Tuesday, December 8, 2009

AP as Local Authenticator (RADIUS)

I'm digging into my trouble spots as the lab date gets closer. There are many configurations I've never implemented through the course of the work I've done as a wireless engineer; now it is time to get into unfamiliar territory, no matter how simple it is.

Section 4.09 - Implement AAA (WLC to Radius/LDAP)
To start this off - there have been many configurations I've done where I've pointed a WLC to a RADIUS server and given each a shared secret, but I've never set up an AP to be its own RADIUS server, or pointed an autonomous AP at a RADIUS server. I tackled these configurations this week.

Pointing an AP to itself for RADIUS authentication was pretty straightforward once I used the right IP address for the RADIUS server.

debug radius auth
debug radius local-server

These two debug commands made it clear that something was really wrong, and explained why the RADIUS authentication was timing out: the AP was trying to fail over to the legacy default ports (1645/1646) on a server entry that was not itself.

*Mar  3 22:15:01.564: RADIUS: no sg in radius-timers: ctx 0x139F050 sg 0x0000
*Mar  3 22:15:01.564: RADIUS: Fail-over to (,1646) for id 1645/2

The AP's IP address was - and I'd mistakenly entered - should have been obvious, but I missed the error initially.

The key entries in the AP config were (in this order):

! Local DHCP scope so test clients get an address from the AP itself
ip dhcp excluded-address
ip dhcp pool DHCP_POOL

! Server group the EAP login list will use; the server here must be the AP's own (BVI1) address
aaa new-model
aaa group server radius rad_eap
 server auth-port 1812 acct-port 1813

! The RADIUS "server" is the AP itself, on the same ports the local authenticator listens on
radius-server host auth-port 1812 acct-port 1813 key 0 radiuskey
radius-server vsa send accounting

! Local authenticator: the nas entry is the AP's own address and must use the same shared secret
radius-server local
  nas key 0 radiuskey
  group admins
    ssid WPA
  user jsmith password 0 jsmithpassword group admins

! Login list that ties the SSID's EAP authentication to the server group
aaa authentication login eap_methods group rad_eap

dot11 ssid WPA
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   infrastructure-ssid optional

Two things worth keeping in mind with this setup. The AP's local authenticator only handles LEAP, EAP-FAST and MAC-address authentication, and LEAP's challenge/response can be dictionary-attacked offline from a single captured exchange (asleap), so EAP-FAST is the method to use for anything beyond a lab. Also, `key 0` and `password 0` store the shared secret and user password in cleartext in the running config, so treat the config as sensitive.
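The mistake above (a `radius-server host` address that is not the AP's own BVI1 address) is easy to miss by eye, so here is a small lint that checks the pieces of an autonomous-AP config for exactly that kind of mismatch. This is an added example, not code from the original post or from Cisco; the two sample configs are constructed, and the addresses, shared secret, user and SSID names in them are assumptions. The check goes a little beyond the post's single error: it also confirms the `nas` entry, shared secrets, auth ports, server group, login list and SSID references all line up.

```python
"""Consistency check for an autonomous Cisco IOS AP acting as its own RADIUS
server.  Added example, not code from the original post; the sample configs
below are constructed, and the addresses, names and keys are assumptions."""
import re

# Port the local authenticator listens on in the post's config (auth-port 1812).
LOCAL_AUTH_PORT = 1812
# Port IOS uses for 'radius-server host' when auth-port is omitted.
IOS_DEFAULT_AUTH_PORT = 1645


def parse_ap_config(text):
    """Extract the fields that must agree for an AP to authenticate against itself."""
    cfg = {
        "bvi_ip": None,        # ip address on interface BVI1
        "hosts": [],           # (ip, auth_port, key) from radius-server host
        "nas": [],             # (ip, key) from 'nas' lines under radius-server local
        "group_servers": {},   # aaa group name -> [(ip, auth_port)]
        "login_lists": {},     # aaa login list name -> server group name
        "ssids": {},           # dot11 ssid name -> set of login lists it uses
        "local_ssids": set(),  # ssids granted to a user group in the local server
    }
    section = ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if not raw.startswith(" "):  # an unindented line opens a new config section
            section = s
        if section.startswith("interface BVI1") and s.startswith("ip address "):
            cfg["bvi_ip"] = s.split()[2]
        elif (m := re.match(r"radius-server host (\S+)(?: auth-port (\d+))?(?: acct-port \d+)? key \d (\S+)", s)):
            cfg["hosts"].append((m.group(1), int(m.group(2) or IOS_DEFAULT_AUTH_PORT), m.group(3)))
        elif section.startswith("radius-server local") and (m := re.match(r"nas (\S+) key \d (\S+)", s)):
            cfg["nas"].append((m.group(1), m.group(2)))
        elif section.startswith("radius-server local") and (m := re.match(r"ssid (\S+)", s)):
            cfg["local_ssids"].add(m.group(1))
        elif section.startswith("aaa group server radius") and (m := re.match(r"server (\S+)(?: auth-port (\d+))?", s)):
            group = section.split()[-1]
            cfg["group_servers"].setdefault(group, []).append((m.group(1), int(m.group(2) or IOS_DEFAULT_AUTH_PORT)))
        elif (m := re.match(r"aaa authentication login (\S+) group (\S+)", s)):
            cfg["login_lists"][m.group(1)] = m.group(2)
        elif section.startswith("dot11 ssid") and (m := re.match(r"authentication (?:open eap|network-eap) (\S+)", s)):
            cfg["ssids"].setdefault(section.split()[-1], set()).add(m.group(1))
    return cfg


def lint(cfg):
    """Return human-readable problems; an empty list means the pieces agree."""
    problems = []
    if cfg["bvi_ip"] is None:
        problems.append("no ip address configured on interface BVI1")
    nas_keys = dict(cfg["nas"])
    for ip, port, key in cfg["hosts"]:
        if cfg["bvi_ip"] and ip != cfg["bvi_ip"]:
            problems.append(f"radius-server host {ip} is not the AP's own address {cfg['bvi_ip']}")
        if ip not in nas_keys:
            problems.append(f"no 'nas {ip}' entry under radius-server local, so the AP is not an allowed NAS")
        elif nas_keys[ip] != key:
            problems.append(f"shared secret for {ip} differs between radius-server host and its nas entry")
        if port != LOCAL_AUTH_PORT:
            problems.append(f"radius-server host {ip} sends to auth-port {port}, local authenticator expects {LOCAL_AUTH_PORT}")
    host_ports = {ip: port for ip, port, _ in cfg["hosts"]}
    for group, servers in cfg["group_servers"].items():
        for ip, port in servers:
            if ip not in host_ports:
                problems.append(f"aaa group {group} lists server {ip} with no radius-server host line")
            elif host_ports[ip] != port:
                problems.append(f"aaa group {group}: server {ip} auth-port {port} does not match radius-server host auth-port {host_ports[ip]}")
    for lst, group in cfg["login_lists"].items():
        if group not in cfg["group_servers"]:
            problems.append(f"login list {lst} uses undefined server group {group}")
    for ssid, lists in cfg["ssids"].items():
        for lst in sorted(lists - set(cfg["login_lists"])):
            problems.append(f"ssid {ssid} uses undefined login list {lst}")
        if ssid not in cfg["local_ssids"]:
            problems.append(f"ssid {ssid} is not granted to any user group in the local server")
    return problems


# Constructed sample reproducing the post's mistake: the AP is 10.10.1.5 but the
# RADIUS host line (and the server group) point at 10.10.1.50.
BAD_CONFIG = """\
interface BVI1
 ip address 10.10.1.5 255.255.255.0
!
aaa new-model
aaa group server radius rad_eap
 server 10.10.1.50 auth-port 1812 acct-port 1813
!
radius-server host 10.10.1.50 auth-port 1812 acct-port 1813 key 0 radiuskey
radius-server vsa send accounting
!
radius-server local
  nas 10.10.1.5 key 0 radiuskey
  group admins
    ssid WPA
  user jsmith password 0 jsmithpassword group admins
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid WPA
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
"""
# Corrected sample: every server reference is the AP's own address.
GOOD_CONFIG = BAD_CONFIG.replace("10.10.1.50", "10.10.1.5")

if __name__ == "__main__":
    for name, text in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, lint(parse_ap_config(text)) or ["ok"])
```

Run it against `show running-config` output pasted into a file; the bad sample reports the wrong host address and the missing `nas` entry for it, the corrected one reports nothing.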

References for the configuration were found on Cisco's site:

LEAP Authentication on a Local RADIUS Server
Configuring an Access Point as a Local Authenticator
How to configure different security options on a Cisco AP

