Comments on CCIE Wireless: Autonomous APs: Network EAP vs. Open with EAP, the right combination
Blog author: Jerome Henry. Comment feed retrieved 2024-03-22; comments are listed newest first.

Comment from Manish (posted as Anonymous), 2014-06-12 11:21 -07:00:

Hi Jerome,

Thanks for the excellent write-up. I have an issue in my network and would like to get some suggestions:

I am using a 3602 AP with a 5508 WLC and the clients are Windows 8 with 2013 drivers installed. I am facing connectivity issues on certain clients intermittently. I performed Netmon packet captures on the problem client in local mode and ran simultaneous debugs on the WLC. My observation is:

 ++ The client sends an association request
 ++ WLC receives it and sends an EAP ID request with ID=1
 ++ Client receives the request BUT sends an EAPOL start packet
 ++ WLC receives this EAPOL start and then restarts the EAP process and sends another EAP ID req packet with ID=2
 ++ Client receives this packet but doesn't respond
 ++ On the WLC debugs at this point, I see one more EAPOL start packet from the client
 ++ Thus the WLC restarts the EAP process and sends one more EAP ID req with ID=3
 ++ Client receives this EAP ID req packet with ID=3
 ++ Client now responds to the first request packet with ID=1
 ++ WLC debugs say that it received a response with mismatched EAP ID (expecting ID=3 but received ID=1)
 ++ The problem is that the client Netmon captures show only 1 EAPOL start packet being sent, whereas we see 2 EAPOL start packets in the WLC debugs.
 ++ It's very clear that the root cause is this second EAPOL start packet being seen on the WLC, which actually restarts the EAP process
 ++ Now, I have the following questions:
 >> At which exact point does Netmon capture packets on the client? What components are there on the client during traffic transmission and reception?
 >> Is it possible that running Netmon on a third machine might show us a different picture of the problem client?
 >> The only component between the client and the WLC is the AP. Is it possible that the AP is replaying the EAPOL start packet twice? Or is the WLC itself replaying it?

Your kind suggestions will be highly appreciated.

Thanks,
Manish

Comment from Amir (http://www.flane.de), 2014-04-21 17:28 -07:00:

Nice description of the EAP jungle of autonomous APs... Thanks Jerome :)

Comment from Felipe Costa Correia, 2013-01-17 09:43 -08:00:

I have a problem starting this type of authentication with my AP.
I used the config you posted but I'm not getting logged in.
I enabled some debugs and this is what appears:

Jan 3 12:15:11.896: AAA/BIND(000000A5): Bind i/f
Jan 3 12:15:11.896: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 3 12:15:14.943: dot1x-ev:dot1x_mgr_process_eapol_pak: dot1x eapol on dot11 interface
Jan 3 12:15:14.944: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.1.
Jan 3 12:15:14.944: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
Jan 3 12:15:14.944: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 3 12:15:27.512: dot1x-ev:dot1x_mgr_process_eapol_pak: dot1x eapol on dot11 interface
Jan 3 12:15:27.512: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.1.
Jan 3 12:15:27.512: dot1x-err:No dot1x subblock
Jan 3 12:15:27.512: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator

Could you help?

Thanks in advance

Comment from Christos, 2012-02-09 10:56 -08:00:

Hello Jerome.

First of all I would like to congratulate you on the excellent blog and the CCIE channel.
You have helped me so much... (keep up the good work!!!).
I was wondering if it is possible to secure a PtP link using PEAP authentication and an external RADIUS server.
Based on your config I think this scenario should work.
Have you tried this or something similar?

Best regards.

Christos.

Comment from Jerome, 2011-06-22 04:36 -07:00:

Hi anonymous,
I would recommend using Network EAP + Open w/ EAP when using EAP-FAST if your client is a Cisco AP. Otherwise, with a standard client, Open w/ EAP is enough to make the client happy...
:-)

Comment from Anonymous, 2011-06-21 14:43 -07:00:

Thanks again for the explanation Jerome, although I also tried using EAP-FAST with only Network EAP and it seems to work fine. Do you recommend, when using EAP-FAST, offering both Network EAP and Open EAP?

Comment from Tim, 2010-08-04 07:14 -07:00:

Thank you for the thorough explanation, Jerome! This makes things much clearer for me. Good job noting that for AP-to-AP communication Network EAP needs to be enabled; I think I would have overlooked that if it was not stated outright in your post.