Can Aironet1040 AP set local Radius and act as Radius Server?

Tang-Suan Tan
Level 1

Hi all:

I am testing an Aironet1040 in AP setting. During a trial run of the GUI on this 1040, I saw a local radius setting, and it can set something like FAST-EAP.

Is it that after using this setting (plus other steps), I can set this Aironet1040 as an AP with the capability of a simple Radius Server for authentication purposes?

If not in the way I mentioned above, can the Aironet1040 be set as a simple Radius Server? If it can be set as a simple Radius Server and does not need to work with an external Radius Server, that would be great and would save the trouble of finding another server.

Thanks!

daviwatk
Level 3

This should be feasible.  Here is the section of the IOS AP config guide that describes how to do what you want.

http://www.cisco.com/en/US/docs/wireless/access_point/12.4.25d.JA/Configuration/guide/scg12.4.25d.JA-chap9-localauth.html

Hi David:

Thanks for your help on this!

I followed the link and found Chapter 9 of the book for Local Authenticator configuration. I ran the following commands:

conf t
aaa new-model
radius-server local
! 192.168.50.5 is the Cisco AP IP
nas 192.168.50.5 key 12345678
group clerks
exit
user jsmith password 12345678 group clerks
end
wr
conf t
aaa new-model
radius-server host 192.168.50.5 auth-port 1812 acct-port 1813 key 12345678

After setting this, when I tried to connect to the network, it did not work. When prompted for the user name and password, I keyed in jsmith and 12345678, but it never passed.

The following error messages appear in the config file editor, for your reference:

*Mar 1 10:25:59.745: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5

*Mar 1 10:26:09.438: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.50.5:1812,1813 is not responding.

*Mar 1 10:26:09.438: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.50.5:1812,1813 is being marked alive.

*Mar 1 10:26:18.526: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:26:49.585: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:26:51.106: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5

*Mar 1 10:27:09.920: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:27:25.235: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6

*Mar 1 10:27:25.236: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6

*Mar 1 10:27:25.237: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6

*Mar 1 10:27:25.239: %SYS-5-CONFIG_I: Configured from http by Cisco on 192.168.50.6

*Mar 1 10:27:40.974: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:28:12.020: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:28:18.704: %DOT11-4-MAXRETRIES: Packet to client 68a3.c487.43be reached max retries, removing the client

*Mar 1 10:28:21.587: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5

*Mar 1 10:28:39.698: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.50.5:1812,1813 is not responding.

*Mar 1 10:28:39.698: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.50.5:1812,1813 is being marked alive.

*Mar 1 10:28:39.699: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:28:53.694: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch with 192.168.50.5

*Mar 1 10:29:12.499: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:29:43.563: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

*Mar 1 10:30:14.623: %DOT11-7-AUTH_FAILED: Station 68a3.c487.43be Authentication failed

May I know what is wrong and whether there is anything you can help with? Thanks!

Best regards,

tangsuan

There is a key mismatch between the mad config and the server config. You may have put an inadvertent space if you cut and pasted the local radius config. Reset the keys manually and try again.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Hi Stephen:

Thanks for your answer!

1. Can you specify more clearly what the mad config means, and where in the GUI or command line I can change the key? I think the server config is the server config GUI on the left-hand side of the AP website -- correct me if I am wrong.

2. In Windows 7, there are the Security Types WPA2-Personal and WPA2-Enterprise; for authentication purposes, I think we always select WPA2-Enterprise. For the Cisco AP1040 to work under WPA2-Enterprise, what should we set in the Cisco AP?

3. In certain cases I know that, when the authentication is set to something like EAP, the wireless preshared key for WPA2 has to be empty. In this way, is it all right, and is the wireless security actually transferred from wireless security to authentication by only filling in the user name and password? Am I right?

4. I know that in Windows Radius Authentication, there is a user database like Active Directory. Where and how do we set the user database in this AP1040 if we want to use this AP1040 as a Local Radius Server? Is there a way? Please advise.

Many thanks in advance for answering my questions.

Best regards,

tangsuan

Hi all:

I am still struggling to configure my AP1040 as a local authentication server, but it always comes up with the errors below:

1. Invalid Packets from NAS

2. Unknown EAP type.

Attached, please see my config file for the AP. Please help me to resolve this problem. Many thanks!