That is because you specified the ssid "SSID1" under the wlccp authentication-server client configuration. Therefore, there was no match for WDS to use. Change the ssid to ABC and it should work. Keep in mind that if you enable "wlccp authentication-server client" on the AP, WDS will control all client authentications. It won't matter what you put under the SSID configuration itself in terms of which AAA method-list you are matching there.
Jason Boyers, CCIE #26024 (Wireless)
Blog: netboyers.wordpress.com

On Wed, Jul 11, 2012 at 12:56 PM, Andreas di Zazzo < [email protected]> wrote:

> I’ve often run into issues with the autonomous AP not wanting to use the
> specified AAA method.
>
> It normally works with a simple configuration but when I keep adding stuff
> this sometimes breaks.
>
> I’m very curious why this is. Here is an example when it breaks.
>
> Provided is a configuration example from a 1131AG.
>
> AAP_1131#sh run
> Building configuration...
>
> Current configuration : 6143 bytes
> !
> ! Last configuration change at 18:45:04 CET Wed Jul 11 2012 by tacacs
> ! NVRAM config last updated at 18:45:05 CET Wed Jul 11 2012 by tacacs
> !
> version 12.4
> no service pad
> service timestamps debug datetime show-timezone
> service timestamps log datetime show-timezone
> service password-encryption
> !
> hostname AAP_1131
> !
> logging rate-limit console 9
> !
> aaa new-model
> !
> !
> aaa group server radius LOCALRADIUS
> server 10.30.103.2 auth-port 1812 acct-port 1813
> !
> aaa group server radius ACS
> server 10.30.110.5 auth-port 1645 acct-port 1646
> !
> aaa group server tacacs+ acs
> server 10.30.110.5
> !
> aaa authentication login LOCALRADIUS group LOCALRADIUS
> aaa authentication login ACS group ACS
> aaa authentication login tacacsgroup group acs local
> aaa authentication enable default group acs enable
> aaa authorization exec tacacsexecgroup group acs local
> !
> aaa session-id common
> clock timezone CET 1
> clock summer-time CET recurring
> no ip domain lookup
> ip domain name LABDOMAIN.LAN
> ip name-server 10.30.111.10
> !
> !
> dot11 syslog
> !
> dot11 ssid ABC
> vlan 103
> authentication open eap LOCALRADIUS
> authentication network-eap LOCALRADIUS
> authentication key-management wpa
> mbssid guest-mode
> !
> eap profile WDSPROFILE
> method fast
> !
> ip ssh version 2
> !
> bridge irb
> !
> interface Dot11Radio0
> no ip address
> no ip route-cache
> !
> encryption vlan 103 mode ciphers tkip
> !
> ssid ABC
> !
> mbssid
> speed basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
> power local -1
> power client -1
> channel 2462
> station-role root
> !
> interface Dot11Radio0.103
> encapsulation dot1Q 103 native
> no ip route-cache
> bridge-group 1
> bridge-group 1 subscriber-loop-control
> bridge-group 1 block-unknown-source
> no bridge-group 1 source-learning
> no bridge-group 1 unicast-flooding
> bridge-group 1 spanning-disabled
> !
> interface Dot11Radio1
> no ip address
> no ip route-cache
> shutdown
> countermeasure tkip hold-time 15
> no dfs band block
> speed basic-12.0 18.0 24.0
> channel dfs
> station-role root
> bridge-group 1
> bridge-group 1 subscriber-loop-control
> bridge-group 1 block-unknown-source
> no bridge-group 1 source-learning
> no bridge-group 1 unicast-flooding
> bridge-group 1 spanning-disabled
> !
> interface FastEthernet0
> no ip address
> no ip route-cache
> duplex auto
> speed auto
> !
> interface FastEthernet0.103
> encapsulation dot1Q 103 native
> no ip route-cache
> bridge-group 1
> no bridge-group 1 source-learning
> bridge-group 1 spanning-disabled
> !
> interface BVI1
> ip address 10.30.103.2 255.255.255.0
> no ip route-cache
> !
> ip http server
> ip http authentication aaa login-authentication tacacsgroup
> ip http authentication aaa exec-authorization tacacsexecgroup
> ip http secure-server
> ip http secure-port 8443
> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> tacacs-server host 10.30.110.5 key 7 07012E581A1C4B06
> radius-server local
> no authentication mac
> eapfast server-key primary 7 653EDAFC0300A0996724A2BA9ADE14884B
> nas 10.30.103.2 key 7 0502160A395C4B1B0D
> group eapfast
> eapfast pac expiry 14
> !
> user eapfast nthash 7 15312954270C08720D1060034B5E345257040E7A0B712A514C327B0E0506070402 group eapfast
> user wds nthash 7 144E302A2E500F7F7D716761013752455653707D7B70032F2149407B7D04077303
> user leap nthash 7 106F5A4E2044425D28277E7E740E6616724025332659757C7D0A775E203A340C01
> !
> radius-server host 10.30.103.2 auth-port 1812 acct-port 1813 key 7 08285C4B1109000506
> radius-server host 10.30.110.5 auth-port 1645 acct-port 1646 key 7 082F435A5D0C5714
> bridge 1 route ip
> !
> !
> wlccp ap username wds password 7 10590D0A151601181B0B382F
> wlccp ap eap profile WDSPROFILE
> wlccp authentication-server infrastructure ACS
> wlccp authentication-server client any LOCALRADIUS
> ssid SSID1
> wlccp wds priority 255 interface BVI1
> !
> line con 0
> line vty 0 4
> login authentication tacacsgroup
> transport input all
> line vty 5 15
> login authentication tacacsgroup
> transport input all
> !
> sntp server 10.30.110.3 version 3
> end
>
> The correct methods get picked for WDS authentication, for WDS client
> authentication and for TACACS.
>
> But for authentication of the SSID it simply does not work, why is this?
>
> AAP_1131#debug aaa authentication
> AAA Authentication debugging is on
>
> *>>>> I try to connect with a client using Anyconnect 3.0 using LEAP.*
>
> AAP_1131#
> Jul 11 16:51:35 UTC: AAA/AUTHEN/PPP (000000F9): Pick method list 'Permanent Local'
> Jul 11 16:51:35 UTC: %DOT11-7-AUTH_FAILED: Station 5cd9.98bf.be32 Authentication failed
>
> So why does it not match the LOCALRADIUS method? Permanent local is the
> default method.
>
> Rgds. Andreas di Zazzo CCIE #28735 (R&S).
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
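The mismatch described in the reply, as an added example that is not part of the original thread: a Python check that flags SSIDs listed under "wlccp authentication-server client" that are not configured with "dot11 ssid", and configured SSIDs that no client entry lists. The sample is constructed from the relevant lines of the quoted configuration; the function names are hypothetical, and treating a client entry with no ssid lines as covering every SSID is an assumption.

```python
import re

# Constructed sample: the relevant lines of the configuration quoted above.
SAMPLE = """\
dot11 ssid ABC
 authentication open eap LOCALRADIUS
 authentication network-eap LOCALRADIUS
!
interface Dot11Radio0
 ssid ABC
!
wlccp authentication-server client any LOCALRADIUS
 ssid SSID1
wlccp wds priority 255 interface BVI1
"""

CLIENT_RE = re.compile(r"wlccp authentication-server client (\S+) (\S+)$")

def parse(config):
    """Return (defined SSIDs, [(method list, [SSIDs listed under it])])."""
    defined, clients, current = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()  # indentation is not relied on
        m = CLIENT_RE.match(line)
        if m:
            current = (m.group(2), [])
            clients.append(current)
        elif line.startswith("ssid ") and current is not None:
            current[1].append(line.split(None, 1)[1])
        else:
            current = None  # any other line closes the client entry
            if line.startswith("dot11 ssid "):
                defined.add(line.split(None, 2)[2])
    return defined, clients

def audit(config):
    """List SSID mismatches between 'dot11 ssid' and WDS client entries."""
    defined, clients = parse(config)
    findings, listed = [], set()
    for method_list, ssids in clients:
        listed.update(ssids)
        findings += [f"{method_list}: ssid {s} is not a configured dot11 ssid"
                     for s in ssids if s not in defined]
    # Assumption: a client entry with no ssid lines applies to every SSID.
    if clients and all(ssids for _, ssids in clients):
        findings += [f"dot11 ssid {s} is not listed under any WDS client entry"
                     for s in sorted(defined - listed)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

With the ssid line changed to ABC, as the reply suggests, audit() returns an empty list.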
