Using Debug Messages | Cisco Systems OL-6415-04 instruction

Chapter 4

Configure a Local Authenticator

The second section lists stats for each access point (NAS) authorized to use the local authenticator. The EAP-FAST statistics in this section include these stats:

•Auto provision success—the number of PACs generated automatically

•Auto provision failure—the number of PACs not generated because of an invalid handshake packet or invalid username or password

•PAC refresh—the number of PACs renewed by clients

•Invalid PAC received—the number of PACs received that were expired, that the authenticator could not decrypt, or that were assigned to a client username not in the authenticator’s database

The third section lists stats for individual users. If a user is blocked and the lockout time is set to infinite, blocked appears at the end of the stat line for that user. If the lockout time is not infinite, Unblocked in x seconds appears at the end of the stat line for that user.

Use this privileged exec mode command to reset local authenticator statistics to zero:

router# clear radius local-server statistics

Using Debug Messages

In privileged exec mode, enter this command to control the display of debug messages for the local authenticator:

router# debug radius local-server { client eapfast error packets}

Use the command options to display this debug information:

•Use the client option to display error messages related to failed client authentications.

•Use the eapfast option to display error messages related to EAP-FAST authentication. Use the sub-options to select specific debugging information:

–encryption —displays information on the encryption and decryption of received and transmitted packets

–events—displays information on all EAP-FAST events

–pac—displays information on events related to PACs, such as PAC generation and verification

–pkts—displays packets sent to and received from EAP-FAST clients

•Use the error option to display error messages related to the local authenticator.

•Use the packets option to turn on display of the content of RADIUS packets sent and received.

