I am currently using PEAP to authenticate users seeking access to the network through the wireless APs, with a Cisco Secure ACS 4.2 as the external RADIUS server. But I cannot authorize access to the network, so all users with proper credentials can access the network without authorization. The idea would be that only authorized users can access the network, and not all users currently in the ACS. The AP configuration is:

    !
    aaa new-model
    !
    aaa group server radius rad_eap
     server 172.22.30.252 auth-port 1645 acct-port 1646
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login auth-admin-access group tac_admin
    aaa authorization exec default group tac_admin
    aaa authorization exec eap_methods group rad_eap
    aaa authorization network eap_methods group rad_eap
    aaa accounting exec auth-admin-access start-stop group tac_admin
    aaa accounting commands 15 auth-admin-access start-stop group tac_admin
    aaa accounting network eap_methods start-stop group rad_eap
    !
    dot11 ssid PEAP
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     accounting eap_methods
     guest-mode
     infrastructure-ssid optional
     information-element ssidl advertisement wps
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server attribute 31 mac format ietf
    radius-server host 172.22.30.252 auth-port 1645 acct-port 1646 key Secret
    radius-server authorization default Framed-Protocol ppp
    radius-server vsa send accounting
    radius-server vsa send authentication
    !

Within the definition of the SSID there is no command for authorization, only one for authentication and another for accounting, and these two options work properly. I would not mind changing the method or any other option; I just need a model or method that allows me to authenticate, authorize and account for network access by users through the AP.

I have the following:
• AP: Cisco Aironet 1242, IOS:
• Cisco Secure Access Control Server 4.2, which uses an external Windows Active Directory database.
The way you have set up wireless is perfect. To understand the process: RADIUS combines authentication and authorization. The Access-Accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization, so the moment you connect with your credentials it counts as part of authentication, and all other settings, like the SSID, count under authorization. There is no command to configure authorization with RADIUS in wireless. There is something called SSID/WLAN restriction using ACS, where we use a NAR; even that also comes in the Access-Accept.
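To make the answer's point concrete, here is an added example (not code from either poster, and not a Cisco tool) that builds and decodes a RADIUS Access-Accept the way an AP would see it: the same packet that says "credentials OK" also carries the authorization the AP enforces, a VLAN via the RFC 2868 Tunnel-* attributes and a per-user SSID via the Cisco AV-pair ssid=<name>. The packet bytes are constructed here; the shared secret "Secret" is taken from the posted AP config (assumption: the key is literally that string), and the attribute values (VLAN 30, ssid=PEAP) are illustrative. The verifier also shows why the shared secret matters: an Access-Accept whose Response Authenticator does not check out under the secret is discarded rather than trusted.

```python
"""Decode a RADIUS Access-Accept and pull out its authorization attributes.

Added example for this thread, not the posters' or Cisco's code. Packet
bytes are constructed; secret "Secret" is assumed from the posted config.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_VSA, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PGID = 26, 64, 65, 81
CISCO_VENDOR_ID = 9     # IANA enterprise number used in Cisco VSAs
CISCO_AVPAIR = 1        # vendor type of cisco-avpair


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    """Encode a cisco-avpair inside a Vendor-Specific attribute (type 26)."""
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_response(code, ident, request_auth, attrs, secret):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_attributes(body):
    """Walk the TLV list; VSAs are unwrapped into ("VSA", vendor, vendor_type, data)."""
    attrs, i = [], 0
    while i < len(body):
        alen = body[i + 1] if i + 1 < len(body) else 0
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        atype, value = body[i], body[i + 2:i + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append(("VSA", vendor, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, value))
        i += alen
    return attrs


def verify_and_decode(packet, request_auth, secret):
    """AP side: refuse any response that does not verify under the shared secret."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    return code, parse_attributes(body)


def decode_authorization(attrs):
    """Extract what the AP would enforce from a verified Access-Accept."""
    authz = {}
    for a in attrs:
        if a[0] == "VSA" and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR:
            key, _, val = a[3].decode().partition("=")
            authz[key] = val                       # e.g. ssid=PEAP -> per-user SSID
        elif a[0] == ATTR_TUNNEL_TYPE:
            authz["tunnel_type"] = int.from_bytes(a[1][1:], "big")  # skip tag octet
        elif a[0] == ATTR_TUNNEL_PGID:
            v = a[1][1:] if a[1] and a[1][0] <= 0x1F else a[1]     # strip tag if present
            authz["vlan"] = v.decode()
    return authz


def example():
    """Constructed exchange: Accept with VLAN 30 + ssid=PEAP, bare Reject, tampered Accept."""
    secret = b"Secret"
    request_auth = bytes(range(16))   # constructed; really copied from the Access-Request
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [
        attr(ATTR_TUNNEL_TYPE, tagged_int(13)),     # 13 = VLAN
        attr(ATTR_TUNNEL_MEDIUM, tagged_int(6)),    # 6 = IEEE-802
        attr(ATTR_TUNNEL_PGID, b"\x00" + b"30"),    # tag 0 + VLAN id "30"
        cisco_avpair("ssid=PEAP"),
    ], secret)
    reject = build_response(ACCESS_REJECT, 7, request_auth, [], secret)
    code, attrs = verify_and_decode(accept, request_auth, secret)
    authz = decode_authorization(attrs) if code == ACCESS_ACCEPT else {}
    reject_code, reject_attrs = verify_and_decode(reject, request_auth, secret)
    tampered = bytearray(accept)
    tampered[-1] ^= 0x01              # flips "PEAP" to "PEAQ" on the wire
    try:
        verify_and_decode(bytes(tampered), request_auth, secret)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"accept_code": code, "authz": authz, "reject_code": reject_code,
            "reject_attrs": reject_attrs, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(example())
```

Running it prints the decoded authorization for the Accept ({'tunnel_type': 13, 'vlan': '30', 'ssid': 'PEAP'}), an empty attribute list for the Reject, and tamper_detected True. The practical takeaway for the question: per-user restriction has to be expressed as attributes the ACS puts in the Access-Accept (or as a Reject for users who should not get on at all), because the AP has nothing else to enforce.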
Transferring the crash file from the standby: log in to the active WLC in the HA pair.
From the CLI:
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename
(Cisco Controller) >transfer upload mode tftp
(Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark and OmniPeek. The first installment is a table of advanced filters. More filters will be added as time allows. It is a living doc, so check back for changes every so often. Please feel f...