06-08-2003 10:53 AM - edited 07-04-2021 08:45 AM
I'm trying to configure my 1200 Series AP with 11b and 11a radios to perform as a "local authenticator" for LEAP clients.
I've started by configuring the normal RADIUS server as the AP itself; and then configuring the local authenticator, with the AP itself as an allowed NAS.
I can't get it to work, and I'm not sure what I'm missing.
Below is the config. Any help is greatly appreciated.
**********************************************
ap1220-1#sh run
Building configuration...
Current configuration : 3951 bytes
!
! Last configuration change at 14:33:40 R Sun Jun 8 2003
! NVRAM config last updated at 14:38:21 R Sun Jun 8 2003 by admin
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1220-1
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.2.220 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server 192.168.2.220 auth-port 1812 acct-port 1813
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
enable secret xxxxx
!
username xxx privilege 15 password xxxxx
clock timezone R -5
clock summer-time R recurring
ip subnet-zero
ip domain name homenet
ip name-server 167.206.112.138
ip name-server 167.206.112.3
ip name-server 167.206.112.4
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool homenet
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 167.206.112.138 167.206.112.3 167.206.112.4
lease 0 8
!
ip ssh authentication-retries 5
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 541F07447BA16DC19D3A6F2CBFBC transmit-key
encryption mode wep optional
!
ssid b
authentication open
authentication network-eap eap_methods
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
power local 100
channel 2437
antenna receive right
antenna transmit right
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 3C3A6F2CBFBC5FA32C687A4251AE transmit-key
encryption mode wep optional
!
ssid a
authentication open
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.2.220 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.2.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
radius-server local
nas 192.168.2.220 key 7 051A17
group homenet
reauthentication time 300
!
user xxx nthash 7 xxxxx3067F7C group homenet
!
radius-server host 192.168.2.220 auth-port 1812 acct-port 1813 key 7 131406
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
banner motd ^C
This system is private property, and any unauthorized use is strictly prohibited.
Violations shall be prosecuted vigorously to the fullest extent of the law.
Additionally, if your attempts at penetrating this system are detected (count on it),
know that the SysAdmin is going to locate you and put you down with his superior Mojo.
^C
!
line con 0
line vty 0 4
exec-timeout 15 0
line vty 5 15
exec-timeout 15 0
!
ntp clock-period 2860663
ntp server 132.236.56.250
end
**********************************************
06-08-2003 11:56 AM
OK, got it working. I cleared everything out, and reconfig'd from scratch, looks the same as before. Although, I did stop trying to auth admin users against the local radius server, maybe that was it?
********************************************
hostname ap1220-1
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.2.220 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
enable secret xxxxx
!
username xxxx privilege xxx password xxxx
clock timezone R -5
clock summer-time R recurring
ip subnet-zero
ip domain name homenet
ip name-server 167.206.112.138
ip name-server 167.206.112.3
ip name-server 167.206.112.4
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool homenet
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 167.206.112.138 167.206.112.3 167.206.112.4
lease 0 8
!
ip ssh authentication-retries 5
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 541F07447BA16DC19D3A6F2CBFBC transmit-key
encryption mode wep optional
!
ssid b
authentication open
authentication network-eap eap_methods
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
power local 100
channel 2437
antenna receive right
antenna transmit right
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 3C3A6F2CBFBC5FA32C687A4251AE transmit-key
encryption mode wep optional
!
ssid a
authentication open
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.2.220 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.2.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
radius-server local
nas 192.168.2.220 key 7 021715
group homenet
block count 5 time 300
reauthentication time 300
!
user admin nthash 7 1530295926097D050D616D773653475751017A7D00075C273B467F080271027370 group homenet
!
radius-server host 192.168.2.220 auth-port 1812 acct-port 1813 key 7 001502
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
banner motd ^C
This system is private property, and any unauthorized use is strictly prohibited.
Violations shall be prosecuted vigorously to the fullest extent of the law.
Additionally, if your attempts at penetrating this system are detected (count on it),
know that the SysAdmin is going to locate you and put you down with his superior Mojo.
^C
!
line con 0
line vty 0
exec-timeout 15 0
terminal-type mon
line vty 1 4
exec-timeout 15 0
line vty 5 15
exec-timeout 15 0
!
ntp clock-period 2860664
ntp server 132.236.56.250
end
****************************************************
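A note for anyone reading this thread later, added by the editor and not part of either post above. Both dumps carry `key 7 ...` and `nthash 7 ...` values. Type 7 (`service password-encryption`) is a fixed XOR keystream, not a cipher, so the RADIUS shared secret between the AP's own RADIUS client and its local authenticator is recoverable from the paste, and the `nthash 7` value decodes to the LEAP user's NT hash, which is exactly what the LEAP (MS-CHAP) exchange verifies, i.e. a password equivalent. The `encryption mode wep optional` lines also admit clients that use no encryption at all, and ssid `a` has `authentication open` with no `network-eap`. The only substantive differences visible between the two dumps are the server removed from `rad_admin` and the added `block count 5 time 300` lockout under the local server group.

The script below is an added example (mine, not Cisco's and not the poster's): it decodes standard type-7 strings and audits a config fragment in the shape of the posted `show run`. The fragment, the secret `ap-secret` and the NT hash `0123456789ABCDEF0123456789ABCDEF` are constructed for the example; the posted values are deliberately not decoded here. The WEP `encryption key ... 7 ...` lines on this AP do not use the decimal-seed type-7 layout, so they are only flagged, not decoded.

```python
"""Audit a pasted Cisco IOS AP config for recoverable secrets and weak 802.11 settings.

Added example, not from the thread. Assumes "key 7 ..." and "nthash 7 ..." use the
standard Cisco type-7 encoding (2-digit decimal seed, then XORed hex bytes).
"""
import re

# Cisco's fixed type-7 keystream (publicly known). Because it is constant, type 7
# hides a secret from a glance at the screen and nothing more.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Lines of the form "... key 7 <hex>", "... nthash 7 <hex>", "... password 7 <hex>"
SECRET_RE = re.compile(
    r"^(?P<ctx>.*\b(?:key|nthash|password))\s+7\s+(?P<enc>[0-9A-Fa-f]{4,})\b"
)


def type7_decode(enc: str) -> str:
    """Reverse a type-7 string: seed selects the keystream offset, rest is XOR'd bytes."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type-7 string: {enc!r}")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction; used only to build the constructed sample below."""
    data = plain.encode("latin-1")
    enc = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def audit_config(text: str, min_secret_len: int = 16) -> list:
    """Return human-readable findings for one config dump."""
    findings = []
    ssid, open_auth, eap_auth = None, False, False

    def close_ssid():
        if ssid and open_auth and not eap_auth:
            findings.append(f"ssid {ssid}: open authentication and no network-eap (anyone can associate)")

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ssid "):            # new SSID block
            close_ssid()
            ssid, open_auth, eap_auth = line.split()[1], False, False
            continue
        if line == "!" or line.startswith("interface "):   # end of SSID block
            close_ssid()
            ssid = None
        if ssid:
            open_auth |= line.startswith("authentication open")
            eap_auth |= line.startswith("authentication network-eap")
        if line.startswith("encryption mode wep"):
            msg = "WEP in use (broken cipher)"
            if line.endswith("optional"):
                msg += "; wep optional also admits clients with no encryption at all"
            findings.append(msg)
        m = SECRET_RE.match(line)
        if m:
            ctx, plain = m.group("ctx"), type7_decode(m.group("enc"))
            if "nthash" in ctx:
                findings.append(f"LEAP user's NT hash recoverable from config: {ctx} -> {plain}")
            else:
                findings.append(f"type-7 secret recoverable: {ctx} -> {plain!r}")
                if "key" in ctx.split() and len(plain) < min_secret_len:
                    findings.append(f"RADIUS shared secret shorter than {min_secret_len} chars: {ctx}")
    close_ssid()
    return findings


def sample_config() -> str:
    """Constructed fragment shaped like the posted show run; every value is made up."""
    secret = type7_encode("ap-secret", seed=5)                              # short on purpose
    nthash = type7_encode("0123456789ABCDEF0123456789ABCDEF", seed=15)      # fake NT hash
    return f"""
interface Dot11Radio0
 encryption mode wep optional
 !
 ssid guest
  authentication open
 !
 ssid corp
  authentication open
  authentication network-eap eap_methods
 !
radius-server local
 nas 192.168.2.220 key 7 {secret}
 user admin nthash 7 {nthash} group homenet
radius-server host 192.168.2.220 auth-port 1812 acct-port 1813 key 7 {secret}
"""


if __name__ == "__main__":
    for f in audit_config(sample_config()):
        print("-", f)
```

Run it on a real `show run` by reading the file into `audit_config`; the script only reports, it does not rewrite anything. The practical fixes for the settings it flags are to replace WEP/LEAP with WPA2-Enterprise where the hardware allows it, use long random RADIUS shared secrets, and never paste a `show run` without replacing every type-7 value, not just the `username` lines.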