topic RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate in ExtremeWireless (WiNG)

Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Tue, 13 Jun 2017 19:40:00 GMT

I have created on onboard Radius and role based firewall, ( sort of )
so this is what I have done so far,

from the CLI
#conf
# radius-server-policy RADIUS
# commit write
#radius-group Guest
#guest
#..
radius-group Corp
#..
radius-user-pool CORP-USER
User UKROI password #976301234 group corp
#commit write
#profile rfs7000 default-rfs7000
#use radius-server--policy RADIUS
#commit write

# role-policy RBFW
#user-role Guest precedence 1
#assign vlan 999
#ssid contains Guest
#..
#user-role Corp precedence 2
#assign vlan 1000
#group exact Corp
#commit write
#aaa-policy INTERNAL-AAA
#authentication server 1 onboard-controller
I have created a wlan and assigned the aaa-policy INTERNAL_AAA

then in the ap profile under settings I have added the RBFW in the wireless client role policy

The problem I have
I only have two prodution vlan's so I can not put the AAA server to these, but I need to get to a server on the main VLAN

I can see the Dot1x wlan that is part of the test, If I use my mobile phone and try to connect it prompts for a usernsme and a password as it should, I then put thses details is
select the ms-chapv2, then you have an option about certificate he I select none
then under the username it show anonymous
then drop to password enter this
then it shows connecting then gives up.
Now I think its due to the fact that Vlan 999 & 1000 do not have any dhcp server to give the device and IP

So can I setup a dhcp server on the RFS7k ( wing 5.8.5 ) that will only dish out addresses on the dot1x wlan ? then route off to our main vlan to attach to atest server

Lot of information and questions - but any help appreciated

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Tue, 13 Jun 2017 20:01:00 GMT

The RFS can act as a DHCP server quite easily

For example:

dhcp-server-policy RFS
dhcp-pool Guest
network 10.254.254.0/24
address range 10.254.254.10 10.254.254.254
default-router 10.254.254.1
dns-server 8.8.8.8 8.8.4.4In the RFS's config you need to "use" the dhcp server policy to activate it.

You also need to have a switch virtual interface vlan defined in the same subnet, and this same vlan # must be used in the WLAN config.

You can use the "show ip dhcp status" command to verify that the DHCP server is actually running.

Lastly, how do you plan on getting return traffic back to vlan 999 or 1000 ? IE: if a host on vlan 999 communicates with server X, it will receive the packet just fine, but how is it going to know where to send the reply to?

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Tue, 13 Jun 2017 20:23:00 GMT

Hi Andrew
thanks for the very swift response, So I have setup the test wlan the device that will connect via this is a tablet, all the test wlan is for is to prove that our device will support peap.
so the devBod at our place has asked if its possible to
connect to the dot1x network - with a username and passord that he has supplied me, then for it to connect to a test server on a different vlan ( vlan 1 )

.
so on the switch there is no DHCP server running.

so the device will be on vlan 999 but the test server is on vlan 1. ( it looks like this might get complicated )

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Tue, 13 Jun 2017 20:29:00 GMT

If you want to test proof of concept, I would suggest you make your test wlan terminate on vlan 1. This will keep it simple and allow you to demonstrate the peap authentication without having to re-engineer your network.

There is no restriction on having multiple WLANs with different security levels all connect to the same vlan.

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Tue, 13 Jun 2017 20:43:00 GMT

I think I tried that, but I must have done something wrong, as all the users on the wifi were being prompted for a username and password, I must have done something wrong with regards the AAA server ? - there is no AAA server/service on vlan1.

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Tue, 13 Jun 2017 20:53:00 GMT

The AAA service is only used on the WLAN if you call for it to be used. I suspect the role policy might have something to do with that. In reality you don't really need the role policy here. You're trying to change the vlan based on the name of the ssid, but that is something that you can define in a wlan.

Consider the following:

wlan corp
ssid corp
vlan 1
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 some-secret-key
...
wlan test
ssid test
vlan 1
encryption-type ccmp
authentication-type eap
use aaa-policy your-aaa-server-policy
...

In the above scenario both corp and test are using vlan 1, but corp uses WPA2-PSK and test uses WPA2-Enterprise (dot1x).

