03-08-2012 07:14 AM - edited 07-03-2021 09:45 PM
Hi all:
I am testing an Aironet1040 in an AP setting. During a trial run of the GUI on this 1040, I saw a local RADIUS setting where something like FAST-EAP can be set.
After using this setting (plus other steps), can I set up this Aironet1040 as an AP that also acts as a simple RADIUS server for authentication?
If not in the way I mentioned above, can the Aironet1040 be set up as a simple RADIUS server? If it can act as a simple RADIUS server without needing an external RADIUS server, that would be great and would save the trouble of finding another server.
Thanks!
03-08-2012 08:29 AM
This should be feasible. Here is the section of the IOS AP config guide that describes how to do what you want.
03-10-2012 11:45 AM
Hi David:
Thanks for your help on this!
I followed the link and found Chapter 9 of the book, on Local Authenticator configuration. I ran the following commands:
conf t
aaa new-model
radius-server local
! 192.168.50.5 is the Cisco AP IP
nas 192.168.50.5 key 12345678
group clerks
exit
user jsmith password 12345678 group clerks
end
wr
conf t
aaa new-model
radius-server host 192.168.50.5 auth-port 1812 acct-port 1813 key 12345678
After this setup, when I tried to connect to the network, it did not work. When it prompted for the user name and password, I keyed in jsmith and 12345678, but it never passed.
The following error messages appear in the config file editor, for your reference:
*Mar 1 10:25:59.745: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5
*Mar 1 10:26:09.438: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.50.5:1812,1813 is not responding.
*Mar 1 10:26:09.438: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.50.5:1812,1813 is being marked alive.
*Mar 1 10:26:18.526: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:26:49.585: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:26:51.106: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5
*Mar 1 10:27:09.920: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:27:25.235: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6
*Mar 1 10:27:25.236: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6
*Mar 1 10:27:25.237: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6
*Mar 1 10:27:25.239: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6
*Mar 1 10:27:40.974: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:28:12.020: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:28:18.704: %DOT11-4-MAXRETRIES: Packet to client 68a3.c487.43be reached max retries, removing the client
*Mar 1 10:28:21.587: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5
*Mar 1 10:28:39.698: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.50.5:1812,1813 is not responding.
*Mar 1 10:28:39.698: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.50.5:1812,1813 is being marked alive.
*Mar 1 10:28:39.699: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:28:53.694: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5
*Mar 1 10:29:12.499: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:29:43.563: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
*Mar 1 10:30:14.623: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed
May I know what is wrong and whether there is anything you can help with? Thanks!
Best regards,
tangsuan
03-11-2012 11:12 AM
There is a key mismatch between the mad config and the server config. You may have put an inadvertent space if you cut and pasted the local radius config. Reset the keys manually and try again.
Steve
Sent from Cisco Technical Support iPhone App
03-11-2012 10:47 PM
Hi Stephen:
Thanks for your answer!
1. Can you specify more precisely what "mad config" means, and where in the GUI or command line I can change the key? I think the server config is the server configuration page in the GUI, on the left-hand side of the AP website. Correct me if I am wrong.
2. In Windows 7, there are the security types WPA2-Personal and WPA2-Enterprise; for authentication purposes, I think we always select WPA2-Enterprise. For the Cisco AP1040 to work with WPA2-Enterprise, what should we set on the Cisco AP?
3. I know that in certain cases, when authentication is set to something like EAP, the wireless pre-shared key for WPA2 has to be empty. Is that all right, and is wireless security then actually handed over to authentication by filling in only the user name and password? Am I right?
4. I know that with Windows RADIUS authentication there is a user database such as Active Directory. Where and how do we set up the user database on this AP1040 if we want it to act as a local RADIUS server? Is there a way? Please advise.
Many thanks in advance for answering my questions.
Best regards,
tangsuan
03-17-2012 11:47 AM