Autonomous AP: local authenticator and 802.1X

Unanswered Question
Mar 3rd, 2010

I have to configure an Autonomous AP 1141 with these requirements:

- AP must act as a local authenticator, no radius server is available

- each user trying to connect to the wireless network must be prompted for personal credentials: if the credentials are correct, the user is granted network access (in other words, I have to set up 802.1X)

This is the configuration I've prepared, but so far I am not prompted for any username/password. Can anybody enlighten me?

aaa new-model
!
!
!
aaa authentication login default group radius
aaa authentication login console none
aaa authentication login vty local
aaa authorization exec default local
!
!
dot11 syslog
!
dot11 ssid WiFi-1
   vlan 225
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid WiFi-2
   vlan 224
   authentication open
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
!
power inline negotiation injector override
eap profile EAP
method fast
!
!
!
username Cisco password 7 106D000A0618
username admin privilege 15 secret 5 ############################
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 225 mode ciphers aes-ccm
!
encryption vlan 224 mode ciphers aes-ccm
!
ssid WiFi-1
!
ssid WiFi-2
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.224
encapsulation dot1Q 224
no ip route-cache
bridge-group 224
bridge-group 224 subscriber-loop-control
bridge-group 224 block-unknown-source
no bridge-group 224 source-learning
no bridge-group 224 unicast-flooding
bridge-group 224 spanning-disabled
!
interface Dot11Radio0.225
encapsulation dot1Q 225
no ip route-cache
bridge-group 225
bridge-group 225 subscriber-loop-control
bridge-group 225 block-unknown-source
no bridge-group 225 source-learning
no bridge-group 225 unicast-flooding
bridge-group 225 spanning-disabled
!
interface Dot11Radio0.229
encapsulation dot1Q 229 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.224
encapsulation dot1Q 224
no ip route-cache
bridge-group 224
no bridge-group 224 source-learning
bridge-group 224 spanning-disabled
!
interface GigabitEthernet0.225
encapsulation dot1Q 225
no ip route-cache
bridge-group 225
no bridge-group 225 source-learning
bridge-group 225 spanning-disabled
!
interface GigabitEthernet0.229
description ** MANAGEMENT **
encapsulation dot1Q 229 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.2.29.71 255.255.255.0
no ip route-cache
!
ip default-gateway 10.2.29.1
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  nas 10.2.29.71 key 7 06040334494C0601
  group 1
    vlan 225
    ssid WiFi-1
  !
  group 2
    vlan 224
    ssid WiFi-2
  !
 
  user test nthash 7 040B2824597818165149503145525B260C790570616D72445E4150230E000D0003 group 1
  user guest nthash 7 0353782E545E071D192A492432375C2A267308010A126071412346565500787C05 group 2
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.2.29.71 auth-port 1812 acct-port 1813 key 7 121B09021709031C
radius-server vsa send accounting
bridge 1 route ip

DejanMilicevic Wed, 03/03/2010 - 06:00

Some sunshine to enlighten you.

Just after your post I wrote about a similar problem. So this is not an answer, just a small request to submit your solution if you succeed.
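
Added example, not part of the original thread: on autonomous IOS an SSID only starts 802.1X when it names an EAP method list (authentication open eap <list> or authentication network-eap <list>) and an aaa authentication login <list> line defines that list. The Python check below flags WPA SSIDs that lack either piece; the sample config and the list name eap_methods are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the posted configuration (WiFi-2 altered for contrast).
SAMPLE = """\
aaa new-model
aaa authentication login default group radius
dot11 ssid WiFi-1
   authentication open
   authentication key-management wpa version 2
!
dot11 ssid WiFi-2
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
"""

def parse_ssids(config):
    """Return {ssid_name: [sub-commands]} for each 'dot11 ssid' block."""
    ssids, current = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            current = ssids.setdefault(m.group(1), [])
        elif current is not None and line[:1].isspace() and line.strip():
            current.append(line.strip())
        else:
            current = None  # '!' or any unindented line closes the block
    return ssids

def audit(config):
    """Return (ssid, problem) pairs for WPA SSIDs that cannot run 802.1X."""
    defined = set(re.findall(r"^aaa authentication login (\S+) ", config, re.M))
    findings = []
    for name, cmds in parse_ssids(config).items():
        if not any(c.startswith("authentication key-management wpa") for c in cmds):
            continue
        if any(c.startswith("wpa-psk ") for c in cmds):
            continue  # pre-shared key SSID, 802.1X not expected
        refs = re.findall(r"^authentication (?:open .*\beap|network-eap) (\S+)",
                          "\n".join(cmds), re.M)
        if not refs:
            findings.append((name, "no EAP method list"))
        findings += [(name, "undefined method list " + r) for r in refs if r not in defined]
    return findings

if __name__ == "__main__":
    for ssid, problem in audit(SAMPLE):
        print(ssid, "->", problem)
```

The parser relies on SSID sub-commands being indented, as they are in a show running-config capture.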
