ExtremeWireless (WiNG)


Test wlan that will uses eap ms-chapv2 self-controller to authenticate

  • 1.  Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-13-2017 12:40
    I have created an onboard RADIUS and role-based firewall (sort of),
    so this is what I have done so far:

    from the CLI
    #conf
    # radius-server-policy RADIUS
    # commit write
    #radius-group Guest
    #guest
    #..
    radius-group Corp
    #..
    radius-user-pool CORP-USER
    User UKROI password #976301234 group corp
    #commit write
    #profile rfs7000 default-rfs7000
    #use radius-server-policy RADIUS
    #commit write

    # role-policy RBFW
    #user-role Guest precedence 1
    #assign vlan 999
    #ssid contains Guest
    #..
    #user-role Corp precedence 2
    #assign vlan 1000
    #group exact Corp
    #commit write
    #aaa-policy INTERNAL-AAA
    #authentication server 1 onboard-controller
    I have created a wlan and assigned the aaa-policy INTERNAL_AAA

    then in the ap profile under settings I have added the RBFW in the wireless client role policy

    The problem I have:
    I only have two production VLANs, so I cannot put the AAA server on these, but I need to get to a server on the main VLAN.

    I can see the Dot1x WLAN that is part of the test. If I use my mobile phone and try to connect, it prompts for a username and a password as it should; I then put these details in,
    select MS-CHAPv2, then there is an option about the certificate, where I select none,
    then under the username it shows anonymous.


  • 2.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-13-2017 13:01
    The RFS can act as a DHCP server quite easily

    For example:

    dhcp-server-policy RFS
    dhcp-pool Guest
    network 10.254.254.0/24
    address range 10.254.254.10 10.254.254.254
    default-router 10.254.254.1
    dns-server 8.8.8.8 8.8.4.4

    In the RFS's config you need to "use" the DHCP server policy to activate it.

    You also need to have a switch virtual interface vlan defined in the same subnet, and this same vlan # must be used in the WLAN config.

    You can use the "show ip dhcp status" command to verify that the DHCP server is actually running.

    Lastly, how do you plan on getting return traffic back to VLAN 999 or 1000? i.e. if a host on VLAN 999 communicates with server X, it will receive the packet just fine, but how is it going to know where to send the reply to?



  • 3.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-13-2017 13:23
    Hi Andrew
    Thanks for the very swift response. So I have set up the test WLAN; the device that will connect via this is a tablet, and all the test WLAN is for is to prove that our device will support PEAP.
    So the devBod at our place has asked if it's possible to
    connect to the dot1x network with a username and password that he has supplied me, then for it to connect to a test server on a different VLAN (VLAN 1).

    So on the switch there is no DHCP server running.

    So the device will be on VLAN 999 but the test server is on VLAN 1. (It looks like this might get complicated.)



  • 4.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-13-2017 13:29
    If you want to test proof of concept, I would suggest you make your test wlan terminate on vlan 1. This will keep it simple and allow you to demonstrate the peap authentication without having to re-engineer your network.

    There is no restriction on having multiple WLANs with different security levels all connect to the same vlan.



  • 5.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-13-2017 13:43
    I think I tried that, but I must have done something wrong, as all the users on the WiFi were being prompted for a username and password. I must have done something wrong with regard to the AAA server? There is no AAA server/service on VLAN 1.


  • 6.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-13-2017 13:53
    The AAA service is only used on the WLAN if you call for it to be used. I suspect the role policy might have something to do with that. In reality you don't really need the role policy here. You're trying to change the vlan based on the name of the ssid, but that is something that you can define in a wlan.

    Consider the following:

    wlan corp
    ssid corp
    vlan 1
    encryption-type ccmp
    authentication-type none
    wpa-wpa2 psk 0 some-secret-key
    ...

    wlan test
    ssid test
    vlan 1
    encryption-type ccmp
    authentication-type eap
    use aaa-policy your-aaa-server-policy
    ...

    In the above scenario both corp and test are using vlan 1, but corp uses WPA2-PSK and test uses WPA2-Enterprise (dot1x).



  • 7.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-14-2017 06:25
    Hi Andrew
    I have set the WLAN to use VLAN 1 under the basic settings (GUI) - Bridging mode = Tunnel
    then in security it's set to use Internal-AAA

    under Security > Wireless Client Roles - my role - in the firewall roles I have set the VLAN ID to 1

    ? What is the difference between onboard-controller and onboard-self - no, there is no punch line to this one :-))

    It will not connect, tries but fails.

    Looking at the logs, it is a timeout:
    Radius server Internal-AAA timeout authenticating client xx:xx--95:D2 on wlan "Group-1-Dot1x



  • 8.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-14-2017 12:43
    Hi Phil,

    With regards to the bridging mode, use the same mode that you are using on the existing wlan that is working.

    For the onboard question:

    Onboard-controller: The service runs on the controller that has adopted the APs

    Onboard-self: The service runs on the device (AP or controller)

    In your instance, you want to run it on the controller.

    You seem to be missing the radius server policy, this tells the radius server what groups to use, as well as what method of EAP you want to use. In order for PEAP to function, there is also the question of certificates (server side only. it can be a self signed certificate, but your clients won't trust it implicitly).



  • 9.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-15-2017 05:30
    Hi Andrew, I have checked and it all seems to be there. This is from the running config:

    role-policy RBFW
    user-role GUEST precedence 1
    assign vlan 1
    ssid contains GUEST
    user-role Corp precedence 2
    assign vlan 1
    group exact Corp

    profile ap71xx Mic71xxx
    ip default-gateway 172.17.144.254
    autoinstall configuration
    autoinstall firmware
    device-upgrade persist-images
    use radius-server-policy RADIUS

    wlan Group-1-DOT1X
    ssid Group-1-DOT1X
    vlan 1
    bridging-mode tunnel
    encryption-type ccmp
    authentication-type eap
    radio-resource-measurement
    radius vlan-assignment
    use aaa-policy Internal-AAA
    use ip-access-list out BROADCAST-MULTICAST-CONTROL
    use mac-access-list out PERMIT-ARP-AND-IPv4

    !
    radius-group Corp
    guest
    policy vlan 1
    !
    radius-group GUEST
    guest
    policy vlan 1
    !

    Is there a password length limit? The password I have been sent to add into the system is 44 characters long with a / and an = in it.



  • 10.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-15-2017 11:14
    Hi Phil,

    Role-policy != Radius Policy. You will need a radius policy to make it work.

    Please see section 11.6 in: http://documentation.extremenetworks.com/WiNG/5.8.5/WING_5.8.5_SRG_MN-002942-01_A_EN.pdf



  • 11.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 06-16-2017 10:26
    Hi Andrew
    I have checked against 11.6; what I have looks the same other than the LDAP group.

    Looking at the logs: "Radius Server Internal-AAA:1 timeout authenticating client"


  • 12.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 08-01-2017 10:00
    Hi
    This has raised its head again. I have gone through my notes and a guide from a student lab (although this refers to the VX900 controller); I'm using the RFS7k with WiNG 5.8.5. In the guide I have it as "Onboard Radius & Role Based Firewall".
    Anyway, when I try and connect I get a RADIUS timeout.

    I have missed something but I'm not sure what?
    Any advice / help please.


  • 13.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 08-31-2017 04:03
    Could someone offer advice to get this working?


  • 14.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 08-31-2017 06:08
    I have been looking at the event history on the AP that I'm trying to connect to.
    In the message I get:
    Client "20-14-B0-7E-22-11" disassociated from wlan "Group-1-DOT1X2 Radio "ap7532-82BCF4-eap"R1" authentication rejected by radius server timeout (reason code:23 )
    The device associates, then fails on the timeout authenticating.

    If anyone has a simplified guide to setting this up, I would be very grateful: starting from scratch for just one user, to test that EAP works and that it can connect to the test server on VLAN 1.
    Thanks



  • 15.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 08-31-2017 06:51
    This is the DEBUG

    [ap7532-82BCF4-eap] 08:47:11.27: mgmt:rx auth-req from 20-14-B0-7E-22-11 on radio 0 (mgmt.c:3872)
    [ap7532-82BCF4-eap] 08:47:11.27: mgmt:tx auth-rsp to 20-14-B0-7E-22-11 on radio 0. status: success (mgmt.c:1302)
    [ap7532-82BCF4-eap] 08:47:11.31: mgmt:rx association-req from 20-14-B0-7E-22-11 on radio ap7532-82BCF4-eap:R1 signal-strength is -45dBm (mgmt.c:38
    [ap7532-82BCF4-eap] 08:47:11.31: client:MU 20-14-B0-7E-22-11 panBU enab_cap=00 00 00 00, supp_cap=00 00 00 00 (mgmt.c:3112)
    [ap7532-82BCF4-eap] 08:47:11.31: client:using cached vlan 1 for wireless client 20-14-B0-7E-22-11 (mgmt.c:3347)
    [ap7532-82BCF4-eap] 08:47:11.31: mgmt:Client 20-14-B0-7E-22-11 negotiated WPA2-EAP on wlan (Group-1-DOT1X) (mgmt.c:3412)
    [ap7532-82BCF4-eap] 08:47:11.31: mgmt:tx association-rsp success to 20-14-B0-7E-22-11 on wlan (Group-1-DOT1X) (ssid:RKOI) with ftie 0 (mgmt.c:3467
    [ap7532-82BCF4-eap] 08:47:11.31: client:no pmkid from client 20-14-B0-7E-22-11 (mgmt.c:1197)
    [ap7532-82BCF4-eap] 08:47:11.31: client:state MU_STATE_DOT1X for client 20-14-B0-7E-22-11 (mgmt.c:1206)
    [ap7532-82BCF4-eap] 08:47:11.31: client:wireless client 20-14-B0-7E-22-11 changing state from [Roaming] to [802.1x/EAP Auth] (mgmt.c:622)
    [ap7532-82BCF4-eap] 08:47:11.31: eap:sending eap-code-request code 1, type 1 to 20-14-B0-7E-22-11 (eap.c:963)
    [ap7532-82BCF4-eap] 08:47:11.31: eap:sending eap-id-req to 20-14-B0-7E-22-11 (eap.c:990)
    [ap7532-82BCF4-eap] 08:47:11.31: client:transmitting roam notification for 20-14-B0-7E-22-11 (mgmt.c:345)
    [ap7532-82BCF4-eap] 08:47:11.32: client:os-info in credcache for 20-14-B0-7E-22-11 (OS:Unknown/Browser:Unknown/Type:Unknown) (credcache.c:915)
    [ap7532-82BCF4-eap] 08:47:11.32: client:user-info in credcache for 20-14-B0-7E-22-11 (loyalty_app:0) (credcache.c:956)
    [ap7532-82BCF4-eap] 08:47:11.39: eap:rx eap id-response from 20-14-B0-7E-22-11 (eap.c:696)
    [ap7532-82BCF4-eap] 08:47:11.39: radius:aaa-policy INTERNAL-AAA user: DT-355856050632419 mac: 20-14-B0-7E-22-11 server_is_candidate: 1 0 0 0 0 0 (
    [ap7532-82BCF4-eap] 08:47:11.40: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 1) for 20-14-B0-7E-22-11
    [ap7532-82BCF4-eap] 08:47:14.54: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 2) for 20-14-B0-7E-22-11
    [ap7532-82BCF4-eap] 08:47:17.75: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 3) for 20-14-B0-7E-22-11
    [ap7532-82BCF4-eap] 08:47:20.94: eap:sending eap-failure to 20-14-B0-7E-22-11 (eap.c:1006)
    [ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:no response from radius server INTERNAL-AAA:1 for wireless client 20-14-B0-7E-22-11 (eap.c:373)
    [ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:alarm num_eap_s_tout ++ 1 (eap.c:394)
    [ap7532-82BCF4-eap] 08:47:20.94: mgmt:tx deauthentication [reason: radius server timeout (code:23)] to 20-14-B0-7E-22-11 (mgmt.c:1836)

    Hope this means something to someone.
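The debug above already tells the story if read as one client session: three access-requests proxied to the controller's own RADIUS (127.0.0.1:1812), no answer, then an EAP failure and a deauthentication with reason code 23. The following is an added example (not code from the thread or from WiNG) that parses AP debug lines of that shape into per-client sessions and classifies the outcome; the line patterns are taken from the quoted debug, the sample log is constructed from it, and the "where to look" hints follow the diagnosis given later in the thread (controller not "using" its radius-server-policy).

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample, shaped like the AP debug lines quoted in the post above (one client session).
SAMPLE_LOG = """\
[ap7532-82BCF4-eap] 08:47:11.31: client:state MU_STATE_DOT1X for client 20-14-B0-7E-22-11 (mgmt.c:1206)
[ap7532-82BCF4-eap] 08:47:11.39: eap:rx eap id-response from 20-14-B0-7E-22-11 (eap.c:696)
[ap7532-82BCF4-eap] 08:47:11.39: radius:aaa-policy INTERNAL-AAA user: DT-355856050632419 mac: 20-14-B0-7E-22-11 server_is_candidate: 1 0 0 0 0 0 (
[ap7532-82BCF4-eap] 08:47:11.40: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 1) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:14.54: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 2) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:17.75: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 3) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:20.94: eap:sending eap-failure to 20-14-B0-7E-22-11 (eap.c:1006)
[ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:no response from radius server INTERNAL-AAA:1 for wireless client 20-14-B0-7E-22-11 (eap.c:373)
[ap7532-82BCF4-eap] 08:47:20.94: mgmt:tx deauthentication [reason: radius server timeout (code:23)] to 20-14-B0-7E-22-11 (mgmt.c:1836)
"""

# "[<ap-name>] <optional %%%%> marker><hh:mm:ss.cc>: " prefix shared by every line
HEAD = r"^\[(?P<ap>[^\]]+)\]\s*(?:%+>)?(?P<ts>\d\d:\d\d:\d\d\.\d+):\s*"
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
RE_USER = re.compile(HEAD + r"radius:aaa-policy (?P<policy>\S+) user: (?P<user>\S+) mac: " + MAC)
RE_ATTEMPT = re.compile(HEAD + r"radius:access-req sent to (?P<via>.+?) to be proxied to "
                        r"(?P<server>\S+?)\.? \(attempt (?P<n>\d+)\) for " + MAC)
RE_NORESP = re.compile(HEAD + r"radius:no response from radius server (?P<server>\S+) for wireless client " + MAC)
RE_DEAUTH = re.compile(HEAD + r"mgmt:tx deauthentication \[reason: (?P<reason>.+?) \(code:(?P<code>\d+)\)\] to " + MAC)


@dataclass
class EapSession:
    mac: str
    ap: str
    user: Optional[str] = None
    aaa_policy: Optional[str] = None
    via: Optional[str] = None          # who forwarded the request ("wireless controller")
    server: Optional[str] = None       # ip:port the request was proxied to
    attempts: int = 0                  # highest access-req attempt number seen
    first_attempt: Optional[float] = None
    ended: Optional[float] = None
    no_response: bool = False
    aaa_server: Optional[str] = None   # "<aaa-policy>:<server index>" that never answered
    deauth_reason: Optional[str] = None
    deauth_code: Optional[int] = None

    def elapsed(self) -> Optional[float]:
        """Seconds from the first access-request to the deauthentication."""
        if self.first_attempt is None or self.ended is None:
            return None
        return round(self.ended - self.first_attempt, 2)

    def verdict(self) -> str:
        if self.no_response or self.deauth_code == 23:
            return "RADIUS_TIMEOUT"        # AAA never answered: not a bad password
        if self.deauth_code is not None:
            return f"DEAUTH_CODE_{self.deauth_code}"
        return "INCOMPLETE"


def _secs(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_eap_sessions(log_text: str) -> Dict[str, EapSession]:
    """Group the RADIUS-related lines of an AP debug by client MAC."""
    sessions: Dict[str, EapSession] = {}
    for line in log_text.splitlines():
        for rx in (RE_USER, RE_ATTEMPT, RE_NORESP, RE_DEAUTH):
            m = rx.match(line)
            if m:
                break
        else:
            continue  # line is not one of the four events we track
        mac = m.group("mac").upper()
        s = sessions.setdefault(mac, EapSession(mac=mac, ap=m.group("ap")))
        if rx is RE_USER:
            s.user, s.aaa_policy = m.group("user"), m.group("policy")
        elif rx is RE_ATTEMPT:
            s.attempts = max(s.attempts, int(m.group("n")))
            s.via, s.server = m.group("via"), m.group("server")
            if s.first_attempt is None:
                s.first_attempt = _secs(m.group("ts"))
        elif rx is RE_NORESP:
            s.no_response, s.aaa_server = True, m.group("server")
        else:
            s.deauth_reason, s.deauth_code = m.group("reason"), int(m.group("code"))
            s.ended = _secs(m.group("ts"))
    return sessions


def where_to_look(s: EapSession) -> str:
    """Point the troubleshooter at the hop that dropped the request."""
    if s.verdict() != "RADIUS_TIMEOUT":
        return "not a timeout; inspect the EAP exchange itself"
    if s.server and s.server.startswith("127.0.0.1") and s.via == "wireless controller":
        return ("AP handed the request to the controller for its onboard RADIUS; "
                "check the controller profile's 'use radius-server-policy' and debug radius there")
    return f"no answer from {s.server}; check reachability and the shared secret to that server"


if __name__ == "__main__":
    for sess in parse_eap_sessions(SAMPLE_LOG).values():
        print(sess.mac, sess.user, sess.verdict(), f"{sess.attempts} attempts in {sess.elapsed()}s")
        print("  ->", where_to_look(sess))
```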



  • 16.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 08-31-2017 11:13
    Phil,

    It appears as if you've set the aaa-policy to use onboard controller or onboard centralized-controller, but perhaps the controller isn't "using" the radius server policy, hence the timeouts.
    Perhaps debug the controller side to see what it's doing with the radius requests.

    Can you post a show running-config...


  • 17.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-01-2017 05:22
    Hi Andrew
    Here is the running config. It's not pretty (I have removed some IP and other info).
    I want to set this on only one AP, for the test.
    !
    ! Configuration of RFS7000 version 5.8.5.0-016R
    !
    !
    version 2.5
    !
    !
    client-identity Android-X
    dhcp 1 message-type request option 55 exact hexstring 012103060f1c333a3b
    dhcp 2 message-type request option 60 exact ascii dhcpcd-5.5.6
    dhcp-match-message-type request
    !
    client-identity Motorola-Android
    dhcp 1 message-type request option 55 starts-with hexstring 012103060f1c2c333a3b
    dhcp-match-message-type request
    !
    client-identity Windows-10
    dhcp 1 message-type request option 55 exact hexstring 01002710792c78
    dhcp 5 message-type request option 60 exact ascii "MSFT 5.0"
    dhcp-match-message-type request
    !
    client-identity iPhone-iPad
    dhcp 4 message-type request option 55 exact hexstring 017903060f77fc
    dhcp 10 message-type request option 55 exact hexstring 0103060f77fc
    dhcp 1 message-type request option-codes exact hexstring 3537393d32330c
    dhcp 2 message-type request option-codes exact hexstring 3537393d32360c
    dhcp 3 message-type request option-codes exact hexstring 3537393d3233
    dhcp 6 message-type request option-codes exact hexstring 3537393d330c
    dhcp-match-message-type request
    !
    ip access-list BROADCAST-MULTICAST-CONTROL
    permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
    permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
    deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
    permit ip any 224.0.0.0/4 rule-precedence 21 rule-description "Allow IP multicast for Chromecast and Apple TV Boxes to work"
    permit ip any host 255.255.255.255 rule-precedence 22 rule-description "allow IP local broadcast for Chromecast and Apple TV Boxes to work"
    permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
    permit proto 254 any any rule-precedence 101 rule-description Sip traffic
    permit tcp any eq 5061 any rule-precedence 102 rule-description sip traffic
    permit ip any xxx.245.xx.0/21 rule-precedence 103 rule-description RC Network
    permit ip any xxx.23.xxx.0/22 rule-precedence 104 rule-description RC Network
    permit ip any xxx.255.xxx.0/22 rule-precedence 106 rule-description RC Network
    permit ip any xxx.68.xxx.0/22 rule-precedence 107 rule-description RC Network
    permit tcp any range 8008 8009 any range 8008 8009 rule-precedence 108
    permit udp any eq 53 any rule-precedence 110
    permit udp any eq 1900 any rule-precedence 111
    permit tcp any xxx.236.xxx.128/2x eq https rule-precedence 113
    permit tcp any xxx.241.xxx.192/2x eq https rule-precedence 114
    permit tcp any xxx.246.xxx.128/2x eq https rule-precedence 115
    permit tcp any xxx.207.xxx.192/2x eq https rule-precedence 116
    permit tcp any xxx.58.xxx.160/2x eq https rule-precedence 117
    permit tcp any xxx.11.xxx.96/2x eq https rule-precedence 118
    permit tcp any xxx.153.xxx.160/2x eq https rule-precedence 119
    permit tcp any xxx.249.xxx.128/2x eq https rule-precedence 121
    permit tcp any xxx.22xxx.112/2x eq https rule-precedence 122
    permit tcp any 54.175.63.64/26 eq https rule-precedence 123
    permit tcp any 54.93.127.192/26 eq https rule-precedence 124
    permit tcp any xxx.209.xxx.64/2x eq https rule-precedence 125
    permit tcp any xxx.241.xxx.64/2x eq https rule-precedence 126
    permit tcp any xxx.219.xxx.192/2x eq https rule-precedence 127
    permit tcp any xxx.4.xxx.128/2x eq https rule-precedence 128
    permit tcp any xxx.233.xxx.192/2x eq https rule-precedence 129
    permit tcp any xxx.219.xxx.64/2x eq https rule-precedence 130
    permit tcp any xxx.175.xxx.192/2x eq https rule-precedence 131
    permit tcp any xxx.250.xxx.0/2x eq https rule-precedence 132
    permit tcp any xxx.171.xxx.192/2x eq https rule-precedence 133
    permit tcp any xxx.93.xxx.192/x eq https rule-precedence 134
    permit udp any range 5060 5061 any range 5060 5061 rule-precedence 135
    !
    mac access-list PERMIT-ARP-AND-IPv4
    permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
    permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
    deny host 00-1F-3B-26-02-A5 host 00-1F-3B-26-02-A5 rule-precedence 30
    !
    ip snmp-access-list Mic_HQ
    permit host xxx.17.1xx.xxx
    !
    ip snmp-access-list default
    permit any
    !
    firewall-policy default
    no ip dos tcp-sequence-past-window
    storm-control multicast log warnings
    ip-mac conflict log-and-drop log-level debugging
    no ipv6 firewall enable
    no stateful-packet-inspection-l2
    !
    role-policy RBFW
    user-role Guest precedence 1
    assign vlan 1
    ssid contains RKOI
    user-role Corp precedence 2
    assign vlan 1
    group exact Corp
    !
    !
    mint-policy global-default
    !
    meshpoint-qos-policy default
    accelerated-multicast autodetect classification voice
    !
    wlan-qos-policy default
    classification normal
    classification non-unicast normal
    qos trust dscp
    qos trust wmm
    !
    radio-qos-policy default
    no admission-control implicit-tspec
    admission-control voice
    admission-control video
    admission-control video max-airtime-percent 15
    accelerated-multicast max-streams 60
    !
    aaa-policy INTERNAL-AAA
    authentication server 1 onboard controller
    !
    association-acl-policy Mic_Ban
    deny 4C-0B-BE-04-F1-04 4C-0B-BE-04-F1-04 precedence 1
    !
    wlan 1
    description Guest
    ssid HOTSPOT
    vlan 10
    bridging-mode tunnel
    encryption-type tkip-ccmp
    authentication-type none
    no answer-broadcast-probes
    radio-resource-measurement
    no radio-resource-measurement channel-report
    fast-bss-transition
    wpa-wpa2 psk 0 6hbZ5r5sYJ
    wpa-wpa2 handshake timeout 200 300 400 500
    wpa-wpa2 handshake attempts 5
    use ip-access-list out BROADCAST-MULTICAST-CONTROL
    use mac-access-list out PERMIT-ARP-AND-IPv4
    !
    wlan 2
    description Microlise WLAN
    ssid WLANBG
    vlan 1
    bridging-mode tunnel
    encryption-type tkip-ccmp
    authentication-type none
    no answer-broadcast-probes
    fast-bss-transition
    wpa-wpa2 psk 0 xxxxxxxxxx
    wpa-wpa2 handshake timeout 200 300 400 500
    wpa-wpa2 handshake attempts 5
    accounting syslog host xxx.17.154.xx port 514 proxy-mode through-controller
    data-rates 2.4GHz gn
    data-rates 5GHz an
    ip arp trust
    ip dhcp trust
    use ip-access-list out BROADCAST-MULTICAST-CONTROL
    use mac-access-list out PERMIT-ARP-AND-IPv4
    !
    wlan 3
    description ICT Test
    ssid DOMTEST
    vlan 10
    bridging-mode tunnel
    encryption-type tkip-ccmp
    authentication-type none
    no answer-broadcast-probes
    radio-resource-measurement
    fast-bss-transition
    wpa-wpa2 psk 0 Dxuxles1x
    wpa-wpa2 handshake timeout 200 300 400 500
    wpa-wpa2 handshake attempts 5
    wing-extensions ft-over-ds-aggregate
    no client-load-balancing allow-single-band-clients 5ghz
    !
    wlan 4
    description Company Mobile Phone
    ssid VoipT
    vlan 10
    bridging-mode tunnel
    encryption-type tkip-ccmp
    authentication-type none
    no answer-broadcast-probes
    radio-resource-measurement
    fast-bss-transition
    wpa-wpa2 psk 0 Un1fyxxx
    wpa-wpa2 handshake timeout 200 300 400 500
    wpa-wpa2 handshake attempts 5
    data-rates 2.4GHz gn
    data-rates 5GHz an
    use ip-access-list out BROADCAST-MULTICAST-CONTROL
    use mac-access-list out PERMIT-ARP-AND-IPv4
    !
    wlan Group-1-DOT1X
    description PEAP-TEST
    shutdown
    ssid RKOI
    vlan 1
    bridging-mode tunnel
    encryption-type ccmp
    authentication-type eap
    radio-resource-measurement
    fast-bss-transition
    use aaa-policy INTERNAL-AAA
    registration device-OTP group-name tesco expiry-time 4320
    service monitor aaa-server
    !
    meshpoint link
    meshid link
    beacon-format mesh-point
    control-vlan 1
    allowed-vlans 1-4094
    neighbor inactivity-timeout 60
    security-mode none
    wpa2 psk 0 hellomoto
    no root
    !
    smart-rf-policy Wood2
    channel-width 5GHz auto
    channel-width 2.4GHz auto
    !
    radius-group Corp
    policy ssid RKOI
    !
    radius-group Guest
    guest
    !
    radius-group Test-eap
    policy vlan 1
    policy ssid RKOI
    !
    radius-user-pool-policy CORP-USER
    user John password 0 doe group Corp
    !
    radius-user-pool-policy Test-eap
    user DT-355856050632419 password 0 Pa55w0rd group Corp Test-eap
    !
    radius-server-policy RADIUS
    use radius-user-pool-policy Test-eap
    no ldap-group-verification
    !
    !
    management-policy default
    no telnet
    no http server
    https server
    no ftp
    ssh
    user admin password 1 ab38cb210d7336ec17bcad7b2d0d7fa644e98f9fcd32c691c5ac1875f5858854 role superuser access all
    allowed-location MHQ locations MHQ
    snmp-server manager v1
    snmp-server manager v2
    no snmp-server manager v3
    snmp-server community 0 public ro ip-snmp-access-list Mic_HQ
    snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
    snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
    snmp-server enable traps
    snmp-server host xxx.xx.146.1x v2c 161 community 0 public
    t5 snmp-server community public ro 192.168.0.1
    t5 snmp-server community private rw 192.168.0.1
    !
    event-system-policy Mesh
    event mesh meshpoint-loop-prevent-on email off
    event mesh meshpoint-eap-server-timeout email off
    event mesh mp-rescan email off
    event mesh mesh-link-down email on
    event mesh mpr-chan-change email off
    event mesh meshpoint-eap-failed email off
    event mesh meshpoint-root-change email off
    event mesh meshpoint-down email off
    event mesh meshpoint-eap-success email off
    event mesh meshpoint-eap-client-timeout email off
    event mesh meshpoint-up email off
    event mesh meshpoint-path-change email off
    event mesh meshpoint-loop-prevent-off email off
    event mesh mp-chan-change email off
    event mesh mesh-link-up email on
    !
    ex3500-management-policy default
    snmp-server community public ro
    snmp-server community private rw
    snmp-server notify-filter 1 remote 127.0.0.1
    snmp-server view defaultview 1 included
    !
    ex3500-qos-class-map-policy default
    !
    ex3500-qos-policy-map default
    !
    l2tpv3 policy default
    !
    profile rfs7000 default-rfs7000
    autoinstall configuration
    autoinstall firmware
    use radius-server-policy RADIUS
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto remote-vpn-client
    interface me1
    interface ge1
    interface ge2
    interface ge3
    interface ge4
    interface pppoe1
    use firewall-policy default
    use role-policy RBFW
    cluster member ip 172.xxx.146.105 level 1
    cluster member ip 172.xxx.146.106 level 1
    cluster member vlan 1
    logging on
    logging syslog debugging
    logging host 1xx.xxx.154.4x
    no logging forward
    no lldp run
    service pm sys-restart
    router ospf
    !
    profile ap7532 AP7532_De
    dscp-mapping 46 priority 7
    autoinstall configuration
    autoinstall firmware
    led flash-pattern
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    interface ge1
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    ip dhcp client request options all
    interface pppoe1
    use firewall-policy default
    logging on
    no lldp run
    service pm sys-restart
    router ospf
    traffic-shape total-bandwidth 20 Mbps
    traffic-shape enable
    !
    profile ap7532 Mic_7532
    dscp-mapping 46 priority 7
    ip default-gateway xxx.xxx.xxx.xxx
    autoinstall configuration
    autoinstall firmware
    led flash-pattern
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    data-rates gn
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 4 primary
    antenna-mode 3x3
    antenna-diversity
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 4 primary
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 1
    no switchport trunk native tagged
    switchport trunk allowed vlan 1,10
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    ip dhcp client request options all
    interface pppoe1
    use firewall-policy default
    ntp server xxx.xxx.144.1xx prefer version 3
    ntp server xxx.xxx.144.xxx version 3
    use role-policy RBFW
    logging on
    no cdp run
    no lldp run
    service pm sys-restart
    router ospf
    traffic-shape total-bandwidth 20 Mbps
    traffic-shape enable
    !
    profile ap7532 default-ap7532
    dscp-mapping 46 priority 7
    autoinstall configuration
    autoinstall firmware
    led flash-pattern
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    interface ge1
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    ip dhcp client request options all
    interface pppoe1
    use firewall-policy default
    ntp server xxx.xxx.144.1xx prefer version 3
    ntp server xxx.xxx.144.1xx version 3
    logging on
    no cdp run
    no lldp run
    service pm sys-restart
    router ospf
    traffic-shape total-bandwidth 20 Mbps
    traffic-shape enable
    !
    profile ap7532 mic-mesh
    no autoinstall configuration
    no autoinstall firmware
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    placement outdoor
    interface radio2
    placement outdoor
    meshpoint link bss 1
    non-unicast tx-rate lowest-basic
    no dynamic-chain-selection
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 1
    no switchport trunk native tagged
    switchport trunk allowed vlan 1-4094
    interface pppoe1
    use event-system-policy Mesh
    use firewall-policy default
    email-notification host dom02 sender WifiBridge@microlise.com port 25
    email-notification recipient support@microlise.com
    no cdp run
    service pm sys-restart
    router ospf
    !
    profile ap7532 wood_2
    no autoinstall configuration
    no autoinstall firmware
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    interface radio2
    interface ge1
    interface pppoe1
    use firewall-policy default
    use role-policy RBFW
    no cdp run
    no lldp run
    service pm sys-restart
    router ospf
    !
    profile ap71xx Mic71xxx
    ip default-gateway xxx.xxx.144.xxx
    autoinstall configuration
    autoinstall firmware
    device-upgrade persist-images
    load-balancing balance-ap-loads
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto remote-vpn-client
    interface radio1
    data-rates custom basic-5.5 basic-11 basic-12 basic-18 basic-24 basic-36 basic-48 basic-54 basic-mcs-1s mcs-2s
    rate-selection opportunistic
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    wlan 4 bss 4 primary
    preamble-short
    no dynamic-chain-selection
    no adaptivity recovery
    interface radio2
    data-rates custom basic-12 basic-18 basic-24 basic-36 basic-48 basic-54 basic-mcs-1s mcs-2s
    rate-selection opportunistic
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    wlan 4 bss 4 primary
    no dynamic-chain-selection
    no adaptivity recovery
    interface radio3
    shutdown
    interface ge1
    interface ge2
    shutdown
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    ip dhcp client request options all
    interface wwan1
    interface pppoe1
    use firewall-policy default
    ntp server xxx.xxx.144.150 prefer version 3
    ntp server xxx.xxx.144.151 version 3
    logging on
    no lldp run
    no auto-learn staging-config
    service pm sys-restart
    traffic-shape enable
    !
    profile ap71xx default-ap71xx
    no autoinstall configuration
    no autoinstall firmware
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto remote-vpn-client
    interface radio1
    interface radio2
    interface radio3
    interface ge1
    interface ge2
    interface wwan1
    interface pppoe1
    use firewall-policy default
    service pm sys-restart
    !
    profile ap650 default-ap650
    ip default-gateway xxx.xxx.144.xxx
    autoinstall configuration
    autoinstall firmware
    no device-upgrade auto
    load-balancing balance-ap-loads
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    power 20
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    wlan 4 bss 4 primary
    interface radio2
    power 20
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    interface ge1
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    ip dhcp client request options all
    interface pppoe1
    use firewall-policy default
    logging on
    service pm sys-restart
    !
    rf-domain Wood_2
    location ML_HQ
    timezone Europe/London
    country-code gb
    use smart-rf-policy Wood2
    !
    rf-domain default
    no country-code
    !
    rfs7000 00-15-70-38-0A-F9
    use profile default-rfs7000
    use rf-domain Wood_2
    hostname rfs7000-Backup
    layout-coordinates 145.5 212.5
    no mint mlcp ipv6
    no mint tunnel-across-extended-vlan
    no spanning-tree mst enable bridge-forward
    spanning-tree portfast bpduguard default
    spanning-tree portfast bpdufilter default
    spanning-tree mst region RFS_ML
    spanning-tree mst revision 2
    ip name-server xxx.xxx.144.1xx
    ip name-server xxx.xxx.144.xxx
    ip domain-name l.local
    area "Mez Floor"
    ip default-gateway xxx.xxx.144.xxx
    interface ge1
    speed 1000
    duplex full
    interface vlan1
    ip address xxx.xxx.xxx.106/2x
    interface vlan10
    ip address dhcp
    cluster name M_HQ_Cluster
    cluster mode standby
    cluster member vlan 1
    cluster master-priority 100
    cluster handle-stp
    cluster force-configured-state
    !
    rfs7000 00-15-70-81-BE-8E
    use profile default-rfs7000
    use rf-domain Wood_2
    hostname rfs7000-Primary
    layout-coordinates 481.5 9.5
    license AP baa10e1a4916c4f89b2c620c20ab86b72fd7aefe10c9d75c90cfe595682b28cc0cff4e7c66e1796b
    timezone Europe/London
    country-code gb
    channel-list 2.4GHz 1,2,3,4,5,7,8,10,11,12,13,14
    no mint mlcp ipv6
    no mint tunnel-across-extended-vlan
    ip igmp snooping
    ip igmp snooping querier
    no spanning-tree mst enable bridge-forward
    spanning-tree portfast bpduguard default
    spanning-tree portfast bpdufilter default
    spanning-tree mst region RFS_ML
    spanning-tree mst revision 2
    ip name-server xxx.xxx.144.1xx
    ip name-server xxx.xxx.144.1xx
    ip domain-name m.local
    area "B4 SRm"
    floor GF
    ip default-gateway xxx.xxx.144.xxx
    no use radius-server-policy
    interface me1
    ip address 10.10.10.10/24
    interface ge1
    speed 1000
    duplex full
    switchport mode trunk
    switchport trunk native vlan 1
    switchport trunk native tagged
    switchport trunk allowed vlan 1,10-11
    no ipv6 nd raguard
    no ip arp trust
    ip arp header-mismatch-validation
    interface vlan1
    description Ron
    ip address xxx.xxx.146.1xx/20
    use ip-access-list in BROADCAST-MULTICAST-CONTROL
    interface vlan10
    ip address dhcp
    ip dhcp client request options all
    ntp server xxx.xxx.144.1xx prefer version 3
    ntp server xxx.xxx.144.1xx version 3
    cluster name M_HQ_Cluster
    cluster member vlan 1
    cluster master-priority 200
    cluster handle-stp
    cluster force-configured-state
    traffic-shape class 1 rate 70 Mbps
    traffic-shape total-bandwidth 70 Mbps
    traffic-shape enable
    !
    ap7532 84-24-8D-80-C3-AC
    use profile Mic_7532
    use rf-domain Wood_2
    hostname ap7532-2-Delivery
    area HR-Accounts-CEO
    floor B4-First-Floor
    interface radio1
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 3 primary
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 3 primary
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 1
    no switchport trunk native tagged
    switchport trunk allowed vlan 1,10
    interface vlan1
    ip address dhcp
    !
    ap7532 84-24-8D-80-C5-F4
    use profile Mic_7532
    use rf-domain Wood_2
    hostname AP7532-ICT-B4a
    location B4a-Sdesk
    contact ICT
    ip name-server xxx.xx.144.xx
    ip name-server xxx.xx.144.xxx
    ip domain-name m.local
    ip default-gateway xxx.xxx.144.1.xxx
    no ip default-gateway failover
    interface radio1
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    wlan 4 bss 4 primary
    no adaptivity recovery
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 3 bss 3 primary
    wlan 4 bss 4 primary
    antenna-mode 3x3
    antenna-diversity
    no adaptivity recovery
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    !
    ap7532 84-24-8D-80-C6-24
    use profile Mic_7532
    use rf-domain Wood_2
    hostname AP7532-Reception-Landing
    layout-coordinates -72.5 -198.5
    area B4
    floor First-floor-Theatre
    interface radio1
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 4 primary
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 4 primary
    !
    ap7532 84-24-8D-82-BC-78
    use profile mic-mesh
    use rf-domain Wood_2
    hostname ap7532-Remote-Bridge
    layout-coordinates -179.5 -291.5
    geo-coordinates 53.0151 -1.3156
    ip igmp snooping
    interface radio1
    shutdown
    power smart
    no mesh
    mesh psk 0 RUc6UnarePa&
    interface radio2
    power smart
    no mesh
    mesh psk 0 RUc6UnarePa&
    antenna-gain 0.0
    antenna-mode 3x3
    antenna-diversity
    interface vlan1
    ip address 172.17.148.252/20
    ip address zeroconf secondary
    !
    ap7532 84-24-8D-82-BC-F4
    use profile Mic_7532
    use rf-domain Wood_2
    hostname ap7532-82BCF4-eap
    layout-coordinates 159.5 -186.5
    area TBC
    floor TBC
    interface radio1
    wlan Group-1-DOT1X bss 1 primary
    interface radio2
    wlan Group-1-DOT1X bss 1 primary
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 1
    no switchport trunk native tagged
    switchport trunk allowed vlan 1,10
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    !
    ap7532 84-24-8D-82-BD-80
    use profile Mic_7532
    use rf-domain Wood_2
    hostname ap7532-Reception
    layout-coordinates 214.5 -155.5
    area Reception-by-Lift
    floor Ground-Floor
    interface radio1
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 4 primary
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 4 primary
    interface ge1
    no cdp receive
    no cdp transmit
    no lldp receive
    no lldp transmit
    !
    ap7532 84-24-8D-82-BF-18
    use profile m-mesh
    use rf-domain Wood_2
    hostname ap7532-HQ-Bridge
    layout-coordinates 258.5 -298.5
    geo-coordinates xx.0137 -1.3146
    bridge vlan 1
    ip default-gateway xxx.xxx.144.1.xxx
    interface radio1
    shutdown
    data-rates gn
    placement outdoor
    no mesh
    antenna-gain 0.0
    antenna-mode default
    no antenna-diversity
    interface radio2
    power smart
    no mesh
    mesh psk 0 RUc6UnarePa&
    antenna-gain 0.0
    antenna-mode 3x3
    antenna-diversity
    interface vlan1
    ip address xxx.17.xx.251/2x
    ip address zeroconf secondary
    meshpoint-device link
    root
    !
    ap7532 84-24-8D-82-C7-88
    use profile Mic_7532
    use rf-domain Wood_2
    hostname ap7532-1-Delivery
    layout-coordinates x48.5 -201.5
    area Delivery
    floor B4-First-Floor-Kitchen-Sec-end
    interface radio1
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 3 primary
    interface radio2
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 3 primary
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 1
    no switchport trunk native tagged
    switchport trunk allowed vlan 1,10
    no cdp receive
    no cdp transmit
    no lldp receive
    no lldp transmit
    !
    ap71xx 00-15-70-EB-7C-A8
    use profile Mic71xxx
    use rf-domain Wood_2
    hostname ap7131-7-PC01
    layout-coordinates -396.5 -39.4
    area "PortaCabin- Embedded Team"
    floor B4a-GF
    interface radio1
    no shutdown
    channel smart
    power smart
    data-rates default
    wlan 1 bss 1 primary
    wlan 2 bss 2 primary
    wlan 4 bss 5 primary
    non-unicast tx-rate lowest-basic
    no antenna-diversity
    interface radio2
    no shutdown
    channel smart
    power smart
    data-rates an
    wlan 1 bss 1 primary
    wlan 2 bss 2 primar


  • 18.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-01-2017 14:51
    Phil,
    I don't see any mention of trustpoints in your config, so I'm guessing you didn't do any certificate setup as part of the Radius setup.
    EAP-anything requires a radius server-side certificate in order to function. It cannot use the default built-in trustpoint.

    I found this video to be very informative, although the presenter is setting up EAP-TLS, EAP-PEAP is similar, and you should be able to derive the correct config from there.
    https://www.youtube.com/watch?v=-f0R9tNwRX4
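The "no trustpoint in your config" observation above is the kind of thing that is easy to miss in a long `show running-config` paste. As an added example (not code from the thread or from Extreme/WiNG), here is a small Python audit that scans a WiNG-style config for three things a reviewer would look for before debugging onboard RADIUS with PEAP: no `trustpoint` anywhere in the config, a device block that explicitly removes the policy with `no use radius-server-policy`, and mesh keys stored as `mesh psk 0 ...`. The config excerpt, MAC addresses, hostnames and key are constructed placeholders, and the reading of the `0` token as "key entered in cleartext" is an assumption about WiNG show-run output.

```python
"""Audit a WiNG-style running-config dump for authentication-related gaps (added example)."""
import re

# Constructed excerpt in the shape of a WiNG `show running-config`.
# MACs, hostnames and the PSK are placeholders, not values from any real site.
SAMPLE_CONFIG = """\
radius-server-policy RADIUS
!
profile rfs7000 default-rfs7000
 use radius-server-policy RADIUS
!
rfs7000 00-00-00-00-00-01
 use profile default-rfs7000
 hostname rfs7000-Primary
 no use radius-server-policy
!
ap7532 00-00-00-00-00-02
 use profile mic-mesh
 interface radio2
  mesh psk 0 CONSTRUCTED-MESH-KEY
!
"""


def parse_blocks(text):
    """Split a config into (header, body_lines) blocks delimited by '!' lines.

    The first non-empty line of each block (e.g. 'rfs7000 00-...') is its header.
    Leading indentation is stripped, so pasted and indented dumps parse the same.
    """
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def audit_wing_config(text):
    """Return a list of (finding, where) tuples for the config text."""
    findings = []

    # PEAP needs a server certificate; a config with no trustpoint at all cannot
    # have bound one to the onboard RADIUS server.
    if not re.search(r"\btrustpoint\b", text):
        findings.append(("no-trustpoint", "global"))

    defined = set()
    used = set()
    for header, body in parse_blocks(text):
        m = re.match(r"radius-server-policy (\S+)$", header)
        if m:
            defined.add(m.group(1))
        for line in body:
            m = re.match(r"use radius-server-policy (\S+)$", line)
            if m:
                used.add(m.group(1))
            # A device override that drops the policy its profile applied: the
            # onboard RADIUS server will not run on that device.
            if line == "no use radius-server-policy":
                findings.append(("radius-policy-removed", header))
            # Assumption: the '0' token marks a key entered in cleartext, so the
            # key is readable by anyone who can view the config.
            if re.match(r"mesh psk 0 ", line):
                findings.append(("cleartext-mesh-psk", header))

    for name in sorted(defined - used):
        findings.append(("radius-policy-unused", name))
    return findings


if __name__ == "__main__":
    for kind, where in audit_wing_config(SAMPLE_CONFIG):
        print(f"{kind:24s} {where}")
```

Run it against a saved `show running-config` by reading the file into `audit_wing_config`; an empty list means none of the three checks fired, not that the RADIUS setup is complete.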



  • 19.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-04-2017 09:26
    So am I correct in thinking I need to use an external LDAP server with the onboard Radius on the RFS7k?

    For this test I don't want to use certificates.


  • 20.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-04-2017 17:37
    You can't NOT use certificates. EAP-PEAP-MS-CHAPv2 stipulates at a minimum that you must have server-side certificates on the RADIUS server.

    If you want to use an external LDAP that's fine, but the RADIUS server still needs a certificate.
    Similarly, if you used an external RADIUS server, it would need to have a certificate.



  • 21.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-05-2017 05:51
    Ok, so I have to copy the cert to our LDAP server? Or just create it on the RFS?


  • 22.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-05-2017 10:30
    You need to create the certificate on the RFS. The video I linked in earlier covers those steps.


  • 23.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-07-2017 16:08
    For a simple test, just use PEAP/MSCHAPv2 on the RFS on-board radius server and on the client side, ensure that you un-select to validate server certificate. You will not need a certificate on the RFS if using PEAP/MSCHAPv2.


  • 24.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-08-2017 03:23
    Bit more: it seems there may be a bug in 5.8.5. When you look at the context for the radius server it's configured and looks like it's running, but when you sh the radius server stats it's not running, and any connection comes back with "No response from radiusd". This may also explain why I could never get connected to the captive portal when I was trying to set one up: I could get the web page and the login details etc. but it just would not connect. This was a while ago and just me seeing how it worked.



  • 25.  RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

    Posted 09-19-2017 06:47
    Anyone know if there is a release for the RFS7k 5.8.6?