Is 1200AP AAA server or client in ACS 3.1?

mbouchar
Level 1

I would like to set up a 1200AP in ACS to authenticate users using LEAP. After reading some technical documentation and examples of configuring LEAP authentication, I am confused as to whether the AP should be set up as an AAA server or an AAA client in ACS. I would assume a client, as it is the only option for Radius(Aironet), but I am not sure. Could someone clarify, please?

I have 12.00T installed on the AP and would also like to authenticate the administrative login to the AP using the ACS server. Is there a setting to enable this on the AP? I have the authentication server check box enabled for "User Authentication" and it still does not work. Any help appreciated.

Thanks

4 Replies

tepatel
Cisco Employee

The AP (IP address of the AP) should be configured in the ACS (AAA server) as an "AAA client".

Here is the best URL, which has a step-by-step config for LEAP for the AP and ACS too.

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrsec_an.htm

tepatel
Cisco Employee

For admin user authentication against ACS RADIUS, you need to have the following attribute in the cisco av-pair list:

aironet:admin-capability=write+ident+admin+firmware

Once you have that as an authorization attribute, it will work.

ndoshi
Cisco Employee

Make sure you are running 12.0 on the AP 350.

For the admin user you need to define the Cisco AV pair attributes.

The following procedure will help you:

a) On ACS, select Interface Configuration and go to the advance option, select "per-user Tacacs/Radius attribute", and click on Submit.

b) On ACS, select Network Configuration.

1) Check if you have configuration >> Radio (IOS/PIX available) on the ACS. If not, add NAS type Radius IOS/PIX; note that this is needed for the IOS/PIX attribute.

2) After adding the IOS/PIX device, select Interface Configuration >> Radius (IOS/PIX). Enable the [026/009/001] "cisco av-pair" option; again, make sure that you enable it at user and group level. Click on Submit.

3) Add a user (User Setup >> ADD/EDIT).

To restrict administrator access control:

1) Enable and configure cisco 09\001 cisco av-pair.

2) Example:

aironet:admin-capability=write+ident+admin+firmware
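
How the [026/009/001] attribute named in the steps above is laid out on the wire, as an added example that is not part of any post in this thread: it packs the av-pair into a RADIUS Vendor-Specific attribute (RFC 2865 format, Cisco vendor ID 9, sub-type 1) and parses it back, which is useful when checking a captured Access-Accept for the admin capability. The function names and the sample attribute list are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type: the "026" in [026/009/001]
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco: the "009"
CISCO_AVPAIR = 1       # vendor sub-type for cisco-av-pair: the "001"

def encode_avpair(value):
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute (RFC 2865, 5.26)."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    total = 2 + 4 + len(sub)            # type + length + vendor id + sub-attribute
    if total > 255:
        raise ValueError("av-pair too long for a single RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, CISCO_VENDOR_ID) + sub

def decode_avpairs(attrs):
    """Walk a RADIUS attribute list and return every cisco-av-pair string in it."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if (vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR) and 2 <= vlen <= len(body) - 4:
                found.append(body[6:4 + vlen].decode("ascii"))
        i += alen
    return found

def admin_capabilities(avpairs):
    """Collect the '+'-separated values of aironet:admin-capability, if present."""
    caps = set()
    for pair in avpairs:
        key, sep, val = pair.partition("=")
        if sep and key == "aironet:admin-capability":
            caps.update(c for c in val.split("+") if c)
    return caps

# Constructed sample: attribute list of an Access-Accept for an admin user
# (a Reply-Message, type 18, followed by the av-pair from this thread).
SAMPLE_ATTRS = bytes([18, 4]) + b"ok" + encode_avpair(
    "aironet:admin-capability=write+ident+admin+firmware")

if __name__ == "__main__":
    pairs = decode_avpairs(SAMPLE_ATTRS)
    print(pairs, sorted(admin_capabilities(pairs)))
```

An empty result from `admin_capabilities` on a captured reply means the av-pair was not returned for that user or group.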

It looks like I cannot have a Radius(Aironet) and a Radius(IOS/PIX) AAA client for the same IP address. Is it possible to have RADIUS authentication for wireless clients as well as user authentication for Access Point management? If so, what is the trick?
