Test WLAN that will use EAP MS-CHAPv2 self-controller to authenticate

Phil_storey
Contributor
I have created an onboard RADIUS and role-based firewall (sort of),
so this is what I have done so far,

from the CLI
#conf
#radius-server-policy RADIUS
#commit write
#radius-group Guest
#guest
#..
#radius-group Corp
#..
#radius-user-pool CORP-USER
#user UKROI password #976301234 group corp
#commit write
#profile rfs7000 default-rfs7000
#use radius-server-policy RADIUS
#commit write

#role-policy RBFW
#user-role Guest precedence 1
#assign vlan 999
#ssid contains Guest
#..
#user-role Corp precedence 2
#assign vlan 1000
#group exact Corp
#commit write
#aaa-policy INTERNAL-AAA
#authentication server 1 onboard-controller
I have created a WLAN and assigned the aaa-policy INTERNAL_AAA.

Then in the AP profile, under Settings, I have added the RBFW in the wireless client role policy.

The problem I have:
I only have two production VLANs, so I cannot put the AAA server on these, but I need to get to a server on the main VLAN.

I can see the Dot1x WLAN that is part of the test. If I use my mobile phone and try to connect, it prompts for a username and a password as it should. I then put these details in,
select MS-CHAPv2, then you have an option about certificate, where I select none;
then under the username it shows anonymous;
then drop to password and enter this;
then it shows connecting, then gives up.
Now I think it's due to the fact that VLANs 999 & 1000 do not have any DHCP server to give the device an IP.

So can I set up a DHCP server on the RFS7k (WiNG 5.8.5) that will only dish out addresses on the dot1x WLAN? Then route off to our main VLAN to attach to a test server.

Lots of information and questions, but any help appreciated.


Phil_storey
Contributor
Hi Andrew,
I have checked against 11.6; what I have looks the same other than the LDAP group.

Looking at the logs: "Radius Server Internal-AAA:1 timeout authenticating client". I'm missing something; maybe Monday will throw some light on it.

Your help is appreciated very much; it is helping me get this working.

Andrew_Webster
New Contributor III
Hi Phil,

Role-policy != Radius Policy. You will need a radius policy to make it work.

Please see section 11.6 in: http://documentation.extremenetworks.com/WiNG/5.8.5/WING_5.8.5_SRG_MN-002942-01_A_EN.pdf

Phil_storey
Contributor
Hi Andrew, I have checked and it all seems to be there. This is from the running config:

role-policy RBFW
user-role GUEST precedence 1
assign vlan 1
ssid contains GUEST
user-role Corp precedence 2
assign vlan 1
group exact Corp

profile ap71xx Mic71xxx
ip default-gateway 172.17.144.254
autoinstall configuration
autoinstall firmware
device-upgrade persist-images
use radius-server-policy RADIUS

wlan Group-1-DOT1X
ssid Group-1-DOT1X
vlan 1
bridging-mode tunnel
encryption-type ccmp
authentication-type eap
radio-resource-measurement
radius vlan-assignment
use aaa-policy Internal-AAA
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4

!
radius-group Corp
guest
policy vlan 1
!
radius-group GUEST
guest
policy vlan 1
!

Is there a password length limit? The password I have been sent to add into the system is 44 characters long, with a / and an = in it.

Andrew_Webster
New Contributor III
Hi Phil,

With regards to the bridging mode, use the same mode that you are using on the existing wlan that is working.

For the onboard question:

Onboard-controller: The service runs on the controller that has adopted the APs

Onboard-self: The service runs on the device (AP or controller)

In your instance, you want to run it on the controller.

You seem to be missing the radius server policy; this tells the radius server what groups to use, as well as what method of EAP you want to use. In order for PEAP to function, there is also the question of certificates (server side only; it can be a self-signed certificate, but your clients won't trust it implicitly).
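
As an added example that is not part of the thread or of Extreme Networks' own tooling: a small Python script that cross-checks a WiNG-style running config for exactly the gap described above, a `use radius-server-policy` (or `use aaa-policy`, `use role-policy`, ...) reference that has no matching policy block anywhere in the config. The sample config embedded in it is constructed, modelled on the running config posted in this thread with WiNG's indentation restored; the `radius-server-policy` block appended in the fixed variant, and its `authentication eap-auth-type peap-mschapv2` line, are assumptions about WiNG syntax and are not taken from the thread.

```python
"""Cross-reference check for a WiNG-style running config (constructed example).

Parses the config into top-level blocks and reports every 'use <type> <name>'
line whose policy is never defined. A profile that uses a radius-server-policy
that does not exist is precisely the situation discussed in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

# Policy types whose 'use <type> <name>' references must resolve to a block.
REFERENCE_TYPES = (
    "radius-server-policy",
    "aaa-policy",
    "role-policy",
    "radius-user-pool-policy",
    "dhcp-server-policy",
)

# Constructed sample modelled on the thread's running config: the profile
# uses radius-server-policy RADIUS, but no such block is defined.
SAMPLE_CONFIG = """\
!
role-policy RBFW
 user-role GUEST precedence 1
  assign vlan 1
  ssid contains GUEST
 user-role Corp precedence 2
  assign vlan 1
  group exact Corp
!
aaa-policy Internal-AAA
 authentication server 1 onboard-controller
!
profile ap71xx Mic71xxx
 ip default-gateway 172.17.144.254
 use radius-server-policy RADIUS
!
wlan Group-1-DOT1X
 ssid Group-1-DOT1X
 vlan 1
 authentication-type eap
 use aaa-policy Internal-AAA
!
radius-group Corp
 guest
 policy vlan 1
!
"""

# Assumed fix (syntax is an assumption, not from the thread): define the
# policy the profile refers to and pick the EAP method the phone is using.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "radius-server-policy RADIUS\n"
    " authentication eap-auth-type peap-mschapv2\n"
    "!\n"
)


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running config into (header, body_lines) pairs.

    A non-indented line opens a new block; indented lines belong to the most
    recent block; blank lines and '!' separators are ignored.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0] in " \t":
            if blocks:
                blocks[-1][1].append(stripped)
        else:
            blocks.append((stripped, []))
    return blocks


def defined_policies(blocks: List[Tuple[str, List[str]]]) -> Dict[str, Set[str]]:
    """Map policy type -> names that appear as top-level block headers."""
    defined: Dict[str, Set[str]] = {t: set() for t in REFERENCE_TYPES}
    for header, _ in blocks:
        parts = header.split()
        if len(parts) >= 2 and parts[0] in defined:
            defined[parts[0]].add(parts[1])
    return defined


def find_dangling_uses(config: str) -> List[str]:
    """One finding per 'use <type> <name>' line with no matching block."""
    blocks = parse_blocks(config)
    defined = defined_policies(blocks)
    findings: List[str] = []
    for header, body in blocks:
        for line in body:
            m = re.match(r"use (\S+) (\S+)$", line)
            if m and m.group(1) in defined and m.group(2) not in defined[m.group(1)]:
                findings.append(
                    f"{header}: uses {m.group(1)} {m.group(2)} but no such policy is defined"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with policy added", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for finding in find_dangling_uses(cfg) or ["no dangling policy references"]:
            print(finding)
```

Run against the config as posted it reports the missing `radius-server-policy RADIUS`; with the block appended it reports nothing, which is the quickest way to confirm that a `show running-config` actually contains every policy a profile or WLAN points at before chasing the timeout elsewhere.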

Phil_storey
Contributor
Hi Andrew
I have set the WLAN to use VLAN 1 under the basic settings (GUI), Bridging mode = Tunnel;
then in Security it's set to use Internal-AAA.

Under Security > Wireless Client Roles > my role, in the firewall roles I have set the VLAN ID to 1.

What is the difference between onboard-controller and onboard-self? Note there is no punch line to this one :-))

It will not connect; it tries but fails.

Looking at the logs, it is a timeout:
Radius server Internal-AAA timeout authenticating client xx:xx--95:D2 on wlan "Group-1-Dot1x
