12-30-2018 05:24 AM - edited 07-05-2021 09:38 AM
I've been asked to set up user credentials for a network I've recently acquired. I don't have access to a WLC, but I have managed to set up a local RADIUS server on one of the 1600 series AAPs. For all of this I'm using the web interface. On the local authenticator, I've entered each AP as a NAS and created a test user and a few MAC authentication only users. On the other APs, I've entered the local authenticator as a RADIUS server with Authentication Port as 1812 and Accounting Port as 1813. I have the SSID set to Open Authentication with MAC Authentication or EAP and I have Web Authentication checked. The encryption is set for Mandatory WEP. The issue is I can't get a client device to connect to the network and route to the web authentication page. I know the AP has communication with the local RADIUS server because my MAC Authentication only users are authenticating without issue; their state under the association tab is MAC-Associated. The client device's (a laptop in this case) state is Association processing. Any thoughts?
Thanks
Accepted Solutions
01-03-2019 05:23 AM
What you could do would be an SSID with 802.1x enabled, and there you'd point to the RADIUS AP and use EAP-FAST for username/password authentication. I've never done that though and I think this is also not anymore secure.
I suggest using EAP-PEAP for authentication with MSCHAPv2, if you want to use username/password. This requires a valid certificate on the RADIUS server to function without issues.
01-03-2019 04:02 AM
Use WPA2 with AES encryption only.
Now to your problem: I've never heard about (ab)using an access point as a RADIUS server, I'm not even sure that this is supported.
My suggestion is to use a Linux server with FreeRADIUS or a Windows Server with the RADIUS feature as a RADIUS server. Then you'd also have logging functionality and troubleshooting features.
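The WPA2/AES and external RADIUS suggestion above, sketched as autonomous-AP IOS CLI. This is an added example, not configuration posted by anyone in the thread; the SSID name, server name, address 192.0.2.10, method-list and group names, and the key are placeholders, and it assumes a 15.x image that accepts the `radius server` block form.

```cisco
! Constructed example: every name, address and key below is a placeholder.
!
! Before (as described in the question): static WEP on the radio
!   interface Dot11Radio0
!    encryption mode wep mandatory
!
! After: WPA2 with AES-CCMP only, 802.1X relayed to an external RADIUS server
aaa new-model
!
radius server EXAMPLE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius rad_eap
 server name EXAMPLE-RADIUS
!
! Method list referenced by the SSID for EAP authentication
aaa authentication login eap_methods group rad_eap
!
dot11 ssid EXAMPLE-SSID
 ! Open authentication plus EAP: the AP relays EAP (for example PEAP)
 ! to the RADIUS server, which holds the server certificate
 authentication open eap eap_methods
 ! WPA version 2 key management only, no WPA1 fallback
 authentication key-management wpa version 2
!
interface Dot11Radio0
 ! Replaces the WEP setting; AES-CCMP is the only cipher offered
 encryption mode ciphers aes-ccm
 ssid EXAMPLE-SSID
```

The AP only passes EAP through in this setup, so the EAP method (such as PEAP with MSCHAPv2) and its certificate are configured on the RADIUS server, not on the AP.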
01-03-2019 05:07 AM
Thanks for the reply.
I used this guide, https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3/cg15-3-3-chap9-localauth.html, to set up the RADIUS server on the AP. I'm by no means an IT professional, but it seems to be working based on the MAC only authentications working. My real issue seems to be figuring out how to set up web authentication via the AP. I will look into using an actual server for RADIUS, though.
Thanks!
