Autonomus AP with external ISE (Radius server)

lAhmed Saadl
Level 1

Hello Team,

Is it possible to convert a 1700 series or 1600 series AP to standalone and configure it to authenticate with a RADIUS server?

It would be appreciated if there is a document or a guide that describe how to configure it to authenticate with the external server in steps, please.

Consider that it has a static IP and is already broadcasting SSIDs; the main concern is how to configure it, step by step, to authenticate with the external server, please.

Thank you,

 

8 Replies

marce1000
VIP

 

- FYI: https://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

RxTx
Level 1

Hi,

Yes, it is possible.

If you need a doc, search for: Cisco IOS Configuration Guide for Autonomous Cisco Aironet Access Points

Here you have my config from one 2602 and 2702 that I used with a radius server for WIFI2 and WIFI3;

you can easily find the relevant parts for radius server authentication:

!
! Last configuration change at 17:44:08 +0200 Mon Mar 6 2023
! NVRAM config last updated at 17:47:07 +0200 Mon Mar 6 2023
! NVRAM config last updated at 17:47:07 +0200 Mon Mar 6 2023
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Cisco_2702-4
!
!
logging buffered 40960
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server name 192.168.110.1
!
aaa group server radius rad_mac
 server name 192.168.110.1
!
aaa group server radius rad_acct
 server name 192.168.110.1
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0200 2 0
led display dim
no ip source-route
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid WIFI1
   vlan 1
   band-select
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxx
!
dot11 ssid WIFI2
   vlan 111
   band-select
   authentication open mac-address mac_methods eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   accounting acct_methods
!
dot11 ssid WIFI3
   vlan 113
   band-select
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   accounting acct_methods
   mbssid guest-mode
!
dot11 band-select parameters
   cycle-count 2
   cycle-threshold 200
   expire-supression 20
   expire-dual-band 60
   client-rssi 71
!
dot11 aaa csid ietf
!
no ipv6 cef
!
crypto pki trustpoint TP-self-signed-1571329712
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1571329712
 revocation-check none
 rsakeypair TP-self-signed-1571329712
!
!
crypto pki certificate chain TP-self-signed-1571329712
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
username whatname secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 encryption vlan 111 mode ciphers aes-ccm 
 !
 encryption vlan 113 mode ciphers aes-ccm 
 !
 encryption vlan 115 mode ciphers aes-ccm 
 !
 ssid WIFI1
 !
 ssid WIFI2
 !
 ssid WIFI3
 !
 antenna gain 0
 stbc
 mbssid
 power client local
 channel 2432
 station-role root access-point
 world-mode dot11d country-code RO both
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.111
 encapsulation dot1Q 111
 bridge-group 111
 bridge-group 111 subscriber-loop-control
 bridge-group 111 spanning-disabled
 bridge-group 111 block-unknown-source
 no bridge-group 111 source-learning
 no bridge-group 111 unicast-flooding
!
interface Dot11Radio0.113
 encapsulation dot1Q 113
 bridge-group 113
 bridge-group 113 subscriber-loop-control
 bridge-group 113 spanning-disabled
 bridge-group 113 port-protected
 bridge-group 113 block-unknown-source
 no bridge-group 113 source-learning
 no bridge-group 113 unicast-flooding
!
interface Dot11Radio0.115
 encapsulation dot1Q 115
 bridge-group 115
 bridge-group 115 subscriber-loop-control
 bridge-group 115 spanning-disabled
 bridge-group 115 block-unknown-source
 no bridge-group 115 source-learning
 no bridge-group 115 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 encryption vlan 111 mode ciphers aes-ccm 
 !
 encryption vlan 113 mode ciphers aes-ccm 
 !
 encryption vlan 115 mode ciphers aes-ccm 
 !
 ssid WIFI1
 !
 ssid WIFI2
 !
 ssid WIFI3
 !
 antenna gain 0
 probe-response gratuitous
 no peakdetect
 no dfs band block
 stbc
 mbssid
 power client local
 channel width 40-above
 channel 5660
 station-role root access-point
 world-mode dot11d country-code RO both
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.111
 encapsulation dot1Q 111
 bridge-group 111
 bridge-group 111 subscriber-loop-control
 bridge-group 111 spanning-disabled
 bridge-group 111 block-unknown-source
 no bridge-group 111 source-learning
 no bridge-group 111 unicast-flooding
!
interface Dot11Radio1.113
 encapsulation dot1Q 113
 bridge-group 113
 bridge-group 113 subscriber-loop-control
 bridge-group 113 spanning-disabled
 bridge-group 113 port-protected
 bridge-group 113 block-unknown-source
 no bridge-group 113 source-learning
 no bridge-group 113 unicast-flooding
!
interface Dot11Radio1.115
 encapsulation dot1Q 115
 bridge-group 115
 bridge-group 115 subscriber-loop-control
 bridge-group 115 spanning-disabled
 bridge-group 115 block-unknown-source
 no bridge-group 115 source-learning
 no bridge-group 115 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.111
 encapsulation dot1Q 111
 bridge-group 111
 bridge-group 111 spanning-disabled
 no bridge-group 111 source-learning
!
interface GigabitEthernet0.113
 encapsulation dot1Q 113
 bridge-group 113
 bridge-group 113 spanning-disabled
 no bridge-group 113 source-learning
!
interface GigabitEthernet0.115
 encapsulation dot1Q 115
 bridge-group 115
 bridge-group 115 spanning-disabled
 no bridge-group 115 source-learning
!
interface GigabitEthernet1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet1.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 mac-address xxxx.xxxx.xxxx
 ip address 192.168.62.34 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
ip http secure-port 12221
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
!
no cdp run
!
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
!
radius server 192.168.110.1
 address ipv4 192.168.110.1 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxxxxxxxxxx
!
bridge 1 route ip
!
!
wlccp wds aaa csid ietf
!
line con 0
line vty 0 4
 length 0
 transport input all
!
sntp server 192.168.62.1
sntp broadcast client
end

 

lAhmed Saadl
Level 1

Thank you all for your support.

Actually, I've followed the documentation, but I am facing this error while trying to connect to the SSID.

%DOT11-7-AUTH_FAILED: Station 645a.04c6.abcs Authentication failed

RxTx
Level 1

If that MAC address is from the AP, then I think you are missing the authentication secret between the AP and the radius server that is required for the radius server to accept requests from the AP.

This MAC belongs to the client who was trying to get into the SSID but couldn't.

I can share my config if you would like to check something; it would surely be appreciated.

RxTx
Level 1

Check the log from the radius server also; you can have more details there (enable max details in the log).

At this moment I can think of these problems:

- what type of client is it: mobile phone or computer, Linux or Windows; does it have a domain policy enforced?

- is this the only client you are testing, or the only one that has the problem?

- if you use a certificate, is it uploaded to the client?!

- if you use client MAC authentication, be sure it is properly added on the radius server?!

...

No logs at the ISE side. I could ping it.
Windows with domain policy... all clients have the same issue; it asks me to enter the username and password over and over again with the error mentioned above.
Neither certificate nor MAC authentication. Just a simple trial of authenticating a standalone AP with an external radius.
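Two things in this thread can be checked mechanically: whether the AP's RADIUS chain is complete (SSID -> aaa authentication login list -> aaa group server -> radius server with an address and a shared key, the parts RxTx pointed at in the posted config), and how to read a %DOT11-7-AUTH_FAILED on the AP when the RADIUS server logs nothing, which is the AP-to-server leg rather than the client. The script below is an added example written for this page; it is not RxTx's code and not a Cisco tool. It parses a constructed, trimmed config modelled on the posted one (placeholder secrets, server named after its address), lints the chain for each SSID, and applies the thread's reasoning to a constructed AP log line with a placeholder station MAC. Only the command forms that appear in the posted config are recognised; other IOS syntax is ignored.

```python
import re

# Constructed sample (not the poster's full config): only the RADIUS-relevant
# lines of an autonomous AP, with placeholder secrets. The server is named after
# its address, as in the posted config.
GOOD_CONFIG = """\
aaa group server radius rad_eap
 server name 192.168.110.1
aaa authentication login eap_methods group rad_eap
dot11 ssid WIFI1
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 PLACEHOLDER_PSK
dot11 ssid WIFI3
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
radius server 192.168.110.1
 address ipv4 192.168.110.1 auth-port 1812 acct-port 1813
 key 7 PLACEHOLDER_KEY
"""
# The same config with the shared key left out, the omission RxTx suspected.
BAD_CONFIG = GOOD_CONFIG.replace(" key 7 PLACEHOLDER_KEY\n", "")

def parse_ap_config(text):
    """Extract the RADIUS authentication chain from an IOS AP running-config."""
    cfg = {"groups": {}, "login_lists": {}, "servers": {}, "ssids": {}}
    block = None  # (kind, name) of the indented block currently open
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command: ends the previous block
            block = None
            if m := re.match(r"aaa group server radius (\S+)", line):
                cfg["groups"][m[1]], block = [], ("group", m[1])
            elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
                cfg["login_lists"][m[1]] = m[2]
            elif m := re.match(r"radius server (\S+)", line):
                cfg["servers"][m[1]] = {"address": None, "key_type": None}
                block = ("server", m[1])
            elif m := re.match(r"dot11 ssid (\S+)", line):
                cfg["ssids"][m[1]], block = [], ("ssid", m[1])
            continue
        if block is None:
            continue
        kind, name = block
        body = line.strip()
        if kind == "group" and (m := re.match(r"server name (\S+)", body)):
            cfg["groups"][name].append(m[1])
        elif kind == "server" and (m := re.match(r"address ipv4 (\S+)", body)):
            cfg["servers"][name]["address"] = m[1]
        elif kind == "server" and (m := re.match(r"key (?:(\d) )?\S+", body)):
            cfg["servers"][name]["key_type"] = m[1] or "0"  # "7" is reversible obfuscation
        elif kind == "ssid" and body.startswith("authentication"):
            cfg["ssids"][name] += re.findall(r"(?:network-eap|mac-address|eap) (\S+)", body)
    return cfg

def lint(cfg):
    """One finding per break in an SSID's chain: login list -> group -> server."""
    findings = []
    for ssid, lists in cfg["ssids"].items():
        for lst in dict.fromkeys(lists):  # de-duplicate, keep order
            group = cfg["login_lists"].get(lst)
            if group is None:
                findings.append(f"{ssid}: login list '{lst}' is never defined")
                continue
            servers = cfg["groups"].get(group)
            if not servers:
                findings.append(f"{ssid}: aaa group '{group}' is undefined or lists no servers")
                continue
            for srv in servers:
                s = cfg["servers"].get(srv)
                if s is None or s["address"] is None:
                    findings.append(f"{ssid}: radius server '{srv}' is undefined or has no address")
                elif s["key_type"] is None:
                    findings.append(f"{ssid}: radius server '{srv}' has no shared key")
    return findings

AUTH_FAILED = re.compile(r"%DOT11-7-AUTH_FAILED: Station (\S+) Authentication failed")

def triage(ap_log, radius_log):
    """Apply the thread's reasoning: which leg of client -> AP -> RADIUS failed?"""
    stations = sorted({m[1] for line in ap_log if (m := AUTH_FAILED.search(line))})
    if not stations:
        return "no 802.11 authentication failures logged on the AP"
    if not radius_log:
        return (f"AP rejected {stations} but the RADIUS server logged nothing: check the "
                "server address/ports, the shared key, and that the AP is defined as a "
                "network device on the server")
    return f"RADIUS saw the requests for {stations}: read its reject reason (identity, EAP method, policy)"

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(parse_ap_config(text)) or "OK")
    # Constructed AP log line with a placeholder station MAC, no server-side log.
    print(triage(["%DOT11-7-AUTH_FAILED: Station 0000.0000.0001 Authentication failed"], []))
```

Run it against a real running-config saved to a file by reading the file into parse_ap_config; an empty list from lint means every EAP SSID ends at a server that has both an address and a key, and anything else names the exact link that is missing. The triage function only encodes the split the thread arrived at (AP logs a failure, server sees nothing), so the server's own log, as RxTx suggested, is still the place to look once requests are arriving.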
