01-04-2024 02:41 AM
Hello Team,
Is it applicable to convert 1700 series or 1600 series AP to standalone and configure it to authenticate with Radius server?
It would be appreciated if there is a document or a guide that describes how to configure it to authenticate with the external server in steps, please.
Consider that it has been given a static IP and is already broadcasting SSIDs; the main concern is how to configure it to authenticate with the external server in steps, please.
Thank you,
01-04-2024 03:23 AM
- FYI : https://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/
M.
01-04-2024 03:35 AM
Hi,
Yes, it is possible.
If you need documentation, search for: Cisco IOS Configuration Guide for Autonomous Cisco Aironet Access Points
Here is my config from a 2602 and a 2702 that I used with a RADIUS server for WIFI2 and WIFI3.
You can easily find the relevant parts for RADIUS server authentication:
!
! Last configuration change at 17:44:08 +0200 Mon Mar 6 2023
! NVRAM config last updated at 17:47:07 +0200 Mon Mar 6 2023
! NVRAM config last updated at 17:47:07 +0200 Mon Mar 6 2023
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Cisco_2702-4
!
!
logging buffered 40960
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server name 192.168.110.1
!
aaa group server radius rad_mac
server name 192.168.110.1
!
aaa group server radius rad_acct
server name 192.168.110.1
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0200 2 0
led display dim
no ip source-route
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid WIFI1
vlan 1
band-select
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxx
!
dot11 ssid WIFI2
vlan 111
band-select
authentication open mac-address mac_methods eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
accounting acct_methods
!
dot11 ssid WIFI3
vlan 113
band-select
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
accounting acct_methods
mbssid guest-mode
!
dot11 band-select parameters
cycle-count 2
cycle-threshold 200
expire-supression 20
expire-dual-band 60
client-rssi 71
!
dot11 aaa csid ietf
!
no ipv6 cef
!
crypto pki trustpoint TP-self-signed-1571329712
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1571329712
revocation-check none
rsakeypair TP-self-signed-1571329712
!
!
crypto pki certificate chain TP-self-signed-1571329712
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
username whatname secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 111 mode ciphers aes-ccm
!
encryption vlan 113 mode ciphers aes-ccm
!
encryption vlan 115 mode ciphers aes-ccm
!
ssid WIFI1
!
ssid WIFI2
!
ssid WIFI3
!
antenna gain 0
stbc
mbssid
power client local
channel 2432
station-role root access-point
world-mode dot11d country-code RO both
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.111
encapsulation dot1Q 111
bridge-group 111
bridge-group 111 subscriber-loop-control
bridge-group 111 spanning-disabled
bridge-group 111 block-unknown-source
no bridge-group 111 source-learning
no bridge-group 111 unicast-flooding
!
interface Dot11Radio0.113
encapsulation dot1Q 113
bridge-group 113
bridge-group 113 subscriber-loop-control
bridge-group 113 spanning-disabled
bridge-group 113 port-protected
bridge-group 113 block-unknown-source
no bridge-group 113 source-learning
no bridge-group 113 unicast-flooding
!
interface Dot11Radio0.115
encapsulation dot1Q 115
bridge-group 115
bridge-group 115 subscriber-loop-control
bridge-group 115 spanning-disabled
bridge-group 115 block-unknown-source
no bridge-group 115 source-learning
no bridge-group 115 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 111 mode ciphers aes-ccm
!
encryption vlan 113 mode ciphers aes-ccm
!
encryption vlan 115 mode ciphers aes-ccm
!
ssid WIFI1
!
ssid WIFI2
!
ssid WIFI3
!
antenna gain 0
probe-response gratuitous
no peakdetect
no dfs band block
stbc
mbssid
power client local
channel width 40-above
channel 5660
station-role root access-point
world-mode dot11d country-code RO both
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.111
encapsulation dot1Q 111
bridge-group 111
bridge-group 111 subscriber-loop-control
bridge-group 111 spanning-disabled
bridge-group 111 block-unknown-source
no bridge-group 111 source-learning
no bridge-group 111 unicast-flooding
!
interface Dot11Radio1.113
encapsulation dot1Q 113
bridge-group 113
bridge-group 113 subscriber-loop-control
bridge-group 113 spanning-disabled
bridge-group 113 port-protected
bridge-group 113 block-unknown-source
no bridge-group 113 source-learning
no bridge-group 113 unicast-flooding
!
interface Dot11Radio1.115
encapsulation dot1Q 115
bridge-group 115
bridge-group 115 subscriber-loop-control
bridge-group 115 spanning-disabled
bridge-group 115 block-unknown-source
no bridge-group 115 source-learning
no bridge-group 115 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.111
encapsulation dot1Q 111
bridge-group 111
bridge-group 111 spanning-disabled
no bridge-group 111 source-learning
!
interface GigabitEthernet0.113
encapsulation dot1Q 113
bridge-group 113
bridge-group 113 spanning-disabled
no bridge-group 113 source-learning
!
interface GigabitEthernet0.115
encapsulation dot1Q 115
bridge-group 115
bridge-group 115 spanning-disabled
no bridge-group 115 source-learning
!
interface GigabitEthernet1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
mac-address xxxx.xxxx.xxxx
ip address 192.168.62.34 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
ip http secure-port 12221
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
no cdp run
!
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
!
radius server 192.168.110.1
address ipv4 192.168.110.1 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxxxxxxxxxxxx
!
bridge 1 route ip
!
!
wlccp wds aaa csid ietf
!
line con 0
line vty 0 4
length 0
transport input all
!
sntp server 192.168.62.1
sntp broadcast client
end
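The RADIUS-relevant parts of a config like the one above form a chain: each `dot11 ssid` names a method list, the method list names a server group, the group names a `radius server` entry, and that entry needs an address and a shared key. The check below is an added example, not part of the original post or any Cisco tool. `audit`, `SAMPLE` and `HEADERS` are hypothetical names, the sample config is constructed, and it assumes no global `radius-server key` is supplying the secret instead.

```python
import re

# Constructed sample: only the RADIUS-related lines of an autonomous AP config.
SAMPLE = """\
aaa group server radius rad_eap
 server name 192.168.110.1
!
aaa group server radius rad_mac
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
dot11 ssid WIFI2
 authentication open mac-address mac_methods eap eap_methods
!
radius server 192.168.110.1
 address ipv4 192.168.110.1 auth-port 1812 acct-port 1813
!
"""

HEADERS = {"group": r"aaa group server radius (\S+)",
           "ssid": r"dot11 ssid (\S+)", "server": r"radius server (\S+)"}

def audit(config):
    """Follow SSID -> method list -> server group -> radius server; list the breaks."""
    found, lists, cur = {k: {} for k in HEADERS}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            lists[m[1]], cur = m[2], None
        elif hit := [(k, m[1]) for k, p in HEADERS.items() if (m := re.match(p, line))]:
            cur = found[hit[0][0]].setdefault(hit[0][1], set())  # open a new section
        elif not line or line.startswith("!") or cur is None:
            cur = None                                  # "!" closes the section
        elif line.startswith("server name "):
            cur.add(line.split()[2])                    # group member
        elif line.startswith("authentication "):       # method lists an SSID uses
            cur.update(re.findall(r"\b(?:mac-address|network-eap|eap) (\S+)", line))
        elif line.split()[0] in ("address", "key"):
            cur.add(line.split()[0])                    # what the server entry has
    problems = set()
    for ssid, used in found["ssid"].items():
        for lst in used:
            members = found["group"].get(lists.get(lst), set())
            if not members:
                problems.add(f"{ssid}: method list {lst} reaches no RADIUS server")
            for name in members:
                missing = {"address", "key"} - found["server"].get(name, set())
                if missing:
                    problems.add(f"{ssid}: server {name} lacks {'/'.join(sorted(missing))}")
    return sorted(problems)
```

The parser strips leading whitespace, so it gives the same result on a config pasted with its indentation lost.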
01-08-2024 11:07 AM
Thank you all for your support.
Actually, I’ve followed the documentation, but I am facing this error while trying to connect to the SSID.
%DOT11-7-AUTH_FAILED: Station 645a.04c6.abcs Authentication failed
01-08-2024 11:55 AM
If that MAC address is from the AP, then I think you are missing the authentication secret between the AP and the RADIUS server, which is required for the RADIUS server to accept requests from the AP.
01-08-2024 12:06 PM
This MAC belongs to the client who was trying to get in the SSID but couldn’t.
01-08-2024 12:07 PM
I can share my config if you would like to check something, would be surely appreciated.
01-08-2024 12:26 PM
Check the log from the RADIUS server also; you can get more details there (enable maximum detail in the log).
At this moment I can think of these problems:
- What type of client is it: mobile phone or computer, Linux or Windows? Does it have a domain policy enforced?
- Is this the only client you are testing, or the one that has the problem?
- If you use a certificate, is it uploaded to the client?
- If you use client MAC authentication, be sure it is properly added in the RADIUS server.
...
01-08-2024 12:37 PM
No logs at ISE side. I could ping it.
Windows with domain policy… all clients have the same issue; it asks me to enter the username and password over and over again with the error mentioned above.
Neither certificate nor MAC authentication. Just a simple trial of authenticating a standalone AP with an external RADIUS server.