11-12-2012 09:04 AM - edited 03-04-2019 06:06 PM
Hello...
I have been given a new project at work, to configure an 881W for wireless capabilities. So far on this guy I have figured out how to get it to work using the local database for the users to authenticate against, but our goal is to authenticate against a RADIUS server that we have in place for existing Juniper APs.
I have looked at some documentation out there and I can't seem to find what I'm looking for. What I need to find is an example of how to set up a RADIUS server so that the wireless users can authenticate against it. I have found some docs on Google but those go over RADIUS server setups for logons to the router etc.
If anyone has done such a config and can help, I would appreciate it.
Thanks
Here is what I got so far:
Building configuration...
Current configuration : 2005 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 881W_AP
!
logging rate-limit console 9
enable secret 5 $1$J4nD$nzQb7LVYMr4Ju9s75jxEZ/
!
aaa new-model
!
!
aaa group server radius Test
 server 172.26.0.223 auth-port 1645 acct-port 1646
!
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid Test1
 vlan 1
 authentication open
 authentication key-management wpa
 accounting accounting-list-for-Test1
 guest-mode
!
dot11 network-map
!
!
username admin privilege 15 secret 5 $1$24156465415645646546d5f651f65d
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid Test1
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.30.252.15 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.30.252.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server host 172.26.0.223 auth-port 1645 acct-port 1646 key 7 0000255621456324
radius-server key 7 104546235646843
bridge 1 route ip
!
!
!
line con 0
 no activation-character
line vty 0 4
 exec-timeout 60 0
!
end
881W_AP#
I have used the following documentation to set this up
I am getting this when I try to connect from my notebook to the wireless:
*Oct 22 08:02:51.895: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 001f.e1cf.6164 Associated KEY_MGMT[WPA]
*Oct 22 08:03:06.959: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.e1cf.6164 Reason: Sending station has left the BSS
*Oct 22 08:03:12.151: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 001f.e1cf.6164 Associated KEY_MGMT[WPA]
*Oct 22 08:03:27.207: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.e1cf.6164 Reason: Sending station has left the BSS
Any ideas?
Thank you
11-13-2012 06:09 AM
Anyone?
11-13-2012 06:28 AM
I have never actually done this but I reckon you will need to use EAP and then back those auth attempts to the RADIUS server.
Have a look at these documents:
11-13-2012 06:32 AM
Hello,
I get Page Forbidden when trying to open those documents...
11-13-2012 06:46 AM
Try logging in?
I have just tried them myself and they work fine...
Below are the pdf versions:
http://www.cisco.com/en/US/docs/routers/access/1800/wireless/configuration/guide/s37auth.pdf
http://www.cisco.com/en/US/docs/routers/access/1800/wireless/configuration/guide/s37radi.pdf
11-13-2012 07:02 AM
Thank you,
I will look at the docs and see if I can get it to work.
11-13-2012 09:16 AM
Hello,
This is a little weird, what I'm going through now. I am able to get this to work and authenticate against the RADIUS server if I'm not using any encryption.
Here is an example:
but when I add this command to the ssid
and this command to the interface dot11radio0
I lose connection. Why would it be that it is working without encryption but loses connectivity when adding encryption?
11-14-2012 02:36 AM
Again I have to emphasise that this really is not my area but I think the issue is because you are trying to use WPA which isn't something the RADIUS protocol can carry over to the RADIUS server (someone correct me if I am wrong).
You can use WPA alongside EAP so users can connect using a PSK or RADIUS authentication.
You will need to use EAP/dot1x between the router and the wireless client (authenticator and supplicant respectively) for it to be compatible with the RADIUS authentication. The configuration is something I cannot help you with, but I would check out this doc for a better understanding:
PDF:
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_11_JA/configuration/guide/s11auth.pdf
You would have got a lot more response if you had put this topic in the Wireless section.
** Remember to rate useful replies :-)
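An added example, not part of any post in this thread: a small Python check that flags an SSID carrying `authentication key-management wpa` with neither an EAP method list nor a `wpa-psk`, since WPA needs one of the two to derive keys. The config excerpts are constructed from the configuration posted above; the method-list name `eap_methods` and the variant with EAP enabled are assumptions, and the check expects indented `show running-config` output.

```python
import re

# Constructed excerpt: AAA and SSID lines as posted in this thread.
POSTED = """\
aaa new-model
aaa group server radius Test
 server 172.26.0.223 auth-port 1645 acct-port 1646
dot11 ssid Test1
 vlan 1
 authentication open
 authentication key-management wpa
"""
# Constructed variant: same SSID with an EAP method list (assumed name eap_methods)
# pointing at the RADIUS group from the posted config.
WITH_EAP = """\
aaa new-model
aaa group server radius Test
 server 172.26.0.223 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group Test
dot11 ssid Test1
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
"""

def audit_ssids(config):
    """Return {ssid: [findings]} for every 'dot11 ssid' block in the config."""
    groups = set(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    # method-list name -> server group it authenticates against
    lists = dict(re.findall(r"^aaa authentication login (\S+) group (\S+)", config, re.M))
    findings = {}
    # An SSID block is the header line plus the indented lines that follow it.
    for name, body in re.findall(r"^dot11 ssid (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        issues = []
        eap_lists = re.findall(r"authentication (?:open eap|network-eap) (\S+)", body)
        if "authentication key-management wpa" in body:
            if not eap_lists and "wpa-psk" not in body:
                issues.append("WPA key management but no EAP method list or wpa-psk")
        for lst in eap_lists:
            if lst not in lists:
                issues.append(f"method list {lst} is not defined")
            elif lists[lst] != "radius" and lists[lst] not in groups:
                issues.append(f"method list {lst} uses undefined group {lists[lst]}")
        findings[name] = sorted(set(issues))
    return findings
```

`audit_ssids(POSTED)` reports the missing key source on `Test1`, while `audit_ssids(WITH_EAP)` returns no findings for it.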
11-20-2013 12:31 PM
Please check the link below and help me resolve the issue.
Thanks