11-06-2013 12:58 PM - edited 03-10-2019 09:04 PM
Hello All
Can anyone assist? I have converted our APs to WDS. The original configs had a username and privilege 15 password and a higher level enable secret. Before the changes, when telnetting in I obtained the elevated # prompt to config. After the WDS config, where I applied aaa new-model, when I remote in I have to type in the secret password to gain # access. I understand the RADIUS config is the cause but I am not sure how to get back to a single sign-on to the # prompt.
Is anyone able to advise?
AP1_WDSHost#sh run
Building configuration...
Current configuration : 2864 bytes
!
! Last configuration change at 00:13:17 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1_WDSHost
!
!
logging rate-limit console 9
enable secret 5 $1$3rSL$AqddK0YdVjiZpbgRL0JSAvz/
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.100.51 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius Infrastructure
server 192.168.100.51 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_Infrastructure group Infrastructure
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
!
!
!
dot11 syslog
!
dot11 ssid Colgrims
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 1234567890
!
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 02250D480809
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm tkip
!
ssid Colgrims
!
antenna gain 0
station-role root
world-mode dot11d country-code GB indoor
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 192.168.100.51 255.255.255.0
!
ip default-gateway 192.168.100.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
no authentication eapfast
no authentication mac
nas 192.168.100.51 key 7 120D041A025B1C54
user infra nthash 7 135035465C5C257F0E017D6A1676455730515cccdsssa595741320D000F7106
user infra2 nthash 7 135035465C5C257F0E017D6A1676455730515cccdsssa595741320D000F7106
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.100.51 auth-port 1812 acct-port 1813 key 7 1311161F1B5C147A
radius-server vsa send accounting
!
bridge 1 route ip
!
!
wlccp ap username infra password 7 111D180807421B5C
wlccp authentication-server infrastructure method_Infrastructure
wlccp wds priority 254 interface BVI1
!
line con 0
line vty 0 4
transport input all
!
end
AP1_WDSHost#$
AP1_WDSHost#
Regards
Dave
11-14-2013 05:06 AM
I found that the issue was only with the WDS clients and not the master. I added the following to the client config and this removed the need to enter the Enable Secret password for Priv access:
aaa authorization exec default local
Hope this helps someone
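Added example (not part of the original posts, and not Cisco code): a Python check that reads an IOS running-config and reports which local users land directly at the # prompt and which still have to enter the enable secret, which is the behaviour the `aaa authorization exec default local` line changes. The sample config, its usernames and the function name `exec_login_report` are constructed for illustration.

```python
import re

# Constructed sample of a WDS client AP config (not taken from the thread).
SAMPLE_CLIENT = """\
aaa new-model
aaa authentication login default local
username admin privilege 15 password 7 <redacted>
username guest password 7 <redacted>
line vty 0 4
 transport input all
"""

def exec_login_report(config: str) -> dict:
    """Summarise how local users reach privileged EXEC under this config."""
    lines = [l.strip() for l in config.splitlines()]
    new_model = "aaa new-model" in lines

    # Method list applied to EXEC sessions by default, e.g. ['local'].
    methods = []
    for l in lines:
        m = re.match(r"aaa authorization exec default (.+)$", l)
        if m:
            methods = m.group(1).split()

    # Local users and their privilege level (IOS default is 1 when omitted).
    users = {}
    for l in lines:
        m = re.match(r"username (\S+)(?: privilege (\d+))?", l)
        if m:
            users[m.group(1)] = int(m.group(2) or 1)

    # With aaa new-model, the username's privilege level is only applied at
    # login when EXEC authorization consults the local database.
    # Assumption: without aaa new-model the lines use "login local".
    local_authz = "local" in methods
    direct = sorted(u for u, p in users.items()
                    if p == 15 and (local_authz or not new_model))
    return {"aaa_new_model": new_model, "exec_authz": methods,
            "direct_priv15_users": direct,
            "needs_enable": sorted(set(users) - set(direct))}

if __name__ == "__main__":
    print("before:", exec_login_report(SAMPLE_CLIENT))
    fixed = SAMPLE_CLIENT + "aaa authorization exec default local\n"
    print("after: ", exec_login_report(fixed))
```

Run against saved configs, the `direct_priv15_users` list doubles as an inventory of accounts that get full privileges on a single password.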
11-17-2013 07:12 AM
This device will act as a WDS client AP.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080c1e2aa.shtml