cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
552
Views
0
Helpful
3
Replies

Local Radius (WDS) & ACS (LEAP Clients)

rodavidson
Level 1
Level 1

I'm attempting to setup a 1200 AP with 12.2(13)JA1 to locally authenticate WDS, but to have LEAP clients authenticate back to the ACS Server. I first get client auth working to the ACS server, then add the WDS config. At this point WDS registers correctly, but clients can no longer authenticate.

Is this a invalid design or a bug?

aaa new-model

!

aaa group server radius rad_eap

server 10.1.0.3 auth-port 1645 acct-port 1646

!

aaa group server radius wlse_infra_rad

server 10.1.0.30 auth-port 1812 acct-port 1813

!

aaa authentication login eap_methods group rad_eap

aaa authentication login method_wlse_infra_rad group wlse_infra_rad

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption key 1 size 128bit <WEP KEY> transmit-key

encryption mode wep mandatory

!

ssid tsunami

authentication open

authentication network-eap eap_methods

!

radius-server local

nas 10.1.0.30 key <SHARED KEY>

user wlse_user nthash <WLSE USER PSWD>

!

radius-server host 10.1.0.3 auth-port 1645 acct-port 1646 key <SHARED KEY>

radius-server host 10.1.0.30 auth-port 1812 acct-port 1813 key <SHARED KEY>

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

bridge 1 route ip

!

wlccp authentication-server infrastructure method_wlse_infra_rad

wlccp wds priority 255 interface BVI1

wlccp wnm ip address 10.1.0.11

wlccp ap username wlse_user password <WLSE USER PSWD>

3 Replies 3

rodavidson
Level 1
Level 1

FYI, the IP Address of this AP is 10.1.0.30 and I did cut out a number of lines from the sample config I used.

First let me state that I have only configured WDS once on 2 AP's for testing. So I am no expert.

But it seemed like I had to configure the WDS server groups. One for infrastructure authentication for the AP's. Then a second WDS server group for client authentication. I'm not sure if this is the required configuration, but that's the only way I got both clients and AP's to authenticate.

Let me know if it works.

GOT IT!!

aaa new-model

!

aaa group server radius rad_eap

server 10.1.0.3 auth-port 1645 acct-port 1646

!

aaa group server radius wlccp_rad_infra

server 10.1.0.30 auth-port 1812 acct-port 1813

!

aaa group server radius wlccp_rad_leap

server 10.1.0.3 auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login wlccp_infra group wlccp_rad_infra

aaa authentication login wlccp_leap_client group wlccp_rad_leap

aaa authorization exec default local

aaa session-id common

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption key 1 size 128bit transmit-key

encryption mode wep mandatory

!

ssid tsunami

authentication open

authentication network-eap eap_methods

!

radius-server local

nas 10.1.0.30 key

user wlse_user nthash

!

radius-server host 10.1.0.3 auth-port 1645 acct-port 1646 key

radius-server host 10.1.0.30 auth-port 1812 acct-port 1813 key

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

bridge 1 route ip

!

wlccp authentication-server infrastructure wlccp_infra

wlccp authentication-server client leap wlccp_leap_client

wlccp wds priority 255 interface BVI1

wlccp wnm ip address 10.1.0.11

wlccp ap username wlse_user password

Review Cisco Networking for a $25 gift card