cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
372
Views
0
Helpful
1
Replies

1252 Aironet - Wireless Authentication via Radius (Windows NPS)

Hi Everyone,

I recently began using Radius for our networks to authenticate Cisco Console Logins, and VPN Connection Requests (anyconnect), which has been working great. Our network isn't huge (3 ASA5505's with site to site VPNs, 1 site with a Wireless AP).

I would like to setup our Wireless Access Point to have (1) SSID that authenticates users via Radius (to Windows NPS on our Domain Controller). I have a Windows Security Group called "Wireless Users" setup and I want users to be able to login to the Wireless using their AD account.

We do not have multiple VLANs or anything complicated.

I am unable to find a solution for this on Autonomous IOS Version 12.4, and was wondering if anyone could assist.

Thank you!! (config below)

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx-AP
!
enable secret xxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius radius-admin
server-private 192.168.12.2 auth-port 1812 acct-port 1813 key xxxxxxxxxxxxxxxx
!
aaa authentication login userAuthent group radius-admin local
aaa authorization exec userAuthor local group radius-admin if-authenticated
!
aaa session-id common
no ip domain lookup
ip domain name xxxxxxxxxxx
!
!
login block-for 60 attempts 3 within 30
dot11 syslog
!
!
dot11 ssid ssid1
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii xxxxxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-###########
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-###########
revocation-check none
rsakeypair TP-self-signed-############
!
!
username admin privilege 15 secret xxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
broadcast-key change 3600
!
!
ssid ssid1
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
broadcast-key change 3600
!
antenna gain 0
dfs band 3 block
mbssid
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.12.254 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
access-list 1 permit 192.168.0.0 0.0.255.255
no cdp run
bridge 1 route ip
!
!
banner login ^CC
xxxxxxxxx - AUTHORIZED ACCESS ONLY ^C
!
line con 0
logging synchronous
line vty 0 4
access-class 1 in
authorization exec userAuthor
login authentication userAuthent
transport input ssh
line vty 5 15
access-class 1 in
authorization exec userAuthor
login authentication userAuthent
transport input ssh
!
end
Everyone's tags (3)
1 REPLY 1
Cisco Employee

Hi Steven,

Hi Steven,

Please find the following links for setting up NPS/WLC radius authentication:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44721-WPAOverview.html

Regards,

Aditya 

Please rate helpful posts.