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Wed, 14 Jun 2017 13:25:00 GMT

Hi Andrew
I have set the wlan to use VLAN1 under the basic setting ( GUI ) - Bridging mode = Tunnel
then in security its set to use Internal-AAA

under Security > wireless Client Roles - my role - in the firewall roles I have set the Vlan ID to 1

? What is the difference between onboard-controller and onboard-self - not there is no punch line to this one :-))

It will not connect , tries but fails

Looking at the logs, It is a tiimeout
Radius server Internal-AAA timeout authenticating client xx:xx--95:D2 on wlan "Group-1-Dot1x

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Wed, 14 Jun 2017 19:43:00 GMT

Hi Phil,

With regards to the bridging mode, use the same mode that you are using on the existing wlan that is working.

For the onboard question:

Onboard-controller: The service runs on the controller that has adopted the APs

Onboard-self: The service runs on the device (AP or controller)

In your instance, you want to run it on the controller.

You seem to be missing the radius server policy, this tells the radius server what groups to use, as well as what method of EAP you want to use. In order for PEAP to function, there is also the question of certificates (server side only. it can be a self signed certificate, but your clients won't trust it implicitly).

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Thu, 15 Jun 2017 12:30:00 GMT

Hi Andrew, I have checked and it all seems to be there. this is from the running config

role-policy RBFW
user-role GUEST precedence 1
assign vlan 1
ssid contains GUEST
user-role Corp precedence 2
assign vlan 1
group exact Corp

profile ap71xx Mic71xxx
ip default-gateway 172.17.144.254
autoinstall configuration
autoinstall firmware
device-upgrade persist-images
use radius-server-policy RADIUS

wlan Group-1-DOT1X
ssid Group-1-DOT1X
vlan 1
bridging-mode tunnel
encryption-type ccmp
authentication-type eap
radio-resource-measurement
radius vlan-assignment
use aaa-policy Internal-AAA
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4

!
radius-group Corp
guest
policy vlan 1
!
radius-group GUEST
guest
policy vlan 1
!

Is there a password limit length ? the oassword I have been sent to add into the system is 44 characters long with / and an = in it

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Thu, 15 Jun 2017 18:14:00 GMT

Hi Phil,

Role-policy != Radius Policy. You will need a radius policy to make it work.

Please see section 11.6 in: http://documentation.extremenetworks.com/WiNG/5.8.5/WING_5.8.5_SRG_MN-002942-01_A_EN.pdf

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Fri, 16 Jun 2017 17:26:00 GMT

Hi Andrew
I have checked against 11.6, what I have looks the same other than the LDAP group

looking at the logs" Radius Server Internal-AAA:1 timeout authenticating client I'm missing something, Maybe Monday will throw some light on it.

Your help is appreciated very much it helping me get this working

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Tue, 01 Aug 2017 17:00:00 GMT

Hi
This has raised its head again, I have gone through my notes and a guide from a student lab ( although this refers to the VX900 controller ) I'm using the RFS7k with wing 5.8.5. In the guide I have it "Onboard Radius & Role Based Firewall "
anyway when I try and connect I get a radius timeout

I have missed somthing but not sure what ?
any advise / help please

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Thu, 31 Aug 2017 11:03:00 GMT

Could someone offer advice to get this working ?

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Thu, 31 Aug 2017 13:08:00 GMT

I have been looking at the event history on the AP that I'm trying to connect too
in the message i get
Client "20-14-B0-7E-22-11" disassociated from wlan "Group-1-DOT1X2 Radio "ap7532-82BCF4-eap"R1" authentication rejected by radius server timeout (reason code:23 )
the device associates then fails on the timeout authenticating.

If anyone has a simplified guide to setting this this up, I would be very greatful, stating from scratch for just one user to test that eap works and that it can connect to the test server on vlan 1
thanks

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Thu, 31 Aug 2017 13:51:00 GMT

