New Member

Cisco 1602i + Authenticating users via RADIUS?

Hello,

Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:

aaa new-model
!
aaa group server radius rad_eap
 server 10.200.5.24
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone EST -5 0
ip cef
ip domain name gst
!
dot11 syslog
dot11 vlan-name guest vlan 255
dot11 vlan-name user vlan 140
!
dot11 ssid phoenix_2
   vlan 140
   band-select
   authentication open eap eap_methods
   mbssid guest-mode
!
dot11 ssid walker_2
   vlan 255
   band-select
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 0353035E535879191B
!
interface BVI1
 ip address 10.200.5.70 255.255.255.0
!
ip default-gateway 10.200.5.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.200.140.1
ip route 0.0.0.0 0.0.0.0 10.200.5.1
ip radius source-interface BVI1
!
access-list 111 permit tcp any any neq telnet
snmp-server community G!0bal RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
radius-server vsa send accounting

The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

5 REPLIES
VIP Purple

Re: Cisco 1602i + Authenticating users via RADIUS?

Hi Scott,

Follow this config example & see if you can get it working. Hopefully you should be able to fix it by yourself.

http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/

I can see multiple things are missing in your config (e.g. conflicting default routes, authentication key mgt missing on wlan, etc.)

HTH

Rasika

**** Pls rate all useful responses *****

New Member

Cisco 1602i + Authenticating users via RADIUS?

Thanks Rasika,

I will look this over and see what I can do.  Another question, about the default routes, I was unable to remove the 10.200.140.1 default route using the "no ip route..." command.  Is there something I'm missing?  The correct default route should be the 10.200.5.1.  When I entered the "no ip route.." command, it accepted it with no error but nothing happened.

VIP Purple

Re: Cisco 1602i + Authenticating users via RADIUS?

Hi Scott,

Try "erase startup-config" & then reboot your AP. So it should come up with zero configuration & then you can do the required configuration.

See whether in this way you can get rid of these duplicate default routes.

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Cisco 1602i + Authenticating users via RADIUS?

Thanks Rasika, your link worked.  I had the authentication key before, but I removed it while I was trying different things.  My main issue was not applying the list name to the ssid, the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specified by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.

I haven't tried the "erase startup-config" command yet, I will try that next. 

Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

VIP Purple

Cisco 1602i + Authenticating users via RADIUS?

Hi Scott,

That's great to hear.

Regarding authentication open (as shown below), it says authentication scheme can be open with EAP authentication. "network-eap" is required for certain clients (like anyconnect) with certain EAP methods (like LEAP).

A1142-1(config)#aaa authentication login EAP_MTD group RAD_GRP
!
A1142-1(config)#dot11 ssid TEST
A1142-1(config-ssid)#   authentication open eap EAP_MTD
A1142-1(config-ssid)#   authentication network-eap EAP_MTD
A1142-1(config-ssid)#   authentication key-management wpa version 2
!
A1142-1(config)#interface Dot11Radio1
A1142-1(config-if)# encryption vlan 143 mode ciphers aes-ccm

Pls do not forget to rate our responses if that helps you.

HTH

Rasika
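
Added example, not part of any post in this thread: a small Python check for the wiring the thread works out (SSID to method list to server group to radius-server host), plus the two problems pointed out in the first reply. The sample config is constructed from the one posted in the question; the function name and the finding texts are made up for this illustration.

```python
import re

# Constructed sample, trimmed from the configuration posted in the question.
SAMPLE = """\
aaa group server radius rad_eap
 server 10.200.5.24
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid phoenix_2
   authentication open eap eap_methods
!
ip route 0.0.0.0 0.0.0.0 10.200.140.1
ip route 0.0.0.0 0.0.0.0 10.200.5.1
radius-server host 10.200.5.24 key 7 <redacted>
"""

def lint(config):
    """Return findings about the RADIUS/EAP wiring of an autonomous AP config."""
    groups, methods, ssids, hosts, routes = {}, {}, {}, set(), []
    cur = None  # server-group set or SSID record that sub-commands apply to
    for line in map(str.strip, config.splitlines()):
        if line == "!":
            cur = None
        elif m := re.match(r"aaa group server radius (\S+)", line):
            cur = groups.setdefault(m[1], set())
        elif m := re.match(r"dot11 ssid (\S+)", line):
            cur = ssids.setdefault(m[1], {"eap": [], "keymgmt": False})
        elif isinstance(cur, set) and (m := re.match(r"server (\S+)", line)):
            cur.add(m[1])
        elif isinstance(cur, dict) and (
                m := re.match(r"authentication (?:open eap|network-eap) (\S+)", line)):
            cur["eap"].append(m[1])
        elif isinstance(cur, dict) and line.startswith("authentication key-management"):
            cur["keymgmt"] = True
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            methods[m[1]] = m[2]
        elif m := re.match(r"radius-server host (\S+)", line):
            hosts.add(m[1])
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            routes.append(m[1])
    findings = []
    if len(routes) > 1:
        findings.append("multiple default routes: " + ", ".join(routes))
    for name, s in ssids.items():
        for lst in s["eap"]:
            # The list must name a group whose server is a defined radius-server host.
            if not groups.get(methods.get(lst), set()) & hosts:
                findings.append(f"{name}: method list {lst} reaches no radius-server host")
        if s["eap"] and not s["keymgmt"]:
            findings.append(f"{name}: EAP without authentication key-management")
    return findings
```

On the sample, lint(SAMPLE) reports the two default routes and the missing key-management on phoenix_2; the method-list check passes because rad_eap contains 10.200.5.24.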
