Solved

Need help setting up RADIUS for Cisco wireless Access Point

Posted on 2012-03-27
7
1,070 Views
Last Modified: 2012-09-07
I have a Cisco Aironet AP operating in H-REAP mode with Local Authentication (clients simply use the Pre-Shared Key) and Local Switching. I want to setup RADIUS authentication so that wireless clients authenticate against Active Directory through the Wireless Controller. So what i want is "Central Authentication, Local Switching".

some questions:
- How do clients provide their username/password? Can authentication happen silently using the user's domain account from the client?
- Is the PSK independent of using RADIUS? Can I have both? Do i have to use RADIUS-only without a Pre-Shared Key?

thanks!  :-)
0
Comment
Question by:criskrit
  • 3
  • 2
7 Comments
 
LVL 5

Expert Comment

by:andrew1812
ID: 37775111
1. Users can authenticate with their username and password available in AD. You can register IAS (Radius server on WIndows 2003) to register with the AD and read info from the AD. Alternatively  a Cisco ACS server can also be used as a radius server and made to read info from the AD.

2. When you use radius servers, you would typically need a supplicant on the client PC's. You would be using protocols like PEAP-MSCHAP v2 / EAP-TLS etc for connecting to the AP and authenticating with the Radius Server. Pre-shared keys are not used here. The client and the radius server would generate random keys for every session dynamically.
0
 

Author Comment

by:criskrit
ID: 37777294
hi Andrew and thanks for the reply. The AP is at a Satellite location, the Controller is at the main office. We already have an IAS setup in the main office so this is not an issue. A couple more questions:
- from a user-experience perspective, will the users have to enter a username/password or everything happens automatically (using the domain credentials from their laptop)?
- can you explain a bit more about the things i have to add to the client's PC? Is it some application or what? Where do i find this?
thx!
0
 
LVL 5

Expert Comment

by:andrew1812
ID: 37777380
If you are using a Windows based computer, you don't need additional software. You could used the link below to understand what needs to be configured on the client PC.

http://windows.microsoft.com/en-US/windows-vista/Enable-802-1X-authentication

You would need to select on the adapter, what type of authentication you would be using like PEAP-MSCHAP v2 or EAP-TLS. There is an option on the network adapter (for 802.1x) where you select - "Use your windows login name and password for authentication". So the users do need to provide the username and password explicitly.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:criskrit
ID: 37779909
great info, thanks! Okay I found these on the Windows clients. Now is there some documentation how to setup Win2008 NPS for use with Cisco Wireless? Also which settings (ie 802.1X, WPA+WPA2 with 802.1X authentication etc) to use on the AP? thx!
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 300 total points
ID: 37863727
The documentation that Cisco has for IAS applies to NPS.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

Using PSK and EAP are mutually exclusive onthe same SSID. If you want to use both, you need multiple SSIDs.

I have taken the configuration from my AP and made it a little more generic. Please enter in your own values.

aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1645 acct-port 1646
 server 192.168.1.2 auth-port 1645 acct-port 1646
 ip radius source-interface BVI1
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid WIRELESS1
   vlan 2
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 here_is_your_presharedkey
!
dot11 ssid WIRELESS2
   vlan 3
   authentication open eap eap_methods
   authentication key-management wpa version 2

bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid WIRELESS1
 !
 ssid WIRELESS2
 !
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 description Network with PSK
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 description Network with EAP
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 port-protected
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled

interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 35
 no ip route-cache
 no cdp enable
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.2.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.2.1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key here-is-your-radius-key1
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key here-is-your-radius-key2
radius-server retransmit 2
radius-server timeout 4
radius-server deadtime 1
radius-server vsa send accounting
bridge 1 route ip

Open in new window

0
 

Author Comment

by:criskrit
ID: 37920839
thanks for all the info and sorry for the delay, i have been pulled into a number of different projects, will try to find some time and test this in the near future.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now