This is the DEBUG

[ap7532-82BCF4-eap] 08:47:11.27: mgmt:rx auth-req from 20-14-B0-7E-22-11 on radio 0 (mgmt.c:3872)
[ap7532-82BCF4-eap] 08:47:11.27: mgmt:tx auth-rsp to 20-14-B0-7E-22-11 on radio 0. status: success (mgmt.c:1302)
[ap7532-82BCF4-eap] 08:47:11.31: mgmt:rx association-req from 20-14-B0-7E-22-11 on radio ap7532-82BCF4-eap:R1 signal-strength is -45dBm (mgmt.c:38
[ap7532-82BCF4-eap] 08:47:11.31: client:MU 20-14-B0-7E-22-11 panBU enab_cap=00 00 00 00, supp_cap=00 00 00 00 (mgmt.c:3112)
[ap7532-82BCF4-eap] 08:47:11.31: client:using cached vlan 1 for wireless client 20-14-B0-7E-22-11 (mgmt.c:3347)
[ap7532-82BCF4-eap] 08:47:11.31: mgmt:Client 20-14-B0-7E-22-11 negotiated WPA2-EAP on wlan (Group-1-DOT1X) (mgmt.c:3412)
[ap7532-82BCF4-eap] 08:47:11.31: mgmt:tx association-rsp success to 20-14-B0-7E-22-11 on wlan (Group-1-DOT1X) (ssid:RKOI) with ftie 0 (mgmt.c:3467
[ap7532-82BCF4-eap] 08:47:11.31: client:no pmkid from client 20-14-B0-7E-22-11 (mgmt.c:1197)
[ap7532-82BCF4-eap] 08:47:11.31: client:state MU_STATE_DOT1X for client 20-14-B0-7E-22-11 (mgmt.c:1206)
[ap7532-82BCF4-eap] 08:47:11.31: client:wireless client 20-14-B0-7E-22-11 changing state from [Roaming] to [802.1x/EAP Auth] (mgmt.c:622)
[ap7532-82BCF4-eap] 08:47:11.31: eap:sending eap-code-request code 1, type 1 to 20-14-B0-7E-22-11 (eap.c:963)
[ap7532-82BCF4-eap] 08:47:11.31: eap:sending eap-id-req to 20-14-B0-7E-22-11 (eap.c:990)
[ap7532-82BCF4-eap] 08:47:11.31: client:transmitting roam notification for 20-14-B0-7E-22-11 (mgmt.c:345)
[ap7532-82BCF4-eap] 08:47:11.32: client:os-info in credcache for 20-14-B0-7E-22-11 (OS:Unknown/Browser:Unknown/Type:Unknown) (credcache.c:915)
[ap7532-82BCF4-eap] 08:47:11.32: client:user-info in credcache for 20-14-B0-7E-22-11 (loyalty_app:0) (credcache.c:956)
[ap7532-82BCF4-eap] 08:47:11.39: eap:rx eap id-response from 20-14-B0-7E-22-11 (eap.c:696)
[ap7532-82BCF4-eap] 08:47:11.39: radius:aaa-policy INTERNAL-AAA user: DT-355856050632419 mac: 20-14-B0-7E-22-11 server_is_candidate: 1 0 0 0 0 0 (
[ap7532-82BCF4-eap] 08:47:11.40: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 1) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:14.54: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 2) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:17.75: radius:access-req sent to wireless controller to be proxied to 127.0.0.1:1812. (attempt 3) for 20-14-B0-7E-22-11
[ap7532-82BCF4-eap] 08:47:20.94: eap:sending eap-failure to 20-14-B0-7E-22-11 (eap.c:1006)
[ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:no response from radius server INTERNAL-AAA:1 for wireless client 20-14-B0-7E-22-11 (eap.c:373)
[ap7532-82BCF4-eap] %%%%>08:47:20.94: radius:alarm num_eap_s_tout ++ 1 (eap.c:394)
[ap7532-82BCF4-eap] 08:47:20.94: mgmt:tx deauthentication [reason: radius server timeout (code:23)] to 20-14-B0-7E-22-11 (mgmt.c:1836)

Hope this means somthing to someone

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Thu, 31 Aug 2017 18:13:00 GMT

Phil,

It appears as if you've set the aaa-policy to use onboard controller or onboard centralized-controller, but perhaps the controller isn't "using" the radius server policy hence the timeouts.
Perhaps debug the controller side to see what its doing with the radius requests.

Can you post a show running-config...

