Radius Server

I need to build a 2003 Server with Radius on it. Can someone recommend software for this project? I looked into Cisco ACACS but that's extremely expensive. I basically need it for 12 access points.
WellingtonIS Asked:
WellingtonIS Author Commented:
I have Cisco Aironet AP 1131AG access points. I'm going to try this. Thanks.
0
WellingtonIS Author Commented:
How do you set up SSIDs?
0
WellingtonIS Author Commented:
Can this do WPA2?
0
Jakob Digranes, Senior Consultant, Commented:
WPA2 encryption is handled by the Access Point, and is dependent on the firmware on the AP - most likely you have this ability...
And given that clients are at least XP SP2
0
WellingtonIS Author Commented:
OK, I have a RADIUS server set up. I'm using the Aironet 1130 AG. I can get the access point to the server but I can't figure out how to get WPA2 installed. Can this even be done? According to Cisco it can, but how??
0
Craig Beck Commented:
As Jakob says, the AP does WPA2 (as we've already established in another thread), not the RADIUS. The RADIUS only facilitates the dynamic encryption key between the client and AP.
> OK, I have a RADIUS server set up. I'm using the Aironet 1130 AG. I can get the access point to the server but I can't figure out how to get WPA2 installed. Can this even be done? According to Cisco it can, but how??
You told me Cisco said it couldn't!? Anyway...

If you:

1] Configure a RADIUS server on the AP
2] Configure the Encryption for the SSID as Cipher with AES-CCM
3] Specify the WPA version as WPA2 in the SSID


...you will be using WPA2.

Here's a great link to help getting the IAS configured.  Just ignore the WLC references.

https://supportforums.cisco.com/servlet/JiveServlet/download/1262833-34588/Windows%20IAS%20setting%20for%20Cisco%20Wireless%20Controllers.pdf

Here's a great reference link...

https://supportforums.cisco.com/thread/2166509

Everything you need is there.
0
WellingtonIS Author Commented:
Yes, he is correct. I did get it to work with only 1 WPA2. My challenge is adding the rest. When I do that I lose the clients.
0
WellingtonIS Author Commented:
Got this set up so far: 1 VLAN. The test PC is connected but I can't get an IP address. What am I doing wrong?
0
Craig Beck Commented:
Can you post an IAS event from the Security log on the server?
0
WellingtonIS Author Commented:
Here ya go. It authenticates but it only gets a 169 address... I did exactly what the instructions said. It's on VLAN 7 but it's not finding DHCP.
log.png
0
Craig Beck Commented:
That's not the IAS security events.  That's the AP log.

However you're not even using RADIUS - The client authenticated using PSK.

Can you post the AP config?
0
WellingtonIS Author Commented:
Hmm. I have the RADIUS set up in there. Anyway, here's the config.
ap.txt
0
Craig Beck Commented:
The RADIUS config isn't being used... you've specified a PSK...

dot11 ssid WRMC-INTERNAL
   vlan 7
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 06315C2D401F070D5519534A4F
0
WellingtonIS Author Commented:
OK, so is this the reason I'm not getting an IP from my DHCP server?
0
Craig Beck Commented:
Maybe...

If you turn off WPA and just use a wide-open SSID do you get an IP address?

The config doesn't look very clean to me.  Have you edited it in the CLI?
0
WellingtonIS Author Commented:
Actually I used the GUI in the AP.
0
Craig Beck Commented:
You don't have a native VLAN configured.  The GUI won't let you not select a native VLAN as it relies on it for management.
0
WellingtonIS Author Commented:
Correct. So I have to do that via command? If I don't put in a VLAN and just hook up one SSID it works. Something with the VLANs. Again, connecting to the AP but no IP address.
0
Craig Beck Commented:
No, if you have more than one VLAN configured on the AP you HAVE to select at least one VLAN to be the native VLAN.  The GUI won't work if you don't have a native VLAN configured as there is no VLAN1 in your config.  That means the AP won't know which interface to attach to BVI1 (where the management IP address is).

So yes, the most likely issue is VLANs.

My advice is to factory-reset the AP, then reconfigure everything via the GUI only - don't touch the CLI.
0
WellingtonIS Author Commented:
OK, THANKS. Will try.
0
WellingtonIS Author Commented:
OK, I did that, made the native VLAN 7 and I got at least one device connected. Thanks.
0
Craig Beck Commented:
Ok that's good... so what you need to do is make the VLAN where the management IP address sits as the native VLAN on the AP, then set up all the other SSIDs and VLANs.
0
WellingtonIS Author Commented:
The native VLAN is 3 so I made that the native VLAN. So now I have 2 SSIDs with security working. Believe it or not, I can't get the guest to work! That has no security at all.
0
Craig Beck Commented:
Check the VLANs...
0
WellingtonIS Author Commented:
I did. I have VLANs not communicating or not showing up on the AP. One is my guest and one is for what's called an Ascom phone. I'm not sure what's wrong because I'm basically doing everything the same. The guest network is open, no security - the Ascom phone is AES, not TKIP, and WPA2 with a security code. I'm adding everything but no luck.
0
Craig Beck Commented:
Can you post your AP's current config, and switch config?
0
WellingtonIS Author Commented:
Here you go. Keep in mind that I did all of these via the GUI on the AP itself. I checked the switches for the VLAN info and confirmed it's set up correctly. VLAN 4 and VLAN 21 are my "problem" children.
airconfigs.txt
0
Craig Beck Commented:
I appreciate that you have checked the switch VLAN info, however I'd still like to see it.

Also, the output you provided is truncated.  I can only see as far as a few subinterfaces on the 2.4GHz radio.  I really need to see all of the config.

Can you disable shared authentication on the Guest SSID?

dot11 ssid GUEST
   vlan 4
   authentication open
   authentication shared
0
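An added example, not part of the thread and not Cisco tooling: a small Python check that reads an autonomous-AP config and reports the three problems raised in the answers above (an SSID that uses a PSK so RADIUS is not used, `authentication shared` on the guest SSID, and no native VLAN). The sample config, its SSID names and the `eap_methods` list name are constructed; it assumes the AP writes EAP SSIDs as `authentication open eap <list>` or `authentication network-eap <list>` and the native VLAN as `encapsulation dot1Q <id> native`.

```python
import re

# Constructed sample in the style of the snippets quoted in this thread;
# SSID names, VLAN IDs and the EAP list name are placeholders.
SAMPLE = """\
dot11 ssid INTERNAL-PSK
   vlan 7
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 <redacted>
!
dot11 ssid INTERNAL-EAP
   vlan 8
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
dot11 ssid GUEST
   vlan 4
   authentication open
   authentication shared
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
"""

def audit(config):
    """Return (per-SSID report, has_native_vlan) for an AP config string."""
    report, ssid = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            ssid = m.group(1)
            report[ssid] = dict(psk=False, eap=False, shared=False, wpa2=False)
        elif ssid and line[:1].isspace():        # indented line of the SSID block
            s, r = line.strip(), report[ssid]
            r["psk"] |= s.startswith("wpa-psk")
            r["eap"] |= bool(re.match(r"authentication (open eap|network-eap)\b", s))
            r["shared"] |= s == "authentication shared"
            r["wpa2"] |= s == "authentication key-management wpa version 2"
        else:
            ssid = None                           # left the SSID block
    for r in report.values():
        # With a PSK configured the key comes from the AP, so RADIUS is not used.
        r["auth"] = "psk" if r["psk"] else "radius" if r["eap"] else "open"
    native = bool(re.search(r"^\s*encapsulation dot1Q \d+ native\b", config, re.M))
    return report, native
```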
WellingtonIS Author Commented:
OK, took out the shared and I also checked the box "Set SSID as guest mode". I'll get you a better config file.
0
WellingtonIS Author Commented:
Here's the config exported from the AP.
airconfig.txt
0
Craig Beck Commented:
Ok, that looks fine.

So, does the Regi0n@l SSID work?
0
WellingtonIS Author Commented:
Yes, that's a SpectraLink phone. The strange thing is if I do a show VLAN I see packets transmitting. Is it possible it's just not showing up in the AP?
0
Craig Beck Commented:
If you connect the spectralink phone to the Guest SSID does it work?
0
WellingtonIS Author Commented:
Can't do that, the phone is preprogrammed.
0
Craig Beck Commented:
Ok I need to see the switch config and the following outputs from the switch..

show interface trunk
show vlan brief
0
WellingtonIS Author Commented:
The AP doesn't show trunk but I got the VLAN...
vlanconfig.txt
0
Craig Beck Commented:
I need the SWITCH not AP config and outputs...
0
WellingtonIS Author Commented:
OK, that may take a bit. I'll get back to you soon. Thanks so much for this.
0
WellingtonIS Author Commented:
I know what the problem is with VLAN 21, the Ascom phones. That VLAN needs to have world mode enabled. I see how to do this but it appears that this will be for everyone and I only need this on one VLAN.
0
Craig Beck Commented:
Don't worry about enabling world mode globally - it just means that auto power levels won't work properly.
0
WellingtonIS Author Commented:
OK, suddenly everything is working! I can't get it into world mode because every time I use the country code for the United States it tells me "Can't find Country code of World mode". I'm using Dot11d? I think I'm going to let that go... I'll be closing shortly. I'm going to export the config and import it and change the IPs. Thanks so much for ALL of your help.
0
WellingtonIS Author Commented:
Didn't know exactly what got me to this point; actually, all the suggestions did it. Thank you so much for all of this help. I wound up using the GUI and got everything working without using RADIUS. If someone is looking for help, read this all and check out the links too.
0