Cisco AP: Logging onto wireless with LDAP credentials

j4ckripp3r
Level 1

I have 2 Cisco 1141 Aironet access points.

I've followed this tutorial:

http://evilrouters.net/2008/11/19/configuring-freeradius-to-support-cisco-aaa-clients/

I have an Ubuntu server running freeradius authenticating against an LDAP server.

Now I'm able to log into the AP via ssh with my LDAP credentials.

What I can't figure out is how to set up the AP so that when people connect to the AP's wireless they are prompted for their LDAP credentials.

I've gone through a bunch of different articles online and I feel that I'm just confusing myself even more.


Stephen Rodriguez
Cisco Employee

Can you post the config of the AP?  I'd like to see where you are currently at.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thank you for the help.

Here is the config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap2
!
enable secret 5
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip domain name something.net
!
!
dot11 syslog
dot11 vlan-name inside vlan 2
dot11 vlan-name test2 vlan 22
!
dot11 ssid WiFi
   vlan 22
   authentication open
   authentication key-management wpa optional
   mbssid guest-mode
   wpa-psk ascii 7
!
dot11 ssid inside
   vlan 2
   authentication open
   authentication shared
   mbssid guest-mode
!
!
crypto pki trustpoint TP-self-signed-1224361256
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1224361256
 revocation-check none
 rsakeypair TP-self-signed-1224361256
!
!
crypto pki certificate chain TP-self-signed-1224361256
 certificate self-signed 01
  quit
!
!
ip ssh logging events
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 22 key 2 size 128bit 7 transmit-key
 encryption vlan 22 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 22 change 60
 !
 !
 ssid WiFi
 !
 ssid inside
 !
 antenna gain 0
 mbssid
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
 infrastructure-client
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex full
 speed auto
 no keepalive
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 10.12.20.124 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 111 permit tcp any any neq telnet
snmp-server community
snmp-server location Solana Beach, California, USA
snmp-server contact
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3
radius-server host 10.12.10.3 auth-port 1812 acct-port 1813 key 7
bridge 1 route ip
!
!
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
sntp server 10.12.10.3
end

Ok, so pasting this into your AP should work:

conf t
aaa group server radius rad_eap
server 10.12.10.3 auth-port 1812 acct-port 1813
exit
!
interface Dot11Radio0
encryption vlan 2 mode ciphers aes-ccm
exit
!
dot11 ssid inside
vlan 2
no authentication shared
authentication open eap rad_eap
authentication key-management wpa version 2
exit

So I'll explain:

aaa group server radius rad_eap
server 10.12.10.3 auth-port 1812 acct-port 1813

This configures the AP to use a server group, and in the config this server group is referred to as 'rad_eap'.  If you need to add more servers for user authentication, you just need to go under the group and add more servers.

interface Dot11Radio0
encryption vlan 2 mode ciphers aes-ccm

This tells the radio that for vlan two we are going to use the cipher suite of aes.  If your clients do not support WPA 2, change this to encryption vlan 2 mode ciphers tkip.

dot11 ssid inside
vlan 2
no authentication shared
authentication open eap rad_eap
authentication key-management wpa version 2

Now this is where we tell the SSID how we are going to work with the client.  You shouldn't need authentication shared for EAP.  You really shouldn't need it for a PSK either; most clients will work with just authentication open.

The authentication open line tells the AP that we are using open authentication, that we are expecting EAP requests from the client, and what server group it should send the AAA requests to.

Finally, we are telling the SSID that we only want clients that can do WPA 2.  If your clients do not support WPA 2, then change this line to be authentication key-management wpa.

This should get you working with using EAP for your clients.

HTH,

Steve

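As an added check, not code from the thread: a small Python script that reads an autonomous-AP config and reports, per SSID, the points Steve walks through above. It flags an SSID with no 'authentication open eap', a name after 'eap' that resolves neither to a radius server group nor (the form Cisco documents for this command) to an 'aaa authentication login <list> group <group>' method list, a VLAN with no 'encryption vlan N mode ciphers' line on the radio, WEP ciphers, 'authentication shared', and key-management other than 'wpa version 2'. The sample config is constructed from the thread's original WiFi SSID; function names are my own.

```python
import re

# Constructed sample (not the thread's full dump): the original WiFi SSID and its radio lines.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 10.12.10.3 auth-port 1812 acct-port 1813
dot11 ssid WiFi
   vlan 22
   authentication open
   authentication shared
   authentication key-management wpa optional
interface Dot11Radio0
 encryption vlan 22 mode ciphers aes-ccm tkip wep128
"""
SSID_KEYS = r"(vlan|authentication open eap|authentication shared|authentication key-management) ?(.*)"

def parse(config):
    # groups: radius server groups; lists: login method list -> group; ssids: per-SSID settings
    groups, lists, ssids, ciphers, sect = set(), {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):  # blank lines tolerated
        if line == "!":
            sect = None                                   # '!' closes a sub-mode
        elif line.startswith("aaa group server radius "):
            groups.add(line.split()[-1])
        elif (m := re.match(r"aaa authentication login (\S+) group (\S+)", line)):
            lists[m.group(1)] = m.group(2)
        elif line.startswith("dot11 ssid "):
            sect = ssids[line.split(None, 2)[2]] = {}
        elif line.startswith("interface Dot11Radio"):
            sect = "radio"
        elif sect == "radio" and (m := re.match(r"encryption vlan (\d+) mode ciphers (.+)", line)):
            ciphers[m.group(1)] = m.group(2).split()    # ciphers per VLAN on the radio
        elif isinstance(sect, dict) and (m := re.match(SSID_KEYS, line)):
            sect[m.group(1)] = m.group(2) or True
    return groups, lists, ssids, ciphers

def check(config):
    # Map each SSID to its findings; an empty list means it passes every check.
    groups, lists, ssids, ciphers = parse(config)
    report = {}
    for name, s in ssids.items():
        vlan, group, km = s.get("vlan"), s.get("authentication open eap"), s.get("authentication key-management")
        rules = [
            (not group, "no 'authentication open eap <list>': clients are never sent to RADIUS"),
            (group and group not in groups and lists.get(group) not in groups,
             "'%s' is neither a login method list nor a radius server group" % group),
            (vlan not in ciphers, "radio has no 'encryption vlan %s mode ciphers' line" % vlan),
            (any(c.startswith("wep") for c in ciphers.get(vlan, [])), "vlan %s cipher list still allows WEP" % vlan),
            (s.get("authentication shared"), "'authentication shared' (WEP shared key) is configured"),
            (km != "wpa version 2", "key-management %r is not WPA2-only" % km),
        ]
        report[name] = [msg for hit, msg in rules if hit]
    return report
```

Paste the output of 'show running-config' in place of the sample to run it against a real AP; the double-spaced copy above works as-is since blank lines are ignored.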

I made those changes and I had freeradius in debug mode. When I started authentication on ssid Mike I would get a login box for username/password, but when authentication starts freeradius isn't getting any request; when I ssh into the AP, however, it does get a request.

Sorry, I forgot to mention I'm using the ssid Mike.

Thanks again for your help.

Here is my config after the changes:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap2
!
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.12.10.3 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip domain name onerecovery.net
!
!
dot11 syslog
dot11 vlan-name inside vlan 2
dot11 vlan-name test2 vlan 22
!
dot11 ssid Mike
   vlan 22
   authentication open eap rad_eap
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
crypto pki trustpoint TP-self-signed-1224361256
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1224361256
 revocation-check none
 rsakeypair TP-self-signed-1224361256
!
!
crypto pki certificate chain TP-self-signed-1224361256
 certificate self-signed 01
  quit
username Cisco privilege 15 password
!
!
ip ssh logging events
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 22 mode ciphers aes-ccm
 !
 broadcast-key vlan 22 change 60
 !
 !
 ssid Mike
 !
 antenna gain 0
 mbssid
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
 infrastructure-client
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex full
 speed auto
 no keepalive
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 10.12.20.124 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 111 permit tcp any any neq telnet
snmp-server community ORVjkPtki8q RO
snmp-server location Solana Beach, California, USA
snmp-server contact OneRecovery NOC -
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3
radius-server host 10.12.10.3 auth-port 1812 acct-port 1813 key 7
bridge 1 route ip
!
!
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
sntp server 10.12.10.3
end

gah!  silly cut and paste.  It missed one of the commands:

radius-server attribute 32 include-in-access-req format %i

This tells the AP to send its IP address to be processed by the AAA.

HTH,
Steve


I added:

radius-server attribute 32 include-in-access-req format %i

I'm still getting the same results. The freeradius server isn't getting any request from the AP when a user joins the ssid Mike.

Double-checked that document you posted.  That only goes over the config for using freeRADIUS as an authenticator for device management login.

Take a look at the link below that covers configuring freeRADIUS for PEAP.

http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html

HTH,
Steve
