Solved

Need help setting up RADIUS for Cisco wireless Access Point

Posted on 2012-03-27
7
1,099 Views
Last Modified: 2012-09-07
I have a Cisco Aironet AP operating in H-REAP mode with Local Authentication (clients simply use the Pre-Shared Key) and Local Switching. I want to setup RADIUS authentication so that wireless clients authenticate against Active Directory through the Wireless Controller. So what i want is "Central Authentication, Local Switching".

some questions:
- How do clients provide their username/password? Can authentication happen silently using the user's domain account from the client?
- Is the PSK independent of using RADIUS? Can I have both? Do i have to use RADIUS-only without a Pre-Shared Key?

thanks!  :-)
0
Comment
Question by:criskrit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 5

Expert Comment

by:andrew1812
ID: 37775111
1. Users can authenticate with their username and password available in AD. You can register IAS (Radius server on WIndows 2003) to register with the AD and read info from the AD. Alternatively  a Cisco ACS server can also be used as a radius server and made to read info from the AD.

2. When you use radius servers, you would typically need a supplicant on the client PC's. You would be using protocols like PEAP-MSCHAP v2 / EAP-TLS etc for connecting to the AP and authenticating with the Radius Server. Pre-shared keys are not used here. The client and the radius server would generate random keys for every session dynamically.
0
 

Author Comment

by:criskrit
ID: 37777294
hi Andrew and thanks for the reply. The AP is at a Satellite location, the Controller is at the main office. We already have an IAS setup in the main office so this is not an issue. A couple more questions:
- from a user-experience perspective, will the users have to enter a username/password or everything happens automatically (using the domain credentials from their laptop)?
- can you explain a bit more about the things i have to add to the client's PC? Is it some application or what? Where do i find this?
thx!
0
 
LVL 5

Expert Comment

by:andrew1812
ID: 37777380
If you are using a Windows based computer, you don't need additional software. You could used the link below to understand what needs to be configured on the client PC.

http://windows.microsoft.com/en-US/windows-vista/Enable-802-1X-authentication

You would need to select on the adapter, what type of authentication you would be using like PEAP-MSCHAP v2 or EAP-TLS. There is an option on the network adapter (for 802.1x) where you select - "Use your windows login name and password for authentication". So the users do need to provide the username and password explicitly.
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 

Author Comment

by:criskrit
ID: 37779909
great info, thanks! Okay I found these on the Windows clients. Now is there some documentation how to setup Win2008 NPS for use with Cisco Wireless? Also which settings (ie 802.1X, WPA+WPA2 with 802.1X authentication etc) to use on the AP? thx!
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 300 total points
ID: 37863727
The documentation that Cisco has for IAS applies to NPS.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

Using PSK and EAP are mutually exclusive onthe same SSID. If you want to use both, you need multiple SSIDs.

I have taken the configuration from my AP and made it a little more generic. Please enter in your own values.

aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1645 acct-port 1646
 server 192.168.1.2 auth-port 1645 acct-port 1646
 ip radius source-interface BVI1
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid WIRELESS1
   vlan 2
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 here_is_your_presharedkey
!
dot11 ssid WIRELESS2
   vlan 3
   authentication open eap eap_methods
   authentication key-management wpa version 2

bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid WIRELESS1
 !
 ssid WIRELESS2
 !
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 description Network with PSK
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 description Network with EAP
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 port-protected
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled

interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 35
 no ip route-cache
 no cdp enable
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.2.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.2.1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key here-is-your-radius-key1
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key here-is-your-radius-key2
radius-server retransmit 2
radius-server timeout 4
radius-server deadtime 1
radius-server vsa send accounting
bridge 1 route ip

Open in new window

0
 

Author Comment

by:criskrit
ID: 37920839
thanks for all the info and sorry for the delay, i have been pulled into a number of different projects, will try to find some time and test this in the near future.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question