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Fri, 01 Sep 2017 12:22:00 GMT

Hi Andrew
here is the running config, Its not pretty ( have have removed some IP and other info )
I wnat to set this on only one AP, for the test
!
! Configuration of RFS7000 version 5.8.5.0-016R
!
!
version 2.5
!
!
client-identity Android-X
dhcp 1 message-type request option 55 exact hexstring 012103060f1c333a3b
dhcp 2 message-type request option 60 exact ascii dhcpcd-5.5.6
dhcp-match-message-type request
!
client-identity Motorola-Android
dhcp 1 message-type request option 55 starts-with hexstring 012103060f1c2c333a3b
dhcp-match-message-type request
!
client-identity Windows-10
dhcp 1 message-type request option 55 exact hexstring 01002710792c78
dhcp 5 message-type request option 60 exact ascii "MSFT 5.0"
dhcp-match-message-type request
!
client-identity iPhone-iPad
dhcp 4 message-type request option 55 exact hexstring 017903060f77fc
dhcp 10 message-type request option 55 exact hexstring 0103060f77fc
dhcp 1 message-type request option-codes exact hexstring 3537393d32330c
dhcp 2 message-type request option-codes exact hexstring 3537393d32360c
dhcp 3 message-type request option-codes exact hexstring 3537393d3233
dhcp 6 message-type request option-codes exact hexstring 3537393d330c
dhcp-match-message-type request
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
permit ip any 224.0.0.0/4 rule-precedence 21 rule-description "Allow IP multicast for Chromecast and Apple TV Boxes to work"
permit ip any host 255.255.255.255 rule-precedence 22 rule-description "allow IP local broadcast for Chromecast and Apple TV Boxes to work"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
permit proto 254 any any rule-precedence 101 rule-description Sip traffic
permit tcp any eq 5061 any rule-precedence 102 rule-description sip traffic
permit ip any xxx.245.xx.0/21 rule-precedence 103 rule-description RC Network
permit ip any xxx.23.xxx.0/22 rule-precedence 104 rule-description RC Network
permit ip any xxx.255.xxx.0/22 rule-precedence 106 rule-description RC Network
permit ip any xxx.68.xxx.0/22 rule-precedence 107 rule-description RC Network
permit tcp any range 8008 8009 any range 8008 8009 rule-precedence 108
permit udp any eq 53 any rule-precedence 110
permit udp any eq 1900 any rule-precedence 111
permit tcp any xxx.236.xxx.128/2x eq https rule-precedence 113
permit tcp any xxx.241.xxx.192/2x eq https rule-precedence 114
permit tcp any xxx.246.xxx.128/2x eq https rule-precedence 115
permit tcp any xxx.207.xxx.192/2x eq https rule-precedence 116
permit tcp any xxx.58.xxx.160/2x eq https rule-precedence 117
permit tcp any xxx.11.xxx.96/2x eq https rule-precedence 118
permit tcp any xxx.153.xxx.160/2x eq https rule-precedence 119
permit tcp any xxx.249.xxx.128/2x eq https rule-precedence 121
permit tcp any xxx.22xxx.112/2x eq https rule-precedence 122
permit tcp any 54.175.63.64/26 eq https rule-precedence 123
permit tcp any 54.93.127.192/26 eq https rule-precedence 124
permit tcp any xxx.209.xxx.64/2x eq https rule-precedence 125
permit tcp any xxx.241.xxx.64/2x eq https rule-precedence 126
permit tcp any xxx.219.xxx.192/2x eq https rule-precedence 127
permit tcp any xxx.4.xxx.128/2x eq https rule-precedence 128
permit tcp any xxx.233.xxx.192/2x eq https rule-precedence 129
permit tcp any xxx.219.xxx.64/2x eq https rule-precedence 130
permit tcp any xxx.175.xxx.192/2x eq https rule-precedence 131
permit tcp any xxx.250.xxx.0/2x eq https rule-precedence 132
permit tcp any xxx.171.xxx.192/2x eq https rule-precedence 133
permit tcp any xxx.93.xxx.192/x eq https rule-precedence 134
permit udp any range 5060 5061 any range 5060 5061 rule-precedence 135
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
deny host 00-1F-3B-26-02-A5 host 00-1F-3B-26-02-A5 rule-precedence 30
!
ip snmp-access-list Mic_HQ
permit host xxx.17.1xx.xxx
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos tcp-sequence-past-window
storm-control multicast log warnings
ip-mac conflict log-and-drop log-level debugging
no ipv6 firewall enable
no stateful-packet-inspection-l2
!
role-policy RBFW
user-role Guest precedence 1
assign vlan 1
ssid contains RKOI
user-role Corp precedence 2
