Configuring a 1230 AP as a "Local Radius Authenticator"

rnolden
Level 1

CCO-URL: Configuring an Access Point as a Local Authenticator

http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html

This is the minimal config, I think:

AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 1.1.1.1 key 111
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 2
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# end

where 1.1.1.1 is the IP of the AP itself?

Is it a must to have additional config commands like this:

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
aaa group server radius rad_eap
 server 1.1.1.1 auth-port 1812 acct-port 1813
aaa group server radius rad_admin
 server 1.1.1.1 auth-port 1812 acct-port 1813

All attempts didn't work:

"station <MAC> authentication failed"

Is there anything else necessary?

1 Reply

bmcmurdo
Cisco Employee

You seem to be missing the following commands:

authentication network-eap eap_methods
authentication key-management cckm optional

The following commands are useful for diagnosis:

• show radius local statistics
• show interface dot11Radio 0 aaa client
• debug dot11 aaa dot1x state
• debug dot11 mgmt interface

Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We do not encourage the use of Local authentication as a replacement for a RADIUS server.

* With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.

* ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.

Following is an IOS configuration that I have tested and that works on an AP1200 (it should work on an 1100 too, I just haven't tested it):

· This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
· This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it).
· Replace usernames/passwords with your own usernames/passwords.
· Replace IP addresses with the AP's IP address.
· I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test AP's SSID and LEAP settings).

conf t
host loc-auth-ap-name
enable secret cisco
no ip domain-lookup
line vty 0 4
 password cisco
 exec-timeout 0 0
 login
!
int bvi 1
 ip address 10.11.12.13 255.255.255.0
!
Interface dot11 0
 no ssid tsunami
 encryption mode ciphers ckip-cmic
 ssid test-loc-auth
  ! the SSID must reference the EAP method list, otherwise clients never start EAP
  authentication network-eap eap_methods
  authentication key-management cckm optional
!
ip dhcp excluded-address 10.11.12.13
ip dhcp pool temp
 network 10.11.12.0 255.255.255.0
!
interface BVI1
 ip address 10.11.12.13 255.255.255.0
 no ip route-cache
!
aaa new-model
aaa group server radius rad_eap
 ! add a real AAA server (with auth-port 1645) before
 ! the following statement if you are configuring a
 ! fallback authentication service instead of a
 ! standalone service
 !
 server 10.11.12.13 auth-port 1812 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
!
! add a real AAA server (with auth-port 1645) before
! the following statement if you are configuring a
! fallback authentication service instead of a
! standalone service
!
! the key here must match the nas entry under radius-server local below
radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
!
radius-server deadtime 10
dot11 holdoff-time 1
!
ip radius source-interface BVI1
!
radius-server local
 ! the nas entry is the AP's own address (BVI1) with the same shared secret
 nas 10.11.12.13 key 0 l0cal-key-secret
 user testuser password 0 testuser-key-secret
!
exit
exit
wri
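An added checker, not from either poster, that applies the reply's diagnosis to a pasted AP config: it verifies that radius-server local is present, that the shared secret in radius-server host matches the nas entry (the AP talks RADIUS to itself), and that an SSID actually references an EAP method list that leads, via aaa authentication login and a server group, to that host. The sample config is constructed from the original poster's commands plus the authentication line the reply said was missing; IPs and keys are placeholders.

```python
import re

# Constructed sample: the original poster's minimal commands plus the SSID
# authentication line the reply identifies as missing. IPs/keys are placeholders.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 1.1.1.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
interface Dot11Radio0
 ssid batman
  authentication network-eap eap_methods
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
radius-server local
 nas 1.1.1.1 key 111
 user jsmith password twain74 group clerks
"""

def check_local_radius(config: str) -> list:
    """Return the wiring problems found in an AP config; an empty list means consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.strip().startswith("!")]
    problems = []
    if "radius-server local" not in lines:
        problems.append("missing 'radius-server local'")
    # The AP is both RADIUS client (radius-server host) and server (nas): the secrets must agree.
    hosts = dict(m.groups() for l in lines if (m := re.match(r"radius-server host (\S+) .*\bkey (?:[07] )?(\S+)$", l)))
    nas = dict(m.groups() for l in lines if (m := re.match(r"nas (\S+) key (?:[07] )?(\S+)$", l)))
    for ip, secret in hosts.items():
        if nas.get(ip) != secret:
            problems.append(f"no 'nas {ip}' entry, or its shared secret differs from radius-server host {ip}")
    # AAA chain: ssid -> authentication network-eap <list> -> aaa authentication login <list> group <grp> -> server <ip>
    groups, current = {}, None
    for l in lines:
        if m := re.match(r"aaa group server radius (\S+)", l):
            current = groups.setdefault(m[1], set())
        elif m := re.match(r"server (\S+)", l):
            if current is not None:
                current.add(m[1])
        else:
            current = None
    lists = dict(m.groups() for l in lines if (m := re.match(r"aaa authentication login (\S+) group (\S+)", l)))
    eap_lists = [m[1] for l in lines if (m := re.match(r"authentication network-eap (\S+)", l))]
    if not eap_lists:
        problems.append("no ssid carries 'authentication network-eap <list>', so clients never start EAP")
    for name in eap_lists:
        grp = lists.get(name)
        if grp is None:
            problems.append(f"method list '{name}' has no 'aaa authentication login {name} group ...' line")
        elif not groups.get(grp, set()) & set(hosts):
            problems.append(f"server group '{grp}' has no server matching a radius-server host")
    return problems
```

Pasting the reply's full configuration into check_local_radius also returns an empty list, since its IOS comment lines are skipped and its nas, radius-server host and eap_methods references line up.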
