Tuesday, December 8, 2009

AP as Local Authenticator (RADIUS)


I'm digging into my trouble spots as the lab date gets closer.  There are many configurations I've never implemented through the course of work I've done as a wireless engineer. Now it is time to get into unfamiliar territory, no matter how simple it is.


Section 4.09 - Implement AAA (WLC to Radius/LDAP)
To start this off - there have been many configurations I've done where I've pointed a WLC to a RADIUS server & given each a shared secret, but I've never set up an AP to be its own RADIUS server, or pointed an autonomous AP at a RADIUS server.  I tackled these configurations this week.


Pointing an AP to itself for RADIUS authentication was pretty straightforward once I used the right IP address for the RADIUS server.

debug radius auth
debug radius local-server

These two commands are what made it clear that something was really wrong, and explained why the RADIUS auth was timing out.


*Mar  3 22:15:01.564: RADIUS: no sg in radius-timers: ctx 0x139F050 sg 0x0000
*Mar  3 22:15:01.564: RADIUS: Fail-over to (192.168.1.1:1645,1646) for id 1645/2


The AP's IP address was 192.168.1.2, and I'd mistakenly entered 192.168.1.1. It should have been obvious, but I missed the error initially.

The key entries in the AP config were (in this order):

! DHCP for wireless clients; .1 to .5 are kept out of the pool
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp pool DHCP_POOL
   network 192.168.1.0 255.255.255.0
!
! RADIUS client side: the server address is the AP's own address (192.168.1.2),
! and the ports must match what the local server listens on (1812/1813)
aaa new-model
aaa group server radius rad_eap
 server 192.168.1.2 auth-port 1812 acct-port 1813
!
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 0 radiuskey
radius-server vsa send accounting
!
! RADIUS server side (local authenticator): the AP lists itself as a NAS
! with the same shared secret used above, and the group restricts users to the SSID
radius-server local
  nas 192.168.1.2 key 0 radiuskey
  group admins
    ssid WPA
  user jsmith password 0 jsmithpassword group admins
!
! EAP method list pointing at the server group, and the SSID that uses it
! (the dot11 radio interface also needs a cipher, e.g. encryption mode ciphers tkip,
! and the ssid bound to it; those lines are not shown here)
aaa authentication login eap_methods group rad_eap
!
dot11 ssid WPA
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   guest-mode
   infrastructure-ssid optional
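As an added example (my own script, not from this post or from Cisco): a small Python lint that reads an autonomous AP config and flags the exact mistake described above, a radius-server host line that does not match the AP's own BVI address even though radius-server local is configured, plus a few related consistency checks (the NAS entry, server-group members, and SSIDs allowed by the local group). The sample config is constructed for the demo and deliberately repeats the 192.168.1.1 typo.

```python
import re
# Constructed sample config (not the post's text): BVI is 192.168.1.2, host line has the typo.
BAD_CONFIG = """\
interface BVI1
 ip address 192.168.1.2 255.255.255.0
aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1812 acct-port 1813
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key 0 radiuskey
radius-server local
  nas 192.168.1.2 key 0 radiuskey
  group admins
    ssid WPA
  user jsmith password 0 jsmithpassword group admins
dot11 ssid WPA
"""

def _block(cfg, header):
    # subcommand lines indented under the first top-level line starting with header
    out, inside = [], False
    for line in cfg.splitlines():
        if line.startswith(header):
            inside = True
        elif inside and line[:1] in (" ", "\t"):
            out.append(line.strip())
        elif inside:
            break
    return out

def lint_local_radius(cfg):
    """Findings for an AP that is meant to be its own RADIUS server."""
    findings = []
    m = re.search(r"^interface BVI\d+\n[ \t]+ip address (\S+)", cfg, re.M)
    ap_ip = m.group(1) if m else None
    hosts = re.findall(r"^radius-server host (\S+)", cfg, re.M)
    local = _block(cfg, "radius-server local")
    nas_ips = [l.split()[1] for l in local if l.startswith("nas ")]
    if re.search(r"^radius-server local", cfg, re.M) and ap_ip:
        for h in hosts:
            if h != ap_ip:  # the mismatch behind "Fail-over to (192.168.1.1:1645,1646)"
                findings.append(f"radius-server host {h} is not the AP itself ({ap_ip})")
        if ap_ip not in nas_ips:
            findings.append(f"missing 'nas {ap_ip}': the AP would reject its own requests")
    for s in (l.split()[1] for l in _block(cfg, "aaa group server radius") if l.startswith("server ")):
        if s not in hosts:
            findings.append(f"server-group member {s} has no radius-server host entry")
    dot11 = re.findall(r"^dot11 ssid (\S+)", cfg, re.M)
    for ssid in (l.split()[1] for l in local if l.startswith("ssid ")):
        if ssid not in dot11:
            findings.append(f"local-authenticator group allows undefined ssid {ssid}")
    return findings
```

Run it against a "show running-config" capture; an empty list means the client side, the local server side and the SSID definitions agree with each other.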


References for the configuration were found on Cisco's site:

LEAP Authentication on a Local RADIUS Server
Configuring an Access Point as a Local Authenticator
How to configure different security options on a Cisco AP