assign vlan 1
group exact Corp
!
!
mint-policy global-default
!
meshpoint-qos-policy default
accelerated-multicast autodetect classification voice
!
wlan-qos-policy default
classification normal
classification non-unicast normal
qos trust dscp
qos trust wmm
!
radio-qos-policy default
no admission-control implicit-tspec
admission-control voice
admission-control video
admission-control video max-airtime-percent 15
accelerated-multicast max-streams 60
!
aaa-policy INTERNAL-AAA
authentication server 1 onboard controller
!
association-acl-policy Mic_Ban
deny 4C-0B-BE-04-F1-04 4C-0B-BE-04-F1-04 precedence 1
!
wlan 1
description Guest
ssid HOTSPOT
vlan 10
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
no answer-broadcast-probes
radio-resource-measurement
no radio-resource-measurement channel-report
fast-bss-transition
wpa-wpa2 psk 0 6hbZ5r5sYJ
wpa-wpa2 handshake timeout 200 300 400 500
wpa-wpa2 handshake attempts 5
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
!
wlan 2
description Microlise WLAN
ssid WLANBG
vlan 1
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
no answer-broadcast-probes
fast-bss-transition
wpa-wpa2 psk 0 xxxxxxxxxx
wpa-wpa2 handshake timeout 200 300 400 500
wpa-wpa2 handshake attempts 5
accounting syslog host xxx.17.154.xx port 514 proxy-mode through-controller
data-rates 2.4GHz gn
data-rates 5GHz an
ip arp trust
ip dhcp trust
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
!
wlan 3
description ICT Test
ssid DOMTEST
vlan 10
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
no answer-broadcast-probes
radio-resource-measurement
fast-bss-transition
wpa-wpa2 psk 0 Dxuxles1x
wpa-wpa2 handshake timeout 200 300 400 500
wpa-wpa2 handshake attempts 5
wing-extensions ft-over-ds-aggregate
no client-load-balancing allow-single-band-clients 5ghz
!
wlan 4
description Company Mobile Phone
ssid VoipT
vlan 10
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
no answer-broadcast-probes
radio-resource-measurement
fast-bss-transition
wpa-wpa2 psk 0 Un1fyxxx
wpa-wpa2 handshake timeout 200 300 400 500
wpa-wpa2 handshake attempts 5
data-rates 2.4GHz gn
data-rates 5GHz an
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
!
wlan Group-1-DOT1X
description PEAP-TEST
shutdown
ssid RKOI
vlan 1
bridging-mode tunnel
encryption-type ccmp
authentication-type eap
radio-resource-measurement
fast-bss-transition
use aaa-policy INTERNAL-AAA
registration device-OTP group-name tesco expiry-time 4320
service monitor aaa-server
!
meshpoint link
meshid link
beacon-format mesh-point
control-vlan 1
allowed-vlans 1-4094
neighbor inactivity-timeout 60
security-mode none
wpa2 psk 0 hellomoto
no root
!
smart-rf-policy Wood2
channel-width 5GHz auto
channel-width 2.4GHz auto
!
radius-group Corp
policy ssid RKOI
!
radius-group Guest
guest
!
radius-group Test-eap
policy vlan 1
policy ssid RKOI
!
radius-user-pool-policy CORP-USER
user John password 0 doe group Corp
!
radius-user-pool-policy Test-eap
user DT-355856050632419 password 0 Pa55w0rd group Corp Test-eap
!
radius-server-policy RADIUS
use radius-user-pool-policy Test-eap
no ldap-group-verification
!
!
management-policy default
no telnet
no http server
https server
no ftp
ssh
user admin password 1 ab38cb210d7336ec17bcad7b2d0d7fa644e98f9fcd32c691c5ac1875f5858854 role superuser access all
allowed-location MHQ locations MHQ
snmp-server manager v1
snmp-server manager v2
no snmp-server manager v3
snmp-server community 0 public ro ip-snmp-access-list Mic_HQ
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
snmp-server enable traps
snmp-server host xxx.xx.146.1x v2c 161 community 0 public
t5 snmp-server community public ro 192.168.0.1
t5 snmp-server community private rw 192.168.0.1
!
event-system-policy Mesh
event mesh meshpoint-loop-prevent-on email off
event mesh meshpoint-eap-server-timeout email off
event mesh mp-rescan email off
event mesh mesh-link-down email on
event mesh mpr-chan-change email off
event mesh meshpoint-eap-failed email off
event mesh meshpoint-root-change email off
event mesh meshpoint-down email off
event mesh meshpoint-eap-success email off
event mesh meshpoint-eap-client-timeout email off
event mesh meshpoint-up email off
event mesh meshpoint-path-change email off
