Technically, "network eap" sets the 802.11 authentication algorithm to 128,
as opposed to open (algorithm 0) or shared WEP (algorithm 1).  Once the
802.11 authentication is approved, then the client can associate and move
into the EAP authentication using LEAP or EAP-FAST.  It was originally used
for LEAP clients, as a means of distinguishing that the client would be
required to perform EAP prior to even associating with the AP.


Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
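
The algorithm numbers named in the message above (0, 1 and 128) are carried in the first fixed field of an 802.11 Authentication frame. The following is an added example, not part of the original thread: a parser that reads that field and lists the stations requesting Network-EAP. It assumes raw 802.11 frames with no radiotap header and no FCS; the sample frames are constructed, reusing the two MAC addresses that appear in the logs quoted below.

```python
import struct

# Authentication Algorithm Number values named in the message above.
ALGORITHMS = {0: "open", 1: "shared-key", 128: "network-eap"}
MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
SUBTYPE_AUTH = 0x0B    # management subtype 11 = Authentication

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_auth_frame(frame: bytes):
    """Return the fixed fields of an 802.11 Authentication frame, else None."""
    if len(frame) < MGMT_HDR_LEN + 6:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != SUBTYPE_AUTH:
        return None
    if frame[1] & 0x40:    # Protected Frame bit set: body is encrypted, skip
        return None
    alg, transaction, status = struct.unpack_from("<HHH", frame, MGMT_HDR_LEN)
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "algorithm": alg, "name": ALGORITHMS.get(alg, f"unknown-{alg}"),
            "transaction": transaction, "status": status}

def network_eap_requesters(frames):
    """Source MACs that opened an exchange (transaction 1) with algorithm 128."""
    hits = set()
    for f in frames:
        p = parse_auth_frame(f)
        if p and p["algorithm"] == 128 and p["transaction"] == 1:
            hits.add(p["src"])
    return sorted(hits)

def build_frame(fc0, dst, src, bssid, body=b""):
    """Constructed sample input: zero duration and sequence control."""
    return bytes([fc0, 0, 0, 0]) + dst + src + bssid + bytes(2) + body

AP = bytes.fromhex("00235d0e3c10")        # AAP1 MAC as shown in the logs
STATION = bytes.fromhex("0023ac5be710")   # station MAC as shown in the logs
OTHER = bytes.fromhex("020000000001")     # constructed open-auth client
SAMPLE = [
    build_frame(0xB0, AP, STATION, AP, struct.pack("<HHH", 128, 1, 0)),
    build_frame(0xB0, STATION, AP, AP, struct.pack("<HHH", 128, 2, 0)),
    build_frame(0xB0, AP, OTHER, AP, struct.pack("<HHH", 0, 1, 0)),
    build_frame(0x80, b"\xff" * 6, AP, AP, bytes(12)),  # beacon subtype, ignored
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(parse_auth_frame(f))
    print(network_eap_requesters(SAMPLE))
```
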


On Wed, Jun 8, 2011 at 1:42 PM, Victor Platov (viplatov) <[email protected]> wrote:

> Hi,
>
>
>
> If you are dealing with a Cisco client (AP in repeater, non root bridge or
> WGB modes) and you’re willing to use any kind of security other than open
> or shared you have to announce “network with eap”.
>
> In general “network with eap” means LEAP and “open with eap” means all
> other EAP methods but not for Cisco APs. You always have to announce
> “network with eap” and actually don’t have to use “open with eap” even if
> you’re using EAP-FAST.
>
> Hope this helps.
>
>
>
> P.S.  Raul, what was your SSID configuration on both sides?
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Raul Manzano
> *Sent:* Wednesday, June 08, 2011 6:34 PM
> *To:* [email protected]
> *Subject:* Re: [OSL | CCIE_Wireless] EAPFAST and LEAP using
> local authentication.
>
>
>
> Thanks Stefan.
>
>
>
> Really I had read this blog, but I didn't remember that you should always
> offer LEAP to an AP. With a slower reading I understand this behaviour
> better.
>
>
>
> Thanks again.
>
>
>
> Best Regards.
>
> 2011/6/8 Stefan Angerer <[email protected]>
>
> Hi Raul,
>
>
>
> although this is an IP Expert list, I recommend reading Jerome’s blog post
> about this:
>
>
>
>
> http://wirelessccie.blogspot.com/2010/07/autonomous-aps-network-eap-vs-open-with.html
>
>
>
> It will shed some light on this :)
>
>
>
> Good luck for your studies!
>
>
>
> Regards
>
> Stefan
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Raul Manzano
> *Sent:* Wednesday, June 08, 2011 14:48
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Wireless] EAPFAST and LEAP using local
> authentication.
>
>
>
> Hi guys.
>
>
>
> I would like to share this issue with you.
>
>
>
> Big surprise doing exercise 3.10 of WB1. Because I actually don't have
> any ACS I decided to use local authentication in AAP1 and because the
> exercise talks about "Ensure that leap is not used" I added the following
> line to match the requirements:
>
>
>
> AAP1(config)#radius-server local
> AAP1(config-radsrv)#authe
> AAP1(config-radsrv)#no authentication leap
>
>
>
> I finished configuring the whole scenario but the bridges cannot link.
> Probably I forgot something, but the configuration seems right (strange!!!!).
>
>
>
> I see the logs on AAP1 and AAP2
>
>
>
> AAP1:
>
>
>
> *Mar  1 00:33:21.591: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710
> Authentication failed
>
>
>
>
>
> AAP2:
>
>
>
> *Mar  1 00:33:59.365: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
> to down
> *Mar  1 00:34:07.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot
> associate: No Response
> *Mar  1 00:34:47.345: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot
> associate: Rcvd response from 0023.5d0e.3c10 channel 1 2643
> *Mar  1 00:34:58.792: %LINK-5-CHANGED: Interface Dot11Radio0, changed state
> to reset
>
>
>
> These logs normally indicate that your credentials are wrong; I reviewed
> the credentials but they are OK  O_o
>
>
>
> AAP1#debug radius local-server error
>
> Radius server error debugging is on
> AAP1#ter mon
> AAP1#
> *Mar  1 00:05:32.247: RADSRV: LEAP authentication is not enabled !!
> *Mar  1 00:05:35.734: RADSRV: LEAP authentication is not enabled !!
> *Mar  1 00:05:35.736: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710
> Authentication failed
> *Mar  1 00:05:52.249: RADSRV: LEAP authentication is not enabled !!
> *Mar  1 00:05:52.250: %DOT11-7-AUTH_FAILED: Station 0023.ac5b.e710
> Authentication failed
>
>
>
> Now, I delete the line and...
>
>
>
> AAP1#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
> AAP1(config)#radius-server local
> AAP1(config-radsrv)#authentication leap
> AAP1(config-radsrv)#
> AAP1#
> AAP1#
> AAP1#
> AAP1#
> AAP1#
> AAP1#
> *Mar  1 00:06:59.860: %SYS-5-CONFIG_I: Configured from console by Cisco on
> vty0 (10.10.210.7)
> *Mar  1 00:07:00.808: RADSRV: EAP NAK received - starting EAP-FAST
> *Mar  1 00:07:00.842: %DOT11-6-ASSOC: Interface Dot11Radio0, Station LWAP1
> 0023.ac5b.e710 Associated KEY_MGMT[WPAv2]
>
>
>
> AAP2:
>
> AAP2#
> AAP2#
> *Mar  1 00:06:26.701: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot
> associate: Rcvd response from 0023.5d0e.3c10 channel 6 2654
> *Mar  1 00:06:27.059: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0,
> Associated To AP AAP1 0023.5d0e.3c10 [EAP-FAST WPAv2]
> *Mar  1 00:06:27.060: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
> to up
> *Mar  1 00:06:28.060: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Dot11Radio0, changed state to up
>
>
>
> Wow!!!, I didn't know that when using the local RADIUS of an AP with
> EAP-FAST I must permit both EAP-FAST and LEAP authentication for it to work.
>
>
>
> You probably know about this issue, but I didn't have any idea.
>
>
>
> Best Regards.
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
>