MS IAS and Cisco Aironet 1200 AP
Hi, I and my associates have configured a Windows 2003 server with IAS to authenticate wireless users according to the entries in AD. The AD is on the same server; the authentication works fine when our router requests an authentication for a remote-VPN login, but the problem is the wireless part. We are using a Cisco Aironet 1200 AP and Cisco wireless adapters with Cisco ADU (in our laptops). They have connectivity with the server and we are assured that the server is receiving the RADIUS requests, but it's not sending any packets back to the AP. We have little or no experience with certificates, but we are using PEAP-MS-CHAPv2, as suggested in many guides, and our settings seem to be correct. I have attached the AP config and the "debug radius authentication" output below. Any ideas of what's causing the trouble? We have been guessing that the IAS expects specific RADIUS attributes which the AP is NOT sending, or perhaps that the IAS can't interpret the ones that ARE sent, thus not even bothering to reply to the AP. Thanks.

AP-config:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SthlmAP
!
enable secret 5 $1$O9WD$c41kJfThCR/mm.Q8OfRrq.
!
ip subnet-zero
no ip domain lookup
ip domain name NoName.com
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.35.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 server 192.168.35.3 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Development vlan 30
dot11 vlan-name Economy vlan 20
dot11 vlan-name Guest vlan 70
dot11 vlan-name Management vlan 99
dot11 vlan-name Production vlan 40
dot11 vlan-name Sales vlan 10
!
dot11 ssid SthlmDev
   vlan 30
   authentication open
!
dot11 ssid SthlmEco
   vlan 20
   authentication open
!
dot11 ssid SthlmGuest
   vlan 70
   authentication open
!
dot11 ssid SthlmProd
   vlan 40
   authentication open
!
dot11 ssid SthlmSales
   vlan 10
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   guest-mode
!
!
!
username Cisco password 7 02250D480809
username rnn password 7 0614012F1D1C5A
username dkn password 7 13011C1C5A5E57
username jsn password 7 09465D07485744
username jbn password 7 05010401701E1D
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 ssid SthlmDev
 !
 ssid SthlmEco
 !
 ssid SthlmGuest
 !
 ssid SthlmProd
 !
 ssid SthlmSales
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled
!
interface Dot11Radio0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
 bridge-group 40 subscriber-loop-control
 bridge-group 40 block-unknown-source
 no bridge-group 40 source-learning
 no bridge-group 40 unicast-flooding
 bridge-group 40 spanning-disabled
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 bridge-group 70 subscriber-loop-control
 bridge-group 70 block-unknown-source
 no bridge-group 70 source-learning
 no bridge-group 70 unicast-flooding
 bridge-group 70 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled
!
interface FastEthernet0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
 no bridge-group 40 source-learning
 bridge-group 40 spanning-disabled
!
interface FastEthernet0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
 no bridge-group 70 source-learning
 bridge-group 70 spanning-disabled
!
interface BVI1
 ip address 192.168.36.10 255.255.255.0
 ip helper-address 192.168.35.3
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.35.3 auth-port 1645 acct-port 1646 key 7 01350A115D0D1F5D73
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
line vty 0 4
!
end

Debug radius authentication:

-- debug radius authentication
RADIUS/ENCODE(0000002F): orig. component type = DOT11
RADIUS: AAA Unsupported Attr: ssid  10
RADIUS:  53 74 68 6C 6D 53 61 6C  [SthlmSal]
RADIUS: AAA Unsupported Attr: interface  3
RADIUS:  32
RADIUS(0000002F): Storing nasport 299 in rad_db
RADIUS(0000002F): Config NAS IP: 192.168.36.10
RADIUS/ENCODE(0000002F): acct_session_id: 47
RADIUS(0000002F): Config NAS IP: 192.168.36.10
RADIUS(0000002F): sending
RADIUS(0000002F): Send Access-Request to 192.168.35.3:1645 id 1645/39, len 124
RADIUS:  authenticator 2D 00 83 8F 72 4C 89 82 - 17 B9 5A 34 7B 77 83 BC
RADIUS:  User-Name  5  "rnn"
RADIUS:  Framed-MTU  6  1400
RADIUS:  Called-Station-Id  16  "000f.907b.5ed0"
RADIUS:  Calling-Station-Id  16  "0040.96a6.3432"
RADIUS:  Service-Type  6  Login
RADIUS:  Message-Authenticato  18  *
RADIUS:  EAP-Message  10
RADIUS:   02 01 00 08 01 72 6E 6E  [?????rnn]
RADIUS:  NAS-Port-Type  6  802.11 wireless
RADIUS:  NAS-Port  6  299
RADIUS:  NAS-IP-Address  6  192.168.36.10
RADIUS:  Nas-Identifier  9  "SthlmAP"
RADIUS: no sg in radius-timers: ctx 0xA5F298 sg 0x0000
RADIUS: Retransmit to (192.168.35.3:1645,1646) for id 1645/39
RADIUS: no sg in radius-timers: ctx 0xA5F298 sg 0x0000
RADIUS: Retransmit to (192.168.35.3:1645,1646) for id 1645/39
RADIUS: no sg in radius-timers: ctx 0xA5F298 sg 0x0000
RADIUS: Retransmit to (192.168.35.3:1645,1646) for id 1645/39
RADIUS: no sg in radius-timers: ctx 0xA5F298 sg 0x0000
RADIUS: No response from (192.168.35.3:1645,1646) for id 1645/39
RADIUS/DECODE: parse response no app start; FAIL
RADIUS/DECODE: parse response; FAIL
%DOT11-7-AUTH_FAILED: Station 0040.96a6.3432 Authentication failed
February 2nd, 2008 3:05pm
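A small triage script for the kind of "debug radius authentication" output quoted in the post above, added here as an example and not part of the original thread. It parses the Access-Request attribute lines, decodes the EAP-Message (the EAP Response/Identity for "rnn"), counts retransmits, and separates a server that never answers from one that sends an Access-Reject, which is the distinction that matters when IAS logs nothing. The sample input is a constructed excerpt in the post's debug format; the format of an IOS "Received from ... Access-Reject" line is an assumption, since the post never shows a reply.

```python
import re
# Constructed excerpt in the shape of the "debug radius authentication" output
# quoted in the post above: one Access-Request, three retransmits, no reply.
SAMPLE_DEBUG = """\
RADIUS: User-Name  5 "rnn"
RADIUS: Message-Authenticato 18 *
RADIUS: EAP-Message  10
RADIUS: 02 01 00 08 01 72 6E 6E [?????rnn]
RADIUS: Retransmit to (192.168.35.3:1645,1646) for id 1645/39
RADIUS: Retransmit to (192.168.35.3:1645,1646) for id 1645/39
RADIUS: Retransmit to (192.168.35.3:1645,1646) for id 1645/39
RADIUS: No response from (192.168.35.3:1645,1646) for id 1645/39
"""

ATTR_RE = re.compile(r'^RADIUS:\s+([A-Za-z-]+)\s+(\d+)(?:\s+(.*))?$')
HEX_RE = re.compile(r'((?:[0-9A-F]{2} )+[0-9A-F]{2})')
REPLY_RE = re.compile(r'Received from .*Access-(Accept|Reject|Challenge)')  # assumed IOS reply format

def decode_eap(hex_str):
    """Decode the EAP packet carried in EAP-Message (RFC 3748 header)."""
    raw = bytes.fromhex(hex_str.replace(' ', ''))
    if int.from_bytes(raw[2:4], 'big') != len(raw):
        raise ValueError('EAP length field does not match payload')
    out = {'code': {1: 'Request', 2: 'Response'}.get(raw[0], raw[0]), 'id': raw[1], 'type': raw[4]}
    if raw[4] == 1:                                   # EAP type 1 = Identity
        out['identity'] = raw[5:].decode()
    return out

def triage(debug_text):
    """Summarise one Access-Request exchange from IOS RADIUS debug output."""
    attrs, last, res = {}, None, {'retransmits': 0, 'response': None}
    for line in debug_text.splitlines():
        if 'Retransmit to' in line:
            res['retransmits'] += 1
        elif 'No response from' in line:
            res['response'] = 'none'
        elif (m := REPLY_RE.search(line)):
            res['response'] = m.group(1)
        elif (m := ATTR_RE.match(line)):
            last = m.group(1)
            attrs[last] = m.group(3) or ''
        elif last == 'EAP-Message' and (m := HEX_RE.search(line)):
            attrs[last] += ' ' + m.group(1)           # hex dump continues on the next line
    hexm = HEX_RE.search(attrs.get('EAP-Message', ''))
    res['eap'] = decode_eap(hexm.group(1)) if hexm else None
    # Silence is not a credential failure: IAS answers bad credentials with Access-Reject.
    verdicts = {'none': 'server silent: check reachability, RADIUS client entry and server certificate',
                'Reject': 'explicit reject: check credentials and the IAS remote access policy'}
    res['verdict'] = verdicts.get(res['response'], 'challenge or accept seen: EAP conversation is progressing')
    return res
```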
I am pretty sure that you are delving into the "not officially supported" realm of IAG... IAG supports IE, and that is about it. Also, I would be cautious if asked to place AD on the same server as IAG and ISA. To get creative, what I would try to do would be to rely on the ISA component of IAG. Place some rules ahead of the myriad of IAG rules that are automatically created and have the ISA server forward cert authentication to AD. I really think that IAG is going to be a very big challenge, so if you can have the relatively predictable functionality of ISA kick in first, that might make things easier...
February 3rd, 2008 3:07am
Make sure that RADIUS packets are reaching your RADIUS server. Check the application log on the MS RADIUS server and, if there is no sign of it hearing the RADIUS requests, put an ip default gateway entry onto your NAS so it can reach the RADIUS server. If you are using MS-CHAP and PEAP, make sure you have a cert on the RADIUS server that matches the client cert. I uncheck the option in the client to validate/verify the cert when authenticating. This guarantees that intervening firewalls or NAC devices won't block the process. Finally, put in an ip radius source-interface of loopback0 and make sure loopback0 is reachable (test with ping for a start) from the RADIUS server and vice versa. I guess in summary, check the IP connectivity from the RADIUS server to the Aironet. I have authentication working fine this way, but good luck with the VLAN assignments. I cannot get the Cisco Aironet to respect the VLAN assignment from the RADIUS server no matter what I do, and Cisco TAC hasn't been much help so far.
Dan Sichel, Ponderosa Telephone
March 11th, 2008 12:00am
Try configuring the AP with a basic running configuration with a single broadcast SSID (without VLANs)... it simplifies things, particularly during debug. Check the event log on IAS... what are you seeing?.. Look for Event ID 2 and make sure that it's doing PEAP (and not, for example, EAP-TLS)... Also make sure that you've got the necessary certs on both client and RADIUS server from your Enterprise CA... the RADIUS server requires a server authentication certificate... Check out "Secure Wireless LAN with Certificate Services", as there are certain conditions that the cert needs to conform to: http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en If this is a single test machine then you can probably install the cert manually. If you're going to be doing this for lots of clients then you'll want to do it via AD.
Cheers, Mylo
March 11th, 2008 11:15pm
Thanks for the replies, guys! The problem has already been solved; it was all about handling signing of the certificates. We hadn't really implemented any service or tool to do such. The IAS log didn't show any error messages at all, which is suggested to be a common sign of problems related to the certificates. The notifications in the RADIUS debug about unsupported RADIUS attributes still occur when the system/network is fully functional.
March 12th, 2008 6:52pm
JB84, can you tell me what you did to fix this problem? We're having exactly the same thing here since we made the authentication go through the firewall. Nothing in the IAS logs unless the AP has the wrong password, etc. Debug on an AP gives "no sg in radius-timers". Thanks.
April 10th, 2008 2:10pm