Solved: Re: Cisco 9115 AP web key or radius server

heyjunsun · ‎01-15-2024

hello I am setting up the Cisco AP 9115.

https://www.youtube.com/watch?v=kW9nJ3MEZX0&t=30s

After seeing this, I succeeded in creating SSID

Now there are two concerns for me.

1. How do I set the web key method when I log in the SSID?

2. The following is an example of how to set up radius server authentication is the config I understood.

example

"aaa new-model"

"radius server 111.111.111.111 "

"address ipv4 111.111.111.111 auth-port 1812 acct-port 1813"

"key 0 1231231331313132"

"aaa group server radius hello_test"

"server name 123.123.11.12"

"aaa authentication login test_methods group hello_test"

"wlan DBLIFE_18104 1 DBLIFE_18104"

JPavonM · ‎01-16-2024

WEP is an unsecure authentication method, but if you needed it becuase you have pretty legacy devices in your network, this is how to do it on the CLI:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/newconfigmodel/b_catalyst-9800-configuration-model/m_configuring-wlan-security.html#task_63147420F58D40E0A928C020F91DB551.

In the GUI:

View solution in original post

JPavonM · ‎01-15-2024

I think you have a misconception with regards of the authentication method you want to use in your SSID.

For RADIUS authentication through 802.1X you need to setup the WLC as a client on a RADIUS server (ISE: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html; or NPS: https://howiwifi.com/2020/07/21/cisco-9800-802-1x-eap-user-authentication-with-windows-radius-nps/) and create the policies there to allow the connection of client by using any EAP type (PEAP, TLS).

For RADIUS authentication using a web key (aka Captive Portal) you don't need to setup your SSID using 802.1X but only a PSK (your previous method) or keeping it Open (risky in terms of performance). In this case, you have the option to setup the Captive Portal on the WLC (Local Web: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers/m-local-web-authentication-configuration.html) or an external service (Central Web: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html) by using, again, ciscco ISE or other cloud services.

heyjunsun · ‎01-15-2024

hello JPavonM

thank you reply

I got the word wrong

The authentication method I wanted to say is wepkey.

My situation is that I want to connect through WEPKEY authentication to see if the connection is normal after making SSID.

After that, I would like to change to the Radius server authentication method and check it again.

example command "wap-psk ascii 7 12312312313D"

So may I know how to set up the WEPKEY scheme?

Also, you told me to assign radius server to WLC, but my question is, do I make radius server authentication like the config I gave you as an example? Is my next action complete with radius server authentication as long as I allocate WLC?

JPavonM · ‎01-16-2024

WEP is an unsecure authentication method, but if you needed it becuase you have pretty legacy devices in your network, this is how to do it on the CLI:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/newconfigmodel/b_catalyst-9800-configuration-model/m_configuring-wlan-security.html#task_63147420F58D40E0A928C020F91DB551.

In the GUI:

heyjunsun · ‎01-16-2024

thank you

After WEP authentication, I will ask you again about radius server authentication.

Rich R · ‎01-27-2024

According to https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html WEP is deprecated on all the APs since the Wave 2 AC models, including 9115 so I don't think WEP is supported at all on these APs (and I've never tried).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390