
Cisco Aironet 1300...

jlazzaro

Golden Member
May 6, 2004
I've set up more secure access points using AES encryption and 802.1x RADIUS authentication than I care to remember... this Cisco is just a PITA. Never had this many problems setting a simple AES cipher and defining a RADIUS server for PEAP.

Looking through the docs, they have a brief overview of setting the authentication type to an SSID. Here is their example of setting the SSID with EAP and authentication to server adam:

ap# configure terminal
ap(config)# configure interface dot11radio 0
ap(config-if)# ssid bridgeman
ap(config-ssid)# authentication open eap adam
ap(config-ssid)# end


However, when I go into the CLI and try those commands, this is what I get:

ap#config t
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#interface dot11Radio 0
ap(config-if)#ssid WIRELESS
ap(config-if-ssid)#?
ssid configuration commands:
dot1x SSID Config Commands for IEEE 802.1X


No authentication commands are available to the SSID, just the dot1x.

Below is the configuration output from the setup using the GUI. I've tried pretty much every encryption and authentication combination possible trying to get this thing going. Radius servers are set, aes-ccm as the cipher, network eap as authentication. Still nothing...


Current configuration : 2243 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$PJxV$xP2l.DCkHsh8YINs1XF1M/
!
ip subnet-zero
ip name-server 155.78.60.21
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server x.x.60.18 auth-port 1812 acct-port 1813
server x.x.60.75 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server x.x.60.18 auth-port 1812 acct-port 1813
server x.x.60.75 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid USACE
authentication network-eap eap_methods
authentication key-management wpa
!
!
!
username Cisco password 7 123A0C041104
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 80 in
!
interface BVI1
ip address 155.78.75.14 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 155.78.60.18 auth-port 1812 acct-port 1813 key 7 104F0B15014643
radius-server host 155.78.60.75 auth-port 1812 acct-port 1813 key 7 050A0403251D1F
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
 

jlazzaro

Golden Member
May 6, 2004
It's running 2nd to the newest IOS, c1310-k9w7-tar.123-8.JA2

It was running the newest IOS, c1310-k9w7-tar.123-8.JEA, but I bumped it back one version for shits and giggles.
 

spidey07

No Lifer
Aug 4, 2000
I'd just reset it and start over via the web. When it comes to authentication/encryption the web is actually easier because of all the AAA commands you need.

The docs should be out there on how to configure it. Basically you set your encryption, then the ssid, then the radius servers.
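
The three steps named in the reply above (encryption, SSID, RADIUS servers) leave cross-references in the config that all have to line up. The following is an added example, not code from the thread or from Cisco: a Python check of those references, where `audit` and the sample config are hypothetical, and it assumes the global `dot11 ssid` form seen in the posted config, with an SSID attached to a radio by an `ssid NAME` line under the interface.

```python
# Constructed sample in the style of the posted config (names and 192.0.2.x addresses are made up).
SAMPLE = """\
aaa group server radius rad_eap
server 192.0.2.18 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid LAB
authentication network-eap eap_methods
authentication key-management wpa
interface Dot11Radio0
encryption mode ciphers aes-ccm
radius-server host 192.0.2.18 auth-port 1812 acct-port 1813
"""

def audit(config):
    """Return broken cross-references between SSID, radio, AAA and RADIUS lines."""
    groups, methods, ssids, radios, hosts = {}, {}, {}, {}, set()
    section = None  # body of the block being read; indentation is not relied on
    for line in (l.strip() for l in config.splitlines()):
        w = line.split()
        if not w or w[0] == "!":
            continue  # "!" also appears inside blocks, so it does not end one
        if line.startswith("aaa group server radius "):
            section = groups.setdefault(w[4], [])
        elif line.startswith("dot11 ssid "):
            section = ssids.setdefault(w[2], [])
        elif w[0] == "interface":
            section = radios.setdefault(w[1], []) if w[1].startswith("Dot11Radio") else []
        elif line.startswith("aaa authentication login ") and "group" in w:
            methods[w[3]], section = w[w.index("group") + 1], None
        elif line.startswith("radius-server host "):
            hosts.add(w[2])
            section = None
        elif section is not None:
            section.append(line)
    problems = []
    for name, body in ssids.items():
        for m in (l.split()[2] for l in body if l.startswith("authentication network-eap ")):
            servers = [l.split()[1] for l in groups.get(methods.get(m), []) if l.startswith("server ")]
            if m not in methods:
                problems.append(f"ssid {name}: method list {m} is not defined")
            elif not servers:
                problems.append(f"ssid {name}: group {methods[m]} has no servers")
            problems += [f"ssid {name}: no radius-server host for {s}" for s in servers if s not in hosts]
        attached = [r for r, b in radios.items() if f"ssid {name}" in b]
        if not attached:
            problems.append(f"ssid {name}: not attached to any radio interface")
        for r in attached:
            if not any(l.startswith("encryption mode ciphers ") for l in radios[r]):
                problems.append(f"{r}: no cipher set for ssid {name}")
    return problems
```

Calling `audit(SAMPLE)` reports the one reference the constructed sample leaves out; an empty list means every SSID resolves to a radio, a cipher, a method list and a defined RADIUS host.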