cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
759
Views
0
Helpful
1
Replies

Configuring a 1200 Series AP as a "Local Authenticator"

ED CARMODY
Enthusiast
Enthusiast

I'm trying to configure my 1200 Series AP with 11b and 11a radios to perform as a "local authenticator" for LEAP clients.

I've started by configuring the normal RADIUS server as the AP itself; and then configuring the local authenticator, with the AP itself as an allowed NAS.

I can't get it to work, and I'm not sure what I'm missing.

Below is the config. Any help is greatly appreciated.

**********************************************

ap1220-1#sh run

Building configuration...

Current configuration : 3951 bytes

!

! Last configuration change at 14:33:40 R Sun Jun 8 2003

! NVRAM config last updated at 14:38:21 R Sun Jun 8 2003 by admin

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap1220-1

!

aaa new-model

!

!

aaa group server radius rad_eap

server 192.168.2.220 auth-port 1812 acct-port 1813

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

server 192.168.2.220 auth-port 1812 acct-port 1813

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local

aaa authorization ipmobile default group rad_pmip

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

enable secret xxxxx

!

username xxx privilege 15 password xxxxxclock timezone R -5

clock summer-time R recurring

ip subnet-zero

ip domain name homenet

ip name-server 167.206.112.138

ip name-server 167.206.112.3

ip name-server 167.206.112.4

ip dhcp excluded-address 192.168.2.1 192.168.2.10

!

ip dhcp pool homenet

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 167.206.112.138 167.206.112.3 167.206.112.4

lease 0 8

!

ip ssh authentication-retries 5

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption key 1 size 128bit 7 541F07447BA16DC19D3A6F2CBFBC transmit-key

encryption mode wep optional

!

ssid b

authentication open

authentication network-eap eap_methods

!

speed basic-1.0 basic-2.0 basic-5.5 basic-11.0

rts threshold 2312

power local 100

channel 2437

antenna receive right

antenna transmit right

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption key 1 size 128bit 7 3C3A6F2CBFBC5FA32C687A4251AE transmit-key

encryption mode wep optional

!

ssid a

authentication open

!

speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0

rts threshold 2312

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 192.168.2.220 255.255.255.0

no ip route-cache

!

ip default-gateway 192.168.2.1

ip http server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100

ip radius source-interface BVI1

radius-server local

nas 192.168.2.220 key 7 051A17

group homenet

reauthentication time 300

!

user xxx nthash 7 xxxxx

3067F7C group homenet

!

radius-server host 192.168.2.220 auth-port 1812 acct-port 1813 key 7 131406

radius-server retransmit 3

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

bridge 1 route ip

!

banner motd ^C

This system is private property, and any unauthorized use is strictly prohibited.

Violations shall be prosecuted vigorously to the fullest extent of the law.

Additionally, if your attempts at penetrating this system are detected (count on it),

know that the SysAdmin is going to locate you and put you down with his superior Mojo.

^C

!

line con 0

line vty 0 4

exec-timeout 15 0

line vty 5 15

exec-timeout 15 0

!

ntp clock-period 2860663

ntp server 132.236.56.250

end

**********************************************

1 Reply 1

ED CARMODY
Enthusiast
Enthusiast

OK, got it working. I cleared everything out, and reconfig'd from scratch, looks the same as before. Altho, I did stop trying to auth admin users against the local radius server, maybe that was it?

********************************************

hostname ap1220-1

!

aaa new-model

!

!

aaa group server radius rad_eap

server 192.168.2.220 auth-port 1812 acct-port 1813

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local

aaa authorization ipmobile default group rad_pmip

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

enable secret xxxxx!

username xxxx privilege xxx password xxxx

clock timezone R -5

clock summer-time R recurring

ip subnet-zero

ip domain name homenet

ip name-server 167.206.112.138

ip name-server 167.206.112.3

ip name-server 167.206.112.4

ip dhcp excluded-address 192.168.2.1 192.168.2.10

!

ip dhcp pool homenet

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 167.206.112.138 167.206.112.3 167.206.112.4

lease 0 8

!

ip ssh authentication-retries 5

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption key 1 size 128bit 7 541F07447BA16DC19D3A6F2CBFBC transmit-key

encryption mode wep optional

!

ssid b

authentication open

authentication network-eap eap_methods

!

speed basic-1.0 basic-2.0 basic-5.5 basic-11.0

rts threshold 2312

power local 100

channel 2437

antenna receive right

antenna transmit right

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption key 1 size 128bit 7 3C3A6F2CBFBC5FA32C687A4251AE transmit-key

encryption mode wep optional

!

ssid a

authentication open

!

speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0

rts threshold 2312

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 192.168.2.220 255.255.255.0

no ip route-cache

!

ip default-gateway 192.168.2.1

ip http server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100

ip radius source-interface BVI1

radius-server local

nas 192.168.2.220 key 7 021715

group homenet

block count 5 time 300

reauthentication time 300

!

user admin nthash 7 1530295926097D050D616D773653475751017A7D00075C273B467F080271027370 group homenet

!

radius-server host 192.168.2.220 auth-port 1812 acct-port 1813 key 7 001502

radius-server retransmit 3

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

bridge 1 route ip

!

banner motd ^C

This system is private property, and any unauthorized use is strictly prohibited.

Violations shall be prosecuted vigorously to the fullest extent of the law.

Additionally, if your attempts at penetrating this system are detected (count on it),

know that the SysAdmin is going to locate you and put you down with his superior Mojo.

^C

!

line con 0

line vty 0

exec-timeout 15 0

terminal-type mon

line vty 1 4

exec-timeout 15 0

line vty 5 15

exec-timeout 15 0

!

ntp clock-period 2860664

ntp server 132.236.56.250

end

****************************************************

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers