Help with Local RADIUS on Cisco Aironet 1130AG

jkoebel

I'm playing with an Aironet at work, trying to learn about them and in the process the various methods of authentication and so forth.

I want to use the Local RADIUS server for starters. I configured a shared secret, made a user/password combo ("user"/"password" :p). I set the preferred RADIUS server in the Aironet configuration to be 127.0.0.1 (since the server is local to the AP, right?)

My settings, in the end, were: Key Management WPA, Encryption TKIP, etc. On my client (Windows XP SP3), I enabled 802.1X authentication and selected PEAP. I unchecked the options to automatically authenticate as my Windows login, the Computer or Guest.

When I associate to the access point, it waits at "Verifying identity..." in the WZC screen. It pops up a little window in the bottom saying to enter my username and password (and domain if needed) to authenticate to the network.

Pointers would be amazing, and even better would be a walkthrough of some sort.

Then it waits. And waits. And waits. And then falls back to a different AP and gives up.

The Aironet home screen shows a "debug" level message about a failed authentication from my station, but the Local RADIUS server screen shows 0 authentication attempts -- failed or not. So apparently it isn't even trying to hit the local server.

Any suggestions?

I've never touched Cisco gear in my life before, which is why I want to learn this so badly. Cheers.
 
Run some debug commands:
#term mon
#debug radius auth
#debug radius local-server

Post the results when you try to authenticate, I would be interested to see them. I would also try putting the RADIUS server as the IP address of the AP and not the local loopback.
 
Thanks, I'm browsing those documents now.

The output from that command:

*Mar 1 16:42:19.359: RADIUS/ENCODE(0000002D):Orig. component type = DOT11
*Mar 1 16:42:19.359: RADIUS: AAA Unsupported Attr: ssid [263] 15
*Mar 1 16:42:19.359: RADIUS: 50 72 6F 74 65 63 74 65 64 31 31 33 30 [Protected1130]
*Mar 1 16:42:19.359: RADIUS: AAA Unsupported Attr: interface [156] 3
*Mar 1 16:42:19.359: RADIUS: 32 [2]
*Mar 1 16:42:19.359: RADIUS(0000002D): Storing nasport 292 in rad_db
*Mar 1 16:42:19.360: RADIUS(0000002D): Config NAS IP: 192.168.1.104
*Mar 1 16:42:19.360: RADIUS/ENCODE(0000002D): acct_session_id: 42
*Mar 1 16:42:19.360: RADIUS(0000002D): Config NAS IP: 192.168.1.104
*Mar 1 16:42:19.360: RADIUS(0000002D): sending
*Mar 1 16:42:19.360: RADIUS(0000002D): Send Access-Request to 192.168.1.104:1645 id 1645/22, len 121
*Mar 1 16:42:19.360: RADIUS: authenticator EC 39 FF 1D 70 B3 F2 3A - 72 81 79 31 6D 1E 99 21
*Mar 1 16:42:19.361: RADIUS: User-Name [1] 6 "User"
*Mar 1 16:42:19.361: RADIUS: Framed-MTU [12] 6 1400
*Mar 1 16:42:19.361: RADIUS: Called-Station-Id [30] 16 "0016.9cb9.e290"
*Mar 1 16:42:19.361: RADIUS: Calling-Station-Id [31] 16 "0016.e392.c25c"
*Mar 1 16:42:19.361: RADIUS: Service-Type [6] 6 Login [1]
*Mar 1 16:42:19.361: RADIUS: Message-Authenticato[80] 18 *
*Mar 1 16:42:19.361: RADIUS: EAP-Message [79] 11
*Mar 1 16:42:19.361: RADIUS: 02 02 00 09 01 55 73 65 72 [?????User]
*Mar 1 16:42:19.362: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 1 16:42:19.362: RADIUS: NAS-Port [5] 6 292
*Mar 1 16:42:19.362: RADIUS: NAS-IP-Address [4] 6 192.168.1.104
*Mar 1 16:42:19.362: RADIUS: Nas-Identifier [32] 4 "ap"
*Mar 1 16:42:19.362: RADIUS: Dropping the unsolicited RADIUS packet
*Mar 1 16:42:24.978: RADIUS: no sg in radius-timers: ctx 0xBD7494 sg 0x0000
*Mar 1 16:42:24.978: RADIUS: Retransmit to (192.168.1.104:1645,1646) for id 1645/22
*Mar 1 16:42:24.978: RADIUS: Dropping the unsolicited RADIUS packet
*Mar 1 16:42:30.578: RADIUS: no sg in radius-timers: ctx 0xBD7494 sg 0x0000
*Mar 1 16:42:30.578: RADIUS: Retransmit to (192.168.1.104:1645,1646) for id 1645/22
*Mar 1 16:42:30.579: RADIUS: Dropping the unsolicited RADIUS packet
*Mar 1 16:42:36.178: RADIUS: no sg in radius-timers: ctx 0xBD7494 sg 0x0000
*Mar 1 16:42:36.178: RADIUS: Retransmit to (192.168.1.104:1645,1646) for id 1645/22
*Mar 1 16:42:36.178: RADIUS: Dropping the unsolicited RADIUS packet
*Mar 1 16:42:41.618: RADIUS: no sg in radius-timers: ctx 0xBD7494 sg 0x0000
*Mar 1 16:42:41.618: RADIUS: No response from (192.168.1.104:1645,1646) for id 1645/22
*Mar 1 16:42:41.618: RADIUS/DECODE: parse response no app start; FAIL
*Mar 1 16:42:41.618: RADIUS/DECODE: parse response; FAIL
*Mar 1 16:42:41.619: %DOT11-7-AUTH_FAILED: Station 0016.e392.c25c Authentication failed
*Mar 1 16:42:19.359: RADIUS/ENCODE(0000002D):Orig. component type = DOT11

But it seems not to like the commands in the document you posted.
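
For readers working through a capture like the one above, here is an added example (not part of the thread and not Cisco tooling): a small Python parser that summarizes one Access-Request from `debug radius` output and decodes the EAP-Message hex bytes per RFC 3748. The sample lines are copied from the posted log and trimmed; the function names `decode_eap` and `summarize` are hypothetical.

```python
import re

# Lines taken from the debug output posted above (trimmed to the relevant ones).
SAMPLE = """\
*Mar 1 16:42:19.360: RADIUS(0000002D): Send Access-Request to 192.168.1.104:1645 id 1645/22, len 121
*Mar 1 16:42:19.361: RADIUS: EAP-Message [79] 11
*Mar 1 16:42:19.361: RADIUS: 02 02 00 09 01 55 73 65 72 [?????User]
*Mar 1 16:42:19.362: RADIUS: Dropping the unsolicited RADIUS packet
*Mar 1 16:42:24.978: RADIUS: Retransmit to (192.168.1.104:1645,1646) for id 1645/22
*Mar 1 16:42:30.578: RADIUS: Retransmit to (192.168.1.104:1645,1646) for id 1645/22
*Mar 1 16:42:36.178: RADIUS: Retransmit to (192.168.1.104:1645,1646) for id 1645/22
*Mar 1 16:42:41.618: RADIUS: No response from (192.168.1.104:1645,1646) for id 1645/22
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap(hex_bytes):
    """Decode an EAP packet header (RFC 3748): code, id, length, type, data."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes captured")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        info["type"] = raw[4]
        if raw[4] == 1:  # type 1 = Identity
            info["identity"] = raw[5:].decode("ascii", "replace")
    return info

def summarize(log):
    """Summarize one Access-Request: destination, retransmits, timeout, EAP."""
    out = {"server": None, "retransmits": 0, "timed_out": False, "dropped": 0, "eap": None}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if m := re.search(r"Send Access-Request to (\S+?):(\d+) id", line):
            out["server"] = (m.group(1), int(m.group(2)))
        elif "Retransmit to" in line:
            out["retransmits"] += 1
        elif "No response from" in line:
            out["timed_out"] = True
        elif "Dropping the unsolicited RADIUS packet" in line:
            out["dropped"] += 1
        elif "EAP-Message" in line and i + 1 < len(lines):
            hexrun = re.search(r"RADIUS:\s+((?:[0-9A-Fa-f]{2} )+)", lines[i + 1])
            if hexrun:
                out["eap"] = decode_eap(hexrun.group(1))
    return out
```

Calling `summarize(SAMPLE)` reports the request going to 192.168.1.104 on port 1645, three retransmits followed by a timeout, and an EAP Identity Response carrying "User".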
 