I've often run into issues with the autonomous AP not wanting to use the
specified AAA method.

It normally works with a simple configuration, but when I keep adding
stuff this sometimes breaks.

I'm very curious why this is. Here is an example when it breaks.

Provided is a configuration example from a 1131AG.

AAP_1131#sh run
Building configuration...

Current configuration : 6143 bytes
!
! Last configuration change at 18:45:04 CET Wed Jul 11 2012 by tacacs
! NVRAM config last updated at 18:45:05 CET Wed Jul 11 2012 by tacacs
!
version 12.4
no service pad
service timestamps debug datetime show-timezone
service timestamps log datetime show-timezone
service password-encryption
!
hostname AAP_1131
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius LOCALRADIUS
 server 10.30.103.2 auth-port 1812 acct-port 1813
!
aaa group server radius ACS
 server 10.30.110.5 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ acs
 server 10.30.110.5
!
aaa authentication login LOCALRADIUS group LOCALRADIUS
aaa authentication login ACS group ACS
aaa authentication login tacacsgroup group acs local
aaa authentication enable default group acs enable
aaa authorization exec tacacsexecgroup group acs local
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring
no ip domain lookup
ip domain name LABDOMAIN.LAN
ip name-server 10.30.111.10
!
!
dot11 syslog
!
dot11 ssid ABC
   vlan 103
   authentication open eap LOCALRADIUS
   authentication network-eap LOCALRADIUS
   authentication key-management wpa
   mbssid guest-mode
!
eap profile WDSPROFILE
 method fast
!
ip ssh version 2
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 103 mode ciphers tkip
 !
 ssid ABC
 !
 mbssid
 speed  basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local -1
 power client -1
 channel 2462
 station-role root
!
interface Dot11Radio0.103
 encapsulation dot1Q 103 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 countermeasure tkip hold-time 15
 no dfs band block
 speed  basic-12.0 18.0 24.0
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.103
 encapsulation dot1Q 103 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.30.103.2 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication aaa login-authentication tacacsgroup
ip http authentication aaa exec-authorization tacacsexecgroup
ip http secure-server
ip http secure-port 8443
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
tacacs-server host 10.30.110.5 key 7 07012E581A1C4B06
radius-server local
  no authentication mac
  eapfast server-key primary 7 653EDAFC0300A0996724A2BA9ADE14884B
  nas 10.30.103.2 key 7 0502160A395C4B1B0D
  group eapfast
    eapfast pac expiry 14
  !
  user eapfast nthash 7 15312954270C08720D1060034B5E345257040E7A0B712A514C327B0E0506070402 group eapfast
  user wds nthash 7 144E302A2E500F7F7D716761013752455653707D7B70032F2149407B7D04077303
  user leap nthash 7 106F5A4E2044425D28277E7E740E6616724025332659757C7D0A775E203A340C01
!
radius-server host 10.30.103.2 auth-port 1812 acct-port 1813 key 7 08285C4B1109000506
radius-server host 10.30.110.5 auth-port 1645 acct-port 1646 key 7 082F435A5D0C5714
bridge 1 route ip
!
!
wlccp ap username wds password 7 10590D0A151601181B0B382F
wlccp ap eap profile WDSPROFILE
wlccp authentication-server infrastructure ACS
wlccp authentication-server client any LOCALRADIUS
  ssid SSID1
wlccp wds priority 255 interface BVI1
!
line con 0
line vty 0 4
 login authentication tacacsgroup
 transport input all
line vty 5 15
 login authentication tacacsgroup
 transport input all
!
sntp server 10.30.110.3 version 3
end

The correct methods get picked for WDS authentication, for WDS client
authentication and for TACACS.

But for authentication of the SSID it simply does not work. Why is this?

AAP_1131#debug aaa authentication
AAA Authentication debugging is on

>>>> I try to connect with a client using Anyconnect 3.0 using LEAP.

AAP_1131#
Jul 11 16:51:35 UTC: AAA/AUTHEN/PPP (000000F9): Pick method list 'Permanent Local'
Jul 11 16:51:35 UTC: %DOT11-7-AUTH_FAILED: Station 5cd9.98bf.be32 Authentication failed

So why does it not match the LOCALRADIUS method? Permanent local is the
default method.

Rgds. Andreas di Zazzo CCIE #28735 (R&S).
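A configuration like the one in this thread is easy to mis-wire by hand: the SSID names a login method list, the list names a server group, the group names a server, and the server needs a matching radius-server host entry with a key. The following checker is an added example written for this page, not code from the original post or from Cisco. It parses the AAA and dot11 sections of an IOS running-config and walks each SSID's "authentication open eap" / "authentication network-eap" list down to a RADIUS host, reporting any link that does not resolve; it also flags radio VLANs whose cipher suite is TKIP without aes-ccm. The SAMPLE_CONFIG is a constructed, trimmed copy of the post's config with an extra SSID named BROKEN that points at a method list which is never defined; the type-7 key is a placeholder. On the post's own SSID ABC every reference resolves, so the checker does not explain the "Permanent Local" line in the debug output; it only catches the mismatches a static review can find.

```python
import re

# Constructed sample: a trimmed copy of the running-config in the post plus an
# extra SSID (BROKEN) whose method list nobody defined. The key is a placeholder.
SAMPLE_CONFIG = """\
aaa group server radius LOCALRADIUS
 server 10.30.103.2 auth-port 1812 acct-port 1813
aaa group server radius ACS
 server 10.30.110.5 auth-port 1645 acct-port 1646
aaa authentication login LOCALRADIUS group LOCALRADIUS
aaa authentication login ACS group ACS
dot11 ssid ABC
   vlan 103
   authentication open eap LOCALRADIUS
   authentication network-eap LOCALRADIUS
   authentication key-management wpa
   mbssid guest-mode
dot11 ssid BROKEN
   authentication open eap NOSUCHLIST
   authentication key-management wpa
interface Dot11Radio0
 encryption vlan 103 mode ciphers tkip
 ssid ABC
radius-server host 10.30.103.2 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
"""


def parse_config(text):
    """Extract the AAA and dot11 pieces that decide how each SSID authenticates."""
    cfg = {"groups": {}, "login_lists": {}, "ssids": {}, "radius_hosts": set(), "radio_ciphers": {}}
    block = None  # (kind, name) of the last top-level command that takes sub-commands
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented, line = raw[0] == " ", raw.strip()  # IOS indents sub-commands
        if not indented:
            block = None
            if m := re.match(r"aaa group server (radius|tacacs\+) (\S+)$", line):
                cfg["groups"][m[2]] = {"proto": m[1], "servers": []}
                block = ("group", m[2])
            elif m := re.match(r"aaa authentication login (\S+) (.+)$", line):
                cfg["login_lists"][m[1]] = m[2].split()  # e.g. ["group", "acs", "local"]
            elif m := re.match(r"dot11 ssid (\S+)$", line):
                cfg["ssids"][m[1]] = {"eap_lists": {}, "guest_mode": False}
                block = ("ssid", m[1])
            elif m := re.match(r"interface (Dot11Radio\d+)$", line):  # not sub-interfaces
                cfg["radio_ciphers"][m[1]] = {}
                block = ("radio", m[1])
            elif m := re.match(r"radius-server host (\S+)", line):
                cfg["radius_hosts"].add(m[1])
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "group" and (m := re.match(r"server (\S+)", line)):
            cfg["groups"][name]["servers"].append(m[1])
        elif kind == "ssid":
            if m := re.match(r"authentication (open eap|network-eap) (\S+)", line):
                cfg["ssids"][name]["eap_lists"][m[1]] = m[2]
            elif line.startswith("mbssid guest-mode"):
                cfg["ssids"][name]["guest_mode"] = True
        elif kind == "radio" and (m := re.match(r"encryption(?: vlan (\d+))? mode ciphers (.+)$", line)):
            cfg["radio_ciphers"][name][m[1] or "default"] = m[2].split()
    return cfg


def audit(cfg):
    """Follow each SSID's EAP method list to a RADIUS host and flag TKIP-only radios."""
    findings = []
    for ssid, info in sorted(cfg["ssids"].items()):
        for auth_type, list_name in info["eap_lists"].items():
            methods = cfg["login_lists"].get(list_name)
            if methods is None:
                findings.append(f"{ssid}: '{auth_type} {list_name}' names a login method list that is not defined")
                continue
            # each 'group X' token in the method list names a server group
            for grp in [methods[i + 1] for i, tok in enumerate(methods[:-1]) if tok == "group"]:
                group = cfg["groups"].get(grp)
                if group is None:
                    findings.append(f"{ssid}: method list {list_name} uses undefined server group {grp}")
                    continue
                for srv in group["servers"]:
                    if srv not in cfg["radius_hosts"]:
                        findings.append(f"{ssid}: server {srv} in group {grp} has no radius-server host entry")
    for radio, vlans in sorted(cfg["radio_ciphers"].items()):
        for vlan, ciphers in vlans.items():
            if "aes-ccm" not in ciphers:
                findings.append(f"{radio}: vlan {vlan} ciphers {' '.join(ciphers)} (no aes-ccm; TKIP-only is deprecated)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

To run it against a real device, paste the output of "show running-config" into the text passed to parse_config; the parser relies on the one-space indentation IOS uses for sub-commands, so keep the output as the AP prints it rather than the double-spaced copy a mail client produces.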