Root:

Dot11 ssid bridge
 authentication network-eap eap-methods
 authentication key-management wpa
 vlan 110

Non Root:

Dot11 ssid bridge
 authentication network-eap eap-methods
 authentication key-management wpa
 infrastructure-ssid
 dot1x eap profile fast
 dot1x credentials credenciales
 vlan 110
!
eap profile fast
 method fast
!
dot1x credentials credenciales
 username eapfast
 password ipexpert

Really in the same way as DSG expected using ACS.

Best regards.

2011/6/8 Victor Platov (viplatov) <[email protected]>

> Hi,
>
> If you are dealing with Cisco client (AP in repeater, non root bridge or WGB modes) and you’re willing to use any kinds of security other than open or shared you have to announce “network with eap”.
>
> In general “network with eap” means LEAP and “open with eap” means all other EAP methods but not for Cisco APs. You always have to announce “network with eap” and actually don’t have to use “open with eap” even if you’re using EAP-FAST.
>
> Hope this helps.
>
> P.S. Raul, what was your SSID configuration on both sides?
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Raul Manzano
> *Sent:* Wednesday, June 08, 2011 6:34 PM
> *To:* [email protected]
> *Subject:* Re: [OSL | CCIE_Wireless] EAPFAST and LEAP using localauthetication.
>
> Thanks Stefan.
>
> Really I had read this blog, but I didn't remember that you should offer always LEAP to an AP. With a slower reading I understand better this behaviour.
>
> Thanks again.
>
> Best Regards.
>
> 2011/6/8 Stefan Angerer <[email protected]>
>
> Hi Raul,
>
> although this is an IP Expert list, I recommend reading Jerome’s blog post about this:
>
> http://wirelessccie.blogspot.com/2010/07/autonomous-aps-network-eap-vs-open-with.html
>
> It will shed some light on this :)
>
> Good luck for your studies!
>
> Regards
> Stefan
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Raul Manzano
> *Sent:* Wednesday, June 08, 2011 14:48
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Wireless] EAPFAST and LEAP using local authetication.
>
> Hi guys.
>
> I would share with you this issue.
>
> Big surprise doing the exercise 3.10 of WB1. Because I actually don't have any ACS I decided to use local authentication in AAP1 and because the exercise talks about "Ensure that leap is not used" I added the following line to match the requirements:
>
> AAP1(config)#radius-server local
> AAP1(config-radsrv)#authe
> AAP1(config-radsrv)#no authentication leap
>
> I finished to configure all the scenario but bridges can not link. Probably I forgot anything but the configurations seem right (strange!!!!).
>
> I see the logs on AAP1 and AAP2
>
> AAP1:
>
> *Mar 1 00:33:21.591: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
>
> AAP2:
>
> *Mar 1 00:33:59.365: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
> *Mar 1 00:34:07.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response
> *Mar 1 00:34:47.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 0023.5d0e.3c10 channel 1 2643
> *Mar 1 00:34:58.792: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
>
> These logs normally inform that your credentials are wrong; I reviewed the credentials but they are ok O_o
>
> AAP1#debug radius local-server error
> Radius server error debugging is on
> AAP1#ter mon
> AAP1#
> *Mar 1 00:05:32.247: RADSRV: LEAP authentication is not enabled !!
> *Mar 1 00:05:35.734: RADSRV: LEAP authentication is not enabled !!
> *Mar 1 00:05:35.736: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
> *Mar 1 00:05:52.249: RADSRV: LEAP authentication is not enabled !!
> *Mar 1 00:05:52.250: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
>
> Now, I delete the line and...
>
> AAP1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> AAP1(config)#radius-server local
> AAP1(config-radsrv)#authentication leap
> AAP1(config-radsrv)#
> AAP1#
> AAP1#
> AAP1#
> AAP1#
> AAP1#
> AAP1#
> *Mar 1 00:06:59.860: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (10.10.210.7)
> *Mar 1 00:07:00.808: RADSRV: EAP NAK received - starting EAP-FAST
> *Mar 1 00:07:00.842: %DOT11-6-ASSOC: Interface Dot11Radio0, Station LWAP1 0023.ac5b.e710 Associated KEY_MGMT[WPAv2]
>
> AAP2:
>
> AAP2#
> AAP2#
> *Mar 1 00:06:26.701: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 0023.5d0e.3c10 channel 6 2654
> *Mar 1 00:06:27.059: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP AAP1 0023.5d0e.3c10 [EAP-FAST WPAv2]
> *Mar 1 00:06:27.060: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
> *Mar 1 00:06:28.060: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
>
> Wow!!!, I didn't know using the local radius of an AP and using EAP-FAST I must permit EAP-FAST and LEAP authentication to work.
>
> It is probable you would know this issue, but I didn't have any idea.
>
> Best Regards.
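The correlation done by eye in the AAP1 debug output above, written as a small log triage script. This is an added example, not part of the original thread; the function name `diagnose` and the verdict labels are assumptions, and because the `RADSRV` lines carry no station MAC, the script attributes them to the next station event by ordering only.

```python
import re

# Log lines copied from the AAP1 output quoted in the thread (wrapped lines re-joined).
SAMPLE_LOG = """\
*Mar 1 00:05:32.247: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:35.734: RADSRV: LEAP authentication is not enabled !!
*Mar 1 00:05:35.736: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710 Authentication failed
*Mar 1 00:06:59.860: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (10.10.210.7)
*Mar 1 00:07:00.808: RADSRV: EAP NAK received - starting EAP-FAST
*Mar 1 00:07:00.842: %DOT11-6-ASSOC: Interface Dot11Radio0, Station LWAP1 0023.ac5b.e710 Associated KEY_MGMT[WPAv2]
"""

LINE = re.compile(r"^\*(?P<ts>\w+\s+\d+ [\d:.]+): (?P<msg>.*)$")
MAC = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)


def diagnose(log_text):
    """Return (timestamp, station, verdict) for each station auth/assoc event."""
    findings = []
    leap_rejects = 0      # RADSRV LEAP refusals seen since the last station event
    nak_to_fast = False   # server saw the client NAK LEAP and move to EAP-FAST
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if "RADSRV: LEAP authentication is not enabled" in msg:
            leap_rejects += 1
        elif "RADSRV: EAP NAK received - starting EAP-FAST" in msg:
            nak_to_fast = True
        elif "%DOT11-7-AUTH_FAILED" in msg or "%DOT11-6-ASSOC" in msg:
            mac = MAC.search(msg)
            station = mac.group(1).lower() if mac else "unknown"
            if "AUTH_FAILED" in msg:
                # A failure right after a LEAP refusal points at the local
                # RADIUS method list, not at the username/password.
                verdict = ("leap-disabled-on-local-radius" if leap_rejects
                           else "auth-failed-other-cause")
            else:
                verdict = ("eap-fast-after-leap-nak" if nak_to_fast
                           else "associated")
            findings.append((ts, station, verdict))
            leap_rejects, nak_to_fast = 0, False
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(*finding, sep="  ")
```
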
