Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
434
Views
0
Helpful
1
Replies

Autonomous AP for EAP

JPavonM
VIP
VIP

‎06-27-2012 07:11 AM - edited ‎07-03-2021 10:21 PM

We've got an ACS 5.1 virtual appliance for device administration  tasks and now we want to authenticate wireless domain users, but only by  it's username/password, without trusting any CA certificates from the  AD (is it required an ACS certificate too?).

Maybe there are some steps I have missed but I cant' locate where is the problem:

This is the configuration of the AP that I have but, is it correct?

aaa group server radius rad_eap

server a.b.c.d auth-port 1812 acct-port 1646

server a.b.c.d auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default group rad_eap local

!

dot11 vlan-name WPA vlan 199

dot11 ssid LABREDES_CERT

   vlan 199

   authentication open eap eap_methods

   authentication network-eap eap_methods

   guest-mode

   mbssid guest-mode dtim-period 75

!

interface Dot11Radio0

  encryption vlan 199 mode ciphers tkip

....

We  have spent some days and nothing seems to work but nothing appears in  the ACS log, there are no messages in the log, and a debug (radius, aaa authentication) in the AP only  shows (AAA/BIND(0000014E): Bind i/f  )

Any help would be appreciated

Labels:
0 Helpful
1 Reply 1

stefan.angerer
Level 1
Level 1

‎06-27-2012 07:32 AM

Hi

you need to globally configure your radius servers too!

e.g.: radius-server host a.b.c.d auth 1812 acc 1646 secret

also you need to change your SSID config

dot11 ssid LABREDES_CERT

    authentication key-management wpa

Regarding the certificate: you can use PEAP with MSCHAPv2, and leave the selfsigned certificate on the ACS (so you simply disable certificate validation on your clients), but I would definitely not recommend this.

hope that helps!

Stefan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card