krock83

join:2010-03-02

Wireless 881 user Authentication via Radius

Hello...

So far on this guy I have figured out how to get it to work using the local database for the users to authenticate against, but our goal is to authenticate against a RADIUS server that we have in place for existing Juniper APs.

I have looked at some documentation out there and I can't seem to find what I'm looking for. What I need to find is an example of how to set up a RADIUS server that the wireless users can authenticate against.

If anyone has done such a config and can help, I would appreciate it.

Thanks


Da Geek Kid

join:2003-10-11
::1
kudos:1
It really depends what you are trying to accomplish. RADIUS is generally used with LDAP/AD, where users are set up to be in a specific VLAN when they sign in. In its simplest form you should be able to set up a list of users on RADIUS (i.e. local users) and have the 881W authenticate against it.

You might want to look at AAA RADIUS authentication on Cisco. It would be something like »www.cisco.com/en/US/docs/wireles ··· acs.html

krock83

join:2010-03-02
reply to krock83
Thanks Da Geek Kid,

Below is what I have so far. I have followed the documentation you provided. The only thing is that I can't see the network being broadcast anywhere.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 881W_AP
!
logging rate-limit console 9
enable secret 5 $$GFCVYUIHTRTYGVBF+__)()(&
!
aaa new-model
!
!
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid Test1
   vlan 1
   accounting accounting-list-for-Test1
!
!
!
username test password 7 0000000000000
username admin privilege 15 secret 5 $1$()!@#$SFGKKghgDFGH
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip 
 !
 ssid Test1
 !
 antenna gain 0
 station-role root
!         
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!         
interface BVI1
 ip address 172.30.252.15 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.30.252.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 172.25.0.223 auth-port 1841 acct-port 1618 timeout 5 retransmit 3 key 7 0000000000000582255
bridge 1 route ip
!
!
!
line con 0
 no activation-character
line vty 0 4
 exec-timeout 60 0
!
end
 
881W_AP# 
 
881W_AP# sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       172.30.252.15   YES manual up                    up      
Dot11Radio0                unassigned      YES NVRAM  up                    up      
Dot11Radio0.1              unassigned      YES unset  up                    up      
GigabitEthernet0           unassigned      YES NVRAM  up                    up      
GigabitEthernet0.1         unassigned      YES unset  up                    up      
881W_AP#
 

If I add the following few commands I can get it to broadcast, but the local wireless users will be authenticating against the local database that is on the AP, not the RADIUS server.

dot11 ssid My SSID Name
 Vlan 1
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 MyWirelessNetworkPassword
 guest-mode
 exit
 

Am I missing something easy here?

krock83

join:2010-03-02
reply to krock83
I got it to broadcast by adding

dot11 ssid My SSID Name
   vlan 1
   authentication open
   authentication key-management wpa
 

Now when I try to connect, I get this on the console screen of the AP:

*Oct 22 05:49:31.811: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   001f.e1cf.6164 Associated KEY_MGMT[WPA]
*Oct 22 05:49:46.851: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.e1cf.6164 Reason: Sending station has left the BSS 
 

I will run Wireshark on the RADIUS server to see if it's trying to establish communication. I can ping the server from the AP, but it looks like it is not authenticating against it.


Da Geek Kid

join:2003-10-11
::1
kudos:1
reply to krock83
Your config is missing the AAA for RADIUS...
It is recommended to use AES instead of TKIP.

krock83

join:2010-03-02
reply to krock83
According to the documentation, I was supposed to add only this:

 
AP(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
AP(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
AP(config)# dot11 ssid batman
AP(config-ssid)# accounting accounting-method-list
 

krock83

join:2010-03-02
reply to krock83
I thought that the aaa authentication/accounting commands were for TACACS-type use, for logging into devices?


Da Geek Kid

join:2003-10-11
::1
kudos:1
TACACS and RADIUS for dot1x as well...

Look at the link I posted earlier; here's the section: »www.cisco.com/en/US/docs/wireles ··· p1035086

krock83

join:2010-03-02
reply to krock83
I don't think this will work. I have tried every combination that is in that document and still no success.


Da Geek Kid

join:2003-10-11
::1
kudos:1
I might have misunderstood you. Are you planning on using Juniper APs instead of the Cisco? If that's the case, are you trying to make the router the Wireless LAN Controller? Because that will not work. Juniper/Cisco APs only work with their own proprietary WLCs. Aruba has been known to work with both of them, although not all the features would be available.

krock83

join:2010-03-02
reply to krock83
NO,

We are switching from Juniper/Trapeze APs; that is why we got this 881W, to test it out and see how it will perform. The only snag that I am running into is that we have to use the RADIUS server for the end users to authenticate against when connecting to wireless.

krock83

join:2010-03-02
reply to krock83
So I was able to connect to wireless by leaving out some of the commands that encrypt the data.

This works using RADIUS, but the data is not encrypted:

dot11 ssid 881W_Test
   vlan 1
   authentication open 
   accounting 881W_Test-Accounting_Method
   guest-mode
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !        
 ssid 881W_Test
 !
 antenna gain 0
 station-role root
 

But when I add this command to the SSID:

authentication key-management wpa
 

and this command to the interface Dot11Radio0:

encryption vlan 1 mode ciphers tkip
 

I lose connection. Why would it be that it is working without encryption but loses connectivity when adding encryption?


Da Geek Kid

join:2003-10-11
::1
kudos:1
OK, not sure about the exact situation, but here's a sample config for EAP using AES:

aaa group server radius rad_eap
 server 192.168.1.113 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
dot11 ssid test123
   vlan 22
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 22 mode ciphers aes-ccm
 !
 ssid test123

krock83

join:2010-03-02
reply to krock83
See, I tried something similar to that earlier, and it would lock me out of the AP. Then I would have to erase and start over.

What a pain in the rear. It works without the encryption but not with the encryption.


Da Geek Kid

join:2003-10-11
::1
kudos:1
lol... AAA noob issue... pretty simple really.

You would need to be logged in as an admin to modify things. You would also need an enable secret as well... That should fix you right up.

AAA modification requires a valid user with the proper authorization to do so. An enable secret grants you the right to modify as you please, unless RADIUS says no....

krock83

join:2010-03-02
reply to krock83
Yes, but do I really need that? I already have TACACS configured on the AP for my logging purposes.


Da Geek Kid

join:2003-10-11
::1
kudos:1
TACACS can be used for device management, and RADIUS for network access, all under AAA.

aryoba
Premium,MVM
join:2002-08-22
kudos:6
reply to krock83
said by krock83:

I lose connection. Why would it be that it is working without encryption but loses connectivity when adding encryption?

I'm guessing you also use VLAN 1 for management. Did you try dedicating a different VLAN (e.g. VLAN 2 or 3) to wireless users, separate from the management VLAN?

krock83

join:2010-03-02
reply to krock83
@aryoba

Yes, I tried it with a different VLAN this morning (VLAN 4), but still no luck.

krock83

join:2010-03-02

reply to krock83
Got it figured out:

aaa group server radius test
 server-private 172.18.25.1 auth-port 1645 acct-port 1646 key 7 120E0C1FB41552GJNHGA
!
aaa authentication login eap_test group test
aaa authorization exec default local 
!
aaa session-id common
!
dot11 ssid 881W_Test
   vlan 4
   authentication open eap eap_test 
   authentication key-management wpa optional
   guest-mode
 
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 4 mode ciphers aes-ccm tkip wep128 
 !
 broadcast-key vlan 4 change 30
 !
 !
 ssid 881W_Test
 !
 antenna gain 0
 station-role root
 

Thanks for all the help
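The first config in this thread had a `radius-server host` line but nothing binding the SSID to a RADIUS method list, so wireless users fell through to the local database; the final post wires the SSID to `aaa authentication login eap_test group test`. As an added example (not from the thread), this Python linter checks an IOS autonomous-AP running-config for exactly that chain; the two embedded sample configs are constructed, and the parser assumes `show running-config` indentation (sub-commands indented, top-level commands not).

```python
# Added example (not from the thread): lint an IOS autonomous-AP running-config for
# the RADIUS/EAP wiring discussed above: each `dot11 ssid` needs `authentication open
# eap <list>`, <list> needs `aaa authentication login <list> group <grp>`, and <grp>
# needs an `aaa group server radius` with a server. Assumes running-config indentation.
import re

def parse_ap_config(text):
    """Return (ssid -> eap list or None, login list -> group, group -> servers)."""
    ssid_eap, login_groups, radius_groups = {}, {}, {}
    block = None                      # (kind, name) of the open indented block
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith('!'):
            continue                  # blank line or separator
        if not raw.startswith(' '):   # top-level command closes any open block
            block = None
            if m := re.match(r'dot11 ssid (.+)', cmd):
                block = ('ssid', m.group(1))
                ssid_eap.setdefault(m.group(1), None)
            elif m := re.match(r'aaa group server radius (\S+)', cmd):
                block = ('group', m.group(1))
                radius_groups.setdefault(m.group(1), [])
            elif m := re.match(r'aaa authentication login (\S+) group (\S+)', cmd):
                login_groups[m.group(1)] = m.group(2)
        elif block and block[0] == 'ssid':
            if m := re.match(r'authentication open eap (\S+)', cmd):
                ssid_eap[block[1]] = m.group(1)
        elif block and block[0] == 'group':
            if m := re.match(r'server(?:-private)? (\S+)', cmd):
                radius_groups[block[1]].append(m.group(1))
    return ssid_eap, login_groups, radius_groups

def lint_radius_wiring(text):
    """Return problems as strings; an empty list means every SSID reaches RADIUS."""
    ssid_eap, login_groups, radius_groups = parse_ap_config(text)
    problems = []
    for ssid, eap_list in ssid_eap.items():
        if eap_list is None:          # the thread's first config: local database only
            problems.append(f"{ssid}: no 'authentication open eap <list>'")
        elif (grp := login_groups.get(eap_list)) is None:
            problems.append(f"{ssid}: login list '{eap_list}' is not defined")
        elif not radius_groups.get(grp):
            problems.append(f"{ssid}: radius group '{grp}' is undefined or empty")
    return problems

# Constructed samples: BROKEN mirrors the thread's first config, FIXED the final one.
BROKEN = "dot11 ssid Test1\n   vlan 1\n!\nradius-server host 172.25.0.223 key 7 X\n"
FIXED = ("aaa group server radius test\n server-private 172.18.25.1 key 7 X\n!\n"
         "aaa authentication login eap_test group test\n!\n"
         "dot11 ssid 881W_Test\n   vlan 4\n   authentication open eap eap_test\n")
```

Running `lint_radius_wiring` over a full `show running-config` dump flags every SSID whose EAP list or RADIUS group is missing, which is the gap the thread spent most of its posts chasing.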