EAP Authentication on ACS 5.3 with Access Points

Document ID: 116598

Updated: Oct 23, 2013

Contributed by Ishant Varshney, Cisco TAC Engineer.

Introduction

This document describes a sample configuration of a Cisco IOS® software-based access point (AP) for Extensible Authentication Protocol (EAP) authentication of wireless users against a database accessed by a RADIUS server.

The AP bridges wireless packets from the client into wired packets destined for the authentication server, and vice versa. Because the AP plays this passive role in EAP, this configuration works with virtually all EAP methods. These methods include, but are not limited to, Lightweight EAP (LEAP), Protected EAP (PEAP)-Microsoft Challenge Handshake Authentication Protocol (MSCHAP) version 2, PEAP-Generic Token Card (GTC), EAP-Flexible Authentication via Secure Tunneling (FAST), EAP-Transport Layer Security (TLS), and EAP-Tunneled TLS (TTLS). You must configure the authentication server appropriately for each of these EAP methods.

This document describes how to configure the AP and the RADIUS server, which is a Cisco Secure Access Control Server (ACS) 5.3 in this sample configuration.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Familiarity with the Cisco IOS software GUI or command-line interface (CLI)
  • Familiarity with the concepts of EAP authentication

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Aironet 3602 Access Point that runs Cisco IOS Software Release 15.2(2)JB
  • Cisco Secure Access Control Server 5.3

This configuration example assumes there is only one VLAN in the network.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

This document uses this configuration for both the GUI and the CLI:

  • The IP address of the AP is 10.105.136.11.
  • The IP address of the RADIUS server (the ACS) is 10.106.55.91.

Configuration with GUI

Define Authentication Server

This procedure describes how to define the authentication server and establish a relationship with it.

  1. In the AP GUI, navigate to Security > Server Manager.

  2. In the Corporate Servers section, enter the IP address of the authentication server (10.106.55.91) in the Server field.

  3. Specify the Shared Secret, the Authentication Port, and the Accounting Port. You can use ports 1813, 1814 or 1645, 1646.

  4. Click Apply in order to create the definition and populate the drop-down lists.

  5. In the Default Server Priorities section, set the EAP Authentication Priority 1 field to the server IP address (10.106.55.91).

  6. Click Apply.

Configure ACS

If you send users to an external RADIUS server, the AP needs to be an authentication, authorization, and accounting (AAA) client for this external RADIUS server. This procedure describes how to configure the ACS.

  1. In the Cisco Secure ACS GUI, click Network Resources. In ACS 5.3, devices can be grouped by locations.

  2. Create a location. Under Network Device Groups, click Location, then click Create. In the Name field, enter a location name (IOS_lab). Enter a description (IOS LAB) for this location. Select the general All Locations as the Parent location. Click Submit to validate.

  3. Create a group for the IOS APs. Click Device Type. Click Create to create a new group. In the Name field, enter a group name (IOS_APs). Enter a description (IOS APs in the LAB) for this group. Select All Device Types as the Parent. Click Submit to validate.

  4. Add the AP. Click Network Devices and AAA Clients. In the Name field, enter the name of your IOS AP (AP). Enter a description for that AP (IOS AP).

    Under Network Device Groups, next to the Location field, click Select, check the box next to IOS_lab, and click OK to validate. Under IP Address, be sure Single IP Address is enabled, and enter the IP address of your AP (10.105.136.11).

    Under Authentication Options, check RADIUS. In the Shared Secret field, enter a secret (Cisco). Keep the other values to their defaults. Click Submit to validate.

  5. Add the wireless user credentials. Navigate to Users and Identity Stores > Identity Groups. Click Create to create a new group. In the Name field, enter a group name (EAP_Users). Enter a description (Users for EAP wireless). Click Submit to validate.

  6. Create a user in this group. Click Users. Click Create to create a new user. In the Name field, enter a username (radius). Ensure that the user Status is Enabled. Enter a description for the user (test radius). Next to the Identity Group field, click Select, check the box next to EAP_Users, and click OK to validate.

    Under Password Information, enter <password> in the Password and Confirm Password fields. Because this user needs access to the network but does not need access to any Cisco device for management, there is no need for an Enable Password.

  7. Click Submit to validate. The new user appears in the list, and the ACS is now ready.

  8. Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles in order to verify that the user is granted access permission. There should be a PermitAccess profile. Users that receive this profile are granted access to the network.

  9. Navigate to Access Policies > Access Services > Default Device Admin to examine the authorization. Make sure that Identity, Group Mapping, and Authorization are checked.

  10. Click the Allowed Protocols tab, select the boxes for required EAP methods, and click Submit to validate.

Configure SSID

This procedure describes how to configure the service set identifier (SSID) on the AP.

  1. In the AP GUI, navigate to Security > SSID Manager. Click New, enter the SSID name (radius), enable both radio interfaces, and click Apply.

  2. Navigate to Security > Encryption Manager, select AES CCMP as the Cipher, and click Apply-All to apply this encryption on both radios.

  3. Navigate to Security > SSID Manager, and select the radius SSID. In the Client Authentication Settings section, check Open Authentication, select with EAP from the drop-down list, and check Network EAP.

    In the Client Authenticated Key Management section, select Mandatory from the Key Management drop-down list, check Enable WPA, and select WPAv2 from the drop-down list. Click Apply.

  4. In order to broadcast this SSID on both radios, find the Guest Mode/Infrastructure SSID Settings section on the same page. For both radios, set the Beacon Mode to Single BSSID, and select the SSID name (radius) from the Set Single Guest Mode SSID drop-down list. Click Apply.

  5. Navigate to Network > Network Interface > Radio0-802.11N 2.4GHz > Settings and click Enable; repeat for the other radio so that both radio interfaces are enabled.

  6. Test the client connectivity.

Configuration with CLI

Notes:

Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

This is the same configuration as seen from the CLI:

show run
Building configuration...

Current configuration : 2511 bytes
!
! Last configuration change at 01:17:48 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$1u04$jr7DG0DC5KZ6bVaSYUhck0
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.106.55.91
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
!
ip dhcp pool test
!
!
!
dot11 syslog
!
dot11 ssid radius
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 0802455D0A16
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid radius
 !
 antenna gain 0
 stbc
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid radius
 !
 antenna gain 0
 dfs band 3 block
 stbc
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.105.136.11 255.255.255.128
!
ip default-gateway 10.105.136.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.105.136.1
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.106.55.91 key 7 00271A1507545A545C606C
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

Verify

Use this section to confirm that your configuration works properly.

Connect the client; after successful authentication, this is the configuration summary that appears in the AP GUI:

Note: The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

In the CLI, enter the show dot11 associations command in order to confirm the configuration:

ap#show dot11 associations 

802.11 Client Stations on Dot11Radio0:

SSID [radius] :

MAC Address    IP address      Device        Name         Parent      State
f8db.7f75.7804 10.105.136.116  unknown       -            self        EAP-Assoc

You can also enter the show radius server-group all command in order to display a list of all configured RADIUS server-groups on the AP.

Troubleshoot

This procedure describes how to troubleshoot your configuration.

  1. In the client-side utility or software, create a new profile or connection with the same or similar parameters in order to ensure that nothing has become corrupted in the client configuration.

  2. Radio frequency (RF) issues can prevent successful authentication. Temporarily disable authentication in order to eliminate this possibility:

    • From the CLI, enter these commands:

      • no authentication open eap eap_methods
      • no authentication network-eap eap_methods
      • authentication open

    • From the GUI, on the SSID Manager page, uncheck Network-EAP, check Open, and set the drop-down list to No Addition.

      If the client associates successfully with authentication disabled, RF is not the cause of the problem.

  3. Verify that the shared secret passwords are synchronized between the AP and the authentication server. Otherwise, you might receive this error message:

    Invalid message authenticator in EAP request
    • From the CLI, check the line:

      radius-server host x.x.x.x auth-port x acct-port x key <shared_secret>
    • From the GUI, on the Server Manager page, re-enter the shared secret for the appropriate server in the Shared Secret field.

      The shared secret entry for the AP on the RADIUS server must contain the same shared secret password.

  4. Remove any user groups from the RADIUS server. Conflicts can occur between user groups defined by the RADIUS server and user groups in the underlying domain. Check the logs of the RADIUS server for failed attempts and for the reasons for the failures.

Note: Refer to Important Information on Debug Commands before you use debug commands.

Use these debug commands in order to investigate and display the negotiations among devices:

  • debug dot11 aaa authenticator state-machine
  • debug radius authentication
  • debug aaa authentication

debug dot11 aaa authenticator state-machine

This command displays major divisions (or states) of the negotiation between the client and the authentication server. This is an example of output from a successful authentication:

ap#debug dot11 aaa authenticator state-machine
state machine debugging is on
ap#
*Mar  1 01:38:34.919: dot11_auth_dot1x_send_id_req_to_client: Sending identity
request to f8db.7f75.7804

*Mar  1 01:38:34.919: dot11_auth_dot1x_send_id_req_to_client: Client
f8db.7f75.7804 timer started for 30 seconds
*Mar  1 01:38:35.431: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,
CLIENT_REPLY) for f8db.7f75.7804
*Mar  1 01:38:35.431: dot11_auth_dot1x_send_response_to_server: Sending client
f8db.7f75.7804 data to server

*Mar  1 01:38:35.431: dot11_auth_dot1x_send_response_to_server: Started timer
server_timeout 60 seconds
*Mar  1 01:38:35.435: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,
SERVER_REPLY) for f8db.7f75.7804
*Mar  1 01:38:35.435: dot11_auth_dot1x_send_response_to_client: Forwarding server
message to client f8db.7f75.7804

*Mar  1 01:38:35.435: dot11_auth_dot1x_send_response_to_client: Started timer
client_timeout 30 seconds
*Mar  1 01:38:35.443: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,
CLIENT_REPLY) for f8db.7f75.7804
*Mar  1 01:38:35.443: dot11_auth_dot1x_send_response_to_server: Sending client
f8db.7f75.7804 data to server

*Mar  1 01:38:35.443: dot11_auth_dot1x_send_response_to_server: Started timer
server_timeout 60 seconds
*Mar  1 01:38:35.447: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,
SERVER_REPLY) for f8db.7f75.7804
*Mar  1 01:38:35.447: dot11_auth_dot1x_send_response_to_client: Forwarding server
message to client f8db.7f75.7804
*Mar  1 01:38:35.447: dot11_auth_dot1x_send_response_to_client: Started timer
client_timeout 30 seconds
-------------------Lines Omitted for simplicity-------------------
*Mar  1 01:38:36.663: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,
SERVER_REPLY) for f8db.7f75.7804
*Mar  1 01:38:36.663: dot11_auth_dot1x_send_response_to_client: Forwarding server
message to client f8db.7f75.7804
*Mar  1 01:38:36.663: dot11_auth_dot1x_send_response_to_client: Started timer
client_timeout 30 seconds
*Mar  1 01:38:36.667: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,
CLIENT_REPLY) for f8db.7f75.7804
*Mar  1 01:38:36.667: dot11_auth_dot1x_send_response_to_server: Sending client
f8db.7f75.7804 data to server
*Mar  1 01:38:36.667: dot11_auth_dot1x_send_response_to_server: Started timer
server_timeout 60 seconds
*Mar  1 01:38:36.671: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,
SERVER_PASS) for f8db.7f75.7804

*Mar  1 01:38:36.671: dot11_auth_dot1x_send_response_to_client: Forwarding server
message to client f8db.7f75.7804

*Mar  1 01:38:36.671: dot11_auth_dot1x_send_response_to_client: Started timer
client_timeout 30 seconds
*Mar  1 01:38:36.719: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
f8db.7f75.7804 Associated KEY_MGMT[WPAv2]

debug radius authentication

This command displays the RADIUS exchange between the client and the server, which the AP bridges in both directions. This is an example of output from a successful authentication:

ap#debug radius authentication

*Mar  1 01:50:50.635: RADIUS/ENCODE(000001F6):Orig. component type = DOT11
*Mar  1 01:50:50.635: RADIUS:  AAA Unsupported Attr: ssid [347] 6
*Mar  1 01:50:50.635: RADIUS:   72 61 64 69 [ radi]
*Mar  1 01:50:50.635: RADIUS:  AAA Unsupported Attr: service-type [345] 4 1
*Mar  1 01:50:50.635: RADIUS:  AAA Unsupported Attr: interface [222] 3
*Mar  1 01:50:50.635: RADIUS:   32 [ 2]
*Mar  1 01:50:50.635: RADIUS(000001F6): Config NAS IP: 10.105.136.11
*Mar  1 01:50:50.635: RADIUS(000001F6): Config NAS IPv6:
*Mar  1 01:50:50.635: RADIUS/ENCODE(000001F6): acct_session_id: 491
*Mar  1 01:50:50.635: RADIUS(000001F6): Config NAS IP: 10.105.136.11
*Mar  1 01:50:50.635: RADIUS(000001F6): sending
*Mar  1 01:50:50.635: RADIUS(000001F6): Send Access-Request to 10.106.55.91:1645
id 1645/73, len 140

*Mar  1 01:50:50.635: RADIUS:  authenticator 0F 74 18 0E F3 08 ED 51 -
8B EA F7 31 AC C9 CA 6B
*Mar  1 01:50:50.635: RADIUS:  User-Name  [1]   8   "radius"
*Mar  1 01:50:50.635: RADIUS:  Framed-MTU  [12]  6   1400
*Mar  1 01:50:50.635: RADIUS:  Called-Station-Id   [30]  26  "1C-E6-C7-E1-D8-90:
radius"
*Mar  1 01:50:50.635: RADIUS:  Calling-Station-Id  [31]  16  "f8db.7f75.7804"
*Mar  1 01:50:50.635: RADIUS:  Service-Type [6]   6   Login  [1]
*Mar  1 01:50:50.635: RADIUS:  Message-Authenticato[80]  18
*Mar  1 01:50:50.635: RADIUS:   E3 E1 50 F8 2B 22 26 84 C1 F1 76 28 79 70 5F 78
[ P+"&v(yp_x]
*Mar  1 01:50:50.635: RADIUS:  EAP-Message [79]  13
*Mar  1 01:50:50.635: RADIUS:   02 01 00 0B 01 72 61 64 69 75 73
[ radius]
*Mar  1 01:50:50.635: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  1 01:50:50.635: RADIUS:  NAS-Port   [5]   6   282
*Mar  1 01:50:50.635: RADIUS:  NAS-Port-Id  [87]  5   "282"
*Mar  1 01:50:50.635: RADIUS:  NAS-IP-Address [4]   6   10.105.136.11
*Mar  1 01:50:50.635: RADIUS:  Nas-Identifier  [32]  4   "ap"
*Mar  1 01:50:50.635: RADIUS(000001F6): Sending a IPv4 Radius Packet
*Mar  1 01:50:50.635: RADIUS(000001F6): Started 5 sec timeout
*Mar  1 01:50:50.639: RADIUS: Received from id 1645/73 10.106.55.91:1645, Access
-Challenge, len 94

*Mar  1 01:50:50.639: RADIUS:  authenticator 5E A4 A7 B9 01 CC F4 20 -
2E D0 2A 1A A4 58 05 9E
*Mar  1 01:50:50.639: RADIUS:  State               [24]  32
*Mar  1 01:50:50.639: RADIUS:   32 37 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35
[27SessionID=acs5]
*Mar  1 01:50:50.639: RADIUS:   31 2F 31 36 35 34 38 39 35 31 31 2F 39 3B    [ 1
/165489511/9;]
*Mar  1 01:50:50.639: RADIUS:  EAP-Message         [79]  24
*Mar  1 01:50:50.639: RADIUS:   01 DC 00 16 11 01 00 08 00 CB 2A 0A 74 B3 77 AF
72 61 64 69 75 73         [ *twradius]
*Mar  1 01:50:50.639: RADIUS:  Message-Authenticato[80]  18
*Mar  1 01:50:50.643: RADIUS:   CC 44 D5 FE FC 86 BC 2D B0 89 61 69 4F 34 D1 FF
[ D-aiO4]
*Mar  1 01:50:50.643: RADIUS(000001F6): Received from id 1645/73
*Mar  1 01:50:50.643: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
*Mar  1 01:50:50.647: RADIUS/ENCODE(000001F6):Orig. component type = DOT11
*Mar  1 01:50:50.647: RADIUS:  AAA Unsupported Attr: ssid              [347] 6
*Mar  1 01:50:50.647: RADIUS:   72 61 64 69              [ radi]
*Mar  1 01:50:50.647: RADIUS:  AAA Unsupported Attr: service-type      [345] 4
1
*Mar  1 01:50:50.647: RADIUS:  AAA Unsupported Attr: interface         [222] 3
*Mar  1 01:50:50.647: RADIUS:   32                 [ 2]
*Mar  1 01:50:50.647: RADIUS(000001F6): Config NAS IP: 10.105.136.11
*Mar  1 01:50:50.647: RADIUS(000001F6): Config NAS IPv6:
*Mar  1 01:50:50.647: RADIUS/ENCODE(000001F6): acct_session_id: 491
*Mar  1 01:50:50.647: RADIUS(000001F6): Config NAS IP: 10.105.136.11
*Mar  1 01:50:50.647: RADIUS(000001F6): sending
*Mar  1 01:50:50.647: RADIUS(000001F6): Send Access-Request to 10.106.55.91:1645
id 1645/74, len 167
*Mar  1 01:50:50.647: RADIUS:  authenticator C6 54 54 B8 58 7E ED 60 - F8 E0 2E
05 B0 87 3B 76
*Mar  1 01:50:50.647: RADIUS:  User-Name           [1]   8   "radius"
*Mar  1 01:50:50.647: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 01:50:50.647: RADIUS:  Called-Station-Id   [30]  26  "1C-E6-C7-E1-D8-90:
radius"
*Mar  1 01:50:50.647: RADIUS:  Calling-Station-Id  [31]  16  "f8db.7f75.7804"
*Mar  1 01:50:50.647: RADIUS:  Service-Type        [6]   6   Login
[1]
*Mar  1 01:50:50.647: RADIUS:  Message-Authenticato[80]  18
*Mar  1 01:50:50.647: RADIUS:   FE 15 7B DB 49 FE 27 C5 BC E2 FE 83 B9 25 8C 1F
[ {I'?]
*Mar  1 01:50:50.647: RADIUS:  EAP-Message         [79]  8
*Mar  1 01:50:50.647: RADIUS:   02 DC 00 06 03 19
*Mar  1 01:50:50.647: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  1 01:50:50.647: RADIUS:  NAS-Port            [5]   6   282
*Mar  1 01:50:50.647: RADIUS:  NAS-Port-Id         [87]  5   "282"
*Mar  1 01:50:50.647: RADIUS:  State               [24]  32
*Mar  1 01:50:50.647: RADIUS:   32 37 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35
[27SessionID=acs5]
*Mar  1 01:50:50.647: RADIUS:   31 2F 31 36 35 34 38 39 35 31 31 2F 39 3B    [ 1
/165489511/9;]
*Mar  1 01:50:50.647: RADIUS:  NAS-IP-Address      [4]   6   10.105.136.11
*Mar  1 01:50:50.647: RADIUS:  Nas-Identifier      [32]  4   "ap"
*Mar  1 01:50:50.647: RADIUS(000001F6): Sending a IPv4 Radius Packet
*Mar  1 01:50:50.647: RADIUS(000001F6): Started 5 sec timeout
*Mar  1 01:50:50.647: RADIUS: Received from id 1645/74 10.106.55.91:1645, Access
-Challenge, len 78

*Mar  1 01:50:50.647: RADIUS:  authenticator 0E 81 99 9E EE 39 50 FB - 6E 6D 93
8C 8E 29 94 EC
*Mar  1 01:50:50.647: RADIUS:  State               [24]  32
*Mar  1 01:50:50.651: RADIUS:   32 37 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35
[27SessionID=acs5]
*Mar  1 01:50:50.651: RADIUS:   31 2F 31 36 35 34 38 39 35 31 31 2F 39 3B    [ 1
/165489511/9;]
*Mar  1 01:50:50.651: RADIUS:  EAP-Message         [79]  8
*Mar  1 01:50:50.651: RADIUS:   01 DD 00 06 19 21                 [ !]
*Mar  1 01:50:50.651: RADIUS:  Message-Authenticato[80]  18
*Mar  1 01:50:50.651: RADIUS:   A8 54 00 89 1F 2A 01 52 FE FA D2 58 2F E5 F2 86
[ T*RX/]
*Mar  1 01:50:50.651: RADIUS(000001F6): Received from id 1645/74
*Mar  1 01:50:50.651: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar  1 01:50:50.655: RADIUS/ENCODE(000001F6):Orig. component type = DOT11
*Mar  1 01:50:50.655: RADIUS:  AAA Unsupported Attr: ssid              [347] 6
*Mar  1 01:50:50.655: RADIUS:   72 61 64 69              [ radi]
*Mar  1 01:50:50.655: RADIUS:  AAA Unsupported Attr: service-type      [345] 4
1
*Mar  1 01:50:50.655: RADIUS:  AAA Unsupported Attr: interface         [222] 3
 
-------------------Lines Omitted for simplicity-------------------

11        [ l2^w$qM{60]
*Mar  1 01:50:51.115: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless
[19]
*Mar  1 01:50:51.115: RADIUS:  NAS-Port            [5]   6   282
*Mar  1 01:50:51.115: RADIUS:  NAS-Port-Id         [87]  5   "282"
*Mar  1 01:50:51.115: RADIUS:  State               [24]  32
*Mar  1 01:50:51.115: RADIUS:   32 37 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35
[27SessionID=acs5]
*Mar  1 01:50:51.115: RADIUS:   31 2F 31 36 35 34 38 39 35 31 31 2F 39 3B    [ 1
/165489511/9;]
*Mar  1 01:50:51.115: RADIUS:  NAS-IP-Address      [4]   6   10.105.136.11        
*Mar  1 01:50:51.115: RADIUS:  Nas-Identifier      [32]  4   "ap"
*Mar  1 01:50:51.115: RADIUS(000001F6): Sending a IPv4 Radius Packet
*Mar  1 01:50:51.115: RADIUS(000001F6): Started 5 sec timeout
*Mar  1 01:50:51.115: RADIUS: Received from id 1645/80 10.106.55.91:1645, Access
-Challenge, len 115
*Mar  1 01:50:51.115: RADIUS:  authenticator 74 CF 0F 34 1F 1B C1 CF -
E9 27 79 D5 F8 9C 5C 50
*Mar  1 01:50:51.467: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
f8db.7f75.7804 Associated KEY_MGMT[WPAv2]
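
The Troubleshoot step on a mismatched shared secret and the debug radius authentication output above come together in this added example (not Cisco code): it rebuilds the first Access-Request from the debug (id 1645/73, len 140) byte for byte and computes and verifies the Message-Authenticator attribute [80] the way the AP and ACS do, so that a wrong secret on either side shows up as a verification failure. It assumes the secret "Cisco" from the ACS GUI step; the AP's own secret is stored as a type 7 string, so the computed digest is not expected to equal the bytes shown in the debug.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS code and attribute types that appear in the Access-Request in the debug above
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_MTU = 1, 4, 5, 6, 12
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 61, 79, 80, 87
SECRET = b"Cisco"  # assumption: the secret entered in the ACS GUI step (the AP stores its own as type 7)
# Attribute values copied from the first Access-Request (id 1645/73, len 140) in the debug
REQUEST_AUTHENTICATOR = bytes.fromhex("0F74180EF308ED518BEAF731ACC9CA6B")
ATTRIBUTES = [
    (USER_NAME, b"radius"),
    (FRAMED_MTU, struct.pack("!I", 1400)),
    (CALLED_STATION_ID, b"1C-E6-C7-E1-D8-90:radius"),
    (CALLING_STATION_ID, b"f8db.7f75.7804"),
    (SERVICE_TYPE, struct.pack("!I", 1)),                     # Login
    (MESSAGE_AUTHENTICATOR, bytes(16)),                       # filled in by sign_access_request
    (EAP_MESSAGE, bytes.fromhex("0201000B01726164697573")),   # EAP Response/Identity "radius"
    (NAS_PORT_TYPE, struct.pack("!I", 19)),                   # 802.11 wireless
    (NAS_PORT, struct.pack("!I", 282)),
    (NAS_PORT_ID, b"282"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.105.136.11").packed),
    (NAS_IDENTIFIER, b"ap"),
]

def avp(atype, value):
    """Type-Length-Value; Length counts the two header bytes, so value is at most 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def serialize(code, ident, req_auth, attrs):
    body = b"".join(avp(t, v) for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), req_auth) + body

def find_attr(pkt, atype):
    """Offset of the first attribute of this type; None if absent or malformed."""
    off = 20
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            return None  # bad Length field: stop instead of looping forever
        if t == atype:
            return off
        off += length
    return None

def sign_access_request(ident, req_auth, secret, attrs):
    """Zero Message-Authenticator, HMAC-MD5 the whole packet with the shared
    secret, then patch the 16-byte digest in (RFC 3579, section 3.2)."""
    attrs = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    pkt = serialize(ACCESS_REQUEST, ident, req_auth, attrs)
    off = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if off is None:
        raise ValueError("Message-Authenticator attribute missing")
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:off + 2] + mac + pkt[off + 18:]

def verify_message_authenticator(pkt, secret):
    """Receiver side (what ACS does): recompute with the attribute zeroed and compare.
    A secret that differs between AP and ACS fails here, which is the
    'Invalid message authenticator in EAP request' case in the Troubleshoot section."""
    off = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if off is None or pkt[off + 1] != 18:
        return False
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pkt[off + 2:off + 18], expected)
```

The attribute lengths add up to the 140 bytes the debug reports, which is a quick way to confirm a reconstructed packet before comparing digests.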

debug aaa authentication

This command displays the AAA negotiations for authentication between the client device and the authentication server.

ap#debug aaa authentication
AAA Authentication debugging is on
ap#term mon
ap#
*Mar  1 01:55:52.335: AAA/BIND(000001F9): Bind i/f
*Mar  1 01:55:52.859: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:52.867: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:52.875: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:52.895: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:53.219: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:53.379: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:53.395: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:53.807: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:53.879: AAA/AUTHEN/PPP (000001F9): Pick method list 'eap_methods'
*Mar  1 01:55:53.939: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
f8db.7f75.7804 Associated KEY_MGMT[WPAv2]