Cisco Wireless ISR and HWIC Access Point Configuration Guide

4-12	OL-6415-04

Image 76

Cisco Systems OL-6415-04 manual Using Debug Messages

Contents

Corporate Headquarters Text Part Number 0L-6415-04Page N T E N T S Ssid Configuration Methods Supported by Cisco IOS Releases Creating Cipher Suites Protocol Filters Local Authenticator Messages Contents Cisco Wireless Router and Hwic Configuration Guide Preface AudiencePurpose Preface provides information on the following topics Organization Conventions Preface Conventions Related Publications Cisco Product Document Title Obtaining Documentation Cisco.com Product Documentation DVD Documentation FeedbackOrdering Documentation Reporting Security Problems in Cisco Products Cisco Product Security Overview Obtaining Technical Assistance Submitting a Service RequestCisco Technical Support & Documentation Website Definitions of Service Request Severity Obtaining Additional Publications and Information Preface Obtaining Additional Publications and Information Wireless Device Management Overview Network Configuration Example Root Unit on a Wired LAN Features Overview Features Overview Overview Cisco Wireless Router and Hwic Configuration Guide Configuring Radio Settings Command Purpose Enabling the Radio InterfaceRoles in Radio Network Cisco Role in Radio Network Eries ISRs Configuring Network or Fallback Role Sample Bridging Configuration Bridge Features Not SupportedFollowing is a sample of a Root Bridge Configuration Following is a sample of Non-Root Bridge Configuration Interface Dot11Radio0/1/0 no ip address Universal Client Mode Configuring Universal Client Mode NAT Network Address Translation Following configuration is supported on NATVirtual interface to aid NAT translation No service password-encryption Hostname C1803WUC Configuring Radio Data Rates Configuring Radio Settings Configuring Radio Data Rates Throughput ofdm default Speed11.0 2.0 5.5 basic-1.0 2.0 5.5 6.0 9.0 Configuring Radio Transmit Power End Return to privileged Exec modeDBm 100 125 150 200 250 Limiting the Power Level for Associated Client Devices Power local5 6 7 10 13 15 17 Maximum Configuring Radio Channel Settings Power client20 30 50 100 maximum 10 20 30 50 Maximum Regulatory Domains Center ChannelIdentifier MHz 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2484 Channel DFS Automatically Enabled on Some 5-GHz Radio Channels GHz Channels on Which DFS is Automatically Enabled Enabling and Disabling World Mode Confirming that DFS is EnabledThis example shows how to unblock all frequencies for DFS Blocking Channels from DFS Selection Enabling and Disabling Short Radio Preambles Configuring Transmit and Receive Antennas Antenna receiveDiversity left right Antenna transmit Disable Access Point extensions Disabling and Enabling Access Point ExtensionsNo dot11 extension aironet Snap or 802.1h dot1h, the default setting Payload-encapsulationSet the encapsulation transformation method to RFC1042 Snap dot1h Enable Pspf Configure terminal Enter global configuration modeBridge-group group port-protected Configuring Beacon Period and Dtim Configuring Protected Ports Configuring RTS Threshold and Retries Configuring Maximum Data RetriesRts threshold value Rts retries value Configuring Fragmentation Threshold Bytes for the 2.4-GHz radio. Enter a setting from 256 toEnabling Short Slot Time for 802.11g Radios Fragment-threshold value Performing a Carrier Busy Test OL-6415-04 Configuring Multiple SSIDs Understanding Multiple SSIDs Ssid Configuration Methods Supported by Cisco IOS ReleasesVlan Configuring Multiple SSIDs Creating an Ssid Globally Command Purpose Viewing SSIDs Configured Globally Using a Radius Server to Restrict SSIDsUsing Spaces in SSIDs Requirements for Configuring Multiple BSSIDs Configuring Multiple Basic SSIDsGuidelines for Using Multiple BSSIDs CLI Configuration Example Displaying Configured BSSIDsEnabling Mbssid and Ssidl at the same time Information-element ssidl Sample Configuration for Enabling Mbssid and Ssidl Use the no form of the command to disable Ssidl IEsBelow is a sample configuration for enabling Mbssid Below is a sample configuration for enabling Ssidl Interface Dot11Radio0/0/0 no ip address OL-6415-04 Configuring an Access Point as a Local Authenticator Understand Local Authentication Configure a Local Authenticator Guidelines for Local Authenticators Configuration OverviewConfiguring the Local Authenticator Access Point Aaa new-model Enable AAA Reauthentication time seconds Radius-server localVlan vlan Ssid ssid Password nthash password Mac-auth-only This example shows how to set up EAP-FAST authentication End Routerconfig# aaa new-model Configuring EAP-FAST Settings Configuring PAC Settings Configuring Server Keys Configuring an Authority IDPossible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Viewing Local Authenticator StatisticsThis example shows local authenticator statistics Unblocking Locked Usernames Using Debug Messages Configuring Encryption Types Understand Encryption Types, Configure Encryption Types, Understand Encryption Types Configure Encryption Types Creating WEP Keys Security Configuration WEP Key Restriction WEP Key RestrictionsEncryption Key Access Point Associated Device Slot Transmit? Key Contents Example WEP Key SetupCreating Cipher Suites Cipher Suites Compatible with WPA Compatible Cipher Suites Enabling and Disabling Broadcast Key RotationWPA Security Type in Universal Client Mode Security Tkip AES