1252 Aironet - Wireless Authentication via Radius (Windows NPS)

Steven Tolzmann
Level 1

Hi Everyone,

I recently began using Radius for our networks to authenticate Cisco Console Logins, and VPN Connection Requests (anyconnect), which has been working great. Our network isn't huge (3 ASA5505's with site to site VPNs, 1 site with a Wireless AP).

I would like to set up our Wireless Access Point to have (1) SSID that authenticates users via Radius (to Windows NPS on our Domain Controller). I have a Windows Security Group called "Wireless Users" set up and I want users to be able to log in to the Wireless using their AD account.

We do not have multiple VLANs or anything complicated.

I am unable to find a solution for this on Autonomous IOS Version 12.4, and was wondering if anyone could assist.

Thank you!! (config below)

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx-AP
!
enable secret xxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius radius-admin
server-private 192.168.12.2 auth-port 1812 acct-port 1813 key xxxxxxxxxxxxxxxx
!
aaa authentication login userAuthent group radius-admin local
aaa authorization exec userAuthor local group radius-admin if-authenticated
!
aaa session-id common
no ip domain lookup
ip domain name xxxxxxxxxxx
!
!
login block-for 60 attempts 3 within 30
dot11 syslog
!
!
dot11 ssid ssid1
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii xxxxxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-###########
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-###########
revocation-check none
rsakeypair TP-self-signed-############
!
!
username admin privilege 15 secret xxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
broadcast-key change 3600
!
!
ssid ssid1
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
broadcast-key change 3600
!
antenna gain 0
dfs band 3 block
mbssid
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.12.254 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
access-list 1 permit 192.168.0.0 0.0.255.255
no cdp run
bridge 1 route ip
!
!
banner login ^CC
xxxxxxxxx - AUTHORIZED ACCESS ONLY ^C
!
line con 0
logging synchronous
line vty 0 4
access-class 1 in
authorization exec userAuthor
login authentication userAuthent
transport input ssh
line vty 5 15
access-class 1 in
authorization exec userAuthor
login authentication userAuthent
transport input ssh
!
end
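The WPA2-Enterprise (802.1X/EAP) SSID configuration the question is asking for, written here as an added example; it is not part of the original post or of the reply. It builds on the posted config: the RADIUS server 192.168.12.2, the BVI1 address 192.168.12.254 and the SSID name ssid1 are taken from it, while the group name rad_eap, the method-list name eap_methods and the <shared-secret> placeholder are choices made for this example. The key must equal the shared secret entered for the AP's RADIUS client entry in NPS.

```cisco
! --- Added example (not from the original post): WPA2-Enterprise SSID on an
! --- autonomous 1252 running IOS 12.4, authenticating against NPS at 192.168.12.2.
!
! RADIUS server used for 802.1X. <shared-secret> is a placeholder and must equal the
! secret configured in NPS for the RADIUS client 192.168.12.254 (this AP's BVI1).
radius-server host 192.168.12.2 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Server group and login method list that the SSID's EAP authentication references
! (names rad_eap and eap_methods are chosen for this example).
aaa group server radius rad_eap
 server 192.168.12.2 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
! Replacement for the posted PSK SSID. "open eap" is the standard 802.1X exchange;
! "network-eap" only matters for legacy Cisco (LEAP) clients and can be omitted.
! The "wpa-psk ascii ..." line must be removed: a PSK and 802.1X cannot share one SSID.
dot11 ssid ssid1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 guest-mode
!
! Radio side stays as posted: AES-CCMP with the SSID bound to the radio.
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid ssid1
!
! Already present in the posted config; keeps RADIUS requests sourced from
! 192.168.12.254 so NPS matches them to the right RADIUS client entry.
ip radius source-interface BVI1
!
! Verification (exec mode), useful when a client cannot associate:
!   show dot11 associations            - client state after the EAP exchange
!   show radius statistics             - accepts/rejects/timeouts per server
!   debug radius authentication        - Access-Request/Accept/Reject with NPS
!   debug dot11 aaa authenticator all  - EAP state machine on the AP
```

On the NPS side this expects: the AP added as a RADIUS client with address 192.168.12.254 and the same secret; a Network Policy whose conditions are Windows Groups containing "Wireless Users" and NAS Port Type "Wireless - IEEE 802.11", with the authentication method set to Microsoft: Protected EAP (PEAP) using EAP-MSCHAPv2; and a server certificate on the NPS server that the wireless clients trust, because PEAP builds a TLS tunnel before any AD credential is sent and fails with a reject or timeout if that certificate is missing or untrusted. The existing userAuthent and userAuthor lists for console and SSH logins are untouched; NPS can tell the two request types apart by NAS-Port-Type, so the same server serves both.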

Aditya Ganjoo
Cisco Employee

Hi Steven,

Please find the following links for setting up NPS/WLC RADIUS authentication:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44721-WPAOverview.html

Regards,

Aditya 

Please rate helpful posts.