Cisco Support Community
Community Member

AP as local authenticator + WPA2: howto?

Hi.

I wish to configure my Aironet 1131 to act as a local authenticator for the clients associating to it (Linux and Windows XP); once the clients have successfully authenticated, the communication should be encrypted with WPA2.

I have downloaded the Cisco IOS software configuration guide for Cisco access points and followed the steps described in chapters 8, 9, 10 and 12; however, I have surely missed something, since clients can't authenticate and I get no information from debug (authentication works only for the management user).

This is the relevant configuration of the AP:

aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
!
dot11 ssid TEST
 authentication open optional eap office
 authentication network-eap office
 authentication key-management wpa
 infrastructure-ssid
!
dot11 network-map
eap profile office
 method fast
!
username admin privilege 15 secret xxx
username test password xxx
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 ssid TEST
!
radius-server local
 no authentication mac
 eapfast authority id xxx
 eapfast authority info xxx
 eapfast server-key primary xxx
 nas 192.168.0.250 key xxx
 group office
  vlan 1
  ssid TEST
  reauthentication time 600
radius-server host 192.168.0.250 auth-port 1812 acct-port 1646
radius-server host 192.168.0.250 auth-port 1645 acct-port 1813

Is there something missing or wrong?

Thank you in advance

11 REPLIES
Hall of Fame Super Silver

Re: AP as local authenticator + WPA2: howto?

You only have management users configured on the access point:

username admin privilege 15 secret xxx

username test password xxx

You need to setup users:

AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# group office
AP(config-radsrv-group)# exit
AP(config-radsrv)# user testuser password testuser group office
AP(config-radsrv)# end
AP# wr mem

-Scott
*** Please rate helpful posts ***
Community Member

Re: AP as local authenticator + WPA2: howto?

My fault: I typed username instead of user!

Anyway, I still can't connect: is there any useful debug that can help me diagnose the problem?

On the clients, should I configure the ASCII password or the NT hash?

Hall of Fame Super Silver

Re: AP as local authenticator + WPA2: howto?

You need to use the password... post part of your new config so I can see it.

-Scott
*** Please rate helpful posts ***
Community Member

Re: AP as local authenticator + WPA2: howto?

Have you guys worked out a working config for this? If so - please post it :)

/KDam

Hall of Fame Super Silver

Re: AP as local authenticator + WPA2: howto?

Here is a config for WPA2 w/ EAP-FAST

Username is test

Password is test

Building configuration...

Current configuration : 2451 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret xxx
!
aaa new-model
!
aaa group server radius rad_eap
 server 192.168.1.16 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool DHCP
 network 192.168.1.0 255.255.255.0
 lease 0 1
!
dot11 ssid TEST
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
!
power inline negotiation prestandard source
!
username Cisco password xxx
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid TEST
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid TEST
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.16 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
 no authentication leap
 no authentication mac
 eapfast server-key primary xxx
 eapfast server-key secondary xxx
 nas 192.168.1.16 key xxx
 group EAP
  eapfast pac expiry 100 grace 2
  reauthentication time 3600
 !
 user test nthash xxx group EAP
!
radius-server host 192.168.1.16 auth-port 1812 acct-port 1813 key xxx
bridge 1 route ip
!
line con 0
line vty 0 4
!
end

-Scott
*** Please rate helpful posts ***
Community Member

Re: AP as local authenticator + WPA2: howto?

My current config looks quite different from the one posted by you, fella.

I have a few points I wish to discuss:

1) AAA

This is the configuration I have right now:

aaa new-model
!
aaa group server radius rad_eap
 server 192.168.0.250 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local if-authenticated
!
aaa session-id common
username admin privilege 15 secret 5

In this way, if I am right, we define a RADIUS group called rad_eap, made up of one host (the AP's own Ethernet address).

Then we define the ways to perform the authentication:

- login default local (for management)
- eap_methods group rad_eap (for clients).

How does this statement work in detail?

I have then defined an EAP profile:

eap profile casa
 method fast

Is it any good?

In the end, the final configuration I have looks like this:

!
aaa new-model
!
aaa group server radius rad_eap
 server 192.168.0.250 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local if-authenticated
!
aaa session-id common
!
resource policy
!
dot11 ssid test
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 infrastructure-ssid
!
eap profile casa
 method fast
!
username admin privilege 15 secret 5
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid test
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 192.168.0.250 255.255.255.0
 no ip route-cache
!
ip radius source-interface BVI1
radius-server local
 no authentication leap
 no authentication mac
 eapfast authority id AD9C4268375964D6B4D253DE48E59B0B
 eapfast authority info ad9c4268375964d6b4d253de48e59b0b
 eapfast server-key primary 7 BA5158332243965583FAC0EFF926B5BD53
 nas 192.168.0.250 key 7 101E0B1C171C42060105242F74
 group office
  ssid test
  reauthentication time 600
 !
 user test nthash 7 11593A27414B5F545C7A7E027F6A62003555375B530E090F0A035D21404F0C0B00 group office
!
radius-server host 192.168.0.250 auth-port 1812 acct-port 1813
bridge 1 route ip
!

Is there something else missing?
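A caveat on the config in the post above, added here as an example and not part of the thread: the `key 7`, `server-key primary 7` and `nthash 7` values are Cisco type-7 strings, which are a fixed-key XOR obfuscation rather than encryption (`service password-encryption` buys exactly this and nothing more). Anyone who sees a pasted running config recovers the NAS key, the EAP-FAST server key and the user's NT hash instantly, so these lines should be redacted before posting and the secrets rotated afterwards. The script below (Python, written for this page; the sample strings are constructed with its own encoder and are not the values from the post) decodes type-7 strings and scans a config dump for them.

```python
"""Cisco type-7 'encryption' is a reversible obfuscation, not encryption.

Added example, not from the thread. Sample strings are constructed here.
"""

# Fixed Vigenere-style key that Cisco IOS uses for every type-7 password.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string: two-digit seed, then hex pairs XORed with the fixed key."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type-7 strings are an even number of chars, at least 4")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    out = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return out.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce a type-7 string so the decoder can be checked against a known plaintext."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    body = bytes(ord(ch) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, ch in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def secrets_in_config(config_text: str) -> list:
    """Find every '<keyword> 7 <hex>' token triple in a config dump and decode it.

    Returns (keyword, cleartext) pairs, e.g. ('key', ...) for 'nas ... key 7 ...'.
    """
    found = []
    hexdigits = set("0123456789ABCDEFabcdef")
    for line in config_text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok == "7" and i > 0 and set(tokens[i + 1]) <= hexdigits:
                found.append((tokens[i - 1], type7_decode(tokens[i + 1])))
    return found


# Constructed sample config; the type-7 values are produced by type7_encode above.
SAMPLE_CONFIG = "\n".join([
    "radius-server local",
    f" nas 192.168.0.250 key 7 {type7_encode('radiuskey', seed=3)}",
    f" eapfast server-key primary 7 {type7_encode('0123456789abcdef', seed=9)}",
    "!",
])

if __name__ == "__main__":
    for keyword, cleartext in secrets_in_config(SAMPLE_CONFIG):
        print(f"{keyword}: {cleartext}")
```

Run it over any saved `show running-config` before sharing the file; if it prints anything, those values are effectively cleartext. For secrets that must survive a config leak, IOS offers type-5 (MD5) and, on newer releases, type-8/9 for `enable secret` and `username ... secret`, but RADIUS shared keys and the local-authenticator keys have no non-reversible form, so the only protection is not pasting them.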

Hall of Fame Super Silver

Re: AP as local authenticator + WPA2: howto?

The AAA configuration is fine... you are using it for management of the AP, so that is okay.

eap profile casa
 method fast

You can get rid of it; it didn't make any difference when I tried it.

Does the client get a prompt to accept a PAC file or not? I had to play around with configuration on the client side to get this to work. If you can, just use the configuration I posted on a test ap and see if you can get a client to associate.

If you can post the full configuration and tell me what code you are running, I can try it out on an ap I have to see if I can get it to work.

-Scott
*** Please rate helpful posts ***
Community Member

Re: AP as local authenticator + WPA2: howto?

I guess the AP config is now fine, fella.

Removed the two mentioned lines about EAP, and now I have user/password test/test.

I post the config just for a last check by you.

!
aaa new-model
!
aaa group server radius rad_eap
 server 192.168.0.250 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local if-authenticated
!
aaa session-id common
!
resource policy
!
dot11 ssid test
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
!
username admin privilege 15 secret 5
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid test
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 192.168.0.250 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.254
ip radius source-interface BVI1
radius-server local
 no authentication leap
 no authentication mac
 eapfast authority id xxx
 eapfast authority info xxx
 eapfast server-key primary xxx
 nas 192.168.0.250 key xxx
 group office
  ssid test
  reauthentication time 600
 !
 user test nthash xxx group office
!
radius-server host 192.168.0.250 auth-port 1812 acct-port 1813 key xxx
bridge 1 route ip
!

The clients (where I think the problem resides):

- Windows XP: Connection settings -> Properties -> Wireless network: authentication WPA2 and encryption AES.

In the following window (Authentication) I can choose either smart card or PEAP: I use Protected EAP. 802.1X is flagged and I can't change this setting. I have also disabled logging in with the same user and password used to log in to the PC.

In the end, all I get is a window asking for user and password: I enter user test and password test, but can't gain access. The AP shows %DOT11-7-AUTH_FAILED: Station 0013.0240.68bf Authentication failed

The NIC is an Intel A/B/G: maybe it needs a patch to work with WPA2?

- Linux (Red Hat), NIC is an AR242x 802.11abg Wireless PCI Express Adapter

Started the wpa_supplicant daemon, then configured it in this way:

ath0 IEEE 802.11g ESSID:"wi-fi" Nickname:"test"
 Mode:Managed Frequency:2.462 GHz Access Point: Not-Associated

However, I have no messages on the AP about this PC: it looks like it isn't even trying to authenticate.

It would be great to at least authenticate the Windows XP clients, then I can work on Linux. At least I'd know the AP is well configured.
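To make concrete both the earlier question in this thread (whether the client gets the ASCII password or the NT hash) and the Linux side of the post above, here is an added example, written for this page and not taken from the thread or from Cisco. It computes the NT hash that the AP stores in its `user NAME nthash ... group G` entry (MD4 over the UTF-16LE encoding of the password, shown plain or type-7 wrapped depending on `service password-encryption`) with a pure-Python MD4, because `hashlib.new('md4')` is disabled on many current OpenSSL builds, and it renders the matching wpa_supplicant network block, in which the client supplies the cleartext password and never the hash. The credential test/test, the SSID, the PAC file path and the wpa_supplicant choices (anonymous in-band PAC provisioning via `fast_provisioning=1`, MSCHAPv2 as the EAP-FAST inner method) are assumptions for illustration. Whether such a client is reaching the local authenticator at all can be checked on the AP with `show radius local-server statistics`, which is in the local-authenticator chapter the original poster was following.

```python
"""NT hash and EAP-FAST credentials: what the AP stores vs. what the client sends.

Added example, not from the thread. Pure-Python MD4 (RFC 1320) because the
OpenSSL legacy provider is often absent. Credentials test/test are constructed.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of sixteen steps over each 64-byte block."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates the next one
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); this is what 'user ... nthash' on the AP holds."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ap_user_line(username: str, password: str, group: str) -> str:
    """Equivalent of 'user USER password PW group G' with the hash already computed."""
    return f"user {username} nthash {nt_hash(password)} group {group}"


def wpa_supplicant_network(ssid: str, identity: str, password: str, pac_file: str) -> str:
    """Client side (assumed settings): cleartext password, EAP-FAST with in-band PAC provisioning."""
    return "\n".join([
        "network={",
        f'    ssid="{ssid}"',
        "    proto=RSN",              # WPA2
        "    key_mgmt=WPA-EAP",
        "    pairwise=CCMP",          # matches 'encryption mode ciphers aes-ccm' on the AP
        "    group=CCMP",
        "    eap=FAST",
        '    anonymous_identity="anonymous"',
        f'    identity="{identity}"',
        f'    password="{password}"',  # the password, never the NT hash
        '    phase1="fast_provisioning=1"',  # assumption: anonymous in-band PAC provisioning
        '    phase2="auth=MSCHAPV2"',        # inner method that uses the NT hash server-side
        f'    pac_file="{pac_file}"',
        "}",
    ])


if __name__ == "__main__":
    assert md4(b"abc").hex() == "a448017aaf21d8525fc10ae87aa6729d"  # RFC 1320 vector
    print(ap_user_line("test", "test", "office"))
    print(wpa_supplicant_network("test", "test", "test", "/etc/wpa_supplicant/ap-local.pac"))
```

The two outputs are the two halves of one credential: the AP holds only the NT hash and verifies the MSCHAPv2 response inside the EAP-FAST tunnel with it, so a client configured with the hash string as its password cannot authenticate. The NT hash is unsalted MD4, which is why the type-7 wrapped `nthash` value in a leaked config is as sensitive as the password itself.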

Hall of Fame Super Silver

Re: AP as local authenticator + WPA2: howto?

Windows XP doesn't support EAP-FAST, unless you use a 3rd party utility like Cisco ADU (if you have their card), IBM's Access Connections or Intel Proset Wireless utility. PEAP requires an ACS or radius server to authenticate users.

The only thing you can do is WPA2/PSK which doesn't require a certificate, radius server or a PAC file.

-Scott
*** Please rate helpful posts ***
Community Member

Re: AP as local authenticator + WPA2: howto?

Some XP hosts have an Intel adapter, 3945, so I might use the configured solution.

A Linux host is equipped with an Aironet PCI a/b/g adapter: there is no ADU for it, however it works under Windows. Other Linux PCs have an Atheros chipset card: so I can only use WPA2/PSK?

Besides this, the only solution would be building a RADIUS server, in the end?

This is unfortunately not possible in this context, so I think I have to arrange the config to support WPA2/PSK.

What would be the final config, in this case?

What changes are required?

Hall of Fame Super Silver

Re: AP as local authenticator + WPA2: howto?

Yes... WPA2/PSK would be your only choice as of now. If you had a WLC, that could support local EAP security, but it might be cheaper for you to go with a Windows IAS or FreeRadius.

-Scott
*** Please rate helpful posts ***
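The thread ends without the PSK configuration or a word on what moving to it gives up. As an added example (Python, written for this page and not from the thread), the block below renders the SSID stanza that replaces the EAP lines on the IOS AP (open authentication, `wpa version 2` key management and a `wpa-psk ascii` passphrase; the radio keeps `encryption mode ciphers aes-ccm`, and the `radius-server local` section becomes unused), derives the PMK exactly as WPA2-PSK does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), and runs the offline dictionary check an attacker performs against a single captured 4-way handshake. The SSID, the two passphrases and the word list are constructed; the IEEE 802.11i Annex test vectors confirm the derivation.

```python
"""WPA2-PSK: one shared passphrase becomes the PMK, and one captured handshake
lets anyone test guesses offline. Added example, not from the thread.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def ap_psk_ssid_block(ssid: str, passphrase: str) -> str:
    """IOS AP SSID stanza for WPA2-PSK; replaces the 'authentication ... eap' lines."""
    return "\n".join([
        f"dot11 ssid {ssid}",
        " authentication open",
        " authentication key-management wpa version 2",
        f" wpa-psk ascii {passphrase}",
    ])


def recover_passphrase(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check. A real attacker validates each PMK through the
    handshake MIC instead of comparing PMKs, but the cost per guess is the same."""
    for cand in candidates:
        if 8 <= len(cand) <= 63 and hmac.compare_digest(pmk_from_passphrase(cand, ssid), target_pmk):
            return cand
    return None


# Constructed sample data.
SSID = "test"
WEAK_PASSPHRASE = "password1"
STRONG_PASSPHRASE = "q7Lw-Nhd2-vXp9-K3mf-Zr8t"
WORDLIST = ["12345678", "password", "password1", "letmein1", "testtest"]

if __name__ == "__main__":
    print(ap_psk_ssid_block(SSID, STRONG_PASSPHRASE))
    weak_pmk = pmk_from_passphrase(WEAK_PASSPHRASE, SSID)
    print("weak passphrase recovered:", recover_passphrase(weak_pmk, SSID, WORDLIST))
    strong_pmk = pmk_from_passphrase(STRONG_PASSPHRASE, SSID)
    print("strong passphrase recovered:", recover_passphrase(strong_pmk, SSID, WORDLIST))
```

Because the PSK is shared by every client, it is also shared with every former user and every device that has ever been lost, and the 4096-iteration PBKDF2 only slows guessing rather than preventing it, so a long random passphrase is the whole security of the WLAN once per-user EAP credentials are gone. Note that the thread's SSID `test` is a common value, which makes precomputed PMK tables usable against it as well.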