Hi,
If you are dealing with a Cisco client (AP in repeater, non-root bridge or WGB mode) and you're willing to use any kind of security other than open or shared, you have to announce "network with eap". In general, "network with eap" means LEAP and "open with eap" means all other EAP methods, but not for Cisco APs. You always have to announce "network with eap" and actually don't have to use "open with eap", even if you're using EAP-FAST. Hope this helps.

P.S. Raul, what was your SSID configuration on both sides?

From: [email protected] [mailto:[email protected]] On Behalf Of Raul Manzano
Sent: Wednesday, June 08, 2011 6:34 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Wireless] EAPFAST and LEAP using localauthetication.

Thanks Stefan. Really I had read this blog, but I didn't remember that you should always offer LEAP to an AP. With a slower reading I understand this behaviour better. Thanks again.

Best Regards.

2011/6/8 Stefan Angerer <[email protected]>

Hi Raul,

although this is an IP Expert list, I recommend reading Jerome's blog post about this:

http://wirelessccie.blogspot.com/2010/07/autonomous-aps-network-eap-vs-open-with.html

It will shed some light on this :)

Good luck for your studies!

Regards
Stefan

From: [email protected] [mailto:[email protected]] On Behalf Of Raul Manzano
Sent: Wednesday, 08 June 2011 14:48
To: [email protected]
Subject: [OSL | CCIE_Wireless] EAPFAST and LEAP using local authetication.

Hi guys.

I would like to share this issue with you. Big surprise doing exercise 3.10 of WB1. Because I actually don't have any ACS, I decided to use local authentication in AAP1, and because the exercise talks about "Ensure that leap is not used" I added the following line to match the requirements:

AAP1(config)#radius-server local
AAP1(config-radsrv)#authe
AAP1(config-radsrv)#no authentication leap

I finished configuring the whole scenario but the bridges cannot link. Probably I forgot something, but the configuration seems right (strange!!!!).

I see the logs on AAP1 and AAP2.

AAP1:

*Mar 1 00:33:21.591: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed

AAP2:

*Mar 1 00:33:59.365: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:34:07.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response
*Mar 1 00:34:47.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 0023.5d0e.3c10 channel 1 2643
*Mar 1 00:34:58.792: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

These logs normally indicate that your credentials are wrong; I reviewed the credentials but they are OK O_o

AAP1#debug radius local-server error
Radius server error debugging is on
AAP1#ter mon
AAP1#
*Mar 1 00:05:32.247: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:35.734: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:35.736: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
*Mar 1 00:05:52.249: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:52.250: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed

Now, I delete the line and...

AAP1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
AAP1(config)#radius-server local
AAP1(config-radsrv)#authentication leap
AAP1(config-radsrv)#
AAP1#
AAP1#
AAP1#
AAP1#
AAP1#
AAP1#
*Mar 1 00:06:59.860: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (10.10.210.7)
*Mar 1 00:07:00.808: RADSRV: EAP NAK received - starting EAP-FAST
*Mar 1 00:07:00.842: %DOT11-6-ASSOC: Interface Dot11Radio0, Station LWAP1 0023.ac5b.e710 Associated KEY_MGMT[WPAv2]

AAP2:

AAP2#
AAP2#
*Mar 1 00:06:26.701: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 0023.5d0e.3c10 channel 6 2654
*Mar 1 00:06:27.059: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP AAP1 0023.5d0e.3c10 [EAP-FAST WPAv2]
*Mar 1 00:06:27.060: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:06:28.060: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

Wow!!! I didn't know that when using the local RADIUS of an AP with EAP-FAST I must permit both EAP-FAST and LEAP authentication for it to work. You probably already know this issue, but I didn't have any idea.

Best Regards.
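The failure pattern in the AAP1 debug output above can be picked out of a log capture automatically. The following is an added example, not part of the original thread: it pairs each %DOT11-7-AUTH_FAILED line with the RADSRV debug message logged just before it. The function names and the one-second correlation window are assumptions made for illustration.

```python
import re

# Log lines copied from the AAP1 output quoted in the thread above.
SAMPLE_LOG = """\
*Mar 1 00:05:32.247: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:35.734: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:35.736: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
*Mar 1 00:05:52.249: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:52.250: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
*Mar 1 00:07:00.808: RADSRV: EAP NAK received - starting EAP-FAST
*Mar 1 00:07:00.842: %DOT11-6-ASSOC: Interface Dot11Radio0, Station LWAP1 0023.ac5b.e710 Associated KEY_MGMT[WPAv2]
"""

# "*Mar 1 00:05:32.247: <message>" (month, day, time with fraction, message)
LINE_RE = re.compile(r"^\*?\w{3}\s+\d+\s+(\d+):(\d+):(\d+)\.(\d+):\s+(.*)$")
FAIL_RE = re.compile(r"%DOT11-7-AUTH_FAILED: Station ([0-9a-f.]+) Authentication failed")

def parse(log):
    """Yield (seconds_since_midnight, message); assumes one day, no clock reset."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s = (int(g) for g in m.groups()[:3])
            yield h * 3600 + mi * 60 + s + float("0." + m.group(4)), m.group(5)

def explain_failures(log, window=1.0):
    """Attach the RADSRV message seen at most `window` seconds before each failure."""
    results, last_radsrv = [], None
    for ts, msg in parse(log):
        if msg.startswith("RADSRV:"):
            last_radsrv = (ts, msg[len("RADSRV:"):].strip())
            continue
        m = FAIL_RE.search(msg)
        if m:
            cause = None  # stays None when no debug line explains the failure
            if last_radsrv and 0 <= ts - last_radsrv[0] <= window:
                cause = last_radsrv[1]
            results.append({"station": m.group(1), "time": ts, "cause": cause})
    return results

if __name__ == "__main__":
    for r in explain_failures(SAMPLE_LOG):
        print(r["station"], "->", r["cause"] or "no RADSRV debug line (is the debug enabled?)")
```

A failure with no cause attached usually means `debug radius local-server error` was not running when the log was captured, as in the first AAP1 log of the thread.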