TKIP+AES Universal client configurationWEP 40-bit WEP 128-bit Debugging Caveats WEP OL-6415-04 Configuring Authentication Types Understand Authentication Types Open Authentication to Access Point Shared Key Authentication to Access Point Traffic from client EAP Authentication to Network Sequence for EAP Authentication MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using WPA Key Management 5shows the WPA key management process WPA-PSK Mode Windows XP Yes Software and Firmware Requirements for WPA and WPA-TKIPThird Party Host Supplicant Protocol Required? Systems Configure Authentication Types Assigning Authentication Types to an Ssid Authentication open Optional Set the authentication type to open for this SsidMac-address list-name alternate Optional eap list-name Authentication shared Authentication network-eapAuthentication key-management Mac-address list-name Configuring WPA Migration Mode Configuring Additional WPA Settings Wpa-psk hex ascii 0 Configuring MAC Authentication Caching Dot1x client-timeout seconds Dot11 holdoff-time secondsDot1x reauth-period seconds Server Detects two MIC failures within 60 seconds, it blocks all Security Feature Client Setting Access Point SettingTkip clients on that interface for the holdtime period WPA-PSK Security Feature Client Setting Access Point Setting Configuring Radius Servers Configuring and Enabling Radius Understanding Radius Radius Operation Configuring Radius Default Radius Configuration Identifying the Radius Server Host Acct-port port-number timeout Port for authentication requests.Optional For acct-portRadius-server timeout command is used Radius-server host hostname Configuring Radius Login Authentication Show running-config Verify your entries Aaa authentication login default Login authentication defaultAuthentication login command Include-in-access-req format %h Defining AAA Server Groups Port for authentication requests Port for accounting requestsAaa group server radius group-name Define the AAA server-group with a group name Radius Starting Radius Accounting Selecting the Csid Format Configuring Settings for All Radius ServersOption MAC Address Example Show running-config Verify your settings Radius-server vsa send accounting AuthenticationRadius-server host hostname ip-address non-standard Configuring WISPr Radius Attributes Radius-server key string Displaying the Radius Configuration Snmp-server location location Radius Attributes Sent by the Access Point Attribute ID Description VLAN-ID Acct-Terminate-Cause VSA attribute NAS-Location Disc-Cause-Ext Configuring VLANs Understanding VLANs LAN and Vlan Segmentation with Wireless Devices Related Documents Configuring VLANs Incorporating Wireless Devices into VLANs Configuring a Vlan Interface dot11radio 0.x Encapsulation dot1q vlan-id Using a Radius Server to Assign Users to VLANs Guidelines for Using Vlan NamesAssigning Names to VLANs Creating a Vlan Name Viewing VLANs Configured on the Access Point Vlan Configuration Example Ssid Vlan ID Configuring Vlan Vlan 1 Interfaces Vlan 2 Interfaces Vlan 3 Interfaces Configuring VLANs Vlan Configuration Example OL-6415-04 Configuring QoS Understanding QoS for Wireless LANs, Configuring QoS, QoS for Wireless LANs Versus QoS on Wired LANs Understanding QoS for Wireless LANsImpact of QoS on a Wireless LAN Precedence of QoS Settings Upstream and Downstream Traffic Flow Using Wi-Fi Multimedia Mode Configuring QoS Configuration GuidelinesAdjusting Radio Access Categories Fixed Slot Time Sample Configuration Using the CLI Disabling Igmp Snooping Helper Channel Settings Ieee 802.11b 2.4-GHz BandCenter Frequency Americas Japan Ieee 802.11g 2.4-GHz Band Ieee 802.11a 5-GHz BandCenter Regulatory Domains Americas -A Emea -E Japan -J Frequency Frequency North America OL-6415-04 Protocol Filters Protocol Icmp IgmpTCP EGP PUP Chaos ISO Designator Tsap POP2POP3 IMAP2 RIP RPCUucp CVS MIB List Supported MIBsIEEE802dot11-MIB Using FTP to Access the MIB Files RFC1213-MIB RFC1398-MIB SNMPv2-MIB SNMPv2-SMI SNMPv2-TC Error and Event Messages How to Read System MessagesThis appendix lists the CLI error and event messages Level Description Explanation a station associated to an access point Explanation a station disassociated from an access pointMessage Traceback Reports Association Management Messages Subsystem Messages Recommended Action None Explanation The device has begun its DFS scanning process Recommended Action None Error Message DOT11-4-RMINCAPABLE Interface interface Recommended Action Reload the system Error Message DOT11-4-CANTASSOC Cannot associate characters Recommended Action None Recommended Action Local Authenticator Messages Network with wireless stations Wireless network composed of stations without Access PointsAccess Point Operating in the 2.4-GHz band Hoc mode GL-2 LAN 802.11 specifications Wired Ethernet networkAn antenna that radiates its signal in a spherical pattern Corresponding IP addresses Transmission at 6, 9, 12, 18, 24, 36, 48, and 54 Mbps Transmission at 2 Mbps While maintaining an unbroken connection to the LAN That of a cable Computing device with an installed client adapter Wireless MultiMedia802.1X for authenticated key management EAP AES-CCMP EAP-FAST 1 IN-2 FTP Leap Ofdm Names, Vlan Network-EAPQbss Guest mode Multiple SSIDs Support Using spaces Local authentication Names Ssid 4 Vlan command 4Regulatory Domains Radius RFC World-mode command WPA migration mode Wpa-psk command IN-7 IN-8 IN-9 IN-10 IN-11 IN-12 IN-13 IN-14