TPreston Posted October 3, 2012

I'm trying to get WPA2 Enterprise working on my Cisco 877W using a Server 2008 R2 NPS (already set up for console RADIUS authentication). I have an SSL cert for the RADIUS server signed by an external CA, and I've tried supplying an AD DNS cert (NPS server template) using the NPS EAP options, but I keep getting a generic "could not connect to the network" exception after selecting "use my Windows user account". I also have no RADIUS traffic shown on my firewall, so it looks like it's an IOS issue.

Is a Positive SSL cert http://www.namecheap.com/ssl-certificates/comodo/positivessl-certificate.aspx adequate for this purpose, or do I need to use my CA?

My config is below. I followed this guide: http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part2.html

Is version 15.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877W
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console informational
!
aaa new-model
!
!
aaa group server radius SecureGateway
 server 10.0.0.3
!
aaa authentication login authlist local group SecureGateway
!
!
!
!
!
aaa session-id common
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3982983999
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3982983999
 revocation-check none
 rsakeypair TP-self-signed-3982983999
!
!
crypto pki certificate chain TP-self-signed-3982983999
 quit
dot11 syslog
dot11 vlan-name GuestWiFi vlan 3
dot11 vlan-name DomainName-WiFi-Access vlan 2
!
dot11 ssid Guest_WiFi
 vlan 3
 mbssid guest-mode
!
dot11 ssid DomainName.us
 vlan 2
 authentication open eap SecureGateway
 authentication network-eap SecureGateway
 mbssid guest-mode
!
ip source-route
!
!
!
ip cef
ip domain name DomainName.us
ip name-server 8.8.8.8
!
!
!
!
username localadmin privilege 15 secret 5
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Dot11Radio0
 no ip address
 ip flow ingress
 ip flow egress
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid Guest_WiFi
 !
 ssid DomainName.us
 !
 mbssid
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no preamble-short
 station-role root access-point
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 10.0.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 ip address 10.0.3.1 255.255.255.0
 ip flow ingress
 ip flow egress
!
interface Vlan1
 ip address 10.0.0.10 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Vlan2
 no ip address
 ip flow ingress
 ip flow egress
!
interface Vlan3
 no ip address
 ip flow ingress
 ip flow egress
!
interface Vlan10
 ip address 10.0.2.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname eircom
 ppp chap password 7 0111140B5A0F040E2F481F
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-export version 9
ip flow-export destination 10.0.0.1 2055
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip radius source-interface FastEthernet1
logging 10.0.0.1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
snmp-server community public RO
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 10.0.0.1 version 2c public
!
radius-server local
!
radius-server host 10.0.0.3
radius-server key 7
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login authentication authlist
 transport input ssh
!
sntp logging
sntp server 10.0.0.2
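
Added example, not part of the original post: a small Python check that cross-references the AAA and SSID stanzas of the posted configuration. On IOS, the list name given to `authentication open eap` and `authentication network-eap` is looked up among the `aaa authentication login` method lists, and WPA/WPA2 key management is enabled per SSID with `authentication key-management wpa`. The function name and the embedded excerpt are this example's own.

```python
import re

# Excerpt of the configuration posted above (AAA and SSID stanzas only).
POSTED_CONFIG = """\
aaa new-model
aaa group server radius SecureGateway
 server 10.0.0.3
!
aaa authentication login authlist local group SecureGateway
!
dot11 ssid Guest_WiFi
 vlan 3
 mbssid guest-mode
!
dot11 ssid DomainName.us
 vlan 2
 authentication open eap SecureGateway
 authentication network-eap SecureGateway
 mbssid guest-mode
!
"""

def audit_eap_ssids(config):
    """Return {ssid: [findings]} for every SSID that uses EAP authentication."""
    login_lists = set(re.findall(r"^aaa authentication login (\S+)", config, re.M))
    radius_groups = set(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    findings = {}
    # An SSID stanza is its header line plus the indented lines that follow it.
    for name, body in re.findall(r"^dot11 ssid (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        eap_lists = set(re.findall(r"authentication (?:open eap|network-eap) (\S+)", body))
        if not eap_lists:
            continue  # SSID does not use EAP, nothing to cross-check
        issues = []
        for lst in sorted(eap_lists):
            if lst not in login_lists:
                kind = "a RADIUS server group" if lst in radius_groups else "undefined"
                issues.append(f"EAP list '{lst}' is not an 'aaa authentication login' list ({kind})")
        if "authentication key-management wpa" not in body:
            issues.append("no 'authentication key-management wpa' line on this EAP SSID")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for ssid, issues in audit_eap_ssids(POSTED_CONFIG).items():
        for issue in issues:
            print(f"{ssid}: {issue}")
```

Run against the excerpt, it reports two findings for `DomainName.us` and skips `Guest_WiFi`, which has no EAP lines.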