Solved

Need help setting up RADIUS for Cisco wireless Access Point

Posted on 2012-03-27
1,108 Views
Last Modified: 2012-09-07
I have a Cisco Aironet AP operating in H-REAP mode with Local Authentication (clients simply use the Pre-Shared Key) and Local Switching. I want to set up RADIUS authentication so that wireless clients authenticate against Active Directory through the Wireless Controller. So what I want is "Central Authentication, Local Switching".

Some questions:
- How do clients provide their username/password? Can authentication happen silently using the user's domain account from the client?
- Is the PSK independent of using RADIUS? Can I have both? Do I have to use RADIUS-only without a Pre-Shared Key?

thanks!  :-)
Question by:criskrit
7 Comments
LVL 5

Expert Comment

by:andrew1812
ID: 37775111
1. Users can authenticate with their username and password available in AD. You can register IAS (RADIUS server on Windows 2003) with the AD and read info from the AD. Alternatively, a Cisco ACS server can also be used as a RADIUS server and made to read info from the AD.

2. When you use RADIUS servers, you would typically need a supplicant on the client PCs. You would be using protocols like PEAP-MSCHAP v2 / EAP-TLS etc. for connecting to the AP and authenticating with the RADIUS server. Pre-shared keys are not used here. The client and the RADIUS server would generate random keys for every session dynamically.
Author Comment

by:criskrit
ID: 37777294
Hi Andrew, and thanks for the reply. The AP is at a satellite location, the Controller is at the main office. We already have an IAS setup in the main office so this is not an issue. A couple more questions:
- from a user-experience perspective, will the users have to enter a username/password, or does everything happen automatically (using the domain credentials from their laptop)?
- can you explain a bit more about the things I have to add to the client's PC? Is it some application or what? Where do I find this?
thx!
LVL 5

Expert Comment

by:andrew1812
ID: 37777380
If you are using a Windows-based computer, you don't need additional software. You can use the link below to understand what needs to be configured on the client PC.

http://windows.microsoft.com/en-US/windows-vista/Enable-802-1X-authentication

You would need to select on the adapter what type of authentication you would be using, like PEAP-MSCHAP v2 or EAP-TLS. There is an option on the network adapter (for 802.1X) where you select "Use your Windows login name and password for authentication". So the users do need to provide the username and password explicitly.
Author Comment

by:criskrit
ID: 37779909
Great info, thanks! Okay, I found these on the Windows clients. Now is there some documentation on how to set up Win2008 NPS for use with Cisco Wireless? Also, which settings (i.e. 802.1X, WPA+WPA2 with 802.1X authentication etc.) to use on the AP? thx!
LVL 42

Accepted Solution

by: kevinhsieh earned 1200 total points
ID: 37863727
The documentation that Cisco has for IAS applies to NPS.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

Using PSK and EAP are mutually exclusive on the same SSID. If you want to use both, you need multiple SSIDs.

I have taken the configuration from my AP and made it a little more generic. Please enter in your own values.

! RADIUS server group used for EAP; the 'radius-server host' lines at the
! bottom supply each server's shared key
aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1645 acct-port 1646
 server 192.168.1.2 auth-port 1645 acct-port 1646
 ip radius source-interface BVI1
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid WIRELESS1
   vlan 2
   authentication open
   authentication key-management wpa version 2
   ! the '7' marks a type-7 string as copied from 'show run'; to enter a
   ! key in clear text use 'wpa-psk ascii 0 <your-key>' instead
   wpa-psk ascii 7 here_is_your_presharedkey
!
dot11 ssid WIRELESS2
   vlan 3
   ! EAP via the rad_eap group defined above; no PSK on this SSID
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid WIRELESS1
 !
 ssid WIRELESS2
 !
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 description Network with PSK
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 description Network with EAP
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 port-protected
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.3
 ! wired tag must match VLAN 3, the VLAN of WIRELESS2 bridged via bridge-group 3
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.2.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.2.1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key here-is-your-radius-key1
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key here-is-your-radius-key2
radius-server retransmit 2
radius-server timeout 4
radius-server deadtime 1
radius-server vsa send accounting
bridge 1 route ip
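One way to sanity-check a configuration of this shape before pasting it into an AP, written here as an added example (it is not from this thread and not a Cisco tool): a small Python linter that reads the lines of an autonomous-AP running-config that matter for this answer and reports an SSID that mixes a PSK with EAP, a radio subinterface whose dot1Q tag differs from its wired counterpart, and a server named in the RADIUS group that has no `radius-server host ... key` line. The function names, the sample config embedded in the script (modelled on the one above, with a deliberate tag mismatch and a deliberately mixed third SSID) and the placeholder keys are all constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ApConfig:
    """The parts of an autonomous-AP running-config the checks below need."""
    ssids: dict = field(default_factory=dict)        # name -> {"vlan", "psk", "eap"}
    subif_tags: dict = field(default_factory=dict)   # (base interface, subif id) -> dot1Q tag
    group_servers: set = field(default_factory=set)  # servers under 'aaa group server radius'
    host_servers: set = field(default_factory=set)   # servers with a 'radius-server host ... key'


def parse_ap_config(text: str) -> ApConfig:
    # Minimal IOS-style parser: an unindented line opens a block, indented lines belong to it.
    cfg = ApConfig()
    current = None  # ("ssid", name) | ("iface", name) | ("group", name) | None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # '!' lines are separators or comments and carry no config
        if not line.startswith(" "):
            current = None
            if m := re.match(r"dot11 ssid (\S+)$", line):
                current = ("ssid", m[1])
                cfg.ssids[m[1]] = {"vlan": None, "psk": False, "eap": False}
            elif m := re.match(r"interface (\S+)$", line):
                current = ("iface", m[1])
            elif m := re.match(r"aaa group server radius (\S+)$", line):
                current = ("group", m[1])
            elif m := re.match(r"radius-server host (\S+) .*\bkey \S+", line):
                cfg.host_servers.add(m[1])
            continue
        sub, kind = line.strip(), (current[0] if current else None)
        if kind == "ssid":
            entry = cfg.ssids[current[1]]
            if m := re.match(r"vlan (\d+)$", sub):
                entry["vlan"] = int(m[1])
            elif sub.startswith("wpa-psk "):
                entry["psk"] = True
            elif re.match(r"authentication (open|network-eap) eap ", sub):
                entry["eap"] = True
        elif kind == "iface":
            if m := re.match(r"encapsulation dot1[Qq] (\d+)", sub):
                base, _, subif = current[1].partition(".")
                cfg.subif_tags[(base, subif)] = int(m[1])
        elif kind == "group":
            if m := re.match(r"server (\S+)", sub):
                cfg.group_servers.add(m[1])
    return cfg


def lint_ap_config(cfg: ApConfig) -> list:
    # Returns human-readable findings; an empty list means every check passed.
    findings = []
    for name, e in sorted(cfg.ssids.items()):
        if e["psk"] and e["eap"]:
            findings.append(f"ssid {name}: PSK and EAP on one SSID; put them on separate SSIDs")
    radio = {s: t for (b, s), t in cfg.subif_tags.items() if b.startswith("Dot11Radio")}
    wired = {s: t for (b, s), t in cfg.subif_tags.items() if not b.startswith("Dot11Radio")}
    for s, t in sorted(radio.items()):
        if s in wired and wired[s] != t:
            findings.append(f"subinterface .{s}: radio side is dot1Q {t} but wired side is dot1Q {wired[s]}")
    for srv in sorted(cfg.group_servers - cfg.host_servers):
        findings.append(f"radius server {srv}: in the server group but has no 'radius-server host ... key' line")
    return findings


# Constructed sample modelled on the config above; the .3 tag mismatch and the third SSID are deliberate.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1645 acct-port 1646
 server 192.168.1.2 auth-port 1645 acct-port 1646
!
dot11 ssid WIRELESS1
   vlan 2
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 PSK_PLACEHOLDER
!
dot11 ssid WIRELESS2
   vlan 3
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
dot11 ssid WIRELESS3
   vlan 4
   authentication open eap eap_methods
   wpa-psk ascii 0 PSK_PLACEHOLDER
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
!
interface FastEthernet0.3
 encapsulation dot1Q 35
!
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key RADIUS_KEY_PLACEHOLDER
"""

if __name__ == "__main__":
    for finding in lint_ap_config(parse_ap_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it as-is to see the three findings, or feed parse_ap_config the text of `show running-config` from your own AP. The tag check matters because the AP joins the radio and wired subinterfaces by bridge-group, not by VLAN tag: a mismatch like the one in the sample does not stop traffic, it silently bridges the wireless VLAN onto a different wired VLAN, which a ping test will not reveal.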
Author Comment

by:criskrit
ID: 37920839
Thanks for all the info and sorry for the delay; I have been pulled into a number of different projects. I will try to find some time and test this in the near future.