
AP's admin authentication by ACS RADIUS

yong1794
Level 1

I would like to do the AP's admin authentication by RADIUS. The authentication is OK by console connection, but telnet or HTTP authentication fails because of limiting level_15_access. Is there any misconfiguration? Check this out please. Thanks

*****************************

ap#show run
Building configuration...

Current configuration : 2845 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_admin
 server *.*.*.* auth-port 1645 acct-port 1646
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default cache rad_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default cache rad_admin group rad_admin
aaa authorization network default group radius
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
power inline negotiation prestandard source
!
!
username Cisco password xxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address x.x.x.x 255.255.255.192
 no ip route-cache
!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 091D1C5A4D
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 authorization commands 15 radius
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 authorization commands 15 radius
 transport preferred all
 transport input all
 transport output all
!
end

2 Replies

Just try this first:

aaa authentication login vty group rad_admin
aaa authentication login http group rad_admin
line vty 0 4
 login authentication vty
ip http authentication aaa login-authentication http

I was having the same problem (except I use MS IAS for RADIUS). I pasted in your command list; now instead of getting a weird PPP negotiate error, I get user authorization failed. But I looked in the IAS logs, and I'm actually getting authenticated, it's just not making it back to my AP.

Any advice?
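
Added example, not part of the thread and not Cisco tooling: a Python check that cross-references the AAA method lists applied under `line` blocks and `ip http authentication aaa` against the `aaa ...` lists that are actually defined. The function name `audit_method_lists` and the sample (AAA lines from the posted config plus the first reply's commands) are assumptions made for this illustration.

```python
import re

# Constructed sample: AAA-related lines from the posted config plus the
# commands suggested in the first reply (everything else omitted).
SAMPLE = """\
aaa new-model
aaa authentication login default cache rad_admin group rad_admin
aaa authentication login vty group rad_admin
aaa authentication login http group rad_admin
aaa authorization exec default cache rad_admin group rad_admin
ip http authentication aaa login-authentication http
line con 0
line vty 0 4
 authorization commands 15 radius
 login authentication vty
line vty 5 15
 authorization commands 15 radius
"""

# "aaa <kind> <list-name> <methods...>" defines a method list.
DEFINE = re.compile(r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) ")
# Sub-commands under "line ..." that apply a method list by name.
LINE_REF = re.compile(r"^(login authentication|authorization exec|authorization commands \d+) (\S+)$")
HTTP_REF = re.compile(r"^ip http authentication aaa (login-authentication|exec-authorization) (\S+)$")
HTTP_KIND = {"login-authentication": "authentication login", "exec-authorization": "authorization exec"}

def audit_method_lists(config):
    """Return (where, kind, name) for each applied AAA list that has no definition."""
    defined, refs, where = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()                    # works on indented or flattened pastes
        if line.startswith("line "):
            where = line                      # remember which line block we are in
        elif (m := DEFINE.match(line)):
            defined.add((m.group(1), m.group(2)))
        elif (m := HTTP_REF.match(line)):
            refs.append(("ip http", HTTP_KIND[m.group(1)], m.group(2)))
        elif where and (m := LINE_REF.match(line)):
            kind = m.group(1).replace("login authentication", "authentication login")
            refs.append((where, kind, m.group(2)))
    # Definitions may appear anywhere, so compare only after the full pass.
    return [r for r in refs if (r[1], r[2]) not in defined]

if __name__ == "__main__":
    for where, kind, name in audit_method_lists(SAMPLE):
        print(f"{where}: '{kind}' list '{name}' is applied but not defined")
```

On the sample it reports the `authorization commands 15 radius` entries on both vty ranges, since no `aaa authorization commands 15 radius ...` list appears in the posted configuration.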
