Wireless Access

In a migration phase from Cisco to Aruba and also ACS to Clearpass, so i need to get 1 SSID connecting to our old Cisco Radius servers to authenicate until we can migrate to clearpass.

Issue is when we use LEAP to authicate the users as they are set to currenty we get the below, so i have allowed the 2 Aruba controllers as a source and can authicate using MS-Chap Peap etc just not Leap so it is like Radius is not getting something from Aruba with Leap anyone seen before?

EAP_LEAP Type not configured

Which Opmode (Encryption type) are you using?

 

Typically you would enable "use-session-key" in the corresponding dot1x profile when using LEAP:  https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/1cli-commands/aaa-auth-dot1x.htm?Highlight=use-session-key

WPA2-Enterprise  Leap username and Password

 

I have enabled that session key setting on the SSID AAA profile but it did not appear to make any difference.

Okay.  Have you already set the EAP type? https://community.cisco.com/t5/wireless-and-mobility/eap-peap-type-not-configured/td-p/1700849

 

 

Yes that is already set on the ACS server and it allowed Leap from my Cisco wireless controllers fine

The WLC is typically agnostic to the eap type. The eap type is set between the radius server and the client....

Yes and that is the bit that has me confused as to what the Aubra is doing differnent as it passes them on.

 

Options for the Radius types on the ACS are below i went with IETF but the fact other non Leap authenication is working means i dont think it is that.

LEAP Allow LEAP - Use to enable LEAP authentication for users accessing the network from Cisco Aironet Access Point devices.

 

This option is ticked

Is it hitting that rule?

Logs on the old ACS are limited and that is a gobal option on the acs server so i have changed the type to Cisco Aironet instead of IETF and going to try a test.