Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Need help setting up RADIUS for Cisco wireless Access Point

Posted on 2012-03-27
7
Medium Priority
?
1,113 Views
Last Modified: 2012-09-07
I have a Cisco Aironet AP operating in H-REAP mode with Local Authentication (clients simply use the Pre-Shared Key) and Local Switching. I want to setup RADIUS authentication so that wireless clients authenticate against Active Directory through the Wireless Controller. So what i want is "Central Authentication, Local Switching".

some questions:
- How do clients provide their username/password? Can authentication happen silently using the user's domain account from the client?
- Is the PSK independent of using RADIUS? Can I have both? Do i have to use RADIUS-only without a Pre-Shared Key?

thanks!  :-)
0
Comment
Question by:criskrit
  • 3
  • 2
7 Comments
 
LVL 5

Expert Comment

by:andrew1812
ID: 37775111
1. Users can authenticate with their username and password available in AD. You can register IAS (Radius server on WIndows 2003) to register with the AD and read info from the AD. Alternatively  a Cisco ACS server can also be used as a radius server and made to read info from the AD.

2. When you use radius servers, you would typically need a supplicant on the client PC's. You would be using protocols like PEAP-MSCHAP v2 / EAP-TLS etc for connecting to the AP and authenticating with the Radius Server. Pre-shared keys are not used here. The client and the radius server would generate random keys for every session dynamically.
0
 

Author Comment

by:criskrit
ID: 37777294
hi Andrew and thanks for the reply. The AP is at a Satellite location, the Controller is at the main office. We already have an IAS setup in the main office so this is not an issue. A couple more questions:
- from a user-experience perspective, will the users have to enter a username/password or everything happens automatically (using the domain credentials from their laptop)?
- can you explain a bit more about the things i have to add to the client's PC? Is it some application or what? Where do i find this?
thx!
0
 
LVL 5

Expert Comment

by:andrew1812
ID: 37777380
If you are using a Windows based computer, you don't need additional software. You could used the link below to understand what needs to be configured on the client PC.

http://windows.microsoft.com/en-US/windows-vista/Enable-802-1X-authentication

You would need to select on the adapter, what type of authentication you would be using like PEAP-MSCHAP v2 or EAP-TLS. There is an option on the network adapter (for 802.1x) where you select - "Use your windows login name and password for authentication". So the users do need to provide the username and password explicitly.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:criskrit
ID: 37779909
great info, thanks! Okay I found these on the Windows clients. Now is there some documentation how to setup Win2008 NPS for use with Cisco Wireless? Also which settings (ie 802.1X, WPA+WPA2 with 802.1X authentication etc) to use on the AP? thx!
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 1200 total points
ID: 37863727
The documentation that Cisco has for IAS applies to NPS.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

Using PSK and EAP are mutually exclusive onthe same SSID. If you want to use both, you need multiple SSIDs.

I have taken the configuration from my AP and made it a little more generic. Please enter in your own values.

aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1645 acct-port 1646
 server 192.168.1.2 auth-port 1645 acct-port 1646
 ip radius source-interface BVI1
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid WIRELESS1
   vlan 2
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 here_is_your_presharedkey
!
dot11 ssid WIRELESS2
   vlan 3
   authentication open eap eap_methods
   authentication key-management wpa version 2

bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid WIRELESS1
 !
 ssid WIRELESS2
 !
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 description Network with PSK
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 description Network with EAP
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 port-protected
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled

interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 35
 no ip route-cache
 no cdp enable
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.2.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.2.1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key here-is-your-radius-key1
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key here-is-your-radius-key2
radius-server retransmit 2
radius-server timeout 4
radius-server deadtime 1
radius-server vsa send accounting
bridge 1 route ip

Open in new window

0
 

Author Comment

by:criskrit
ID: 37920839
thanks for all the info and sorry for the delay, i have been pulled into a number of different projects, will try to find some time and test this in the near future.
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question