I recently began using RADIUS for our networks to authenticate Cisco console logins and VPN connection requests (AnyConnect), which has been working great. Our network isn't huge (3 ASA5505s with site-to-site VPNs, 1 site with a wireless AP).
I would like to set up our wireless access point to have (1) SSID that authenticates users via RADIUS (to Windows NPS on our domain controller). I have a Windows security group called "Wireless Users" set up and I want users to be able to log in to the wireless using their AD account.
We do not have multiple VLANs or anything complicated.
I am unable to find a solution for this on Autonomous IOS Version 12.4, and was wondering if anyone could assist.
Thank you!! (config below)
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx-AP
!
enable secret xxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius radius-admin
 server-private 192.168.12.2 auth-port 1812 acct-port 1813 key xxxxxxxxxxxxxxxx
!
aaa authentication login userAuthent group radius-admin local
aaa authorization exec userAuthor local group radius-admin if-authenticated
!
aaa session-id common
no ip domain lookup
ip domain name xxxxxxxxxxx
!
!
login block-for 60 attempts 3 within 30
dot11 syslog
!
!
dot11 ssid ssid1
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii xxxxxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-###########
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-###########
 revocation-check none
 rsakeypair TP-self-signed-############
!
!
username admin privilege 15 secret xxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 broadcast-key change 3600
 !
 !
 ssid ssid1
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 broadcast-key change 3600
 !
 antenna gain 0
 dfs band 3 block
 mbssid
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.12.254 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
access-list 1 permit 192.168.0.0 0.0.255.255
no cdp run
bridge 1 route ip
!
!
banner login ^CC xxxxxxxxx - AUTHORIZED ACCESS ONLY ^C
!
line con 0
 logging synchronous
line vty 0 4
 access-class 1 in
 authorization exec userAuthor
 login authentication userAuthent
 transport input ssh
line vty 5 15
 access-class 1 in
 authorization exec userAuthor
 login authentication userAuthent
 transport input ssh
!
end
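
One way to get the SSID described above from WPA2-PSK to WPA2 with 802.1X (EAP) against the same RADIUS server, shown as the running-config fragments that differ from the posted config. This is an added example, not part of the original post. The names rad_eap and eap_methods and the key placeholder are assumptions, and limiting access to the "Wireless Users" group is done in the NPS network policy (Windows Groups condition), not on the AP.

```cisco
! Added example (not from the original post). rad_eap and eap_methods are
! assumed names; the server address and ports are taken from the posted config.
!
! Global RADIUS server definition used for wireless client authentication.
! <shared-secret> is a placeholder and must match the RADIUS client entry
! for 192.168.12.254 (BVI1, the posted "ip radius source-interface") on NPS.
radius-server host 192.168.12.2 auth-port 1812 acct-port 1813 key <shared-secret>
!
aaa group server radius rad_eap
 server 192.168.12.2 auth-port 1812 acct-port 1813
!
! Method list the SSID refers to for EAP; no "local" fallback, so clients
! are only admitted when the RADIUS server accepts them.
aaa authentication login eap_methods group rad_eap
!
! Before (posted config): open authentication + WPA2 with a pre-shared key
!   dot11 ssid ssid1
!    authentication open
!    authentication key-management wpa version 2
!    guest-mode
!    wpa-psk ascii xxxxxxxxxxxxxxxx
!
! After: open authentication with EAP, WPA2 key management, no wpa-psk line
dot11 ssid ssid1
 authentication open eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
! Radio settings already present in the posted config and required for WPA2
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid ssid1
```

With the pre-shared key removed, a client that cannot complete EAP against the RADIUS server does not associate, so the NPS policy and its server certificate (for PEAP) need to be in place before the change.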