RaymondT

join:2012-10-08

[Config] Cisco 877W authenticated through radius but no traffic

I have a Cisco 877W and I've got two WPA Enterprise SSIDs running on it. The RADIUS authentication is not the issue; it's that when I connect to the first SSID I get access to the internal network, but when I connect to the guest SSID I get 60 received packets in the connection status window with 0 sent packets, even after pinging the router.

This is my network setup



The blue SSID is for access to the internal network (past the RADIUS/TMG server).
The red one is for guest access to the internet without filtering (allowed RADIUS access).

This is my config. The only thing I can think of is that the guest SSID isn't on the native VLAN.

I've made sure I'm using a static IP to test this, and after connecting the client can't ping the router, nor can the router ping the client.

Syslog shows no issues with the authentication.

[config]
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname Cisco877W
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.3
!
aaa group server radius rad_mac
 server 10.0.0.3
!
aaa group server radius rad_acct
 server 10.0.0.3
!
aaa group server radius rad_admin
 server 10.0.0.3
!
aaa group server radius rad_pmip
 server 10.0.0.3
!
aaa group server radius dummy
!
aaa group server radius sdm-vpn-server-group-1
 server 10.0.0.3
!
aaa group server radius sdm-vpn-server-group-2
 server 10.0.0.3
!
aaa authentication login default group radius local
aaa authentication login local_authen local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login sdm_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
aaa authentication login sdm_vpn_xauth_ml_2 passwd-expiry group sdm-vpn-server-group-2
aaa authorization exec local_author local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-1
aaa authorization network sdm_vpn_group_ml_2 group sdm-vpn-server-group-2
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-
 certificate self-signed 01

  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
dot11 syslog
dot11 vlan-name External-VLAN vlan 10
dot11 vlan-name Internal-VLAN vlan 1
!
dot11 ssid GuestWiFi
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 accounting acct_methods
 mbssid guest-mode
!
dot11 ssid mydomain.com
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 accounting acct_methods
 mbssid guest-mode
!
no ip source-route
!
!
!
ip cef
no ip bootp server
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]
!
!
username localadmin privilege 15 secret 5 $1$e47g$a5oIXFDS08EhlkvWmILVQ/
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile sdm-ike-profile-1
   match identity group VPNUsers
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac comp-lzs
!
crypto ipsec profile SDM_Profile1
 set transform-set AES
 set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered BVI1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 beacon period 50
 beacon dtim-period 50
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid GuestWiFi
 !
 ssid mydomain.com
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 packet retries 50
 fragment-threshold 2307
 station-role root
 rts threshold 2306
 rts retries 50
 world-mode dot11d country IE indoor
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
 ip helper-address 10.0.0.1
 ip flow ingress
 ip flow egress
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 10
 ip address 10.0.3.1 255.255.255.0
 ip helper-address 10.0.0.1
 ip flow ingress
 ip flow egress
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 no ip address
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan10
 no ip address
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname eircom
 ppp chap password
 no cdp enable
!
interface BVI1
 description $FW_INSIDE$
 ip address 10.0.0.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface BVI2
 description $FW_INSIDE$
 ip address 10.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-export version 9
ip flow-export destination 10.0.0.1 2055
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip radius source-interface BVI1
logging 10.0.0.1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
radius-server local
 nas 10.0.0.3 key 7
!
radius-server host 10.0.0.3 key 7
!
!
control-plane
!
bridge 1 route ip
bridge 2 route ip
banner login ^C
^C
!
line con 0
 login authentication local_authen
 no modem enable
line aux 0
 login authentication local_authen
line vty 0 4
 transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
sntp server 10.0.0.2
sntp source-interface Vlan1
end
[/config]



Bigzizzzle
join:2005-01-27
Franklin, TN

Re: [Config] Cisco 877W authenticated through radius but no traf

Is a Microsoft server doing the DHCP requests and configured as the relay agent?

Is the access list getting incremented on the guest subnet?


RaymondT

join:2012-10-08

The router is the DHCP relay, and I've tested DHCP functionality on the other SSID.

The only access list I have is an SDM-generated one, which has the guest Wi-Fi subnet 10.0.3.1.

I've checked the TMG server logs and nothing is being blocked there.


RaymondT

join:2012-10-08

Upon checking the access list using show ip access list 1, I'm not getting any hits for the wired subnets.

10 permit 10.0.0.0, wildcard bits 0.0.0.255 (5 matches)
20 permit 10.0.1.0, wildcard bits 0.0.0.255
30 permit 10.0.2.0, wildcard bits 0.0.0.255 (278 matches)
40 permit 10.0.3.0, wildcard bits 0.0.0.255

Also, I now can't ping the wireless client 10.0.1.2.


RaymondT

join:2012-10-08

Solved this. If anyone else has this problem, avoid bridge groups altogether: just use the Advanced IP IOS and set a VLAN for each interface.
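One way to lay the guest side out along the lines of that last post. This is an added illustration, not the poster's final running-config: VLAN 10 is routed directly on the radio subinterface (no bridge-group, no BVI2), and an inbound access list lets guests reach DHCP and the internet but not the internal 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24 ranges, which also covers the RADIUS server and the router's BVI1 address. Addresses are the ones from the thread; the access-list name GUEST-IN and the DNS line are assumptions.

```cisco
! Added example, not the poster's final config. Guest side rebuilt without
! bridging: VLAN 10 is routed on the radio subinterface itself, so 10.0.3.1
! is the guests' gateway and the DHCP relay source. ACL name GUEST-IN assumed.
!
! 1. Take the guest bridge group apart (members first, then BVI2 and bridge 2).
interface Vlan10
 no bridge-group 2
!
interface Dot11Radio0.2
 no bridge-group 2
!
no interface BVI2
no bridge 2 route ip
!
! 2. Route the guest SSID directly on its VLAN subinterface. NAT inside moves
!    here from BVI2; access-list 1 already lists 10.0.3.0/24 for the overload.
interface Dot11Radio0.2
 encapsulation dot1Q 10
 ip address 10.0.3.1 255.255.255.0
 ip helper-address 10.0.0.1
 ip access-group GUEST-IN in
 ip nat inside
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
! 3. Keep guests off the internal ranges. Order matters: DHCP and the gateway
!    ping first, then the denies, then the catch-all permit for the internet.
ip access-list extended GUEST-IN
 remark DHCP discover/request/renew to the relay on this interface
 permit udp any eq bootpc any eq bootps
 remark assumed: only needed if the DHCP scope hands guests the internal resolver
 permit udp 10.0.3.0 0.0.0.255 host 10.0.0.1 eq domain
 remark guests may ping their gateway for testing, but nothing else on the router
 permit icmp 10.0.3.0 0.0.0.255 host 10.0.3.1 echo
 deny   ip 10.0.3.0 0.0.0.255 host 10.0.3.1
 remark no guest traffic into the wired LAN, the internal Wi-Fi or the old BVI2 subnet
 deny   ip 10.0.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
 deny   ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
 remark everything else leaves through NAT on Dialer0
 permit ip 10.0.3.0 0.0.0.255 any
```

After applying it, show ip access-lists GUEST-IN gives per-line match counters for the guest side, which is the check the thread was doing with access-list 1, and show ip interface Dot11Radio0.2 confirms the inbound list is attached. The deny for host 10.0.3.1 is what stops guests from reaching the router's own HTTP and SSH services through their gateway; the vty access-class and ip http access-class remain the right place to restrict management from every other interface.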