Hi,
I have been trying to use a FreeRADIUS server to authenticate wifi users with WPA2 Enterprise.
The AP connects to the RADIUS server but the users are always refused.
Are there attributes (like Cisco-AVPair?) that need to be added to the user in FreeRADIUS?
Or is there something missing in my AP config?
When I test the authentication from my ASA firewall, it tells me that it works well.
Thanks in advance for the help.
Aironet 1042 config:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXX.local.org
!
logging rate-limit console 9
enable secret 5 XXXXXXX
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.6 auth-port 1812 acct-port 1813
 server 192.168.1.7 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap local
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid Wifi
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
!
!
username XXXX password 7 XXXXXXXXX
username XXXX privilege 15 password 7 XXXXXXXXXXXX
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 !
 encryption mode ciphers aes-ccm
 !
 broadcast-key vlan 1 change 300
 !
 broadcast-key change 300
 !
 !
 ssid Wifi
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 !
 encryption mode ciphers aes-ccm
 !
 broadcast-key vlan 1 change 300
 !
 broadcast-key change 300
 !
 !
 ssid Wifi
 !
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 ip address 192.168.1.7 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip default-gateway 192.168.192.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  nas 192.168.1.7 key 7 XXXXXXX
  group localusers
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.192.7 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 192.168.192.6 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
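Added example (my own code, not from the original post, Cisco or FreeRADIUS): a small consistency check over the AAA/RADIUS part of an IOS access-point configuration. It assumes the usual IOS rule that a `server` entry inside an `aaa group server radius` block only references a server, which must also be defined by a global `radius-server host` line, and that a method list such as `eap_methods` can only reach servers through a group that actually lists some. The excerpt embedded below is taken from the configuration in the post; note that its `rad_eap` group points at 192.168.1.x while the `radius-server host` lines define 192.168.192.x. The script only reports that discrepancy; whether it is a real mismatch or an artefact of anonymising the post is for the poster to confirm.

```python
import re
from typing import Dict, List, Set

# Excerpt of the AAA/RADIUS lines from the Aironet configuration posted
# above (secrets are masked in the post itself; nothing else is changed).
AP_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.1.6 auth-port 1812 acct-port 1813
 server 192.168.1.7 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa authentication login eap_methods group rad_eap local
aaa authentication login mac_methods local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid Wifi
   authentication open eap eap_methods
   authentication network-eap eap_methods
radius-server host 192.168.192.7 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 192.168.192.6 auth-port 1812 acct-port 1813 key 7 XXXXXX
"""

GROUP_RE = re.compile(r"^aaa group server radius (\S+)")
SERVER_RE = re.compile(r"^\s*server (\S+)")          # works with or without indentation
HOST_RE = re.compile(r"^radius-server host (\S+)")
# Method lists that may hand authentication/accounting to a server group.
METHOD_RE = re.compile(r"^aaa (?:authentication|accounting) \S+ (\S+) (.*)$")


def parse_radius_config(config: str) -> dict:
    """Collect server groups, global RADIUS hosts and AAA method lists."""
    groups: Dict[str, List[str]] = {}
    hosts: Set[str] = set()
    method_lists: Dict[str, List[str]] = {}
    current_group = None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current_group = m.group(1)
            groups[current_group] = []
            continue
        m = SERVER_RE.match(line)
        if m and current_group is not None:
            groups[current_group].append(m.group(1))
            continue
        if not line.startswith(" "):
            current_group = None  # any other top-level command closes the group block
        m = HOST_RE.match(line)
        if m:
            hosts.add(m.group(1))
            continue
        m = METHOD_RE.match(line)
        if m:
            # e.g. "group rad_eap local" -> ["rad_eap"]; "local" alone -> []
            method_lists[m.group(1)] = re.findall(r"\bgroup (\S+)", m.group(2))
    return {"groups": groups, "hosts": hosts, "method_lists": method_lists}


def check_radius_references(config: str) -> List[str]:
    """Return human-readable findings for dangling or empty RADIUS references."""
    parsed = parse_radius_config(config)
    used_groups = {g for gs in parsed["method_lists"].values() for g in gs}
    findings: List[str] = []
    for name, servers in parsed["groups"].items():
        if not servers and name in used_groups:
            findings.append(f"group {name} is used by a method list but lists no servers")
        for server in servers:
            if server not in parsed["hosts"]:
                findings.append(
                    f"group {name} references {server} but no "
                    f"'radius-server host {server}' is defined"
                )
    for mlist, gs in parsed["method_lists"].items():
        for g in gs:
            if g not in parsed["groups"]:
                findings.append(f"method list {mlist} uses undefined group {g}")
    return findings


if __name__ == "__main__":
    for finding in check_radius_references(AP_CONFIG) or ["no inconsistencies found"]:
        print(finding)
```

Run it against a full `show running-config` by replacing `AP_CONFIG` with the file contents; the parser tolerates the indentation that a forum paste strips. Against the excerpt it reports two `rad_eap` servers with no matching `radius-server host` line and the empty `rad_acct` group that `acct_methods` relies on.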