What a letdown! iOS 8 no longer supports LEAP!

Author: lesca Category: Tutorials Published: 2014-10-25 14:50

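Background

Over the past couple of days I looked into the Local Radius Server feature of Cisco wireless APs. It should have been straightforward, but once everything was configured my iPhone simply would not connect!
After some investigation I found that iOS 8 no longer supports LEAP [4]!! That cost me two days, so I'll write down the main steps anyway.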

Configuration commands

VLAN
SZH2_Mobile1(config)#interface Dot11Radio 0.1
SZH2_Mobile1(config-subif)#encapsulation dot1Q 1 native
SZH2_Mobile1(config-subif)#exit
SZH2_Mobile1(config)#interface gigabitEthernet 0.1
SZH2_Mobile1(config-subif)#encapsulation dot1Q 1 native
SZH2_Mobile1(config-subif)#exit
SZH2_Mobile1(config)#dot11 vlan-name GuestNet vlan 1

SSID
SZH2_Mobile1(config)#dot11 ssid GuestNet
SZH2_Mobile1(config-ssid)#vlan 1
SZH2_Mobile1(config-ssid)#authentication open
SZH2_Mobile1(config-ssid)#guest-mode
SZH2_Mobile1(config-ssid)#mbssid guest-mode

Interface dot11Radio 0
SZH2_Mobile1(config)#interface dot11Radio 0
SZH2_Mobile1(config-if)#encryption vlan 1 mode ciphers aes-ccm
SZH2_Mobile1(config-if)#mbssid
SZH2_Mobile1(config-if)#ssid GuestNet

Local Radius Server
SZH2_Mobile1(config)#aaa new-model
SZH2_Mobile1(config)#radius-server local
SZH2_Mobile1(config-radsrv)#no authentication eapfast
SZH2_Mobile1(config-radsrv)#no authentication mac
SZH2_Mobile1(config-radsrv)#nas 192.168.0.10 key SharedKey
SZH2_Mobile1(config-radsrv)#group users
SZH2_Mobile1(config-radsrv-group)#vlan 1
SZH2_Mobile1(config-radsrv-group)#ssid GuestNet
SZH2_Mobile1(config-radsrv-group)#exit
SZH2_Mobile1(config-radsrv)#user lesca password bugaosuni group users
SZH2_Mobile1(config-radsrv)#exit

Radius Server Management
SZH2_Mobile1(config)#radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key SharedKey

AAA Settings
SZH2_Mobile1(config)#aaa group server radius rad_eap
SZH2_Mobile1(config-sg-radius)#server 192.168.0.10 auth-port 1812 acct-port 1813
SZH2_Mobile1(config-sg-radius)#exit
SZH2_Mobile1(config)#aaa authentication login eap_methods group rad_eap
SZH2_Mobile1(config)#dot11 ssid GuestNet
SZH2_Mobile1(config-ssid)#authentication open eap eap_methods
SZH2_Mobile1(config-ssid)#authentication network-eap eap_methods
SZH2_Mobile1(config-ssid)#authentication key-management wpa version 2

Debugging commands

Connection statistics:

show radius local-server statistics

Clear statistics:

clear radius local-server user username

Verbose logging:

debug radius authentication

Error log

*Mar  1 02:52:38.879: RADIUS/ENCODE(0000010E):Orig. component type = DOT11
*Mar  1 02:52:38.883: RADIUS:  AAA Unsupported Attr: ssid              [347] 8
*Mar  1 02:52:38.883: RADIUS:   47 75 65 73 74 4E            [ GuestN]
*Mar  1 02:52:38.883: RADIUS:  AAA Unsupported Attr: service-type      [345] 4   1
*Mar  1 02:52:38.883: RADIUS:  AAA Unsupported Attr: interface         [222] 3
*Mar  1 02:52:38.883: RADIUS:   32                 [ 2]
*Mar  1 02:52:38.883: RADIUS(0000010E): Config NAS IP: 192.168.0.10
*Mar  1 02:52:38.883: RADIUS(0000010E): Config NAS IPv6:
*Mar  1 02:52:38.883: RADIUS/ENCODE(0000010E): acct_session_id: 260
*Mar  1 02:52:38.883: RADIUS(0000010E): Config NAS IP: 192.168.0.10
*Mar  1 02:52:38.883: RADIUS(0000010E): sending
*Mar  1 02:52:38.883: RADIUS(0000010E): Send Access-Request to 192.168.0.10:1812 id 1645/24, len 150
*Mar  1 02:52:38.883: RADIUS:  authenticator ED E3 97 5D CC 60 CD A8 - BB A1 C9 2E FF 9C E3 AF
*Mar  1 02:52:38.883: RADIUS:  User-Name           [1]   7   "lesca"
*Mar  1 02:52:38.883: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 02:52:38.883: RADIUS:  Called-Station-Id   [30]  28  "3C-0E-23-**-**-**:GuestNet"
*Mar  1 02:52:38.883: RADIUS:  Calling-Station-Id  [31]  16  "0c77.1a**.****"
*Mar  1 02:52:38.883: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  1 02:52:38.883: RADIUS:  Message-Authenticato[80]  18
*Mar  1 02:52:38.883: RADIUS:   E1 6A 58 C7 66 34 97 55 D8 A5 8E 04 E6 41 64 9A           [ jXf4UAd]
*Mar  1 02:52:38.883: RADIUS:  EAP-Message         [79]  12
*Mar  1 02:52:38.883: RADIUS:   02 01 00 0A 01 6C 65 73 63 61             [ lesca]
*Mar  1 02:52:38.883: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
*Mar  1 02:52:38.883: RADIUS:  NAS-Port            [5]   6   268
*Mar  1 02:52:38.883: RADIUS:  NAS-Port-Id         [87]  5   "268"
*Mar  1 02:52:38.883: RADIUS:  NAS-IP-Address      [4]   6   192.168.0.10
*Mar  1 02:52:38.883: RADIUS:  Nas-Identifier      [32]  14  "SZH2_Mobile1"
*Mar  1 02:52:38.883: RADIUS(0000010E): Sending a IPv4 Radius Packet
*Mar  1 02:52:38.883: RADIUS(0000010E): Started 5 sec timeout
*Mar  1 02:52:38.883: RADIUS: Received from id 1645/24 192.168.0.10:1812, Access-Challenge, len 117
*Mar  1 02:52:38.883: RADIUS:  authenticator AF 51 F2 FA 93 AB CB CE - 46 59 E4 C9 4A 79 C0 84
*Mar  1 02:52:38.883: RADIUS:  EAP-Message         [79]  23
*Mar  1 02:52:38.883: RADIUS:   01 0D 00 15 11 01 00 08 E8 F9 72 BD CB 22 14 63 6C 65 73 63 61          [ r"clesca]
*Mar  1 02:52:38.883: RADIUS:  Session-Timeout     [27]  6   10
*Mar  1 02:52:38.883: RADIUS:  State               [24]  50
*Mar  1 02:52:38.883: RADIUS:   E8 F9 72 BD CB 22 14 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 6A CD CB C5 85 0C 53 21 0B 78 E9 6E 28 BA 44       [ r"c6jS!xn(D]
*Mar  1 02:52:38.883: RADIUS:  Message-Authenticato[80]  18
*Mar  1 02:52:38.883: RADIUS:   38 55 F5 5E 32 FC F1 86 B1 22 AF 86 12 9E 9C 1C             [ 8U^2"]
*Mar  1 02:52:38.883: RADIUS(0000010E): Received from id 1645/24
*Mar  1 02:52:38.883: RADIUS/DECODE: EAP-Message fragments, 21, total 21 bytes
*Mar  1 02:52:38.983: RADIUS/ENCODE(0000010E):Orig. component type = DOT11
*Mar  1 02:52:38.987: RADIUS:  AAA Unsupported Attr: ssid              [347] 8
*Mar  1 02:52:38.987: RADIUS:   47 75 65 73 74 4E            [ GuestN]
*Mar  1 02:52:38.987: RADIUS:  AAA Unsupported Attr: service-type      [345] 4   1
*Mar  1 02:52:38.987: RADIUS:  AAA Unsupported Attr: interface         [222] 3
*Mar  1 02:52:38.987: RADIUS:   32                 [ 2]
*Mar  1 02:52:38.987: RADIUS(0000010E): Config NAS IP: 192.168.0.10
*Mar  1 02:52:38.987: RADIUS(0000010E): Config NAS IPv6:
*Mar  1 02:52:38.987: RADIUS/ENCODE(0000010E): acct_session_id: 260
*Mar  1 02:52:38.987: RADIUS(0000010E): Config NAS IP: 192.168.0.10
*Mar  1 02:52:38.987: RADIUS(0000010E): sending
*Mar  1 02:52:38.987: RADIUS(0000010E): Send Access-Request to 192.168.0.10:1812 id 1645/25, len 196
*Mar  1 02:52:38.987: RADIUS:  authenticator B5 A0 21 99 AE DF 3B 26 - 7A C6 49 B8 E2 7A C3 8E
*Mar  1 02:52:38.987: RADIUS:  User-Name           [1]   7   "lesca"
*Mar  1 02:52:38.987: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 02:52:38.987: RADIUS:  Called-Station-Id   [30]  28  "3C-0E-23-**-**-**:GuestNet"
*Mar  1 02:52:38.987: RADIUS:  Calling-Station-Id  [31]  16  "0c77.1a4c.e91f"
*Mar  1 02:52:38.987: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  1 02:52:38.987: RADIUS:  Message-Authenticato[80]  18
*Mar  1 02:52:38.987: RADIUS:   3C 3F F6 F7 B6 AF 59 96 65 E3 C8 5E A8 11 6D DA            [ <?Ye^m]
*Mar  1 02:52:38.987: RADIUS:  EAP-Message         [79]  8
*Mar  1 02:52:38.987: RADIUS:   02 0D 00 06 03 19
*Mar  1 02:52:38.987: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
*Mar  1 02:52:38.987: RADIUS:  NAS-Port            [5]   6   268
*Mar  1 02:52:38.987: RADIUS:  NAS-Port-Id         [87]  5   "268"
*Mar  1 02:52:38.987: RADIUS:  State               [24]  50
*Mar  1 02:52:38.987: RADIUS:   E8 F9 72 BD CB 22 14 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 6A CD CB C5 85 0C 53 21 0B 78 E9 6E 28 BA 44       [ r"c6jS!xn(D]
*Mar  1 02:52:38.987: RADIUS:  NAS-IP-Address      [4]   6   192.168.0.10
*Mar  1 02:52:38.987: RADIUS:  Nas-Identifier      [32]  14  "SZH2_Mobile1"
*Mar  1 02:52:38.987: RADIUS(0000010E): Sending a IPv4 Radius Packet
*Mar  1 02:52:38.987: RADIUS(0000010E): Started 5 sec timeout
*Mar  1 02:52:38.987: RADIUS: Received from id 1645/25 192.168.0.10:1812, Access-Reject, len 94
*Mar  1 02:52:38.987: RADIUS:  authenticator BC F5 A2 BA B1 4D B1 54 - 57 4B F7 75 42 FA 18 64
*Mar  1 02:52:38.987: RADIUS:  EAP-Message         [79]  6
*Mar  1 02:52:38.987: RADIUS:   04 0D 00 04
*Mar  1 02:52:38.987: RADIUS:  State               [24]  50
*Mar  1 02:52:38.987: RADIUS:   E8 F9 72 BD CB 22 14 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 6A CD CB C5 85 0C 53 21 0B 78 E9 6E 28 BA 44       [ r"c6jS!xn(D]
*Mar  1 02:52:38.987: RADIUS:  Message-Authenticato[80]  18
*Mar  1 02:52:38.987: RADIUS:   3B D3 E8 46 6D 03 08 06 16 88 CA 00 6B 43 21 93            [ ;FmkC!]
*Mar  1 02:52:38.987: RADIUS(0000010E): Received from id 1645/25
*Mar  1 02:52:38.987: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar  1 02:52:38.987: %DOT11-7-AUTH_FAILED: Station 0c77.1a**.**** Authentication failed
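
The failure can be read directly from the EAP-Message [79] bytes in the log above. The following is an added example, not part of the original post: it decodes the four EAP payloads copied from those log lines and shows that the server offers EAP type 17 (LEAP), the client answers with a Nak asking for type 25 (PEAP), and the server then sends EAP-Failure. The function names `parse_eap` and `diagnose` are hypothetical; the type numbers are from the IANA EAP registry.

```python
# Added example: decode the EAP-Message payloads copied from the debug log.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of the IANA EAP method type registry.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

# EAP-Message [79] payloads in log order (identity, challenge, reply, verdict).
LOG_EAP = [
    "02 01 00 0A 01 6C 65 73 63 61",
    "01 0D 00 15 11 01 00 08 E8 F9 72 BD CB 22 14 63 6C 65 73 63 61",
    "02 0D 00 06 03 19",
    "04 0D 00 04",
]

def parse_eap(hex_bytes):
    """Parse one EAP packet given as space-separated hex."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field says {length}, got {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident}
    if code in (1, 2) and length > 4:      # only Request/Response carry a type
        etype, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, str(etype))
        if etype == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:                   # Nak lists the methods the peer accepts
            pkt["wants"] = [EAP_TYPES.get(t, str(t)) for t in data]
        elif etype == 17 and code == 1 and len(data) >= 3:
            n = data[2]                    # after version and unused byte: challenge length
            pkt["challenge"] = data[3:3 + n].hex()
            pkt["user"] = data[3 + n:].decode("utf-8", "replace")
    return pkt

def diagnose(hex_packets):
    """Summarise the method negotiation across one EAP conversation."""
    offered = None
    for pkt in map(parse_eap, hex_packets):
        if pkt["code"] == "Request" and pkt.get("type") != "Identity":
            offered = pkt.get("type")
        elif pkt.get("type") == "Nak":
            wants = "/".join(pkt["wants"])
            return f"server offered {offered}, client refused and asked for {wants}"
    return "no method refusal seen"

if __name__ == "__main__":
    for h in LOG_EAP:
        print(parse_eap(h))
    print(diagnose(LOG_EAP))
```

A Nak followed by Access-Reject means the two ends share no EAP method; the user name and password were never tested.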

References:

[1] Configuring an Access Point as a Local Authenticator
[2] Autonomous AP as Local Radius Server
[3] LEAP Authentication on a Local RADIUS Server
[4] WPA2 Enterprise and iOS8

Copyright notice

This article comes from Lesca 技术宅; when reposting, please credit the source and include the corresponding link.

Permalink: https://www.lesca.cn/archives/ios8-does-not-support-cisco-ap-local-radius-server.html