event mesh meshpoint-loop-prevent-off email off
event mesh mp-chan-change email off
event mesh mesh-link-up email on
!
ex3500-management-policy default
snmp-server community public ro
snmp-server community private rw
snmp-server notify-filter 1 remote 127.0.0.1
snmp-server view defaultview 1 included
!
ex3500-qos-class-map-policy default
!
ex3500-qos-policy-map default
!
l2tpv3 policy default
!
profile rfs7000 default-rfs7000
autoinstall configuration
autoinstall firmware
use radius-server-policy RADIUS
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
interface me1
interface ge1
interface ge2
interface ge3
interface ge4
interface pppoe1
use firewall-policy default
use role-policy RBFW
cluster member ip 172.xxx.146.105 level 1
cluster member ip 172.xxx.146.106 level 1
cluster member vlan 1
logging on
logging syslog debugging
logging host 1xx.xxx.154.4x
no logging forward
no lldp run
service pm sys-restart
router ospf
!
profile ap7532 AP7532_De
dscp-mapping 46 priority 7
autoinstall configuration
autoinstall firmware
led flash-pattern
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
interface ge1
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
logging on
no lldp run
service pm sys-restart
router ospf
traffic-shape total-bandwidth 20 Mbps
traffic-shape enable
!
profile ap7532 Mic_7532
dscp-mapping 46 priority 7
ip default-gateway xxx.xxx.xxx.xxx
autoinstall configuration
autoinstall firmware
led flash-pattern
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
data-rates gn
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 4 primary
antenna-mode 3x3
antenna-diversity
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 4 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,10
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
ntp server xxx.xxx.144.1xx prefer version 3
ntp server xxx.xxx.144.xxx version 3
use role-policy RBFW
logging on
no cdp run
no lldp run
service pm sys-restart
router ospf
traffic-shape total-bandwidth 20 Mbps
traffic-shape enable
!
profile ap7532 default-ap7532
dscp-mapping 46 priority 7
autoinstall configuration
autoinstall firmware
led flash-pattern
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
interface ge1
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
ntp server xxx.xxx.144.1xx prefer version 3
ntp server xxx.xxx.144.1xx version 3
logging on
no cdp run
no lldp run
service pm sys-restart
router ospf
traffic-shape total-bandwidth 20 Mbps
traffic-shape enable
!
profile ap7532 mic-mesh
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
placement outdoor
interface radio2
placement outdoor
meshpoint link bss 1
non-unicast tx-rate lowest-basic
no dynamic-chain-selection
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1-4094
interface pppoe1
use event-system-policy Mesh
use firewall-policy default
email-notification host dom02 sender WifiBridge@microlise.com port 25
email-notification recipient support@microlise.com
no cdp run
service pm sys-restart
router ospf
!
profile ap7532 wood_2
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface ge1
interface pppoe1
use firewall-policy default
use role-policy RBFW
no cdp run
no lldp run
service pm sys-restart
router ospf
!
profile ap71xx Mic71xxx
ip default-gateway xxx.xxx.144.xxx
autoinstall configuration
autoinstall firmware
device-upgrade persist-images
load-balancing balance-ap-loads
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
interface radio1
data-rates custom basic-5.5 basic-11 basic-12 basic-18 basic-24 basic-36 basic-48 basic-54 basic-mcs-1s mcs-2s
rate-selection opportunistic
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
wlan 4 bss 4 primary
preamble-short
no dynamic-chain-selection
no adaptivity recovery
interface radio2
data-rates custom basic-12 basic-18 basic-24 basic-36 basic-48 basic-54 basic-mcs-1s mcs-2s
rate-selection opportunistic
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
wlan 4 bss 4 primary
no dynamic-chain-selection
no adaptivity recovery
interface radio3
shutdown
interface ge1
interface ge2
shutdown
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface wwan1
interface pppoe1
use firewall-policy default
ntp server xxx.xxx.144.150 prefer version 3
