10-26-2004 05:49 AM - edited 03-10-2019 01:52 PM
I have been using the ACS 3.2 for some time now and use it to authenticate users on all of my switches and routers. However, I am now trying to set up an Aironet 1200 access point to authenticate to the ACS with RADIUS and find myself stumped as to why it fails every single time. I did a packet trace on the ACS server and found that it is indeed responding to the RADIUS requests with an accept packet, but the AP still kicks me out of the interface. Has anyone ever run into a similar situation? Any suggestions or comments will be greatly appreciated.
10-26-2004 12:57 PM
What does your config look like? It should be similar to this, assuming you are using ACS to authenticate administrative users, not for wireless authentication.
aaa authentication login default group radius line
aaa authentication login console group radius line
aaa authorization console
aaa authorization exec default group radius
10-27-2004 05:27 AM
That is the config that is currently in the AP. However there is also the directive:
ip http authentication aaa
in the config as well to authenticate the web interface, which is what I have been trying to use. However, whether I am using ssh or html to access the AP, they both fail after the ACS 'accepts' my login. Local users work perfectly in this setup.
10-27-2004 01:40 PM
OK, I know the same exact problem that you are talking about. I think the problem is that you are authenticating but not authorizing and getting the proper privilege levels. I think that is the one advantage to using TACACS+ over RADIUS: the added flexibility of assigning privilege levels and shell command authorizations per user. I was unable to find a fix and eventually rolled over and now use TACACS+. You will notice in the group settings on ACS that there are advanced TACACS+ settings. If you decide to go the TACACS+ method, I can give you more info, but as far as RADIUS goes, I do not know the workaround for the http authentication. Sorry I could not be more help.
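Added example, not part of the thread: a check that can be run over the Access-Accept seen in the packet trace to tell whether it carries any exec-authorization attribute at all. It assumes general IOS RADIUS behaviour that the thread does not state (privilege is taken from Service-Type = Administrative or a Cisco AV-pair `shell:priv-lvl=N`); the function names and sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC = 2, 6, 26   # RFC 2865 code / attribute numbers
CISCO_VENDOR_ID, CISCO_AVPAIR, ADMINISTRATIVE = 9, 1, 6   # vendor 9, VSA type 1, Service-Type 6

def parse_attributes(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def exec_privilege(packet):
    """Privilege level the Accept grants, or None if it authorizes nothing."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    level = None
    for a_type, value in attrs:
        if a_type == SERVICE_TYPE and value == struct.pack("!I", ADMINISTRATIVE):
            level = 15                       # assumption: Administrative maps to level 15
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            text = value[6:4 + v_len].decode("ascii", "replace")
            key, _, num = text.partition("=")
            if (vendor, v_type, key) == (CISCO_VENDOR_ID, CISCO_AVPAIR, "shell:priv-lvl") and num.isdigit():
                return int(num)              # explicit level from the AV-pair
    return level

def build(code, attrs):
    """Constructed test packet with a zeroed authenticator, not a real capture."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def cisco_avpair(text):
    data = text.encode("ascii")
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data

# Constructed samples: an Accept with only a Reply-Message, and one with a privilege AV-pair.
BARE_ACCEPT = build(ACCESS_ACCEPT, [(18, b"Login OK")])
ADMIN_ACCEPT = build(ACCESS_ACCEPT, [(VENDOR_SPECIFIC, cisco_avpair("shell:priv-lvl=15"))])
```

An Accept for which `exec_privilege` returns `None` matches the symptom described above: authentication succeeds, but nothing in the reply authorizes an exec or web session.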
10-29-2004 04:05 AM
OK, that makes sense, I will roll over to TACACS and see what happens. However, I cannot use TACACS for EAP authentication, but if what you're saying is true, then there is no reason that RADIUS would not work for EAP, it just blows up on the admin login.
Thanks.