Test WLAN that will use EAP MS-CHAPv2 self-controller to authenticate

  • Question
  • Updated 1 year ago
  • Answered
I have created an onboard RADIUS and role-based firewall (sort of).
This is what I have done so far,

from the CLI
#conf
# radius-server-policy RADIUS
# commit write
#radius-group Guest
#guest
#..
radius-group Corp
#..
radius-user-pool CORP-USER
User UKROI password #976301234 group corp
#commit write
#profile rfs7000 default-rfs7000
#use radius-server-policy RADIUS
#commit write

# role-policy RBFW
#user-role Guest precedence 1
#assign vlan 999
#ssid contains Guest
#..
#user-role Corp precedence 2
#assign vlan 1000
#group exact Corp
#commit write
#aaa-policy INTERNAL-AAA
#authentication server 1 onboard-controller
I have created a WLAN and assigned the aaa-policy INTERNAL-AAA.

Then in the AP profile, under settings, I have added RBFW as the wireless client role policy.

The problem I have:
I only have two production VLANs, so I cannot put the AAA server on these, but I need to get to a server on the main VLAN.

I can see the Dot1x WLAN that is part of the test. If I use my mobile phone and try to connect, it prompts for a username and a password as it should. I then put these details in,
select MS-CHAPv2, then you have an option about certificate, where I select none,
then under the username it shows anonymous (I skip this as I have a password),
then drop to password and enter this,
then it shows connecting, then gives up.
Now I think it's due to the fact that VLANs 999 & 1000 do not have any DHCP server to give the device an IP.

So can I set up a DHCP server on the RFS7k (WiNG 5.8.5) that will only dish out addresses on the dot1x WLAN, then route off to our main VLAN to attach to a test server?

Lots of information and questions, but any help appreciated.
Phil storey

Posted 1 year ago

Andrew Webster

The RFS can act as a DHCP server quite easily

For example:

dhcp-server-policy RFS
 dhcp-pool Guest
  network 10.254.254.0/24
  address range 10.254.254.10 10.254.254.254
  default-router 10.254.254.1
  dns-server 8.8.8.8 8.8.4.4

In the RFS's config you need to "use" the dhcp server policy to activate it.

You also need to have a switch virtual interface vlan defined in the same subnet, and this same vlan # must be used in the WLAN config.

You can use the "show ip dhcp status" command to verify that the DHCP server is actually running.

Lastly, how do you plan on getting return traffic back to vlan 999 or 1000? I.e., if a host on vlan 999 communicates with server X, it will receive the packet just fine, but how is it going to know where to send the reply to?


Phil storey

Hi Andrew,
    thanks for the very swift response. So I have set up the test WLAN; the device that will connect via this is a tablet. All the test WLAN is for is to prove that our device will support PEAP.
So the dev bod at our place has asked if it's possible to
connect to the dot1x network, with a username and password that he has supplied me, then for it to connect to a test server on a different VLAN (VLAN 1).

So on the switch there is no DHCP server running.

So the device will be on VLAN 999 but the test server is on VLAN 1 (it looks like this might get complicated).
Andrew Webster

If you want to test proof of concept, I would suggest you make your test wlan terminate on vlan 1.  This will keep it simple and allow you to demonstrate the peap authentication without having to re-engineer your network.

There is no restriction on having multiple WLANs with different security levels all connect to the same vlan. 

Phil storey

I think I tried that, but I must have done something wrong, as all the users on the wifi were being prompted for a username and password. I must have done something wrong with regard to the AAA server? There is no AAA server/service on VLAN 1.
Andrew Webster

The AAA service is only used on the WLAN if you call for it to be used.  I suspect the role policy might have something to do with that.  In reality you don't really need the role policy here.  You're trying to change the vlan based on the name of the ssid, but that is something that you can define in a wlan.

Consider the following:

wlan corp
ssid corp
vlan 1
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 some-secret-key
...

wlan test
ssid test
vlan 1
encryption-type ccmp
authentication-type eap
use aaa-policy your-aaa-server-policy
...


In the above scenario both corp and test are using vlan 1, but corp uses WPA2-PSK and test uses WPA2-Enterprise (dot1x).


Phil storey

Hi Andrew,
    I have set the WLAN to use VLAN 1 under the basic settings (GUI), Bridging mode = Tunnel;
then in security it's set to use Internal-AAA.

Under Security > Wireless Client Roles > my role, in the firewall roles I have set the VLAN ID to 1.

? What is the difference between onboard-controller and onboard-self? No, there is no punch line to this one :-))

It will not connect; it tries but fails.

Looking at the logs, it is a timeout:
Radius server Internal-AAA timeout authenticating client xx:xx--95:D2 on wlan "Group-1-Dot1x
Andrew Webster

Hi Phil,

With regards to the bridging mode, use the same mode that you are using on the existing wlan that is working.

For the onboard question:

Onboard-controller: The service runs on the controller that has adopted the APs

Onboard-self: The service runs on the device (AP or controller)

In your instance, you want to run it on the controller.

You seem to be missing the radius server policy; this tells the radius server what groups to use, as well as what method of EAP you want to use.  In order for PEAP to function, there is also the question of certificates (server side only; it can be a self-signed certificate, but your clients won't trust it implicitly).

Phil storey

Hi Andrew, I have checked and it all seems to be there. This is from the running config:

role-policy RBFW
 user-role GUEST precedence 1
  assign vlan 1
  ssid contains GUEST
 user-role Corp precedence 2
  assign vlan 1
  group exact Corp

profile ap71xx Mic71xxx
 ip default-gateway 172.17.144.254
 autoinstall configuration
 autoinstall firmware
 device-upgrade persist-images
 use radius-server-policy RADIUS

wlan Group-1-DOT1X
 ssid Group-1-DOT1X
 vlan 1
 bridging-mode tunnel
 encryption-type ccmp
 authentication-type eap
 radio-resource-measurement
 radius vlan-assignment
 use aaa-policy Internal-AAA
 use ip-access-list out BROADCAST-MULTICAST-CONTROL
 use mac-access-list out PERMIT-ARP-AND-IPv4

!
radius-group Corp
 guest
 policy vlan 1
!
radius-group GUEST
 guest
 policy vlan 1
!

Is there a password length limit? The password I have been sent to add into the system is 44 characters long, with a / and an = in it.
Andrew Webster

Hi Phil,

Role-policy != Radius Policy.  You will need a radius policy to make it work.

Please see section 11.6 in: http://documentation.extremenetworks.com/WiNG/5.8.5/WING_5.8.5_SRG_MN-002942-01_A_EN.pdf

Phil storey

Hi Andrew,
       I have checked against 11.6; what I have looks the same other than the LDAP group.

Looking at the logs: "Radius Server Internal-AAA:1 timeout authenticating client <MAC Address> on wlan "Group-1-DOT1x" Radio AP7131-6-R1"
I'm missing something; maybe Monday will throw some light on it.

Your help is appreciated very much; it is helping me get this working.
Phil storey

Hi,
 This has raised its head again. I have gone through my notes and a guide from a student lab (although this refers to the VX900 controller). I'm using the RFS7k with WiNG 5.8.5. In the guide I have it as "Onboard Radius & Role Based Firewall".
Anyway, when I try and connect I get a radius timeout.

I have missed something but not sure what?
Any advice / help please.
Phil storey

Could someone offer advice to get this working?
Phil storey

I have been looking at the event history on the AP that I'm trying to connect to.
In the message I get:
Client "20-14-B0-7E-22-11" disassociated from wlan "Group-1-DOT1X2 Radio "ap7532-82BCF4-eap"R1" authentication rejected by radius server timeout (reason code:23 )
The device associates, then fails on the timeout while authenticating.

If anyone has a simplified guide to setting this up, I would be very grateful: starting from scratch for just one user, to test that EAP works and that it can connect to the test server on VLAN 1.
Thanks
Phil storey

This is the DEBUG

[ap7532-82BCF4-eap] 08:47:11.27: mgmt:rx auth-req from 20-14-B0-7E-22-11 on radio 0 (mgmt.c:3872)
[ap7532-82BCF4-eap] 08:47:11.27: mgmt:tx auth-rsp to 20-14-B0-7E-22-11 on radio 0. status: success (mgmt.c:1302)
[ap7532-82BCF4-eap] 08:47:11.31: mgmt:rx association-req from 20-14-B0-7E-22-11 on radio ap7532-82BCF4-eap:R1 signal-strength is -45dBm (mgmt.c:38
[ap7532-82BCF4-eap] 08:47:11.31: client:MU 20-14-B0-7E-22-11 panBU enab_cap=00 00 00 00, supp_cap=00 00 00 00 (mgmt.c:3112)
[ap7532-82BCF4-eap] 08:47:11.31: client:using cached vlan 1 for wireless client 20-14-B0-7E-22-11 (mgmt.c:3347)
[ap7532-82BCF4-eap] 08:47:11.31: mgmt:Client 20-14-B0-7E-22-11 negotiated WPA2-EAP on wlan (Group-1-DOT1X) (mgmt.c:3412)
[ap7532-82BCF4-eap] 08:47:11.31: mgmt:tx association-rsp success to 20-14-B0-7E-22-11 on wlan (Group-1-DOT1X) (ssid:RKOI) with ftie 0 (mgmt.c:3467
[ap7532-82BCF4-eap] 08:47:11.31: client:no pmkid from client 20-14-B0-7E-22-11 (mgmt.c:1197)
[ap7532-82BCF4-eap] 08:47:11.31: client:state MU_STATE_DOT1X for client 20-14-B0-7E-22-11 (mgmt.c:1206)
[ap7532-82BCF4-eap] 08:47:11.31: client:wireless client 20-14-B0-7E-22-11 changing state from [Roaming] to [802.1x/EAP Auth] (mgmt.c:622)
[ap7532-82BCF4-eap] 08:47:11.31: eap:sending eap-code-request code 1, type 1 to 20-14-B0-7E-22-11 (eap.c:963)
[ap7532-82BCF4-eap] 08:47:11.31: eap:sending eap-id-req to 20-14-B0-7E-22-11 (eap.c:990)
[ap7532-82BCF4-eap] 08:47:11.31: client:transmitting roam notification for 20-14-B0-7E-22-11 (mgmt.c:345)
[ap7532-82BCF4-eap] 08:47:11.32: client:os-info in credcache for 20-14-B0-7E-22-11 (OS:Unknown/Browser:Unknown/Type:Unknown) (credcache.c:915)
[ap7532-82BCF4-eap] 08:47:11.32: client:user-info in credcache for 20-14-B0-7E-22-11 (loyalty_app:0) (credcache.c:956)
[ap7532-82BCF4-eap] 08:47:11.39: eap:rx eap id-response from 20-14-B0-7E-22-11 (eap.c:696)
[ap7532-82BCF4-eap] 08:47:11.39: radius:aaa-policy INTERNAL-AAA user: DT-355856050632419 mac: 20-14-B0-7E-22-11 server_is_candidate: 1 0 0 0 0 0 (
[ap7532-82BCF4-eap] 08:47:11.40: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 1) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:14.54: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 2) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:17.75: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 3) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:20.94: eap:sending eap-failure to 20-14-B0-7E-22-11 (eap.c:1006)
[ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:no response from radius server INTERNAL-AAA:1 for wireless client 20-14-B0-7E-22-11 (eap.c:373)
[ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:alarm num_eap_s_tout ++ 1 (eap.c:394)
[ap7532-82BCF4-eap] 08:47:20.94: mgmt:tx deauthentication [reason: radius server timeout (code:23)] to 20-14-B0-7E-22-11 (mgmt.c:1836)


Hope this means something to someone.
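The debug output above can be reduced mechanically to the facts that matter for a RADIUS timeout. The following is an added example (not code from the thread or from Extreme Networks) that parses a constructed excerpt of those lines and reports where the access-request was proxied, how many attempts the AP made, how long it waited and the final deauthentication reason code; the only assumption is the line format shown above.

```python
"""Reduce WiNG AP debug output for one client to the facts behind a RADIUS timeout.

Added example, not code from the thread or from Extreme Networks. It parses the
kind of debug lines shown above (a constructed excerpt is embedded below) and
reports proxy target, attempt count, wait time and the final reason code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of the AP debug output from the thread (same client MAC).
SAMPLE_DEBUG = """\
[ap7532-82BCF4-eap] 08:47:11.31: mgmt:Client 20-14-B0-7E-22-11 negotiated WPA2-EAP on wlan (Group-1-DOT1X) (mgmt.c:3412)
[ap7532-82BCF4-eap] 08:47:11.39: eap:rx eap id-response from 20-14-B0-7E-22-11 (eap.c:696)
[ap7532-82BCF4-eap] 08:47:11.39: radius:aaa-policy INTERNAL-AAA user: DT-355856050632419 mac: 20-14-B0-7E-22-11 server_is_candidate: 1 0 0 0 0 0 (
[ap7532-82BCF4-eap] 08:47:11.40: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 1) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:14.54: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 2) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:17.75: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 3) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:20.94: eap:sending eap-failure to 20-14-B0-7E-22-11 (eap.c:1006)
[ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:no response from radius server INTERNAL-AAA:1 for wireless client 20-14-B0-7E-22-11 (eap.c:373)
[ap7532-82BCF4-eap] 08:47:20.94: mgmt:tx deauthentication [reason: radius server timeout (code:23)] to 20-14-B0-7E-22-11 (mgmt.c:1836)
"""

# "[ap-name] HH:MM:SS.ff: module:message", with an optional "%%%%>" marker before the time.
LINE_RE = re.compile(r"^\[(?P<ap>[^\]]+)\]\s+(?:%+>)?(?P<ts>\d\d:\d\d:\d\d\.\d+):\s+(?P<mod>\w+):(?P<msg>.*)$")
NEGOTIATED_RE = re.compile(r"Client (\S+) negotiated (\S+) on wlan \((\S+)\)")
AAA_RE = re.compile(r"aaa-policy (\S+) user: (\S+) mac: (\S+)")
ATTEMPT_RE = re.compile(r"proxied to (\S+?)\.? \(attempt (\d+)\)")
NORESP_RE = re.compile(r"no response from radius server (\S+) for wireless client (\S+)")
DEAUTH_RE = re.compile(r"tx deauthentication \[reason: (.+?) \(code:(\d+)\)\] to (\S+)")


@dataclass
class EapSession:
    client: str = ""
    wlan: str = ""
    security: str = ""
    aaa_policy: str = ""
    user: str = ""
    proxied_to: str = ""
    attempts: List[Tuple[float, int]] = field(default_factory=list)  # (seconds, attempt no.)
    unresponsive_server: str = ""
    deauth_reason: str = ""
    deauth_code: Optional[int] = None
    deauth_at: Optional[float] = None


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_debug(text: str) -> EapSession:
    """Walk the debug lines in order and collect the EAP/RADIUS milestones."""
    sess = EapSession()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # truncated or unrelated line
        t, msg = _seconds(m["ts"]), m["msg"]
        if (h := NEGOTIATED_RE.search(msg)):
            sess.client, sess.security, sess.wlan = h.groups()
        elif (h := AAA_RE.search(msg)):
            sess.aaa_policy, sess.user, _ = h.groups()
        elif (h := ATTEMPT_RE.search(msg)):
            sess.proxied_to = h.group(1)
            sess.attempts.append((t, int(h.group(2))))
        elif (h := NORESP_RE.search(msg)):
            sess.unresponsive_server = h.group(1)
        elif (h := DEAUTH_RE.search(msg)):
            sess.deauth_reason, code, _ = h.groups()
            sess.deauth_code, sess.deauth_at = int(code), t
    return sess


def diagnose(sess: EapSession) -> dict:
    """Classify the failure. Reason code 23 together with 'no response' means the AP
    never received an Access-Accept or Access-Reject, so the server path failed,
    not the user's credentials."""
    result = {"verdict": "unknown", "attempts": len(sess.attempts), "elapsed": None, "detail": ""}
    if sess.attempts and sess.deauth_at is not None:
        result["elapsed"] = round(sess.deauth_at - sess.attempts[0][0], 2)
    if sess.unresponsive_server or sess.deauth_code == 23:
        where = ("the controller's own onboard RADIUS (loopback)"
                 if sess.proxied_to.startswith("127.") else sess.proxied_to)
        result["verdict"] = "radius-timeout"
        result["detail"] = (f"{len(sess.attempts)} access-requests for {sess.user or sess.client} "
                            f"proxied to {where} went unanswered over {result['elapsed']} s; "
                            f"check that the controller has a radius-server-policy in use "
                            f"for aaa-policy {sess.aaa_policy}")
    elif sess.deauth_code is not None:
        result["verdict"] = "rejected-or-other"
        result["detail"] = sess.deauth_reason
    return result
```

On the excerpt above the verdict is a RADIUS timeout: three access-requests over about 9.5 s to 127.0.0.1:1812, which is the controller's own onboard server, with no answer at all.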
Andrew Webster

Phil, 

It appears as if you've set the aaa-policy to use onboard controller or onboard centralized-controller, but perhaps the controller isn't "using" the radius server policy hence the timeouts.
Perhaps debug the controller side to see what its doing with the radius requests.

Can you post a show running-config...
Phil storey

Hi Andrew,
   here is the running config. It's not pretty (I have removed some IP and other info).
I want to set this on only one AP, for the test.
!
! Configuration of RFS7000 version 5.8.5.0-016R
!
!
version 2.5
!
!
client-identity Android-X
 dhcp 1 message-type request option 55 exact hexstring 012103060f1c333a3b
 dhcp 2 message-type request option 60 exact ascii dhcpcd-5.5.6
 dhcp-match-message-type request
!
client-identity Motorola-Android
 dhcp 1 message-type request option 55 starts-with hexstring 012103060f1c2c333a3b
 dhcp-match-message-type request
!
client-identity Windows-10
 dhcp 1 message-type request option 55 exact hexstring 01002710792c78
 dhcp 5 message-type request option 60 exact ascii "MSFT 5.0"
 dhcp-match-message-type request
!
client-identity iPhone-iPad
 dhcp 4 message-type request option 55 exact hexstring 017903060f77fc
 dhcp 10 message-type request option 55 exact hexstring 0103060f77fc
 dhcp 1 message-type request option-codes exact hexstring 3537393d32330c
 dhcp 2 message-type request option-codes exact hexstring 3537393d32360c
 dhcp 3 message-type request option-codes exact hexstring 3537393d3233
 dhcp 6 message-type request option-codes exact hexstring 3537393d330c
 dhcp-match-message-type request
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 permit ip any 224.0.0.0/4 rule-precedence 21 rule-description "Allow IP multicast for Chromecast and Apple TV Boxes to work"
 permit ip any host 255.255.255.255 rule-precedence 22 rule-description "allow IP local broadcast for Chromecast and Apple TV Boxes to work"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
 permit proto 254 any any rule-precedence 101 rule-description Sip traffic
 permit tcp any eq 5061 any rule-precedence 102 rule-description sip traffic
 permit ip any xxx.245.xx.0/21 rule-precedence 103 rule-description RC Network
 permit ip any xxx.23.xxx.0/22 rule-precedence 104 rule-description RC Network
 permit ip any xxx.255.xxx.0/22 rule-precedence 106 rule-description RC Network
 permit ip any xxx.68.xxx.0/22 rule-precedence 107 rule-description RC Network
 permit tcp any range 8008 8009 any range 8008 8009 rule-precedence 108
 permit udp any eq 53 any rule-precedence 110
 permit udp any eq 1900 any rule-precedence 111
 permit tcp any xxx.236.xxx.128/2x eq https rule-precedence 113
 permit tcp any xxx.241.xxx.192/2x eq https rule-precedence 114
 permit tcp any xxx.246.xxx.128/2x eq https rule-precedence 115
 permit tcp any xxx.207.xxx.192/2x eq https rule-precedence 116
 permit tcp any xxx.58.xxx.160/2x eq https rule-precedence 117
 permit tcp any xxx.11.xxx.96/2x eq https rule-precedence 118
 permit tcp any xxx.153.xxx.160/2x eq https rule-precedence 119
 permit tcp any xxx.249.xxx.128/2x eq https rule-precedence 121
 permit tcp any xxx.22xxx.112/2x eq https rule-precedence 122
 permit tcp any 54.175.63.64/26 eq https rule-precedence 123
 permit tcp any 54.93.127.192/26 eq https rule-precedence 124
 permit tcp any xxx.209.xxx.64/2x eq https rule-precedence 125
 permit tcp any xxx.241.xxx.64/2x eq https rule-precedence 126
 permit tcp any xxx.219.xxx.192/2x eq https rule-precedence 127
 permit tcp any xxx.4.xxx.128/2x eq https rule-precedence 128
 permit tcp any xxx.233.xxx.192/2x eq https rule-precedence 129
 permit tcp any xxx.219.xxx.64/2x eq https rule-precedence 130
 permit tcp any xxx.175.xxx.192/2x eq https rule-precedence 131
 permit tcp any xxx.250.xxx.0/2x eq https rule-precedence 132
 permit tcp any xxx.171.xxx.192/2x eq https rule-precedence 133
 permit tcp any xxx.93.xxx.192/x eq https rule-precedence 134
 permit udp any range 5060 5061 any range 5060 5061 rule-precedence 135
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
 deny host 00-1F-3B-26-02-A5 host 00-1F-3B-26-02-A5 rule-precedence 30
!
ip snmp-access-list Mic_HQ
 permit host xxx.17.1xx.xxx
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 storm-control multicast log warnings
 ip-mac conflict log-and-drop log-level debugging
 no ipv6 firewall enable
 no stateful-packet-inspection-l2
!
role-policy RBFW
 user-role Guest precedence 1
  assign vlan 1
  ssid contains RKOI
 user-role Corp precedence 2
  assign vlan 1
  group exact Corp
!
!
mint-policy global-default
!
meshpoint-qos-policy default
 accelerated-multicast autodetect classification voice
!
wlan-qos-policy default
 classification normal
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
 no admission-control implicit-tspec
 admission-control voice
 admission-control video
 admission-control video max-airtime-percent 15
 accelerated-multicast max-streams 60
!
aaa-policy INTERNAL-AAA
 authentication server 1 onboard controller
!
association-acl-policy Mic_Ban
 deny 4C-0B-BE-04-F1-04 4C-0B-BE-04-F1-04 precedence 1
!
wlan 1
 description Guest
 ssid HOTSPOT
 vlan 10
 bridging-mode tunnel
 encryption-type tkip-ccmp
 authentication-type none
 no answer-broadcast-probes
 radio-resource-measurement
 no radio-resource-measurement channel-report
 fast-bss-transition
 wpa-wpa2 psk 0 6hbZ5r5sYJ
 wpa-wpa2 handshake timeout 200 300 400 500
 wpa-wpa2 handshake attempts 5
 use ip-access-list out BROADCAST-MULTICAST-CONTROL
 use mac-access-list out PERMIT-ARP-AND-IPv4
!
wlan 2
 description Microlise WLAN
 ssid WLANBG
 vlan 1
 bridging-mode tunnel
 encryption-type tkip-ccmp
 authentication-type none
 no answer-broadcast-probes
 fast-bss-transition
 wpa-wpa2 psk 0 xxxxxxxxxx
 wpa-wpa2 handshake timeout 200 300 400 500
 wpa-wpa2 handshake attempts 5
 accounting syslog host xxx.17.154.xx port 514 proxy-mode through-controller
 data-rates 2.4GHz gn
 data-rates 5GHz an
 ip arp trust
 ip dhcp trust
 use ip-access-list out BROADCAST-MULTICAST-CONTROL
 use mac-access-list out PERMIT-ARP-AND-IPv4
!
wlan 3
 description ICT Test
 ssid DOMTEST
 vlan 10
 bridging-mode tunnel
 encryption-type tkip-ccmp
 authentication-type none
 no answer-broadcast-probes
 radio-resource-measurement
 fast-bss-transition
 wpa-wpa2 psk 0 Dxuxles1x
 wpa-wpa2 handshake timeout 200 300 400 500
 wpa-wpa2 handshake attempts 5
 wing-extensions ft-over-ds-aggregate
 no client-load-balancing allow-single-band-clients 5ghz
!
wlan 4
 description Company Mobile Phone
 ssid VoipT
 vlan 10
 bridging-mode tunnel
 encryption-type tkip-ccmp
 authentication-type none
 no answer-broadcast-probes
 radio-resource-measurement
 fast-bss-transition
 wpa-wpa2 psk 0 Un1fyxxx
 wpa-wpa2 handshake timeout 200 300 400 500
 wpa-wpa2 handshake attempts 5
 data-rates 2.4GHz gn
 data-rates 5GHz an
 use ip-access-list out BROADCAST-MULTICAST-CONTROL
 use mac-access-list out PERMIT-ARP-AND-IPv4
!
wlan Group-1-DOT1X
 description PEAP-TEST
 shutdown
 ssid RKOI
 vlan 1
 bridging-mode tunnel
 encryption-type ccmp
 authentication-type eap
 radio-resource-measurement
 fast-bss-transition
 use aaa-policy INTERNAL-AAA
 registration device-OTP group-name tesco expiry-time 4320
 service monitor aaa-server
!
meshpoint link
 meshid link
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1-4094
 neighbor inactivity-timeout 60
 security-mode none
 wpa2 psk 0 hellomoto
 no root
!
smart-rf-policy Wood2
 channel-width 5GHz auto
 channel-width 2.4GHz auto
!
radius-group Corp
 policy ssid RKOI
!
radius-group Guest
 guest
!
radius-group Test-eap
 policy vlan 1
 policy ssid RKOI
!
radius-user-pool-policy CORP-USER
 user John password 0 doe group Corp
!
radius-user-pool-policy Test-eap
 user DT-355856050632419 password 0 Pa55w0rd group Corp Test-eap
!
radius-server-policy RADIUS
 use radius-user-pool-policy Test-eap
 no ldap-group-verification
!
!
management-policy default
 no telnet
 no http server
 https server
 no ftp
 ssh
 user admin password 1 ab38cb210d7336ec17bcad7b2d0d7fa644e98f9fcd32c691c5ac1875f5858854 role superuser access all
 allowed-location MHQ locations MHQ
 snmp-server manager v1
 snmp-server manager v2
 no snmp-server manager v3
 snmp-server community 0 public ro ip-snmp-access-list Mic_HQ
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
 snmp-server enable traps
 snmp-server host xxx.xx.146.1x v2c 161 community 0 public
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
!
event-system-policy Mesh
 event mesh meshpoint-loop-prevent-on email off
 event mesh meshpoint-eap-server-timeout email off
 event mesh mp-rescan email off
 event mesh mesh-link-down email on
 event mesh mpr-chan-change email off
 event mesh meshpoint-eap-failed email off
 event mesh meshpoint-root-change email off
 event mesh meshpoint-down email off
 event mesh meshpoint-eap-success email off
 event mesh meshpoint-eap-client-timeout email off
 event mesh meshpoint-up email off
 event mesh meshpoint-path-change email off
 event mesh meshpoint-loop-prevent-off email off
 event mesh mp-chan-change email off
 event mesh mesh-link-up email on
!
ex3500-management-policy default
 snmp-server community public ro
 snmp-server community private rw
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server view defaultview 1 included
!
ex3500-qos-class-map-policy default
!
ex3500-qos-policy-map default
!
l2tpv3 policy default
!
profile rfs7000 default-rfs7000
 autoinstall configuration
 autoinstall firmware
 use radius-server-policy RADIUS
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface pppoe1
 use firewall-policy default
 use role-policy RBFW
 cluster member ip 172.xxx.146.105 level 1
 cluster member ip 172.xxx.146.106 level 1
 cluster member vlan 1
 logging on
 logging syslog debugging
 logging host 1xx.xxx.154.4x
 no logging forward
 no lldp run
 service pm sys-restart
 router ospf
!
profile ap7532 AP7532_De
 dscp-mapping 46 priority 7
 autoinstall configuration
 autoinstall firmware
 led flash-pattern
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 logging on
 no lldp run
 service pm sys-restart
 router ospf
 traffic-shape total-bandwidth 20 Mbps
 traffic-shape enable
!
profile ap7532 Mic_7532
 dscp-mapping 46 priority 7
 ip default-gateway xxx.xxx.xxx.xxx
 autoinstall configuration
 autoinstall firmware
 led flash-pattern
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  data-rates gn
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  antenna-mode 3x3
  antenna-diversity
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 ntp server xxx.xxx.144.1xx prefer version 3
 ntp server xxx.xxx.144.xxx version 3
 use role-policy RBFW
 logging on
 no cdp run
 no lldp run
 service pm sys-restart
 router ospf
 traffic-shape total-bandwidth 20 Mbps
 traffic-shape enable
!
profile ap7532 default-ap7532
 dscp-mapping 46 priority 7
 autoinstall configuration
 autoinstall firmware
 led flash-pattern
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 ntp server xxx.xxx.144.1xx prefer version 3
 ntp server xxx.xxx.144.1xx version 3
 logging on
 no cdp run
 no lldp run
 service pm sys-restart
 router ospf
 traffic-shape total-bandwidth 20 Mbps
 traffic-shape enable
!
profile ap7532 mic-mesh
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  placement outdoor
 interface radio2
  placement outdoor
  meshpoint link bss 1
  non-unicast tx-rate lowest-basic
  no dynamic-chain-selection
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1-4094
 interface pppoe1
 use event-system-policy Mesh
 use firewall-policy default
 email-notification host dom02 sender WifiBridge@microlise.com port 25
 email-notification recipient support@microlise.com
 no cdp run
 service pm sys-restart
 router ospf
!
profile ap7532 wood_2
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface pppoe1
 use firewall-policy default
 use role-policy RBFW
 no cdp run
 no lldp run
 service pm sys-restart
 router ospf
!
profile ap71xx Mic71xxx
 ip default-gateway xxx.xxx.144.xxx
 autoinstall configuration
 autoinstall firmware
 device-upgrade persist-images
 load-balancing balance-ap-loads
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
  data-rates custom basic-5.5 basic-11 basic-12 basic-18 basic-24 basic-36 basic-48 basic-54 basic-mcs-1s mcs-2s
  rate-selection opportunistic
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
  wlan 4 bss 4 primary
  preamble-short
  no dynamic-chain-selection
  no adaptivity recovery
 interface radio2
  data-rates custom basic-12 basic-18 basic-24 basic-36 basic-48 basic-54 basic-mcs-1s mcs-2s
  rate-selection opportunistic
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
  wlan 4 bss 4 primary
  no dynamic-chain-selection
  no adaptivity recovery
 interface radio3
  shutdown
 interface ge1
 interface ge2
  shutdown
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 ntp server xxx.xxx.144.150 prefer version 3
 ntp server xxx.xxx.144.151 version 3
 logging on
 no lldp run
 no auto-learn staging-config
 service pm sys-restart
 traffic-shape enable
!
profile ap71xx default-ap71xx
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface wwan1
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
!
profile ap650 default-ap650
 ip default-gateway xxx.xxx.144.xxx
 autoinstall configuration
 autoinstall firmware
 no device-upgrade auto
 load-balancing balance-ap-loads
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  power 20
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
  wlan 4 bss 4 primary
 interface radio2
  power 20
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 logging on
 service pm sys-restart
!
rf-domain Wood_2
 location ML_HQ
 timezone Europe/London
 country-code gb
 use smart-rf-policy Wood2
!
rf-domain default
 no country-code
!
rfs7000 00-15-70-38-0A-F9
 use profile default-rfs7000
 use rf-domain Wood_2
 hostname rfs7000-Backup
 layout-coordinates 145.5 212.5
 no mint mlcp ipv6
 no mint tunnel-across-extended-vlan
 no spanning-tree mst enable bridge-forward
 spanning-tree portfast bpduguard default
 spanning-tree portfast bpdufilter default
 spanning-tree mst region RFS_ML
 spanning-tree mst revision 2
 ip name-server xxx.xxx.144.1xx
 ip name-server xxx.xxx.144.xxx
 ip domain-name l.local
 area "Mez Floor"
 ip default-gateway xxx.xxx.144.xxx
 interface ge1
  speed 1000
  duplex full
 interface vlan1
  ip address xxx.xxx.xxx.106/2x
 interface vlan10
  ip address dhcp
 cluster name M_HQ_Cluster
 cluster mode standby
 cluster member vlan 1
 cluster master-priority 100
 cluster handle-stp
 cluster force-configured-state
!
rfs7000 00-15-70-81-BE-8E
 use profile default-rfs7000
 use rf-domain Wood_2
 hostname rfs7000-Primary
 layout-coordinates 481.5 9.5
 license AP baa10e1a4916c4f89b2c620c20ab86b72fd7aefe10c9d75c90cfe595682b28cc0cff4e7c66e1796b
 timezone Europe/London
 country-code gb
 channel-list 2.4GHz 1,2,3,4,5,7,8,10,11,12,13,14
 no mint mlcp ipv6
 no mint tunnel-across-extended-vlan
 ip igmp snooping
 ip igmp snooping querier
 no spanning-tree mst enable bridge-forward
 spanning-tree portfast bpduguard default
 spanning-tree portfast bpdufilter default
 spanning-tree mst region RFS_ML
 spanning-tree mst revision 2
 ip name-server xxx.xxx.144.1xx
 ip name-server xxx.xxx.144.1xx
 ip domain-name m.local
 area "B4 SRm"
 floor GF
 ip default-gateway xxx.xxx.144.xxx
 no use radius-server-policy
 interface me1
  ip address 10.10.10.10/24
 interface ge1
  speed 1000
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk native tagged
  switchport trunk allowed vlan 1,10-11
  no ipv6 nd raguard
  no ip arp trust
  ip arp header-mismatch-validation
 interface vlan1
  description Ron
  ip address xxx.xxx.146.1xx/20
  use ip-access-list in BROADCAST-MULTICAST-CONTROL
 interface vlan10
  ip address dhcp
  ip dhcp client request options all
 ntp server xxx.xxx.144.1xx prefer version 3
 ntp server xxx.xxx.144.1xx version 3
 cluster name M_HQ_Cluster
 cluster member vlan 1
 cluster master-priority 200
 cluster handle-stp
 cluster force-configured-state
 traffic-shape class 1 rate 70 Mbps
 traffic-shape total-bandwidth 70 Mbps
 traffic-shape enable
!
ap7532 84-24-8D-80-C3-AC
 use profile Mic_7532
 use rf-domain Wood_2
 hostname ap7532-2-Delivery
 area HR-Accounts-CEO
 floor B4-First-Floor
 interface radio1
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 3 primary
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 3 primary
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
 interface vlan1
  ip address dhcp
!
ap7532 84-24-8D-80-C5-F4
 use profile Mic_7532
 use rf-domain Wood_2
 hostname AP7532-ICT-B4a
 location B4a-Sdesk
 contact ICT
 ip name-server xxx.xx.144.xx
 ip name-server xxx.xx.144.xxx
 ip domain-name m.local
 ip default-gateway xxx.xxx.144.1.xxx
 no ip default-gateway failover
 interface radio1
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
  wlan 4 bss 4 primary
  no adaptivity recovery
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 3 bss 3 primary
  wlan 4 bss 4 primary
  antenna-mode 3x3
  antenna-diversity
  no adaptivity recovery
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
!
ap7532 84-24-8D-80-C6-24
 use profile Mic_7532
 use rf-domain Wood_2
 hostname AP7532-Reception-Landing
 layout-coordinates -72.5 -198.5
 area B4
 floor First-floor-Theatre
 interface radio1
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
!
ap7532 84-24-8D-82-BC-78
 use profile mic-mesh
 use rf-domain Wood_2
 hostname ap7532-Remote-Bridge
 layout-coordinates -179.5 -291.5
 geo-coordinates 53.0151 -1.3156
 ip igmp snooping
 interface radio1
  shutdown
  power smart
  no mesh
  mesh psk 0 RUc6UnarePa&
 interface radio2
  power smart
  no mesh
  mesh psk 0 RUc6UnarePa&
  antenna-gain 0.0
  antenna-mode 3x3
  antenna-diversity
 interface vlan1
  ip address 172.17.148.252/20
  ip address zeroconf secondary
!
ap7532 84-24-8D-82-BC-F4
 use profile Mic_7532
 use rf-domain Wood_2
 hostname ap7532-82BCF4-eap
 layout-coordinates 159.5 -186.5
 area TBC
 floor TBC
 interface radio1
  wlan Group-1-DOT1X bss 1 primary
 interface radio2
  wlan Group-1-DOT1X bss 1 primary
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
!
ap7532 84-24-8D-82-BD-80
 use profile Mic_7532
 use rf-domain Wood_2
 hostname ap7532-Reception
 layout-coordinates 214.5 -155.5
 area Reception-by-Lift
 floor Ground-Floor
 interface radio1
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
 interface ge1
  no cdp receive
  no cdp transmit
  no lldp receive
  no lldp transmit
!
ap7532 84-24-8D-82-BF-18
 use profile m-mesh
 use rf-domain Wood_2
 hostname ap7532-HQ-Bridge
 layout-coordinates 258.5 -298.5
 geo-coordinates xx.0137 -1.3146
 bridge vlan 1
 ip default-gateway xxx.xxx.144.1.xxx
 interface radio1
  shutdown
  data-rates gn
  placement outdoor
  no mesh
  antenna-gain 0.0
  antenna-mode default
  no antenna-diversity
 interface radio2
  power smart
  no mesh
  mesh psk 0 RUc6UnarePa&
  antenna-gain 0.0
  antenna-mode 3x3
  antenna-diversity
 interface vlan1
  ip address xxx.17.xx.251/2x
  ip address zeroconf secondary
 meshpoint-device link
  root
!
ap7532 84-24-8D-82-C7-88
 use profile Mic_7532
 use rf-domain Wood_2
 hostname ap7532-1-Delivery
 layout-coordinates x48.5 -201.5
 area Delivery
 floor B4-First-Floor-Kitchen-Sec-end
 interface radio1
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 3 primary
 interface radio2
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 3 primary
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
  no cdp receive
  no cdp transmit
  no lldp receive
  no lldp transmit
!
ap71xx 00-15-70-EB-7C-A8
 use profile Mic71xxx
 use rf-domain Wood_2
 hostname ap7131-7-PC01
 layout-coordinates -396.5 -39.4
 area "PortaCabin- Embedded Team"
 floor B4a-GF
 interface radio1
  no shutdown
  channel smart
  power smart
  data-rates default
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 5 primary
  non-unicast tx-rate lowest-basic
  no antenna-diversity
 interface radio2
  no shutdown
  channel smart
  power smart
  data-rates an
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  non-unicast tx-rate lowest-basic
 interface ge1
  speed auto
  duplex auto
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
  no cdp receive
  no cdp transmit
  no lldp receive
  no lldp transmit
 interface ge2
  switchport mode access
  switchport access vlan 2100
 interface vlan1
  ip address dhcp
 auto-learn staging-config
 traffic-shape enable
!
ap71xx 00-15-70-EB-7D-00
 use profile Mic71xxx
 use rf-domain Wood_2
 hostname 7131-loading-bay
 layout-coordinates -505.5 -206.5
 area "Loading bay area"
 floor GF
 power-config mode auto
 power-config at-option throughput
 power-config af-option throughput
 interface radio1
  channel smart
  power smart
  data-rates gn
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  antenna-diversity
 interface radio2
  channel smart
  power smart
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  antenna-diversity
 interface ge1
  speed 1000
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
  no cdp receive
  no cdp transmit
  no lldp receive
  no lldp transmit
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
 no rf-domain-manager capable
 auto-learn staging-config
 traffic-shape enable
!
ap71xx 00-15-70-EB-96-CC
 use profile Mic71xxx
 use rf-domain Wood_2
 hostname ap7131-4-PC02
 layout-coordinates -411.5 -142.5
 ip default-gateway xxx.xxx.144.1.xxx
 interface radio1
  channel smart
  power smart
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  no antenna-diversity
 interface radio2
  channel smart
  power smart
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
 interface ge1
  speed auto
  duplex auto
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
 interface ge2
  switchport mode access
  switchport access vlan 2100
 interface vlan1
  ip address dhcp
 no rf-domain-manager capable
 auto-learn staging-config
 traffic-shape enable
!
ap71xx 00-23-68-8B-3D-7C
 use profile Mic71xxx
 use rf-domain Wood_2
 hostname ap7131-3-B4b
 layout-coordinates -359.5 -203.5
 ip igmp snooping
 dscp-mapping 0-7 priority 0
 dscp-mapping 8-15 priority 1
 dscp-mapping 16-23 priority 2
 dscp-mapping 25,27-31 priority 3
 dscp-mapping 24,26,32-39 priority 4
 dscp-mapping 40-45,47 priority 5
 dscp-mapping 48-55 priority 6
 dscp-mapping 46,56-63 priority 7
 ip name-server xxx.xxx.144.1.xxx
 ip name-server xxx.xxx.144.1.xxx
 ip domain-name m.local
 interface radio1
  channel smart
  power smart
  data-rates bgn
  rate-selection standard
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  wlan Group-1-DOT1X bss 5 primary
  antenna-mode default
  no antenna-diversity
 interface radio2
  shutdown
  channel smart
  power smart
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  antenna-mode default
  no antenna-diversity
  no dfs-rehome
 interface ge1
  speed 1000
  duplex full
  ip arp trust
 interface ge2
  switchport mode access
  switchport access vlan 2100
 interface vlan1
  ip address dhcp
 no ip dns-server-forward
 traffic-shape enable
!
ap71xx 00-24-38-F3-72-00
 use profile Mic71xxx
 use rf-domain Wood_2
 hostname ap7131-lawrence-room
 timezone Europe/London
 area Prod-Purchasing
 floor B4
 power-config mode auto
 interface radio1
  channel smart
  power smart
  data-rates gn
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  no antenna-diversity
 interface radio2
  channel smart
  power smart
  data-rates an
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  antenna-diversity
 interface ge1
  speed 1000
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
  no cdp receive
  no cdp transmit
  no lldp receive
  no lldp transmit
 interface ge2
  switchport mode access
  switchport access vlan 2100
 interface vlan1
  ip address dhcp
 no rf-domain-manager capable
 auto-learn staging-config
!
ap71xx 5C-0E-8B-0A-D5-20
 use profile Mic71xxx
 use rf-domain Wood_2
 hostname ap7131-Stores
 layout-coordinates -0.5 -207.5
 area "Stores- Prod"
 floor B4
 device-upgrade persist-images
 power-config mode auto
 power-config at-option throughput
 power-config af-option throughput
 interface radio1
  channel smart
  power smart
  data-rates gn
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 3 primary
  antenna-mode default
  antenna-diversity
 interface radio2
  channel smart
  power smart
  data-rates an
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
  antenna-mode default
  antenna-diversity
 interface ge1
  speed 1000
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
  no use mac-access-list in
  no cdp receive
  no cdp transmit
  no lldp receive
  no lldp transmit
 interface ge2
  shutdown
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
 no rf-domain-manager capable
 auto-learn staging-config
 traffic-shape enable
!
ap71xx B4-C7-99-6B-76-C0
 use profile Mic71xxx
 use rf-domain Wood_2
 hostname AP7131-Development
 layout-coordinates 465.5 -136.5
 area B4a
 floor First-Floor
 power-config mode 3af
 interface radio1
  channel smart
  power smart
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
 interface radio2
  channel smart
  power smart
  wlan 1 bss 1 primary
  wlan 2 bss 2 primary
  wlan 4 bss 4 primary
 interface ge1
  speed 1000
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,10
  no cdp receive
  no cdp transmit
  no lldp receive
  no lldp transmit
 interface vlan1
  ip address dhcp
 auto-learn staging-config
 traffic-shape enable
!
!
end
Andrew Webster
Phil,
I don't see any mention of trustpoints in your config, so I'm guessing you didn't do any certificate setup as part of the Radius setup.
EAP-anything requires a RADIUS server-side certificate in order to function. It cannot use the default built-in trustpoint.

I found this video to be very informative; although the presenter is setting up EAP-TLS, EAP-PEAP is similar, and you should be able to derive the correct config from there.
https://www.youtube.com/watch?v=-f0R9tNwRX4
Phil storey
So am I correct in thinking I need to use an external LDAP server with the onboard RADIUS on the RFS7k?

For this test I don't want to use certificates.
Andrew Webster
You can't NOT use certificates. EAP-PEAP-MS-CHAPv2 stipulates at a minimum that you must have server-side certificates on the RADIUS server.

If you want to use an external LDAP that's fine, but the RADIUS server still needs a certificate.
Similarly, if you used an external RADIUS server, it would need to have a certificate.
Phil storey
Ok, so I have to copy the cert to our LDAP server? Or just create it on the RFS?
Andrew Webster
You need to create the certificate on the RFS. The video I linked earlier covers those steps.
Christopher Frazee, Employee
For a simple test, just use PEAP/MSCHAPv2 on the RFS on-board RADIUS server and, on the client side, ensure that you un-select "validate server certificate". You will not need a certificate on the RFS if using PEAP/MSCHAPv2.
Phil storey
A bit more: it seems there may be a bug in 5.8.5. When you look at the context for the RADIUS server it's configured and looks like it's running, but when you show the RADIUS server stats it's not running, and any connection comes back with "No response from radiusd". This may also explain why I could never get connected to the captive portal when I was trying to set one up: I could get the web page and the login details etc. but it just would not connect. This was a while ago and just me seeing how it worked.
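The "No response from radiusd" symptom above can be checked from outside the controller. The script below is an added example, not part of this thread and not WiNG code: it hand-builds an RFC 2865 PAP Access-Request the way `radtest` does, sends it to the server and tells a timeout (radiusd not listening, UDP/1812 filtered, or the probing host not defined as a NAS client, which RADIUS servers drop silently) apart from an Access-Reject or a reply that fails the Response Authenticator check (wrong shared secret). The server address, shared secret, test password and NAS address are placeholders; it assumes the probing host is configured as a NAS on the onboard RADIUS with that secret and that the test user exists in the user pool.

```python
"""RFC 2865 Access-Request probe for an onboard RADIUS server (PAP).

Added example, not from the original thread or from WiNG.  Assumed (not in
the thread): the host running this is a configured NAS client on the RADIUS
server with the shared secret passed in, and the test user exists.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    Request Authenticator.  This is a keyed stream, not a password hash, which
    is why PAP over RADIUS needs a trusted wire or IPsec."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server side); NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, authenticator: bytes, nas_ip: str) -> bytes:
    """Code(1) Identifier Length(2) Authenticator(16) Attributes..."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def verify_response(packet: bytes, ident: int, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply failing this check (wrong secret, spoofed server) is treated as no reply."""
    if len(packet) < 20:
        return False
    _code, reply_ident, length = struct.unpack("!BBH", packet[:4])
    if reply_ident != ident or length != len(packet) or length < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def probe(server: str, secret: bytes, username: str, password: str,
          nas_ip: str, port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request and describe what came back."""
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    request = build_access_request(ident, username, password, secret, authenticator, nas_ip)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        # Servers silently drop requests from an unknown NAS, so a timeout also
        # covers "client not configured", not only "radiusd not running".
        return "no response: radiusd not listening, NAS not configured, or UDP/%d filtered" % port
    finally:
        sock.close()
    if not verify_response(reply, ident, authenticator, secret):
        return "reply failed Response Authenticator check: wrong shared secret or spoofed reply"
    return CODE_NAMES.get(reply[0], "unexpected code %d" % reply[0])


if __name__ == "__main__":
    # Placeholder values (TEST-NET address, dummy secret and password), not from the thread.
    print(probe("192.0.2.10", b"changeme", "UKROI", "not-the-real-password", "192.0.2.20"))
```

PAP is used only because it is the one-packet test that needs no TLS tunnel; it does not exercise the PEAP/MS-CHAPv2 path. An Access-Accept here proves only that radiusd is up, the NAS is defined and the shared secret matches, which is the precondition for the certificate discussion above.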
Phil storey
Anyone know if there is a 5.8.6 release for the RFS7k?