ntp server xxx.xxx.144.151 version 3
logging on
no lldp run
no auto-learn staging-config
service pm sys-restart
traffic-shape enable
!
profile ap71xx default-ap71xx
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
interface radio1
interface radio2
interface radio3
interface ge1
interface ge2
interface wwan1
interface pppoe1
use firewall-policy default
service pm sys-restart
!
profile ap650 default-ap650
ip default-gateway xxx.xxx.144.xxx
autoinstall configuration
autoinstall firmware
no device-upgrade auto
load-balancing balance-ap-loads
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
power 20
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
wlan 4 bss 4 primary
interface radio2
power 20
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
interface ge1
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
logging on
service pm sys-restart
!
rf-domain Wood_2
location ML_HQ
timezone Europe/London
country-code gb
use smart-rf-policy Wood2
!
rf-domain default
no country-code
!
rfs7000 00-15-70-38-0A-F9
use profile default-rfs7000
use rf-domain Wood_2
hostname rfs7000-Backup
layout-coordinates 145.5 212.5
no mint mlcp ipv6
no mint tunnel-across-extended-vlan
no spanning-tree mst enable bridge-forward
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree mst region RFS_ML
spanning-tree mst revision 2
ip name-server xxx.xxx.144.1xx
ip name-server xxx.xxx.144.xxx
ip domain-name l.local
area "Mez Floor"
ip default-gateway xxx.xxx.144.xxx
interface ge1
speed 1000
duplex full
interface vlan1
ip address xxx.xxx.xxx.106/2x
interface vlan10
ip address dhcp
cluster name M_HQ_Cluster
cluster mode standby
cluster member vlan 1
cluster master-priority 100
cluster handle-stp
cluster force-configured-state
!
rfs7000 00-15-70-81-BE-8E
use profile default-rfs7000
use rf-domain Wood_2
hostname rfs7000-Primary
layout-coordinates 481.5 9.5
license AP baa10e1a4916c4f89b2c620c20ab86b72fd7aefe10c9d75c90cfe595682b28cc0cff4e7c66e1796b
timezone Europe/London
country-code gb
channel-list 2.4GHz 1,2,3,4,5,7,8,10,11,12,13,14
no mint mlcp ipv6
no mint tunnel-across-extended-vlan
ip igmp snooping
ip igmp snooping querier
no spanning-tree mst enable bridge-forward
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree mst region RFS_ML
spanning-tree mst revision 2
ip name-server xxx.xxx.144.1xx
ip name-server xxx.xxx.144.1xx
ip domain-name m.local
area "B4 SRm"
floor GF
ip default-gateway xxx.xxx.144.xxx
no use radius-server-policy
interface me1
ip address 10.10.10.10/24
interface ge1
speed 1000
duplex full
switchport mode trunk
switchport trunk native vlan 1
switchport trunk native tagged
switchport trunk allowed vlan 1,10-11
no ipv6 nd raguard
no ip arp trust
ip arp header-mismatch-validation
interface vlan1
description Ron
ip address xxx.xxx.146.1xx/20
use ip-access-list in BROADCAST-MULTICAST-CONTROL
interface vlan10
ip address dhcp
ip dhcp client request options all
ntp server xxx.xxx.144.1xx prefer version 3
ntp server xxx.xxx.144.1xx version 3
cluster name M_HQ_Cluster
cluster member vlan 1
cluster master-priority 200
cluster handle-stp
cluster force-configured-state
traffic-shape class 1 rate 70 Mbps
traffic-shape total-bandwidth 70 Mbps
traffic-shape enable
!
ap7532 84-24-8D-80-C3-AC
use profile Mic_7532
use rf-domain Wood_2
hostname ap7532-2-Delivery
area HR-Accounts-CEO
floor B4-First-Floor
interface radio1
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 3 primary
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 3 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,10
interface vlan1
ip address dhcp
!
ap7532 84-24-8D-80-C5-F4
use profile Mic_7532
use rf-domain Wood_2
hostname AP7532-ICT-B4a
location B4a-Sdesk
contact ICT
ip name-server xxx.xx.144.xx
ip name-server xxx.xx.144.xxx
ip domain-name m.local
ip default-gateway xxx.xxx.144.1.xxx
no ip default-gateway failover
interface radio1
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
wlan 4 bss 4 primary
no adaptivity recovery
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 3 bss 3 primary
wlan 4 bss 4 primary
antenna-mode 3x3
antenna-diversity
no adaptivity recovery
interface vlan1
ip address dhcp
ip address zeroconf secondary
!
ap7532 84-24-8D-80-C6-24
