
Anonymous AP as local RADIUS server with Web Authentication

I've been asked to set up user credentials for a network I've recently acquired. I don't have access to a WLC, but I have managed to set up a local RADIUS server on one of the 1600 series AAPs. For all of this I'm using the web interface. On the local authenticator, I've entered each AP as a NAS and created a test user and a few MAC-authentication-only users. On the other APs, I've entered the local authenticator as a RADIUS server with Authentication Port as 1812 and Accounting Port as 1813. I have the SSID set to Open Authentication with MAC Authentication or EAP and I have Web Authentication checked. The encryption is set for Mandatory WEP. The issue is I can't get a client device to connect to the network and route to the web authentication page. I know the AP has communication with the local RADIUS server because my MAC-authentication-only users are authenticating without issue; their state under the association tab is MAC-Associated. The client device's (a laptop in this case) state is Association processing. Any thoughts?

 

Thanks

Accepted Solutions

I'm no longer 100% sure, but I think Web authentication does not use RADIUS, so you can't use this.
What you could do is set up an SSID with 802.1x enabled, point it to the RADIUS AP and use EAP-FAST for username/password authentication. I've never done that, though, and I think this is also no longer secure.
I suggest using EAP-PEAP for authentication with MSCHAPv2 if you want to use username/password. This requires a valid certificate on the RADIUS server to function without issues.


3 Replies

patoberli
VIP Alumni
First of all, don't use WEP. WEP is completely cracked and everybody can decrypt the traffic within seconds.
Use WPA2 with AES encryption only.

Now to your problem: I've never heard of (ab)using an access point as a RADIUS server; I'm not even sure that this is supported.
My suggestion is to use a Linux server with FreeRADIUS or a Windows Server with the RADIUS feature as a RADIUS server. Then you'd also have logging functionality and troubleshooting features.

Thanks for the reply.

 

I used this guide, https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3/cg15-3-3-chap9-localauth.html, to set up the RADIUS server on the AP. I'm by no means an IT professional, but it seems to be working based on the MAC-only authentications working. My real issue seems to be figuring out how to set up web authentication via the AP. I will look into using an actual server for RADIUS, though.

 

Thanks!
