cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
722
Views
0
Helpful
1
Replies

Change LEAP authentication to PEAP

jkay18041
Level 3
Level 3

I have 2 3502 APs one is the radius server the other connects to it. I am trying to change my SSID on VLAN 1 from LEAP authentication to PEAP. I have been unable to find instructions that work with my APs on this. I was hoping if I posted my configs someone could point me in the right direction.

 

Thank you for the help!

 

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Upstairs
!
!
logging rate-limit console 9
no logging console
enable secret 5 
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
--More-- dot11 syslog
!
dot11 ssid Corp
vlan 1
authentication open eap eap_methods
authentication key-management wpa version 2
mbssid guest-mode
!
dot11 ssid J&B2
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 
!
!
!
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
--More-- !
!
crypto pki certificate chain TP-self-signed-293893157
certificate self-signed 01
30827301E17 0D303230 33303130 33303433
385A 21E0E596 DEC99A8A 96BB762F D302B6B2 05C35245
FBBE0914 59059D6B F550D4FD 145DCC74 23671FF4 34DF82D1 4CD4DA82 9E115D57
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 1680147E 8C84DB9D CF7A520B 8BB8BF08 084DCE46 FD6E0530 1D060355
1D0E0416 04147E8C 84DB9DCF 7A520B8B B8BF0808 4DCE46FD 6E05300D 06092A86
4886F70D 01010505 00038181 004E8880 09F829AF D095912A 54211B75 1B957262
5E700E9F 01A8A707 2D99B958 A48431B4 524C57A9 7FF43F18 35747C25 D934656A
F4B8
quit
--More-- username ADMIN privilege 15 password 7 
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 2 mode ciphers aes-ccm
!
ssid Corp
!
ssid J&B2
!
antenna gain 0
mbssid
station-role root
!
--More-- interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
--More-- antenna gain 0
peakdetect
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
--More-- no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface BVI1
description LAN Interface
mac-address a44c.1184.7425
ip address 10.10.1.252 255.255.255.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 10.10.1.253
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
--More-- ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
snmp-server community fast_stats RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
bridge 1 route ip
!
--More-- !
wlccp ap username 

 

Radius Server AP

 

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Downstairs
!
!
logging rate-limit console 9
no logging console
enable secret 5 
!
aaa new-model
!
!
aaa group server radius rad_eap
server name 10.10.1.251
!
--More-- aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server name 10.10.1.251
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server name 10.10.1.251
!
aaa group server radius Clients
server name 10.10.1.251
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login method_Clients group Clients
--More-- aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!
dot11 ssid Corp
vlan 1
authentication open eap eap_methods1
authentication network-eap eap_methods1
authentication key-management wpa version 2
mbssid guest-mode
!
--More-- dot11 ssid J&B2
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 
!
!
!
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32393338 39323737 37301E17 0D303230 33303130 32353534
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
--More-- 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3239 33383932
37373730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
99CC9559 A
quit
username ADMIN privilege 15 password 7 
!
!
bridge irb
!
!
!
interface Dot11Radio0
--More-- no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid Corp
!
ssid J&B2
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
--More-- bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
antenna gain 0
peakdetect
dfs band 3 block
channel dfs
station-role root
bridge-group 1
--More-- bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
--More-- bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface BVI1
description LAN Interface
mac-address a44c.1184.72
ip address 10.10.1.251 255.255.255.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 10.10.1.253
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
snmp-server community 
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
--More-- snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
radius-server local
no authentication eapfast
no authentication mac
nas 10.10.1.251 key 7 
group Group
!
group vlan_1
!
--More-- user jgroup Group
user 
!
radius-server attribute 32 include-in-access-req format %h
!
radius server 10.10.1.251
address ipv4 10.10.1.251 auth-port 1812 acct-port 1813
key 7 1
!
bridge 1 route ip
!
!
wlccp ap username 
wlccp ap wds ip address 10.10.1.251
wlccp authentication-server infrastructure eap_methods
wlccp authentication-server client eap method_Clients
wlccp authentication-server client leap method_Clients
wlccp wds priority 255 interface BVI1
!

1 Reply 1

Sandeep Choudhary
VIP Alumni
VIP Alumni

Hi,

As per my knowledge...local Radius on Cisco Standalone AP only  gives the options  EAP, LEAP, and EAP-FAST. Hence you need to integrate an external Radius for PEAP authentication.

 

Regards

Dont forget to rate helpful posts

Review Cisco Networking for a $25 gift card