
Wireless bridge can't access windows certificate server 1

Status
Not open for further replies.

msworld

MIS
Jun 28, 2005
534
US
We have 10 Cisco 1200 wireless APs. VLAN 1 uses Windows certificates for authentication and VLAN 100 is for the public. They work fine. We just bought two 1310 wireless bridges for outdoor use. We contacted Cisco support to set up these two bridges. The wireless can receive the signal but can't log on. The IP is 169.254.x.x. The certificate server receives Event ID 2 as below. The Cisco engineer can't make it work and he said the Windows IAS setup is not his expertise. Any suggestions on how we can fix this issue?

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 4/13/2007
Time: 7:41:21 PM
User: N/A
Computer: DEVICES
Description:
User blin was denied access.
Fully-Qualified-User-Name = chicagotech.net/Users/Bob Lin
NAS-IP-Address = 10.0.20.54
NAS-Identifier = Outdoor_1300_2
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = Root Bridge1
Client-IP-Address = 10.0.20.54
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = All
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

For more information, see Help and Support Center at Data:
0000: 00 00 00 00 ....


Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
You do know that 169.254.xxx.xxx is Windows APIPA, right? This means that the device cannot get an IP from the DHCP server, and it is set for DHCP...am I stating something you already knew, and it has nothing to do with the problem?

Burt
 
Code:
NAS-Port-Type = Async

This is not a Wireless Authentication attempt, it's someone attaching to the console.

Plus:

Code:
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

This means IAS isn't configured correctly.

Without knowing a bit more about what has already been configured it's a bit difficult to diagnose this further.....

Andy
 
By my understanding, if the IAS denies the access, the DHCP won't assign an IP address. The question is, how do I troubleshoot the IAS settings? What I don't understand is that the existing 10 wireless APs work fine. We compared all settings and can't tell what's different.

Andy, what information do you need?

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
Configs from the AP and IAS will pretty much cover it....

Andy
 
The new AP is off. I will post the configuration Monday. Now the problem is that the existing wireless APs don't work any more and the IAS receives a lot of Event ID 3 after the Cisco engineer made some changes in the IAS. I believe he created a wireless policy and moved the original policy All to second place (shown below). I just moved All up, but I'm not sure that fixes the problem. What's the command line to test AAA? I tried test aaa username password, but that doesn't work.

Name Order
wireless 1
All 2
Connections to Microsoft Routing and Remote Access server 3
Connections to other access servers 4

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
I have multiple policies on IAS, one of these is 'Wireless Users'. This has the policy conditions:

NAS-Port-Type matches "Wireless - IEEE 802.11" and
Windows-Groups matches "DOMAIN\Wireless Users" and
Service-Type matches "Authenticate Only OR Login" and
Authentication-Type matches "EAP"

In the profile I have enabled the session-timeout and set it to 10 minutes (600 seconds). All the Authentication tick boxes are un-ticked and EAP Methods is used; this is set to 'Smart Card or other Certificate' as I am using EAP-TLS as the authentication type. Encryption is set to ONLY 'Strongest encryption (MPPE 128 bit)', however I don't think this parameter is checked. In Advanced I have added the RADIUS attribute 'Termination-Action' and set it to 'RADIUS-Request' as this enables re-authentication after the timeout configured earlier.

HTH

Andy
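The following added example (not code from the thread or from Microsoft IAS) models how ordered IAS remote access policies are matched against the RADIUS attributes in the Event ID 2 text above: the bridge's request arrives with NAS-Port-Type = Async and Authentication-Type = PAP, so it never matches a wireless/EAP policy like Andy's and falls through to "All", where PAP is not an enabled method and reason code 66 is returned. The policy set, its enabled methods and the event text are assumptions constructed from the posts.

```python
"""Simplified model of IAS ordered policy matching (added example, not IAS code)."""
import re

# Constructed from the Event ID 2 text posted in the thread (abridged).
EVENT_TEXT = """\
NAS-Port-Type = Async
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = All
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
"""

def parse_event(text):
    """Turn 'Attribute = value' lines into a dict; '<...>' markers become None."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*=\s*(.*)$", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            attrs[key] = None if val.startswith("<") else val
    return attrs

# Policies in evaluation order (first whose conditions all match wins).
# Conditions: attribute -> set of accepted values. allowed_auth is assumed;
# the "All" policy here mirrors the thread, where PAP is not enabled on it.
POLICIES = [
    {"name": "wireless",
     "conditions": {"NAS-Port-Type": {"Wireless - IEEE 802.11"},
                    "Authentication-Type": {"EAP"}},
     "allowed_auth": {"EAP"}},
    {"name": "All", "conditions": {}, "allowed_auth": {"EAP", "MS-CHAP v2"}},
]

def evaluate(attrs, policies=POLICIES):
    """Return (matched_policy, reason_code): 0 = accepted, 66 = auth method
    not enabled on the matching policy, 48 = no policy matched."""
    for pol in policies:
        if all(attrs.get(k) in v for k, v in pol["conditions"].items()):
            if attrs.get("Authentication-Type") in pol["allowed_auth"]:
                return pol["name"], 0
            return pol["name"], 66
    return None, 48

if __name__ == "__main__":
    print(evaluate(parse_event(EVENT_TEXT)))  # the bridge's request
```

Swapping the two attributes for a real 802.11/EAP request shows it landing on the "wireless" policy and being accepted, which is the difference the thread is chasing.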
 
Andy,

I reset the policy in IAS using your configuration. All the existing wireless APs work now. Thank you for the detailed information. The new wireless bridge still receives Event ID 2 with Authentication-Type=PAP. We are using EAP. I can't figure out where to make the change. Can you take a look at the configuration? Thank you.


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Outdoor_1300_1
!
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.0.0.12 auth-port 1645 acct-port 1646
server 10.0.20.54 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server 10.0.20.54 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid 06Wireless
vlan 1
authentication open eap eap_methods1
authentication network-eap eap_methods1
authentication key-management wpa
authentication client username Cisco password 7 062506324F41
guest-mode
infrastructure-ssid
!
dot11 ssid Chicago
vlan 300
authentication open
!
dot11 ssid Student
vlan 200
authentication open
authentication key-management wpa
wpa-psk ascii 7 xxx
!
dot11 ssid Teacher
vlan 100
authentication open
authentication key-management wpa
wpa-psk ascii 7 xxx
!
dot11 network-map
!
!

!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 100 mode ciphers tkip
!
encryption vlan 200 mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
ssid 06Wireless
!
ssid Chicago
!
ssid Student
!
ssid Teacher
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge wireless-clients
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
!
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 spanning-disabled
!
interface Dot11Radio0.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
bridge-group 255 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
!
interface FastEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
!
interface FastEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 spanning-disabled
!
interface FastEthernet0.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
bridge-group 255 spanning-disabled
!
interface BVI1
ip address 10.0.20.53 255.255.0.0
no ip route-cache
!
ip default-gateway 10.0.0.2
ip http server
no ip http secure-server
ip http help-path ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.12 auth-port 1645 acct-port 1646 key 7 121A5502001F
radius-server host 10.0.20.54 auth-port 1812 acct-port 1813 key 7 13261E010803
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
Sorry, I gave the wrong information. If we do test aaa group r username password l, the IAS logs the Event ID 2 mentioned before. If you try to connect the wireless, there is no Event ID in the IAS and the wireless receives IP 0.0.0.0 or 169.254.x.x.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
OK, looking at your configuration you have multiple SSIDs, each mapped to a separate VLAN (06Wireless, Chicago, Student and Teacher). However, none of these is configured to use the RADIUS servers you list to authenticate wireless clients.
I have an Aironet 1100 with the 802.11G radio installed and my SSID looks like this:

Code:
dot11 ssid wireless
   vlan 50
   authentication open eap eap_methods 
   authentication key-management wpa
   accounting acct_methods
   guest-mode
   mbssid guest-mode

The 'authentication open eap eap_methods' line refers to an AAA authentication list that points to the RADIUS server group:

Code:
aaa authentication login eap_methods group rad_eap

HTH

Andy
 
I do have radius-server configured as shown below.

radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.12 auth-port 1645 acct-port 1646 key 7 121A5502001F
radius-server host 10.0.20.54 auth-port 1812 acct-port 1813 key 7 13261E010803
radius-server vsa send accounting

I found the problem is client settings. Thank you.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 