use profile Mic_7532
use rf-domain Wood_2
hostname AP7532-Reception-Landing
layout-coordinates -72.5 -198.5
area B4
floor First-floor-Theatre
interface radio1
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 4 primary
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 4 primary
!
ap7532 84-24-8D-82-BC-78
use profile mic-mesh
use rf-domain Wood_2
hostname ap7532-Remote-Bridge
layout-coordinates -179.5 -291.5
geo-coordinates 53.0151 -1.3156
ip igmp snooping
interface radio1
shutdown
power smart
no mesh
mesh psk 0 RUc6UnarePa&
interface radio2
power smart
no mesh
mesh psk 0 RUc6UnarePa&
antenna-gain 0.0
antenna-mode 3x3
antenna-diversity
interface vlan1
ip address 172.17.148.252/20
ip address zeroconf secondary
!
ap7532 84-24-8D-82-BC-F4
use profile Mic_7532
use rf-domain Wood_2
ap7532-82BCF4-eap
layout-coordinates 159.5 -1hostname86.5
area TBC
floor TBC
interface radio1
wlan Group-1-DOT1X bss 1 primary
interface radio2
wlan Group-1-DOT1X bss 1 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,10
interface vlan1
ip address dhcp
ip address zeroconf secondary
!
ap7532 84-24-8D-82-BD-80
use profile Mic_7532
use rf-domain Wood_2
hostname ap7532-Reception
layout-coordinates 214.5 -155.5
area Reception-by-Lift
floor Ground-Floor
interface radio1
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 4 primary
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 4 primary
interface ge1
no cdp receive
no cdp transmit
no lldp receive
no lldp transmit
!
ap7532 84-24-8D-82-BF-18
use profile m-mesh
use rf-domain Wood_2
hostname ap7532-HQ-Bridge
layout-coordinates 258.5 -298.5
geo-coordinates xx.0137 -1.3146
bridge vlan 1
ip default-gateway xxx.xxx.144.1.xxx
interface radio1
shutdown
data-rates gn
placement outdoor
no mesh
antenna-gain 0.0
antenna-mode default
no antenna-diversity
interface radio2
power smart
no mesh
mesh psk 0 RUc6UnarePa&
antenna-gain 0.0
antenna-mode 3x3
antenna-diversity
interface vlan1
ip address xxx.17.xx.251/2x
ip address zeroconf secondary
meshpoint-device link
root
!
ap7532 84-24-8D-82-C7-88
use profile Mic_7532
use rf-domain Wood_2
hostname ap7532-1-Delivery
layout-coordinates x48.5 -201.5
area Delivery
floor B4-First-Floor-Kitchen-Sec-end
interface radio1
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 3 primary
interface radio2
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 3 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,10
no cdp receive
no cdp transmit
no lldp receive
no lldp transmit
!
ap71xx 00-15-70-EB-7C-A8
use profile Mic71xxx
use rf-domain Wood_2
hostname ap7131-7-PC01
layout-coordinates -396.5 -39.4
area "PortaCabin- Embedded Team"
floor B4a-GF
interface radio1
no shutdown
channel smart
power smart
data-rates default
wlan 1 bss 1 primary
wlan 2 bss 2 primary
wlan 4 bss 5 primary
non-unicast tx-rate lowest-basic
no antenna-diversity
interface radio2
no shutdown
channel smart
power smart
data-rates an
wlan 1 bss 1 primary
wlan 2 bss 2 primar

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Fri, 01 Sep 2017 21:51:00 GMT

Phil,
I don't see any mention of trustpoints in your config, so I'm guessing you didn't do any certificate setup as part of the Radius setup.
EAP-anything requires a radius server-side certificate in order to function. It cannot use the default built-in trustpoint.

I found this video to be very informative, although the presenter is setting up EAP-TLS, EAP-PEAP is similar, and you should be able to derive the correct config from there.
https://www.youtube.com/watch?v=-f0R9tNwRX4

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Phil_storey — Mon, 04 Sep 2017 16:26:00 GMT

So am I correct in thinking I need to use an external LDAP server with the Radius-onboard the RFS7k ?

For this test I dont want to use certficates

RE: Test wlan that will uses eap ms-chapv2 self-controller to authenticate

Andrew_Webster — Tue, 05 Sep 2017 00:37:00 GMT

You can't NOT use certificates. EAP-PEAP-MS-CHAPv2 stipulates at a minimum that you must have server-side certificates on the RADIUS server.

If you want to use an external LDAP that's fine, but the RADIUS server still needs a certificate.
Similarly, if you used an external RADIUS server, it would need to have a certificate.