01-25-2006 06:51 PM - edited 07-04-2021 11:33 AM
I would like to do the AP's admin authentication by RADIUS. The authentication is OK over a console connection, but telnet or HTTP authentication fails because of limiting level_15_access. Is there any misconfiguration? Please check this out. Thanks
*****************************
ap#show run
Building configuration...
Current configuration : 2845 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_admin
server *.*.*.* auth-port 1645 acct-port 1646
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default cache rad_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default cache rad_admin group rad_admin
aaa authorization network default group radius
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
aaa session-id common
power inline negotiation prestandard source
!
!
username Cisco password xxxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address x.x.x.x 255.255.255.192
no ip route-cache
!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 091D1C5A4D
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
authorization commands 15 radius
transport preferred all
transport input all
transport output all
line vty 5 15
authorization commands 15 radius
transport preferred all
transport input all
transport output all
!
end
01-30-2006 07:55 PM
just try this first
aaa authentication login vty group rad_admin
aaa authentication login http group rad_admin
line vty 0 4
login authentication vty
ip http authentication aaa login-authentication http
02-02-2006 06:56 AM
I was having the same problem (except I use MS IAS for RADIUS). I pasted in your command list; now, instead of getting a weird PPP negotiate error, I get "user authorization failed". But I looked in the IAS logs, and I'm actually getting authenticated; it's just not making it back to my AP.
Any advice?