I've often run into issues with the autonomous AP not wanting to use the specified AAA method.
It normally works with a simple configuration, but when I keep adding stuff this sometimes breaks. I'm very curious why this is. Here is an example when it breaks. Provided is a configuration example from a 1131AG.

AAP_1131#sh run
Building configuration...

Current configuration : 6143 bytes
!
! Last configuration change at 18:45:04 CET Wed Jul 11 2012 by tacacs
! NVRAM config last updated at 18:45:05 CET Wed Jul 11 2012 by tacacs
!
version 12.4
no service pad
service timestamps debug datetime show-timezone
service timestamps log datetime show-timezone
service password-encryption
!
hostname AAP_1131
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius LOCALRADIUS
 server 10.30.103.2 auth-port 1812 acct-port 1813
!
aaa group server radius ACS
 server 10.30.110.5 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ acs
 server 10.30.110.5
!
aaa authentication login LOCALRADIUS group LOCALRADIUS
aaa authentication login ACS group ACS
aaa authentication login tacacsgroup group acs local
aaa authentication enable default group acs enable
aaa authorization exec tacacsexecgroup group acs local
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring
no ip domain lookup
ip domain name LABDOMAIN.LAN
ip name-server 10.30.111.10
!
!
dot11 syslog
!
dot11 ssid ABC
   vlan 103
   authentication open eap LOCALRADIUS
   authentication network-eap LOCALRADIUS
   authentication key-management wpa
   mbssid guest-mode
!
eap profile WDSPROFILE
 method fast
!
ip ssh version 2
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 103 mode ciphers tkip
 !
 ssid ABC
 !
 mbssid
 speed basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local -1
 power client -1
 channel 2462
 station-role root
!
interface Dot11Radio0.103
 encapsulation dot1Q 103 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 countermeasure tkip hold-time 15
 no dfs band block
 speed basic-12.0 18.0 24.0
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.103
 encapsulation dot1Q 103 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.30.103.2 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication aaa login-authentication tacacsgroup
ip http authentication aaa exec-authorization tacacsexecgroup
ip http secure-server
ip http secure-port 8443
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
tacacs-server host 10.30.110.5 key 7 07012E581A1C4B06
radius-server local
  no authentication mac
  eapfast server-key primary 7 653EDAFC0300A0996724A2BA9ADE14884B
  nas 10.30.103.2 key 7 0502160A395C4B1B0D
  group eapfast
   eapfast pac expiry 14
  !
  user eapfast nthash 7 15312954270C08720D1060034B5E345257040E7A0B712A514C327B0E0506070402 group eapfast
  user wds nthash 7 144E302A2E500F7F7D716761013752455653707D7B70032F2149407B7D04077303
  user leap nthash 7 106F5A4E2044425D28277E7E740E6616724025332659757C7D0A775E203A340C01
!
radius-server host 10.30.103.2 auth-port 1812 acct-port 1813 key 7 08285C4B1109000506
radius-server host 10.30.110.5 auth-port 1645 acct-port 1646 key 7 082F435A5D0C5714
bridge 1 route ip
!
!
wlccp ap username wds password 7 10590D0A151601181B0B382F
wlccp ap eap profile WDSPROFILE
wlccp authentication-server infrastructure ACS
wlccp authentication-server client any LOCALRADIUS ssid SSID1
wlccp wds priority 255 interface BVI1
!
line con 0
line vty 0 4
 login authentication tacacsgroup
 transport input all
line vty 5 15
 login authentication tacacsgroup
 transport input all
!
sntp server 10.30.110.3 version 3
end

The correct methods get picked for WDS authentication, for WDS client authentication and for TACACS. But for authentication of the SSID it simply does not work. Why is this?

AAP_1131#debug aaa authentication
AAA Authentication debugging is on

>>>> I try to connect with a client using AnyConnect 3.0 using LEAP.

AAP_1131#
Jul 11 16:51:35 UTC: AAA/AUTHEN/PPP (000000F9): Pick method list 'Permanent Local'
Jul 11 16:51:35 UTC: %DOT11-7-AUTH_FAILED: Station 5cd9.98bf.be32 Authentication failed

So why does it not match the LOCALRADIUS method? Permanent Local is the default method.

Rgds.
Andreas di Zazzo
CCIE #28735 (R&S).
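The post leaves the question open, so one check worth running on a configuration like this before chasing run-time method-list selection is whether every AAA name that is referenced actually resolves to a definition. The script below is an added example written for this page; it is not from the original message or from Cisco. It parses a config in the same shape as the posted "sh run" output and reports every method list, server group or SSID that is referenced but never defined, comparing names case-sensitively as IOS does. The embedded SAMPLE is trimmed from the AAA-relevant lines of the posted AAP_1131 configuration; on it, both method-list references under `dot11 ssid ABC` resolve to the defined LOCALRADIUS list, and the only dangling name is the `ssid SSID1` on the `wlccp authentication-server client` line. The checker only flags dangling references; it does not model how the AP chooses a list at run time, so whether that finding relates to the 'Permanent Local' pick is not something it can answer.

```python
"""Cross-check AAA method-list references in a Cisco IOS autonomous-AP config.
Added example (not from the original post). IOS names are case-sensitive, so the
comparison below is exact."""
import re
from dataclasses import dataclass, field

# Method keywords that are valid without a named "aaa group server" definition.
BUILTIN_METHODS = {"local", "local-case", "enable", "none", "line", "radius",
                   "tacacs+", "if-authenticated", "krb5"}

# Constructed sample: trimmed from the AAA-relevant lines of the posted configuration.
SAMPLE = """\
aaa new-model
aaa group server radius LOCALRADIUS
 server 10.30.103.2 auth-port 1812 acct-port 1813
aaa group server radius ACS
 server 10.30.110.5 auth-port 1645 acct-port 1646
aaa group server tacacs+ acs
 server 10.30.110.5
aaa authentication login LOCALRADIUS group LOCALRADIUS
aaa authentication login ACS group ACS
aaa authentication login tacacsgroup group acs local
aaa authentication enable default group acs enable
aaa authorization exec tacacsexecgroup group acs local
dot11 ssid ABC
   vlan 103
   authentication open eap LOCALRADIUS
   authentication network-eap LOCALRADIUS
   authentication key-management wpa
ip http authentication aaa login-authentication tacacsgroup
ip http authentication aaa exec-authorization tacacsexecgroup
wlccp authentication-server infrastructure ACS
wlccp authentication-server client any LOCALRADIUS ssid SSID1
line vty 0 4
 login authentication tacacsgroup
"""


@dataclass
class Config:
    groups: dict = field(default_factory=dict)  # server group name -> protocol
    lists: dict = field(default_factory=dict)   # (kind, list name) -> method tokens
    ssids: set = field(default_factory=set)
    refs: list = field(default_factory=list)    # (where, kind, referenced name)


def parse_ios_config(text):
    """Collect definitions and references. Indented lines are sub-commands and are
    interpreted relative to the last top-level command (the IOS convention)."""
    cfg = Config()
    context = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not raw[0].isspace():
            context = line
            if m := re.match(r"aaa group server (radius|tacacs\+) (\S+)$", line):
                cfg.groups[m.group(2)] = m.group(1)
            elif m := re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)$", line):
                cfg.lists[(f"{m.group(1)} {m.group(2)}", m.group(3))] = m.group(4).split()
            elif m := re.match(r"dot11 ssid (\S+)$", line):
                cfg.ssids.add(m.group(1))
            elif m := re.match(r"ip http authentication aaa login-authentication (\S+)$", line):
                cfg.refs.append((line, "authentication login", m.group(1)))
            elif m := re.match(r"ip http authentication aaa exec-authorization (\S+)$", line):
                cfg.refs.append((line, "authorization exec", m.group(1)))
            elif m := re.match(r"wlccp authentication-server infrastructure (\S+)$", line):
                cfg.refs.append((line, "authentication login", m.group(1)))
            elif m := re.match(r"wlccp authentication-server client \S+ (\S+)(?: ssid (\S+))?$", line):
                cfg.refs.append((line, "authentication login", m.group(1)))
                if m.group(2):
                    cfg.refs.append((line, "ssid", m.group(2)))
            continue
        where = f"{context} / {line}"
        if context.startswith("dot11 ssid ") and tokens[0] == "authentication" and len(tokens) > 1:
            # "authentication network-eap LIST" names the list directly;
            # "authentication open|shared [mac-address LIST] [eap LIST]" names it after a keyword.
            if tokens[1] == "network-eap" and len(tokens) > 2:
                cfg.refs.append((where, "authentication login", tokens[2]))
            for kw in ("eap", "mac-address"):
                if kw in tokens[2:] and tokens.index(kw) + 1 < len(tokens):
                    cfg.refs.append((where, "authentication login", tokens[tokens.index(kw) + 1]))
        elif context.startswith("line ") and tokens[:2] == ["login", "authentication"] and len(tokens) > 2:
            cfg.refs.append((where, "authentication login", tokens[2]))
    return cfg


def check_references(cfg):
    """Return one finding per name that is referenced but never defined."""
    findings = []
    for (kind, name), methods in cfg.lists.items():
        it = iter(methods)
        for tok in it:
            if tok == "group":
                grp = next(it, None)
                # "group radius" / "group tacacs+" mean every configured server of that protocol.
                if grp not in cfg.groups and grp not in ("radius", "tacacs+"):
                    findings.append(f"aaa {kind} {name}: server group '{grp}' is not defined")
            elif tok not in BUILTIN_METHODS:
                findings.append(f"aaa {kind} {name}: unknown method keyword '{tok}'")
    for where, kind, name in cfg.refs:
        if kind == "ssid":
            if name not in cfg.ssids:
                findings.append(f"{where}: SSID '{name}' is not defined")
        elif (kind, name) not in cfg.lists:
            findings.append(f"{where}: {kind} method list '{name}' is not defined")
    return findings


if __name__ == "__main__":
    for finding in check_references(parse_ios_config(SAMPLE)) or ["no dangling references"]:
        print(finding)
```

Feed it the full "sh run" text rather than the trimmed SAMPLE to check a real device; lines it does not understand (interfaces, radius-server local, bridge groups) are simply skipped.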
