I'm digging into my trouble spots as the lab date gets closer. There are many configurations I've never implemented through the course of work I've done as a wireless engineer.. now it is time to get into unfamiliar territory, no matter how simple it is.
Section 4.09 - Implement AAA (WLC to Radius/LDAP)
To start this off - there have been many configurations I've done where I've pointed a WLC to a RADIUS server & given each a shared secret, but I've never setup an AP to be its own RADIUS server, or pointed an autonomous AP at a RADIUS server. I tackled these configurations this week.
Pointing an AP to itself for RADIUS authentication was pretty straight forward once I used the right IP address for the RADIUS server..
debug radius auth
debug radius local-server
These two commands are what made it clear that something was really wrong, and explained why the RADIUS auth was timing out.
*Mar 3 22:15:01.564: RADIUS: no sg in radius-timers: ctx 0x139F050 sg 0x0000
*Mar 3 22:15:01.564: RADIUS: Fail-over to (192.168.1.1:1645,1646) for id 1645/2
The AP's IP address was 192.168.1.2 - and I'd mistakenly entered 192.168.1.1 - should have been obvious, but I missed the error initially.
They key entries in the AP config were (in this order):
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp pool DHCP_POOL
network 192.168.1.0 255.255.255.0
aaa group server radius rad_eap
server 192.168.1.2 auth-port 1812 acct-port 1813
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 0 radiuskey
radius-server vsa send accounting
nas 192.168.1.2 key 0 radiuskey
user jsmith password 0 jsmithpassword group admins
aaa authentication login eap_methods group rad_eap
dot11 ssid WPA
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
References for the configuration were found on Cisco's site:
LEAP Authentication on a Local RADIUS Server
Configuring an Access Point as a Local Authenticator
How to configure different security options on a Cisco AP