
wds ap radius and enable secret

davidfield
Level 3


Hello All

Can anyone assist? I have converted our APs to WDS. The original configs had a username and privilege 15 password and a higher level enable secret. Before the changes, when telnetting in I obtained the elevated # prompt to config. After the WDS config, where I applied aaa new-model, when I remote in I have to type in the secret password to gain # access. I understand the RADIUS config is the cause but I am not sure how to get back to a single sign-on to the # prompt.

Is anyone able to advise?

AP1_WDSHost#sh run
Building configuration...
Current configuration : 2864 bytes
!
! Last configuration change at 00:13:17 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1_WDSHost
!
!
logging rate-limit console 9
enable secret 5 $1$3rSL$AqddK0YdVjiZpbgRL0JSAvz/
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.100.51 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius Infrastructure
server 192.168.100.51 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_Infrastructure group Infrastructure
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
!
!
!
dot11 syslog
!
dot11 ssid Colgrims
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 1234567890
!
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 02250D480809
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm tkip
!
ssid Colgrims
!
antenna gain 0
station-role root
world-mode dot11d country-code GB indoor
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 192.168.100.51 255.255.255.0
!
ip default-gateway 192.168.100.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
  no authentication eapfast
  no authentication mac
  nas 192.168.100.51 key 7 120D041A025B1C54
  user infra nthash 7 135035465C5C257F0E017D6A1676455730515cccdsssa595741320D000F7106
  user infra2 nthash 7 135035465C5C257F0E017D6A1676455730515cccdsssa595741320D000F7106
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.100.51 auth-port 1812 acct-port 1813 key 7 1311161F1B5C147A
radius-server vsa send accounting
!
bridge 1 route ip
!
!
wlccp ap username infra password 7 111D180807421B5C
wlccp authentication-server infrastructure method_Infrastructure
wlccp wds priority 254 interface BVI1
!
line con 0
line vty 0 4
transport input all
!
end
AP1_WDSHost#$
AP1_WDSHost#

Regards
Dave

Sent from Cisco Technical Support iPad App

2 Replies

davidfield
Level 3

I found that the issue was only with the WDS clients and not the master. I added the following to the client config and this removed the need to enter the Enable Secret password for Priv access:

aaa authorization exec default local

Hope this helps someone
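
The behaviour described in this reply, as an added example that is not part of the original posts: a small Python audit that reads a running-config and reports which local users still land below privilege 15 on a vty login because `aaa new-model` is on without local exec authorization. The sample config, the `admin` username and the function names are constructed for illustration, and only the default method list is modelled.

```python
import re

# Constructed WDS-client config fragment (username and secrets are placeholders).
CLIENT_BEFORE = """\
enable secret 5 <placeholder-hash>
aaa new-model
username admin privilege 15 password 7 <placeholder>
line vty 0 4
 transport input all
"""
# Same fragment with the line from the reply added.
CLIENT_AFTER = CLIENT_BEFORE.replace(
    "aaa new-model\n",
    "aaa new-model\naaa authorization exec default local\n",
)

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
AUTHZ_RE = re.compile(r"^aaa authorization exec default\s+(.+)$", re.M)


def vty_landing_levels(config):
    """Return {local username: privilege level right after a vty login}.

    Models only the default method list: once 'aaa new-model' is on, a local
    user's configured privilege is applied at login only if exec authorization
    consults the local database; otherwise the session starts at level 1.
    """
    new_model = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    authz = AUTHZ_RE.search(config)
    local_authz = authz is not None and "local" in authz.group(1).split()
    levels = {}
    for name, priv in USER_RE.findall(config):
        configured = int(priv) if priv else 1  # IOS default is level 1
        applied = (not new_model) or local_authz
        levels[name] = configured if applied else 1
    return levels


def needs_enable(config):
    """Users configured for level 15 who still land below it (need 'enable')."""
    configured = {n: int(p) if p else 1 for n, p in USER_RE.findall(config)}
    landing = vty_landing_levels(config)
    return sorted(n for n, lvl in configured.items() if lvl == 15 and landing[n] < 15)


if __name__ == "__main__":
    for label, cfg in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(label, vty_landing_levels(cfg), "needs enable:", needs_enable(cfg))
```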

blenka
Level 3