Need help setting up RADIUS for Cisco wireless Access Point

I have a Cisco Aironet AP operating in H-REAP mode with Local Authentication (clients simply use the Pre-Shared Key) and Local Switching. I want to setup RADIUS authentication so that wireless clients authenticate against Active Directory through the Wireless Controller. So what i want is "Central Authentication, Local Switching".

some questions:
- How do clients provide their username/password? Can authentication happen silently using the user's domain account from the client?
- Is the PSK independent of using RADIUS? Can I have both? Do i have to use RADIUS-only without a Pre-Shared Key?

thanks!  :-)
criskritAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

andrew1812Commented:
1. Users can authenticate with their username and password available in AD. You can register IAS (Radius server on WIndows 2003) to register with the AD and read info from the AD. Alternatively  a Cisco ACS server can also be used as a radius server and made to read info from the AD.

2. When you use radius servers, you would typically need a supplicant on the client PC's. You would be using protocols like PEAP-MSCHAP v2 / EAP-TLS etc for connecting to the AP and authenticating with the Radius Server. Pre-shared keys are not used here. The client and the radius server would generate random keys for every session dynamically.
0
criskritAuthor Commented:
hi Andrew and thanks for the reply. The AP is at a Satellite location, the Controller is at the main office. We already have an IAS setup in the main office so this is not an issue. A couple more questions:
- from a user-experience perspective, will the users have to enter a username/password or everything happens automatically (using the domain credentials from their laptop)?
- can you explain a bit more about the things i have to add to the client's PC? Is it some application or what? Where do i find this?
thx!
0
andrew1812Commented:
If you are using a Windows based computer, you don't need additional software. You could used the link below to understand what needs to be configured on the client PC.

http://windows.microsoft.com/en-US/windows-vista/Enable-802-1X-authentication

You would need to select on the adapter, what type of authentication you would be using like PEAP-MSCHAP v2 or EAP-TLS. There is an option on the network adapter (for 802.1x) where you select - "Use your windows login name and password for authentication". So the users do need to provide the username and password explicitly.
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

criskritAuthor Commented:
great info, thanks! Okay I found these on the Windows clients. Now is there some documentation how to setup Win2008 NPS for use with Cisco Wireless? Also which settings (ie 802.1X, WPA+WPA2 with 802.1X authentication etc) to use on the AP? thx!
0
kevinhsiehCommented:
The documentation that Cisco has for IAS applies to NPS.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

Using PSK and EAP are mutually exclusive onthe same SSID. If you want to use both, you need multiple SSIDs.

I have taken the configuration from my AP and made it a little more generic. Please enter in your own values.

aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1645 acct-port 1646
 server 192.168.1.2 auth-port 1645 acct-port 1646
 ip radius source-interface BVI1
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid WIRELESS1
   vlan 2
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 here_is_your_presharedkey
!
dot11 ssid WIRELESS2
   vlan 3
   authentication open eap eap_methods
   authentication key-management wpa version 2

bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid WIRELESS1
 !
 ssid WIRELESS2
 !
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 description Network with PSK
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 description Network with EAP
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 port-protected
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled

interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 35
 no ip route-cache
 no cdp enable
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.2.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.2.1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key here-is-your-radius-key1
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key here-is-your-radius-key2
radius-server retransmit 2
radius-server timeout 4
radius-server deadtime 1
radius-server vsa send accounting
bridge 1 route ip

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
criskritAuthor Commented:
thanks for all the info and sorry for the delay, i have been pulled into a number of different projects, will try to find some time and test this in the near future.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.