407 Views | 1 Helpful | 6 Replies

RADIUS per SSID configs for iosxe router

rohitSan
Level 1

I have connected a Cisco ISR 4331 to an AP and a WLC.
I need to authenticate endpoints via the AP to the router, which is serving as the RADIUS server, DHCP server and DNS server as well.

The config shown in the document below seems to be obsolete.
How can we use a Cisco router as the NAS server and authenticate the endpoints that connect to a particular SSID?

Configuring RADIUS or a Local Authenticator in a Wireless LAN - Cisco

I am looking for the configs below, which the 17.3.4a IOS XE OS does not accept.

enable
configure terminal
aaa new-model
radius-server local
nas 172.16.31.13 key CTradkey@123
group labexp
ssid labexpssid
reauthentication time 1800
block count 3 time 200
exit
!
user ctadminexp password ctadminexp@123 group labexp



6 Replies

Can you expand on this? You have a router (what model?) and have a WLC and AP plugged into that router? And want to use 802.1X and MAB on the router ports? Or are you talking about the SSIDs on the WLC?

I have a Cisco ISR 4331, with IOS XE 17.3.4a, that is configured as a RADIUS server.
The router is connected to an L2 switch, and the L2 switch is connected to a WLC 2500. The WLC 2500 is connected to a wireless AP via its PoE port. The AP is discovered in the WLC. I have configured a WLAN in the WLC with the same AP and with the router's IP as the RADIUS server.

I want all endpoints connecting to the AP to get authenticated by the RADIUS service configured on the ROUTER,

as shown in the document link: Configuring RADIUS or a Local Authenticator in a Wireless LAN - Cisco


!
aaa new-model
!
!
aaa group server radius GR
server IP
!
aaa authentication login default local
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
!
!
!
!
!
!
aaa session-id common
!
!
!
!
username USERNAME privilege 15 secret 9 PASSWORD
!
!
!
!
interface GigabitEthernet0/0/0
description "CONNECTED-TO-LAN-SW"
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.1155
description "TO-LAN"
encapsulation dot1Q 1155
ip address IP SM
!
!
ip radius source-interface GigabitEthernet0/0/0.1155
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server configure-nas
radius-server retransmit 5
radius-server deadtime 5
radius-server key RADIUS_KEY
!
radius server RS
address ipv4 IP auth-port 1612 acct-port 1612
retransmit 5
non-standard
key RADIUS_KEY
!
radius server LAB-RTR
!
!

As per Cisco Feature Navigator, the router supports the RADIUS server per SSID feature.

How can I replicate the setup illustrated in: Configuring RADIUS or a Local Authenticator in a Wireless LAN - Cisco

Or do I have to use an external RADIUS server like FreeRADIUS?

Accepted Solution:

You don’t, this is an ANCIENT document. Also this line: “As a local authenticator, an AP performs Lightweight Extensible Authentication Protocol (LEAP) and MAC-based authentication for up to 50 client devices.”

You should no longer use LEAP… you should configure an external RADIUS server like ISE or FreeRADIUS.
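To make the accepted answer concrete, below is an added example (not part of the thread, and not Cisco's or the FreeRADIUS project's own documentation) of the two FreeRADIUS 3.x fragments that replace the obsolete `radius-server local` block from the original question. The WLC, not the router, is the NAS in this design, so the WLC is what gets registered as a RADIUS client; the IP addresses, the `wlc2500` client name, the shared secret and the username are constructed placeholders, and the file paths assume a Debian/Ubuntu package layout under /etc/freeradius/3.0/.

```conf
# --- /etc/freeradius/3.0/clients.conf ---
# Register the WLC as a RADIUS client (NAS). Only hosts listed here may talk
# to the server, and each gets its own shared secret. Address and secret are
# constructed placeholders: use the WLC's management IP and a long random secret.
client wlc2500 {
    ipaddr   = 192.0.2.10          # WLC management interface (placeholder)
    secret   = CHANGE-ME-long-random-secret
    nas_type = other
    shortname = wlc2500
    # Restrict to the management subnet if the WLC has several interfaces:
    # ipaddr = 192.0.2.0/24
}

# --- /etc/freeradius/3.0/mods-config/files/authorize ---
# A local test user for the SSID. Cleartext-Password lets the server run
# PEAP/MSCHAPv2 (which needs the cleartext or NT hash to derive the challenge
# response) and also answers radtest for a quick PAP check. For production,
# point the inner tunnel at LDAP/AD or deploy EAP-TLS certificates instead.
ctadminexp  Cleartext-Password := "CHANGE-ME-user-password"
            Reply-Message := "Welcome to labexpssid"
```

Usage note: the EAP methods themselves are enabled in mods-available/eap (the shipped default already includes PEAP and EAP-TLS); restart the daemon and verify reachability from the server itself with `radtest ctadminexp CHANGE-ME-user-password 127.0.0.1 0 testing123`, which uses the `localhost` client that ships in clients.conf. On the WLC, the WLAN's AAA server entry then points at this host with the same shared secret on UDP 1812 (authentication) and 1813 (accounting); mismatched secrets show up in the FreeRADIUS debug output (`freeradius -X`) as Access-Requests from the WLC whose Message-Authenticator fails to verify, which is the first thing to check when clients cannot associate.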