Yeah right :D I also try to use the dot1x credentials and EAP profiles to ensure that you will send EAP-FAST. But LEAP has to be enabled for them to negotiate at all. This is instead of using "client authentication username...".

Good stuff!

Regards,
Kristjan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: 8 June 2011 14:49
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 27, Issue 12

Today's Topics:

   1. Re: EAPFAST and LEAP using local authetication. (Vit)
   2. Re: EAPFAST and LEAP using local authetication. (Raul Manzano)
   3. Re: 1. Re: [CCIE Wireless] Autonomous Mode Configs (Vit) (Stalder Dominic)

----------------------------------------------------------------------

Message: 1
Date: Wed, 8 Jun 2011 15:22:52 +0100
From: Vit <[email protected]>
To: Raul Manzano <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] EAPFAST and LEAP using local authetication.
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Raul,

I have found exactly the same thing recently :) Somewhere earlier on the list Jason discussed that:

Also, that is a true statement about using EAP-FAST with local RADIUS for Cisco clients (APs and bridges.) LEAP must be allowed so that it can be offered. If not, the AP won't offer EAP-FAST as an EAP authentication algorithm.

Cheers,
Vit

On Wed, Jun 8, 2011 at 1:47 PM, Raul Manzano <[email protected]> wrote:
> Hi guys.
>
> I would like to share this issue with you.
>
> Big surprise doing exercise 3.10 of WB1.
> Because I actually don't have any ACS, I decided to use local authentication in AAP1, and because the exercise says "Ensure that LEAP is not used" I added the following line to match the requirements:
>
> AAP1(config)#radius-server local
> AAP1(config-radsrv)#authe
> AAP1(config-radsrv)#no authentication leap
>
> I finished configuring the whole scenario, but the bridges cannot link. Probably I forgot something, but the configuration seems right (strange!!!!).
>
> I see the logs on AAP1 and AAP2:
>
> AAP1:
>
> *Mar 1 00:33:21.591: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
>
> AAP2:
>
> *Mar 1 00:33:59.365: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
> *Mar 1 00:34:07.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response
> *Mar 1 00:34:47.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 0023.5d0e.3c10 channel 1 2643
> *Mar 1 00:34:58.792: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
>
> These logs normally indicate that your credentials are wrong; I reviewed the credentials, but they are OK O_o
>
> AAP1#debug radius local-server error
> Radius server error debugging is on
> AAP1#ter mon
> AAP1#
> *Mar 1 00:05:32.247: RADSRV: LEAP authentication is not enabled !!
> *Mar 1 00:05:35.734: RADSRV: LEAP authentication is not enabled !!
> *Mar 1 00:05:35.736: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
> *Mar 1 00:05:52.249: RADSRV: LEAP authentication is not enabled !!
> *Mar 1 00:05:52.250: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
>
> Now I delete the line and...
>
> AAP1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> AAP1(config)#radius-server local
> AAP1(config-radsrv)#authentication leap
> AAP1(config-radsrv)#
> AAP1#
> *Mar 1 00:06:59.860: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (10.10.210.7)
> *Mar 1 00:07:00.808: RADSRV: EAP NAK received - starting EAP-FAST
> *Mar 1 00:07:00.842: %DOT11-6-ASSOC: Interface Dot11Radio0, Station LWAP1 0023.ac5b.e710 Associated KEY_MGMT[WPAv2]
>
> AAP2:
>
> AAP2#
> *Mar 1 00:06:26.701: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 0023.5d0e.3c10 channel 6 2654
> *Mar 1 00:06:27.059: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP AAP1 0023.5d0e.3c10 [EAP-FAST WPAv2]
> *Mar 1 00:06:27.060: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
> *Mar 1 00:06:28.060: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
>
> Wow!!! I didn't know that, when using the local RADIUS of an AP with EAP-FAST, I must permit both EAP-FAST and LEAP authentication for it to work.
>
> You probably already know this issue, but I didn't have any idea.
>
> Best Regards.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

------------------------------

Message: 2
Date: Wed, 8 Jun 2011 16:33:46 +0200
From: Raul Manzano <[email protected]>
To: [email protected]
Subject: Re: [OSL | CCIE_Wireless] EAPFAST and LEAP using local authetication.
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"

Thanks Stefan. I had actually read this blog, but I didn't remember that you should always offer LEAP to an AP.
With a slower reading I understand this behaviour better.

Thanks again. Best Regards.

2011/6/8 Stefan Angerer <[email protected]>
> Hi Raul,
>
> Although this is an IP Expert list, I recommend reading Jerome's blog post about this:
>
> http://wirelessccie.blogspot.com/2010/07/autonomous-aps-network-eap-vs-open-with.html
>
> It will shed some light on this :)
>
> Good luck for your studies!
>
> Regards
> Stefan
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Raul Manzano
> Sent: Wednesday, 08 June 2011 14:48
> To: [email protected]
> Subject: [OSL | CCIE_Wireless] EAPFAST and LEAP using local authetication.

------------------------------

Message: 3
Date: Wed, 8 Jun 2011 14:49:21 +0000
From: Stalder Dominic <[email protected]>
To: Kristján Ólafur Eðvarðsson <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] 1. Re: [CCIE Wireless] Autonomous Mode Configs (Vit)
Message-ID: <ca15588d.3ef7%[email protected]>
Content-Type: text/plain; charset="utf-8"

Hi Kristjan / group

I have almost the same problem with the workgroup-bridge client-vlan command.
In my lab, I would like to have the WGB over VLAN 804 and the client in VLAN 800 (a primitive diagram is attached), so this is my configuration:

Root AP:
Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)

dot11 ssid VLAN804
   vlan 804
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 00271A1507545A545C
!
interface Dot11Radio0
 !
 encryption vlan 804 mode ciphers aes-ccm
 !
 ssid VLAN804
 !
 packet retries 128 drop-packet
 no preamble-short
 station-role root
 rts threshold 2312
 beacon dtim-period 10
 no dot11 extension aironet
!
interface Dot11Radio0.800
 encapsulation dot1Q 800
 bridge-group 10
!
interface Dot11Radio0.804
 encapsulation dot1Q 804 native
 bridge-group 1
!
interface FastEthernet0.800
 encapsulation dot1Q 800
 bridge-group 10
!
interface FastEthernet0.804
 encapsulation dot1Q 804 native
 bridge-group 1
!
interface BVI1
 ip address 2.250.30.1 255.255.248.0
!

WGB:
Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)

dot11 ssid VLAN804
   vlan 804
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 00271A1507545A545C
!
interface Dot11Radio0
 !
 encryption vlan 804 mode ciphers aes-ccm
 !
 ssid VLAN804
 !
 station-role workgroup-bridge
 bridge-group 99
!
interface Dot11Radio0.800
 encapsulation dot1Q 800
 bridge-group 10
!
interface Dot11Radio0.804
 encapsulation dot1Q 804 native
 bridge-group 1
!
interface FastEthernet0
 bridge-group 1
!
interface FastEthernet0.800
 encapsulation dot1Q 800 native
 no ip route-cache
 bridge-group 10
!
interface BVI1
 ip address 2.250.30.2 255.255.248.0
!
ip default-gateway 2.250.24.30
!
bridge 10 protocol ieee
!
workgroup-bridge client-vlan 800

From the router I can ping the Root AP and the WGB, but the client cannot ping the router at all. What is wrong with my configuration?
Thanks a lot in advance and best regards
Dominic

________________________________
From: Kristján Ólafur Eðvarðsson <[email protected]>
Date: Tue, 7 Jun 2011 15:21:51 +0000
To: Vit <[email protected]>, Jason Boyers <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] 1. Re: [CCIE Wireless] Autonomous Mode Configs (Vit)

Hey Vitaly and group.

I labbed this up. I got the workgroup bridge to work in "workgroup-bridge client vlan 998" mode.

I started by getting the root AP working with the wgb-04 SSID connected to VLAN 998, with a DHCP server on a switch/router for the 10.10.98.0/24 subnet. I'm using 2x 1242s in this setup and software version 12.3.8 JEA3.

I had one problem at first, after enabling infrastructure-client on the Root: the WGB got a DHCP address through the bridge link, but no other traffic was working from the root. It was fixed after rebooting the Root.

Here are the configs on the WGB and Root. I made some fun add-ons to this exercise that you can see in the next post :D

Root config:
!
hostname Root
!
!
dot11 ssid wgb-04
   vlan 998
   authentication open
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid wgb-04
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 infrastructure-client
!
interface Dot11Radio0.998
 encapsulation dot1Q 998 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.998
 encapsulation dot1Q 998 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.98.5 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.98.1
!
bridge 1 route ip
!
----------------------------------------------
WGB config:
!
hostname WGB
!
!
dot11 ssid wgb-04
   authentication open
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid wgb-04
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role workgroup-bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
!
interface FastEthernet0
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address dhcp
 no ip route-cache
!
ip default-gateway 10.10.98.1
!
cdp timer 5
!
bridge 1 route ip
!
workgroup-bridge client-vlan 998
!
#The bridge gets an IP address from the switch dhcp pool.
#My next test will be using a client on vlan 998 on the WGB connected switch (WGB in trunk mode)
!

From: Vit [mailto:[email protected]]
Sent: 6 June 2011 23:14
To: Jason Boyers
Cc: Kristján Ólafur Eðvarðsson; [email protected]
Subject: Re: [OSL | CCIE_Wireless] 1. Re: [CCIE Wireless] Autonomous Mode Configs (Vit)

Thanks Jason,

Yes, I see Root AP (and connected switch) native VLAN packets arriving at the port on the switch connected to the WGB, and I had to configure the native VLAN on this port to match the one on the other side.... But no VLAN 11 packets are arriving on the switch connected to the WGB...

Kind regards,
Vitaly

2011/6/7 Jason Boyers <[email protected]>

Just to confirm - using the "workgroup-bridge client-vlan x" command requires the following:

1) Root AP has a subinterface with the specified VLAN (mapped to the required SSID)
2) If a switch is connected to the WGB, it must use a trunk. The native VLAN should be the same as the native on the root AP (both wired and wireless.) Otherwise, STP will detect that it is receiving BPDUs for one "native" VLAN on a different "native" VLAN and block both.

But, as you said, lab it up :)

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

2011/6/6 Vit <[email protected]>

Hey Kristjan,

thanks for your response. Yes, I have a basic config on both root and WGB AAPs, e.g. auth open, ssid and that's it :)
Assigning a static address to the wired WGB client didn't help either, so it's not a DHCP-related issue.
I had sub-interfaces configured on the Root AAP, e.g. d0.11, but I believe they are needed, otherwise what's the point of having 'work clie 11' on the WGB.
Could you please share a working config; I will test whether it works with wired WGB clients and you will practise speed ;o)

Thank you.

Regards,
Vitaly

2011/6/6 Kristján Ólafur Eðvarðsson <[email protected]>

Hey Vitaly,

I tested this out in a lab recently. I reckon that the only command needed is the workgroup-bridge vlan x command. This will hide all the other stuff you would normally do, for example int dot0.11 blablabla. I didn't test it with other stuff on the wire, but if the WGB was working from wired, I suppose clients on the WGB VLAN should work too.

I find that sometimes, in cases with DHCP or other broadcast/multicast issues, the infrastructure-client command on the Root AP helps. After all, it is meant to deliver multicast (and broadcast?) packets reliably..

Putting a static IP of course might help to isolate the problem to start with, and also to simplify security before troubleshooting the DHCP-related issues. I like to add the security stuff as the last step, to see all the radio-related stuff working first.

My 5 cents..

Regards,
Kristjan

----------------------------------------------------------------------

Message: 1
Date: Sun, 5 Jun 2011 19:57:04 +0100
From: Vit <[email protected]>
To: [email protected]
Subject: Re: [OSL | CCIE_Wireless] [CCIE Wireless] Autonomous Mode Configs
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Guys,

I've got a question regarding the 'workgroup-bridge client-vlan X' command and Jason's post -> http://onlinestudylist.com/archives/ccie_wireless/2011-March/002018.html

Has anyone managed to get a WGB with client-vlan working, e.g. wired clients connected to the WGB are able to get an IP address from a DHCP server and ping the rest of the world through the wireless link between Root and WGB?

When I create a d0.11 subinterface on the WGB, then everything works; once I delete d0.11 (and reboot the WGB to remove Virtual-Dot11Radio0.11) and apply 'work clie 11', the wired clients register on the Root AAP but do not get IP addresses...

Yes, I also applied 'bridge 11 proto ieee' to the WGB, but no joy...

Any help will be much appreciated.

Regards,
Vitaly

-----------------------------------------------------------------------------

--
Regards,
Vit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: wgb-lab.png
Type: application/octet-stream
Size: 25077 bytes
Desc: wgb-lab.png

------------------------------

End of CCIE_Wireless Digest, Vol 27, Issue 12
*********************************************
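The two pitfalls in this digest can both be caught by a static check on the AP configs before a link is even brought up. The script below is an added example written for this page; it is not code from the list or from any of the posters. It parses IOS-style config excerpts and (a) reports which methods the local RADIUS server still allows, flagging the case Raul hit where `no authentication leap` also stops the AP offering EAP-FAST to Cisco clients, (b) classifies `debug radius local-server error` output, and (c) applies Jason's two requirements for `workgroup-bridge client-vlan` (root subinterface for that VLAN, and a single native VLAN on both root and WGB) to configs modelled on Dominic's. The config samples, the `lwap1` user, the NAS address and the key/password placeholders are constructed; the debug lines are two of the ones Raul posted.

```python
import re

LOCAL_RADIUS_METHODS = {"leap", "eapfast", "mac"}  # all on by default under radius-server local


def parse_ios_sections(config):
    """Split an IOS config into {header line: [indented body lines]}.
    A column-0 line opens a section; a '!' or blank line closes it."""
    sections, current = {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
        elif raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
        else:
            current = stripped
            sections.setdefault(current, [])
    return sections


def local_radius_methods(config):
    """Methods still allowed under 'radius-server local' after any 'no authentication X'."""
    enabled = set(LOCAL_RADIUS_METHODS)
    for line in parse_ios_sections(config).get("radius-server local", []):
        m = re.fullmatch(r"(no )?authentication (\w+)", line)
        if m:
            (enabled.discard if m.group(1) else enabled.add)(m.group(2))
    return enabled


def eapfast_offered_to_cisco_clients(config):
    """The thread's finding: with local RADIUS the AP only offers EAP-FAST to Cisco
    clients (APs/bridges) while LEAP is also allowed, so 'no authentication leap'
    silently breaks an EAP-FAST bridge link even though eapfast itself stays enabled."""
    methods = local_radius_methods(config)
    return "eapfast" in methods and "leap" in methods


def diagnose_radsrv_debug(lines):
    """Classify 'debug radius local-server error' output: the RADSRV line is the
    tell-tale for disabled LEAP; AUTH_FAILED on its own points at wrong credentials."""
    if any("RADSRV: LEAP authentication is not enabled" in l for l in lines):
        return "leap-disabled"
    if any("%DOT11-7-AUTH_FAILED" in l for l in lines):
        return "auth-failed"
    return "ok"


def native_vlans(config):
    """Every native VLAN declared on a dot1Q subinterface, wired or wireless."""
    found = set()
    for header, body in parse_ios_sections(config).items():
        for line in (body if header.startswith("interface ") else []):
            m = re.fullmatch(r"encapsulation dot1Q (\d+) native", line)
            if m:
                found.add(int(m.group(1)))
    return found


def check_wgb_client_vlan(root_cfg, wgb_cfg):
    """Jason's two requirements for 'workgroup-bridge client-vlan X': the root needs
    a Dot11Radio0.X subinterface, and all native VLANs on root and WGB must agree.
    Returns the list of violations (empty when both hold)."""
    m = re.search(r"^workgroup-bridge client-vlan (\d+)$", wgb_cfg, re.M)
    if not m:
        return ["WGB has no 'workgroup-bridge client-vlan' command"]
    vlan, problems = int(m.group(1)), []
    sub = f"interface Dot11Radio0.{vlan}"
    body = parse_ios_sections(root_cfg).get(sub, [])
    if not any(re.fullmatch(rf"encapsulation dot1Q {vlan}( native)?", l) for l in body):
        problems.append(f"root AP lacks {sub} with encapsulation dot1Q {vlan}")
    natives = native_vlans(root_cfg) | native_vlans(wgb_cfg)
    if len(natives) > 1:
        problems.append(f"native VLAN mismatch across root/WGB: {sorted(natives)}")
    return problems


# Constructed samples modelled on the posted configs; key and password are placeholders.
LOCAL_RADIUS_BROKEN = """\
radius-server local
 nas 10.10.210.1 key 0 PLACEHOLDER-KEY
 no authentication leap
 user lwap1 password 0 PLACEHOLDER-PASS
!
"""
LOCAL_RADIUS_FIXED = LOCAL_RADIUS_BROKEN.replace(" no authentication leap\n", "")

RADSRV_DEBUG = [  # two of the lines Raul posted
    "*Mar 1 00:05:32.247: RADSRV: LEAP authentication is not enabled !!",
    "*Mar 1 00:05:35.736: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed",
]

ROOT_CFG = """\
interface Dot11Radio0.800
 encapsulation dot1Q 800
 bridge-group 10
!
interface Dot11Radio0.804
 encapsulation dot1Q 804 native
 bridge-group 1
!
"""
WGB_CFG = """\
interface Dot11Radio0.804
 encapsulation dot1Q 804 native
 bridge-group 1
!
interface FastEthernet0.800
 encapsulation dot1Q 800 native
 bridge-group 10
!
workgroup-bridge client-vlan 800
"""
# Same WGB with the wired side no longer claiming a different native VLAN
WGB_CFG_FIXED = WGB_CFG.replace("dot1Q 800 native", "dot1Q 800")

if __name__ == "__main__":
    print(local_radius_methods(LOCAL_RADIUS_BROKEN), diagnose_radsrv_debug(RADSRV_DEBUG))
    print(check_wgb_client_vlan(ROOT_CFG, WGB_CFG), check_wgb_client_vlan(ROOT_CFG, WGB_CFG_FIXED))
```

Run against the broken local RADIUS sample it reports `{'eapfast', 'mac'}` and `leap-disabled`, which is exactly the combination behind Raul's `AUTH_FAILED` lines; against the WGB sample it reports the 800/804 native mismatch that Jason's second requirement rules out, and an empty list once the wired subinterface stops being native.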
