Radius Auth with MS PEAP


  • Radius Auth with MS PEAP

    Hi All,

    I have set up RADIUS authentication with IAS/NPS running on a Windows 2008 server. I have installed the appropriate certificates and added a group policy to enable all domain users to access the WLAN. The authentication method is Microsoft Protected EAP and all RADIUS clients have been configured on NPS.

    In our company we use 2 different types of WAPs: in larger sites we use multiple Cisco WAP4410Ns and in the smaller sites we use Cisco 881W routers. The setup works fine with the WAP4410Ns but not with the 881Ws.

    When a user gets authenticated through the WAP4410, I can see the access request in the IAS viewer and an entry in the event log but with sites using an 881, I can see an access request in the IAS viewer but no event log entry at all. I have noticed that in the IAS viewer, even if the user connected successfully, the 'Connect Result' field is 'unknown' and this is the same when the request fails.

    I have checked that all the shared keys match and I have tried several different setups on the 881Ws but nothing I do seems to make a difference. I can see that the server is receiving the request but nothing happens after that so I'm not sure what is failing.

    I have included the shortened in my next post.

  • #2
    Re: Radius Auth with MS PEAP

    Building configuration...


    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.x.x auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
     server 192.168.x.x auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    !
    !
    dot11 syslog
    !
    dot11 ssid TestAP
     vlan 1
     authentication open eap eap_methods
     authentication key-management wpa version 2
     accounting acct_methods
     guest-mode
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 1 mode ciphers aes-ccm
     !
     broadcast-key vlan 1 change 30
     !
     ssid TestAP
     !
     antenna gain 0
     station-role root
    !
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.x.x 255.255.255.0
     no ip route-cache
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http help-path
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.x.x auth-port 1645 acct-port 1646 key 7 x
    radius-server vsa send accounting
    bridge 1 route ip

    Any help on this would be greatly appreciated. If you need more info just yell.

    Many thanks!

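A consistency check for the RADIUS lines of the configuration posted above, as an added example that is not part of the original post: it lists every `aaa group server radius` member whose address and ports have no matching global `radius-server host` line. It assumes IOS pairs group members with host definitions by address, auth-port and acct-port, and that omitted ports default to 1645/1646; the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed sample: the RADIUS lines of the posted configuration, with the
# masked server address replaced by the documentation address 192.0.2.10.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 7 x
"""

PORTS = r"(\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?"
GROUP_RE = re.compile(r"aaa group server radius (\S+)")
SERVER_RE = re.compile(r"server " + PORTS)
HOST_RE = re.compile(r"radius-server host " + PORTS)

def _triple(m):
    # Assumption: ports left out of a line default to 1645/1646 on classic IOS.
    return m.group(1), int(m.group(2) or 1645), int(m.group(3) or 1646)

def audit_radius_groups(config):
    """Return (group, address, auth_port, acct_port, defined_ports) for each
    group member that has no global host line with the same address and ports."""
    hosts, members, group = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pastes that lost IOS indentation
        if m := HOST_RE.match(line):
            hosts.add(_triple(m))
            group = None
        elif m := GROUP_RE.match(line):
            group = m.group(1)
        elif group and (m := SERVER_RE.match(line)):
            members.append((group,) + _triple(m))
        else:
            group = None  # "!" or any other command closes the group block
    findings = []
    for grp, addr, auth, acct in members:
        if (addr, auth, acct) not in hosts:
            defined = sorted((a, c) for h, a, c in hosts if h == addr)
            findings.append((grp, addr, auth, acct, defined))
    return findings

if __name__ == "__main__":
    for finding in audit_radius_groups(SAMPLE_CONFIG):
        print("no matching radius-server host for group member:", finding)
```

On the posted lines it reports the members of both `rad_eap` and `rad_acct`, which use ports 1812/1813 while the only `radius-server host` line uses 1645/1646.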