXXXXX
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers tkip
     !
     ssid Fluffy
     !
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 10.10.10.27 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 10.10.10.1
    ip http server
    no ip http secure-server
    ip radius source-interface BVI1
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.10.10.20 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXX
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
    !
    end

    *********


    Repeater Config:

    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ap2
    !
    no logging console
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXX.
    !
    ip subnet-zero
    !
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 10.10.10.20 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    !
    dot11 ssid Fluffy
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     authentication client username ap2 password 7 XXXXXXXXXXXXXX
     infrastructure-ssid
    !
    !
    !
    username admin privilege 15 password 7 XXXXXXXXXXXXXX
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers tkip
     !
     ssid Fluffy
     !
     parent 1 ####.####.####
     parent timeout 300
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role repeater
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 10.10.10.26 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 10.10.10.1
    ip http server
    no ip http secure-server
    ip radius source-interface BVI1
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.10.10.20 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXX
    radius-server vsa send accounting
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
    !
    end



    I am missing something but I am stumped...

    Thank you for your time and effort.

    -J
    Last edited: Nov 27, 2009
    data_noid, Nov 27, 2009