Cisco 881W Radius Client Configuration

krock1983
Level 1

Hello...

I have been given a new project at work, to configure a 881W for wireless capabilities. So far on this guy I have figured out how to get it to work using the local database for the users to authenticate against, but our goal is to authenticate against a RADIUS server that we have in place for existing Juniper APs.

I have looked at some documentation out there and I can't seem to find what I'm looking for. What I need to find is an example of how to set up a RADIUS server so that the wireless users can authenticate against it. I have found some docs on Google, but those go over RADIUS server setups for logons to the router etc.

If anyone has done such a config and can help, I would appreciate it.

Thanks

Here is what I've got so far:

Building configuration...

Current configuration : 2005 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 881W_AP
!
logging rate-limit console 9
enable secret 5 $1$J4nD$nzQb7LVYMr4Ju9s75jxEZ/
!
aaa new-model
!
!
aaa group server radius Test
server 172.26.0.223 auth-port 1645 acct-port 1646
!
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid Test1
   vlan 1
   authentication open
   authentication key-management wpa
   accounting accounting-list-for-Test1
   guest-mode
!
dot11 network-map
!
!
username admin privilege 15 secret 5 $1$24156465415645646546d5f651f65d
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
ssid Test1
!
antenna gain 0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.30.252.15 255.255.255.0
no ip route-cache
!
ip default-gateway 172.30.252.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server host 172.26.0.223 auth-port 1645 acct-port 1646 key 7 0000255621456324
radius-server key 7 104546235646843
bridge 1 route ip
!        
!
!
line con 0
no activation-character
line vty 0 4
exec-timeout 60 0
!
end

881W_AP#            

I have used the following documentation to set this up:

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap13-radius-tacacs.html

I am getting this when I try to connect from my notebook to the wireless:

*Oct 22 08:02:51.895: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   001f.e1cf.6164 Associated KEY_MGMT[WPA]

*Oct 22 08:03:06.959: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.e1cf.6164 Reason: Sending station has left the BSS

*Oct 22 08:03:12.151: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   001f.e1cf.6164 Associated KEY_MGMT[WPA]

*Oct 22 08:03:27.207: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.e1cf.6164 Reason: Sending station has left the BSS

Any ideas?

Thank you

8 Replies

krock1983
Level 1

Anyone?

I have never actually done this, but I reckon you will need to use EAP and then back those auth attempts to the RADIUS server.

Have a look at these documents:

http://www.cisco.com/en/US/partner/docs/routers/access/1800/wireless/configuration/guide/s37auth.html

http://www.cisco.com/en/US/partner/docs/routers/access/1800/wireless/configuration/guide/s37radi.html

Hello,

I get "Page Forbidden" when trying to open those documents...

Thank you,

I will look at the docs and see if I can get it to work.

Hello,

This is a little weird, what I'm going through now. I am able to get this to work and authenticate against the RADIUS server if I'm not using any encryption.

Here is an example:

----------------------------------------------------------------------------------------------------------------------

dot11 ssid 881W_Test
   vlan 1
   authentication open
   accounting 881W_Test-Accounting_Method
   guest-mode
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid 881W_Test
!
antenna gain 0
station-role root

But when I add this command to the SSID

authentication key-management wpa

and this command to the interface Dot11Radio0

encryption vlan 1 mode ciphers tkip

I lose connection. Why would it be that it is working without encryption but loses connectivity when adding encryption?

Again I have to emphasise that this really is not my area but I think the issue is because you are trying to use WPA which isn't something the RADIUS protocol can carry over to the RADIUS server (someone correct me if I am wrong).

You can use WPA alongside EAP so users can connect using a PSK or RADIUS authentication.

You will need to use EAP/dot1x between the router and the wireless client (authenticator and supplicant respectively) for it to be compatible with the RADIUS authentication. The configuration is something I cannot help you with, but I would check out this doc for some better understanding:

http://www.cisco.com/en/US/docs/wireless/access_point/12.2_11_JA/configuration/guide/s11auth_ps430_TSD_Products_Configuration_Guide_Chapter.html

PDF:

http://www.cisco.com/en/US/docs/wireless/access_point/12.2_11_JA/configuration/guide/s11auth.pdf

You would have got a lot more response if you had put this topic in the Wireless section.

** Remember to rate useful replies :-)
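
Added example, not part of any post in this thread: a small Python check for the gap discussed above, where an SSID enables `authentication key-management wpa` but has neither an EAP method list (`authentication open eap ...` / `authentication network-eap ...`) nor a `wpa-psk`, so the client associates and is then deauthenticated. The sample configurations are constructed from the posted one; the function names and the method-list name `eap_methods` are assumptions.

```python
import re

# Constructed sample: AAA and SSID lines taken from the configuration posted in the thread.
POSTED = """\
aaa new-model
aaa group server radius Test
 server 172.26.0.223 auth-port 1645 acct-port 1646
dot11 ssid Test1
   vlan 1
   authentication open
   authentication key-management wpa
!
"""
# Constructed variant; the method-list name eap_methods is an assumption.
WITH_EAP = POSTED.replace(
    "dot11 ssid", "aaa authentication login eap_methods group Test\ndot11 ssid"
).replace("authentication open\n", "authentication open eap eap_methods\n"
          "   authentication network-eap eap_methods\n")

def ssid_blocks(config):
    """Map each 'dot11 ssid NAME' to its sub-commands; a block ends at '!'."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            current.append(line.strip())
    return blocks

def check(config):
    """Return (ssid, finding) pairs for WPA SSIDs with no usable key source."""
    lists = dict(re.findall(r"^aaa authentication login (\S+) group (\S+)", config, re.M))
    groups = set(re.findall(r"^aaa group server radius (\S+)", config, re.M)) | {"radius"}
    findings = []
    for name, cmds in ssid_blocks(config).items():
        eap = {m.group(1) for c in cmds if (m := re.match(
            r"authentication (?:open\b.*\beap|network-eap) (\S+)", c))}
        wpa = any(c.startswith("authentication key-management wpa") for c in cmds)
        if wpa and not eap and not any(c.startswith("wpa-psk ") for c in cmds):
            findings.append((name, "WPA without EAP list or wpa-psk"))
        for lst in sorted(eap):
            if lst not in lists:
                findings.append((name, f"EAP list {lst} is not defined"))
            elif lists[lst] not in groups:
                findings.append((name, f"server group {lists[lst]} is not defined"))
    return findings
```

`check(POSTED)` flags `Test1`, while `check(WITH_EAP)` returns no findings; the same function can be run over a saved `show running-config` from the access point.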

Anis Momin
Level 1

Please check the link below and help me resolve the issue.

Thanks

https://supportforums.cisco.com/thread/2252633