1140 access point integrate with radius

May 12th, 2010

Dear Sir,

I have a 1140 access point with WLC, so I can integrate with a Windows 2003 RADIUS server. I am facing a problem integrating with RADIUS.

Can anybody help with this issue?

Is there any certificate I need to install on the RADIUS server?

Is there any certificate I need to create on the access point? How can I create it? Please give a solution.

Waiting for your reply,

Regards

Configuration details:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8CA4$g0npz27lw2zwNEjEfiS.1.
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.1.10.126 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap2
server 10.1.10.126 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct2
server 10.1.10.126 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods2 start-stop group rad_acct2
!
aaa session-id common
ip domain name nupco.com
ip name-server 10.1.10.232
ip name-server 10.1.10.233
ip name-server 212.76.68.200
!
!
dot11 syslog
dot11 vlan-name Guest vlan 31
dot11 vlan-name LAN vlan 7
!
dot11 ssid NUPCO-GUEST
   vlan 31
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 10175B4955464A5A54507A
!
dot11 ssid NUPCO-LAN
   vlan 7
   authentication open
   authentication network-eap eap_methods2
   accounting acct_methods2
   mbssid guest-mode
   information-element ssidl advertisement
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 7 mode wep mandatory
!
ssid NUPCO-LAN
!
antenna gain 0
mbssid
speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
encapsulation dot1Q 7
no ip route-cache
bridge-group 7
bridge-group 7 subscriber-loop-control
bridge-group 7 block-unknown-source
no bridge-group 7 source-learning
no bridge-group 7 unicast-flooding
bridge-group 7 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 31 mode ciphers aes-ccm
!
ssid NUPCO-GUEST
!
antenna gain 0
no dfs band block
mbssid
speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.31
encapsulation dot1Q 31
no ip route-cache
bridge-group 31
bridge-group 31 subscriber-loop-control
bridge-group 31 block-unknown-source
no bridge-group 31 source-learning
no bridge-group 31 unicast-flooding
bridge-group 31 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.7
encapsulation dot1Q 7
no ip route-cache
bridge-group 7
no bridge-group 7 source-learning
bridge-group 7 spanning-disabled
!
interface GigabitEthernet0.31
encapsulation dot1Q 31
no ip route-cache
bridge-group 31
no bridge-group 31 source-learning
bridge-group 31 spanning-disabled
!
interface BVI1
ip address 10.1.2.192 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.2.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server view dot11view ieee802dot11 included
snmp-server community public view dot11view RO
snmp-server location ICT_Area
snmp-server contact [email protected]
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.10.126 auth-port 1645 acct-port 1646 key 7 1511021F07257A767B676074
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
dancampb Wed, 05/12/2010 - 06:03

I'll assume, since you are using an MS RADIUS server, that you are going to try to do PEAP or EAP-TLS, since I believe these are the only EAP types that server supports. Assuming that, yes, you will have to have certificates installed on the server but not on the AP. Depending on which EAP type you choose and how you configure the supplicant, you may need certificates on the clients too.

On the AP side you are currently set up to only do LEAP authentication for NUPCO-LAN. You need to change "authentication open" to "authentication open eap eap_methods2" if you want to support any other types of EAP.
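
The check described in the reply above can be run against a saved running-config. This is an added example, not part of the original thread or any Cisco tool: the names `parse_blocks` and `check_eap` are hypothetical, the sample is constructed from the NUPCO-LAN lines of the posted config, and blocks are assumed to end at a `!` line as they do in that config.

```python
import re

# Constructed sample: NUPCO-LAN and its AAA lines, reduced from the posted config.
SAMPLE = """\
aaa group server radius rad_eap2
 server 10.1.10.126 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods2 group rad_eap2
!
dot11 ssid NUPCO-LAN
   vlan 7
   authentication open
   authentication network-eap eap_methods2
!
"""

def parse_blocks(config, header):
    """Map block name -> body lines for blocks that start with `header`."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(header + " "):
            current = blocks.setdefault(line[len(header):].strip(), [])
        elif line.strip() == "!":          # assumption: "!" closes a block
            current = None
        elif current is not None and line.strip():
            current.append(line.strip())
    return blocks

def check_eap(config):
    """Return (ssid, finding) pairs for SSIDs that authenticate with EAP."""
    groups = parse_blocks(config, "aaa group server radius")
    lists = dict(re.findall(r"^aaa authentication login (\S+) group (\S+)", config, re.M))
    findings = []
    for ssid, body in parse_blocks(config, "dot11 ssid").items():
        net_eap = [l.split()[2] for l in body if l.startswith("authentication network-eap ")]
        open_eap = [l.split()[3] for l in body if l.startswith("authentication open eap ")]
        if net_eap and not open_eap:
            findings.append((ssid, "network-eap only: add 'authentication open eap %s'" % net_eap[0]))
        for name in sorted(set(net_eap + open_eap)):
            group = lists.get(name)
            if group is None:
                findings.append((ssid, "method list %s is not backed by a RADIUS group" % name))
            elif not any(l.startswith("server ") for l in groups.get(group, [])):
                findings.append((ssid, "group %s has no server" % group))
    return findings

if __name__ == "__main__":
    print(check_eap(SAMPLE))
```

Besides the missing `authentication open eap` line, it follows each method list to its RADIUS group and reports a group with no `server` entry, which would also leave EAP requests unanswered.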
