
About Aironet 1700 AP configure wireless security by using localRADIUS

Gabe1918
Level 1
Hello,

I am studying Cisco's technology, and I want to make a lab environment in my home, so I used 3 older 1700 series autonomous APs, and I tried to change the authentication method to username and password by using the built-in local RADIUS. But no matter how I configured it, I could not get the user to connect to what I had created with the username and password I created. I configured server management and the local RADIUS server under the security tab. On the mobile phone I see WPA2 Enterprise, but the username and password I created in the local RADIUS server don't work.

I also configured FreeRADIUS in pfSense and tried to use that, but it still has no effect.

But the WDS I configured by using RADIUS authentication works.

 

Any help would be appreciated, because I do not know what I may have missed, or if the security verification method is wrong.

Thanks 

 


balaji.bandi
Hall of Fame

Check the basic authentication steps below:

https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44844-leapserver.html

If you are having issues, run debug on the AP and post the config logs here to understand the issue.

Check some video examples:

https://www.youtube.com/watch?v=bWTt5EqmpQQ

BB


IoT security is the area of endeavor concerned with safeguarding connected devices and networks in the Internet of things (IoT). To secure our IoT devices and network, it starts with securing our local area network. The video will demonstrate how you can secure your home or enterprise Wireless LAN

Thanks for the video, but I tried the video method and it didn't work for my local RADIUS either.

The local RADIUS server statistics show no failed or successful attempts, see: https://ibb.co/fGPQJcj

Here is my config:

Note: My VLAN 10 can talk to all VLANs; VLAN 20 is the web interface and local RADIUS server; SSID "MAN", on VLAN 10, is the SSID on which I am trying to use 802.1X authentication.

BOOTLDR: C1700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.3() [ TRUE]

Product/Model Number : AIR-CAP1702I-A-K9


!
! Last configuration change at 14:27:49 UTC Sun Mar 7 1993
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HOUSE-Network3
!
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server name AP3-client
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server name AP3-client
!
aaa group server radius rad_admin
server name AP3-client
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap4
server name AP3-client
!
aaa group server radius rad_acct4
server name AP3-client
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods4 group rad_eap4
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods4 start-stop group rad_acct4
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip domain name HOUSE.local
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name Guest_Network vlan 40
dot11 vlan-name HOUSE_Network vlan 20
dot11 vlan-name IoT_Network vlan 30
dot11 vlan-name Management vlan 10
!
dot11 ssid HOUSE-Net
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxx
!
dot11 ssid HOUSE_Guest
vlan 40
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid IOT
vlan 30
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 0xxxxxxxxxxxxxxxxx
!
dot11 ssid MAN
vlan 10
authentication open eap eap_methods4
authentication network-eap eap_methods4
accounting acct_methods4
mbssid guest-mode
!
!
!
no ipv6 cef
!
!
username GABE privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 30 mode ciphers aes-ccm
!
encryption vlan 40 mode ciphers aes-ccm
!
encryption vlan 10 key 1 size 40bit 7 2B4859701297 transmit-key
encryption vlan 10 mode wep mandatory
!
ssid HOUSE-Net
!
antenna gain 0
stbc
mbssid
station-role root
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.30
encapsulation dot1Q 30
no cdp enable
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface Dot11Radio0.40
encapsulation dot1Q 40
no cdp enable
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 spanning-disabled
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
!
interface Dot11Radio0.50
encapsulation dot1Q 50
no cdp enable
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 spanning-disabled
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 30 mode ciphers aes-ccm
!
encryption vlan 40 mode ciphers aes-ccm
!
encryption vlan 10 key 1 size 40bit 7 E1E65A9502DE transmit-key
encryption vlan 10 mode wep mandatory
!
ssid HOUSE-Net
!
ssid HOUSE_Guest
!
ssid MAN
!
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
channel width 80
channel dfs
station-role root
!
interface Dot11Radio1.10
encapsulation dot1Q 10
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.30
encapsulation dot1Q 30
no cdp enable
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface Dot11Radio1.40
encapsulation dot1Q 40
no cdp enable
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 spanning-disabled
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.10
description Management Trunk
encapsulation dot1Q 10
no cdp enable
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
description Home_Network trunk
encapsulation dot1Q 20 native
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.30
description IoT Trunk
encapsulation dot1Q 30
no cdp enable
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
!
interface GigabitEthernet0.40
description Guest Trunk
encapsulation dot1Q 40
no cdp enable
bridge-group 40
bridge-group 40 spanning-disabled
no bridge-group 40 source-learning
!
interface GigabitEthernet0.50
encapsulation dot1Q 50
no cdp enable
bridge-group 50
bridge-group 50 spanning-disabled
no bridge-group 50 source-learning
!
interface GigabitEthernet1
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
mac-address 188b.9d8c.daac
ip address 10.20.20.52 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 10.20.20.55
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip ssh version 2
ip radius source-interface BVI1
!
no cdp run
!
radius-server local
nas 10.20.20.52 key 7 passwdxxxx
group Management
block count 10 time 3
reauthentication time 10
!
user josy nthash 7 xxxxxxxxxxxxxxxxxxxxxxxx
user Gabe nthash 7 xxxxxxxxxxxxxxxxxxxxxxxx group Management
user tim nthash 7 xxxxxxxxxxxxxxxxxxxxxxxx
user Zach nthash 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
radius-server attribute 32 include-in-access-req format %h
!
radius server AP3-client
address ipv4 10.20.20.52 auth-port 1812 acct-port 1813
key 7 passwdxxxx
!
bridge 1 route ip
!
!
wlccp ap username Gabe password 7 xxxxxxxxxxxxxxxxxx
wlccp ap wds ip address 10.20.20.54
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
end
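
An added example, not part of the original thread: a small Python check over the SSID and radio sections of an autonomous-AP configuration like the one posted above. It reports EAP SSIDs that lack WPA key management, or whose VLAN is not encrypted with AES-CCM on a radio that carries them, both of which WPA2-Enterprise requires. The function name `lint_eap_ssids` and the embedded excerpt are constructed for illustration.

```python
import re

# Constructed excerpt: SSID and radio lines in the style of the configuration
# posted above, flattened (no indentation) the way the forum rendered it.
SAMPLE = """
dot11 ssid HOUSE-Net
vlan 20
authentication open
authentication key-management wpa version 2
dot11 ssid MAN
vlan 10
authentication open eap eap_methods4
authentication network-eap eap_methods4
interface Dot11Radio1
encryption vlan 20 mode ciphers aes-ccm
encryption vlan 10 mode wep mandatory
ssid HOUSE-Net
ssid MAN
"""

def lint_eap_ssids(config):  # hypothetical helper name, not a Cisco tool
    """Report EAP SSIDs that lack WPA key management or AES-CCM on a radio."""
    ssids, radios, kind, cur = {}, {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)$", line):
            kind, cur = "ssid", ssids.setdefault(m[1], {"vlan": None, "eap": False, "wpa": False})
        elif m := re.match(r"interface (Dot11Radio\d+)$", line):
            kind, cur = "radio", radios.setdefault(m[1], {"enc": {}, "ssids": []})
        elif re.match(r"(interface|line|radius)\b", line):
            kind = None  # left the SSID / physical-radio sections
        elif kind == "ssid":
            if m := re.match(r"vlan (\d+)$", line):
                cur["vlan"] = m[1]
            cur["eap"] |= bool(re.match(r"authentication (open eap|network-eap)\b", line))
            cur["wpa"] |= line.startswith("authentication key-management wpa")
        elif kind == "radio":
            if m := re.match(r"encryption vlan (\d+) mode (.+)$", line):
                cur["enc"][m[1]] = m[2]   # per-VLAN cipher setting on this radio
            elif m := re.match(r"ssid (\S+)$", line):
                cur["ssids"].append(m[1])  # SSID bound to this radio
    findings = []
    for name, s in ssids.items():
        if s["eap"] and not s["wpa"]:
            findings.append(f"{name}: EAP without 'authentication key-management wpa'")
        for radio, r in radios.items():
            mode = r["enc"].get(s["vlan"], "none")
            if s["eap"] and name in r["ssids"] and "aes-ccm" not in mode:
                findings.append(f"{name}: {radio} vlan {s['vlan']} encryption is '{mode}'")
    return findings
```

Calling `lint_eap_ssids(SAMPLE)` returns one finding for the missing key-management line and one for the WEP setting on VLAN 10; PSK-only SSIDs are skipped.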
