http://www.dslreports.com/forum/Config-Cisco-877W-authenticated-through-radius-but-no-traffic-27602954 en Fri, 24 May 2013 04:57:17 EDT Fri, 24 May 2013 04:57:17 EDT http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27617827 http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27617827 Fri, 12 Oct 2012 21:17:20 EDT http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27603848
10 permit 10.0.0.0, wildcard bits 0.0.0.255 (5 matches)
20 permit 10.0.1.0, wildcard bits 0.0.0.255
30 permit 10.0.2.0, wildcard bits 0.0.0.255 (278 matches)
40 permit 10.0.3.0, wildcard bits 0.0.0.255

Also I can now not ping the wireless client 10.0.1.2 ]]> http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27603848 Tue, 09 Oct 2012 08:28:49 EDT http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27603618
The only access list I have is a sdm generated one which has the guest wifi subnet 10.0.3.1.

Ive checked in the tmg server logs and nothing is being blocked there]]> http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27603618 Tue, 09 Oct 2012 05:42:15 EDT http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27603184
Is the Access-list getting incremented on the Guest Subnet?]]> http://www.dslreports.com/forum/Re-Config-Cisco-877W-authenticated-through-radius-but-no-traf-27603184 Mon, 08 Oct 2012 22:17:01 EDT http://www.dslreports.com/forum/Config-Cisco-877W-authenticated-through-radius-but-no-traffic-27602954
This is my network setup



The blue ssid is for access to the internal network (past the radius/tmg server)
The red one is for guest access to the internet without filtering (allowed radius access)

This is my config, The only thing I can think of is the guest ssid isn't on the native vlan.

I've made sure im using a static ip to test this and after connection the client cant ping the router nor the router the client

Syslog shows no issues with the authentication

[config]version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname Cisco877W
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.0.0.3
!
aaa group server radius rad_mac
server 10.0.0.3
!
aaa group server radius rad_acct
server 10.0.0.3
!
aaa group server radius rad_admin
server 10.0.0.3
!
aaa group server radius rad_pmip
server 10.0.0.3
!
aaa group server radius dummy
!
aaa group server radius sdm-vpn-server-group-1
server 10.0.0.3
!
aaa group server radius sdm-vpn-server-group-2
server 10.0.0.3
!
aaa authentication login default group radius local
aaa authentication login local_authen local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login sdm_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
aaa authentication login sdm_vpn_xauth_ml_2 passwd-expiry group sdm-vpn-server-group-2
aaa authorization exec local_author local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-1
aaa authorization network sdm_vpn_group_ml_2 group sdm-vpn-server-group-2
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate
revocation-check none
rsakeypair TP-self-signed
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-
certificate self-signed 01

quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
dot11 syslog
dot11 vlan-name External-VLAN vlan 10
dot11 vlan-name Internal-VLAN vlan 1
!
dot11 ssid GuestWiFi
vlan 10
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
!
dot11 ssid mydomain.com
vlan 1
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
!
no ip source-route
!
!
!
ip cef
no ip bootp server -----
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
!
!
username localadmin privilege 15 secret 5 $1$e47g$a5oIXFDS08EhlkvWmILVQ/
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp profile sdm-ike-profile-1
match identity group VPNUsers
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac comp-lzs
!
crypto ipsec profile SDM_Profile1
set transform-set AES
set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
beacon period 50
beacon dtim-period 50
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
ssid GuestWiFi
!
ssid mydomain.com
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 50
fragment-threshold 2307
station-role root
rts threshold 2306
rts retries 50
world-mode dot11d country IE indoor
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip address 10.0.1.1 255.255.255.0
ip helper-address 10.0.0.1
ip flow ingress
ip flow egress
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 10
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.0.1
ip flow ingress
ip flow egress
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
no ip address
ip flow ingress
ip flow egress
ip virtual-reassembly in
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan10
no ip address
ip flow ingress
ip flow egress
ip virtual-reassembly in
bridge-group 2
bridge-group 2 spanning-disabled
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname eircom
ppp chap password
no cdp enable
!
interface BVI1
description $FW_INSIDE$
ip address 10.0.0.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface BVI2
description $FW_INSIDE$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-export version 9
ip flow-export destination 10.0.0.1 2055
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip radius source-interface BVI1
logging 10.0.0.1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
radius-server local
nas 10.0.0.3 key 7
!
radius-server host 10.0.0.3 key 7
!
!
control-plane
!
bridge 1 route ip
bridge 2 route ip
banner login ^C
^C
!
line con 0
login authentication local_authen
no modem enable
line aux 0
login authentication local_authen
line vty 0 4
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
sntp server 10.0.0.2
sntp source-interface Vlan1
end
[/config]]]> http://www.dslreports.com/forum/Config-Cisco-877W-authenticated-through-radius-but-no-traffic-27602954 Mon, 08 Oct 2012 21:02:57 EDT