Solved: IAS, PEAP, 1200 AP

Discussion in 'Cisco' started by jt, May 14, 2004.

  1. jt

    jt Guest

    I got the IAS running with PEAP on a 1200 series AP,
    both with 350 and CB21AG cards.

    Howto available on request.

    jt
    jt, May 14, 2004
    #1

  2. jt

    John Caruso Guest

    In article <40a47535$0$26353$-online.net>, jt wrote:
    > I got the IAS running with PEAP on a 1200 series AP,
    > both with 350 and CB21AG cards.
    >
    > Howto available on request.


    Please do post one, if you get the time. There are enough interoperability
    problems out there with wireless at the moment that any information on a
    successful implementation is useful.

    - John
    John Caruso, May 18, 2004
    #2

  3. Hi,

    I'm interested as well.

    Erik

    "John Caruso" <> wrote in message
    news:...
    > In article <40a47535$0$26353$-online.net>, jt wrote:
    > > I got the IAS running with PEAP on a 1200 series AP,
    > > both with 350 and CB21AG cards.
    > >
    > > Howto available on request.
    >
    > Please do post one, if you get the time. There are enough interoperability
    > problems out there with wireless at the moment that any information on a
    > successful implementation is useful.
    >
    > - John
    Erik Tamminga, May 18, 2004
    #3
  4. jt

    D Guest

    "jt" <> wrote in message news:<40a47535$0$26353$-online.net>...
    > I got the IAS running with PEAP on a 1200 series AP,
    > both with 350 and CB21AG cards.
    >
    > Howto available on request.
    >
    > jt


    JT,

    Could you send me the Howto? I have a problem configuring AP IOS to
    support PEAP. When time a client tries to associate, it will get
    associated but nothing else. The AP doesn't even send out PEAP packets
    to IAS.

    Please send the Howto to

    Thanks a lot!
    D, May 24, 2004
    #4
  5. jt

    GroupReply Guest

    Update your IOS to the latest. The older IOS sent the NAS-type of "virtual"
    to the IAS server and the newer version of the IOS sends the NAS-type as
    "wireless". Make sure it is configured properly in your IAS policy.



    "D" <> wrote in message
    news:...
    > "jt" <> wrote in message news:<40a47535$0$26353$-online.net>...
    > > I got the IAS running with PEAP on a 1200 series AP,
    > > both with 350 and CB21AG cards.
    > >
    > > Howto available on request.
    > >
    > > jt
    >
    > JT,
    >
    > Could you send me the Howto? I have a problem configuring AP IOS to
    > support PEAP. When time a client tries to associate, it will get
    > associated but nothing else. The AP doesn't even send out PEAP packets
    > to IAS.
    >
    > Please send the Howto to
    >
    > Thanks a lot!
    GroupReply, May 24, 2004
    #5
  6. jt

    D Guest

    I just upgraded this AP1220 from the non-IOS version to IOS about a
    month ago. Did have a little problem after that but upgrading it again
    to the then latest version fixed it. Here is the sh ver

    Cisco Internetwork Operating System Software
    IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    ....

    ROM: Bootstrap program is C1200 boot loader
    BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    After all the attempts, I also begin to think I may need another
    upgrade -- if there is one :))

    Basically, my AAA Radius setup on the AP is correct because I am
    telnetting to the AP through RADIUS logon. The problem is when I turn
    on my Laptop, which is an XP sp1 with a 350 series card configured
    (using XP, not ACU) to use PEAP w/ MSCHAP2, all the AP log shows is
    "Debugging Station 000a.4104.8ca6 Authentication failed." No RADIUS
    packets are sent out to IAS for PEAP (didn't catch any with Netmon on
    IAS). Event log on IAS also only shows the regular RADIUS packets for
    telnet logon on that AP, and nothing else.

    Here is the Remote Access Policy on IAS (2000 SP4) for Wireless:

    NAS-PORT-TYPE matches "Wirelss - IEEE 802.11 OR wireless - Other" AND
    Windows-Group matches "xxxxx\IT"

    Under Profile -> Authentication: EAP, PEAP, MS-CHAPv2, using IAS
    server certificate issued by a local standalone CA.

    Profile -> Encryption: checked on Strongest.

    Profile -> Advanced: default, i.e., Frame Protocol - RADIUS Standard -
    PPP,
    Service Type - RADIUS standard - Framed

    *** can't find any other VSA to add in there.

    RADIUS client entry for AP1: RADIUS standard (tried Cisco but didn't
    make a difference).

    I have read a ton of MS and Cisco documentation on EAP and PEAP but
    could not find a clear scenario configuration for PEAP/MSCHAPv2 on
    Aironet 1200 IOS and IAS.

    Appreciate it so much!
    daniel

    "GroupReply" <> wrote in message news:<yprsc.3256$>...
    > Update your IOS to the latest. The older IOS sent the NAS-type of "virtual"
    > to the IAS server and the newer version of the IOS sends the NAS-type as
    > "wireless". Make sure it is configured properly in your IAS policy.
    >
    >
    >
    > "D" <> wrote in message
    > news:...
    > > "jt" <> wrote in message news:<40a47535$0$26353$-online.net>...
    > > > I got the IAS running with PEAP on a 1200 series AP,
    > > > both with 350 and CB21AG cards.
    > > >
    > > > Howto available on request.
    > > >
    > > > jt
    > >
    > > JT,
    > >
    > > Could you send me the Howto? I have a problem configuring AP IOS to
    > > support PEAP. When time a client tries to associate, it will get
    > > associated but nothing else. The AP doesn't even send out PEAP packets
    > > to IAS.
    > >
    > > Please send the Howto to
    > >
    > > Thanks a lot!
    D, May 25, 2004
    #6
  7. jt

    mh Guest

    Your AAA/RADIUS config on the AP1200 should look something like this:


    aaa new-model
    aaa group server radius RADIUS-EAP
     server x.x.x.x auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login EAP-METHOD group RADIUS-EAP
    aaa session-id common

    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 ??????
    radius-server authorization permit missing Service-Type

    ip radius source-interface BVI1
    mh, May 25, 2004
    #7
  8. jt

    D Guest

    (mh) wrote in message news:<>...
    > Your AAA/RADIUS config on the AP1200 should look something like this:
    >
    >
    > aaa new-model
    > aaa group server radius RADIUS-EAP
    > server x.x.x.x auth-port 1812 acct-port 1813
    > aaa authentication login default local
    > aaa authentication login EAP-METHOD group RADIUS-EAP
    > aaa session-id common
    >
    > radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 ??????
    > radius-server authorization permit missing Service-Type
    >
    > ip radius source-interface BVI1


    Here is my IOS config.

    version 12.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    !
    hostname ap
    !
    enable secret 5 xxxxxxxxx
    !
    username xxxxxx password 7 xxxxxxxxxxxxxx
    clock timezone S -6
    clock summer-time S recurring
    ip subnet-zero
    !
    aaa new-model
    !
    !
    aaa group server radius IAS
    server 172.16.2.106 auth-port 1645 acct-port 1646
    !
    aaa authentication login default group IAS local
    aaa session-id common
    dot11 network-map
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
    transmit-key
    encryption mode wep mandatory
    !
    ssid xxxxxxxx
    authentication open eap IAS
    infrastructure-ssid
    !
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    rts threshold 2312
    station-role root
    dot1x reauth-period server
    dot1x client-timeout 5
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    ip address 172.16.8.10 255.255.255.0
    no ip route-cache
    !
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
    ip radius source-interface BVI1
    radius-server host 172.16.2.106 auth-port 1645 acct-port 1646 key 7 11510B044542185E55
    radius-server authorization permit missing Service-Type
    bridge 1 route ip

    I don't see anything different from your IOS commands.

    Thanks!
    D, May 27, 2004
    #8
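
    One way to compare the two configs posted above mechanically (an added example, not part of any poster's message): a small Python check that every `authentication open eap <name>` line under an SSID has a matching `aaa authentication login <name>` method list. It assumes the name on the SSID line refers to a login method list, the way mh's EAP-METHOD list is defined; the sample configs and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample configs, modelled on the two AP configs posted in this thread.
CONFIG_WITH_LIST = """\
aaa group server radius RADIUS-EAP
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login EAP-METHOD group RADIUS-EAP
interface Dot11Radio0
 ssid example
  authentication open eap EAP-METHOD
"""
CONFIG_WITHOUT_LIST = """\
aaa group server radius IAS
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa authentication login default group IAS local
interface Dot11Radio0
 ssid example
  authentication open eap IAS
"""

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")
SERVER_GROUP = re.compile(r"^aaa group server radius (\S+)$")
SSID_EAP = re.compile(r"^authentication open eap (\S+)$")

def check_eap_lists(config):
    """Return findings for SSID EAP references that lack a usable AAA method list."""
    lists, groups, refs = {}, {"radius"}, []   # "radius" is the built-in server group
    for raw in config.splitlines():
        line = raw.strip()
        if m := LOGIN_LIST.match(line):
            lists[m.group(1)] = m.group(2).split()
        elif m := SERVER_GROUP.match(line):
            groups.add(m.group(1))
        elif m := SSID_EAP.match(line):
            refs.append(m.group(1))
    findings = []
    for name in refs:
        if name not in lists:
            hint = " (only a server group has that name)" if name in groups else ""
            findings.append(f"SSID uses EAP list '{name}' but no "
                            f"'aaa authentication login {name}' exists{hint}")
            continue
        methods = lists[name]
        for i, token in enumerate(methods[:-1]):
            if token == "group" and methods[i + 1] not in groups:
                findings.append(f"list '{name}' uses undefined server group '{methods[i + 1]}'")
    return findings
```

    Run `check_eap_lists()` over the output of `show running-config`; an empty list means every EAP reference on an SSID resolves to a defined method list and server group.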
  9. jt

    Rob Gibson Guest

    Please send me the solution.

    I am having a difficult time setting up a Cisco 1200 series AP with
    PEAP and MSCHAP V2.
    My IAS server (Win 2003 server) nor my AP are communicating to each
    other.
    I am using CB21AG cards.

    I haven't found anything yet that outlines how to set up peap and
    communication on the ap to work with IAS.

    Thanks.
    --rob



    (D) wrote in message news:<>...
    > "jt" <> wrote in message news:<40a47535$0$26353$-online.net>...
    > > I got the IAS running with PEAP on a 1200 series AP,
    > > both with 350 and CB21AG cards.
    > >
    > > Howto available on request.
    > >
    > > jt
    >
    > JT,
    >
    > Could you send me the Howto? I have a problem configuring AP IOS to
    > support PEAP. When time a client tries to associate, it will get
    > associated but nothing else. The AP doesn't even send out PEAP packets
    > to IAS.
    >
    > Please send the Howto to
    >
    > Thanks a lot!
    Rob Gibson, Jun 10, 2004
    #9
  10. jt

    Ivan Ostres Guest

    In article <>,
    says...
    > Please send me the solution.
    >


    Please me too...

    john at fly.srk.fer.hr

    --Ivan.
    Ivan Ostres, Jun 11, 2004
    #10
  11. 802.1x and VoIP

    I have a question regarding 802.1x and VoIP.

    If my VoIP phone contains a multi-port switch in the back of it and I jack my
    workstation into the phone, what authenticates the port on the wiring closet
    switch, my phone or my workstation?

    Okay, let us say we run a .1q trunk to the phone and place the phone and the
    workstation into two separate VLANs (I am assuming the VoIP phone supports
    .1q). How does one enable/disable 802.1x at the VLAN level? I am not even
    sure if that is possible, but I thought I would get some ideas from others.

    My idea is to lower the cost of deploying VoIP by not having to pull to cat5
    drops to every desk for and still maintain 802.1x security. Does Cisco have
    designs that address this?

    -mike
    Michael Roberts, Jun 11, 2004
    #11
  12. jt

    mirolj

    Please send me the solution, thanks in advance Miro


    I am having a difficult time setting up a Cisco 1200 series AP with
    PEAP and MSCHAP V2.
    My IAS server (Win 2003 server) nor my AP are communicating to each
    other.
    I am using Belkin USB adaptor.

    I haven't found anything yet that outlines how to set up peap and
    communication on the ap to work with IAS.
    Last edited: Apr 20, 2009
    mirolj, Apr 20, 2009
    #12
  13. jt

    mirolj

    Please send me how to
    thanks
    miro
    mirolj, Apr 20, 2009
    #13
  14. jt

    btech1

    How-to url here

    Covers Cisco WCS + PEAP + IAS.

    pskl.us
    btech1, Apr 30, 2009
    #14
  15. jt

    SupaKad

    Hi, I am also looking for the solution to this problem, can anyone point me in the right direction? Cheers

    Kad
    SupaKad, Oct 13, 2009
    #15