How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory

I have a Win2008 server set up as a RADIUS server (192.168.32.71) and a stand-alone AP (192.168.201.9). The AP config is below:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$IdUV$UvE2IJTNzHX6mW6Mmh3At0
!
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 192.168.201.9 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid ka_test
   vlan 201
   authentication open eap eap_methods1
   authentication network-eap eap_methods1
   guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 112A1016141D
username tkgadmin privilege 15 password 7 022D167B06551D60
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 201 mode ciphers aes-ccm tkip
 !
 encryption key 1 size 128bit 7 673B0AA56FCB4E630D8E4856427E transmit-key
 encryption mode wep mandatory
 !
 broadcast-key change 150
 !
 !
 ssid ka_test
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.201
 encapsulation dot1Q 201
 no ip route-cache
 bridge-group 201
 bridge-group 201 subscriber-loop-control
 bridge-group 201 block-unknown-source
 no bridge-group 201 source-learning
 no bridge-group 201 unicast-flooding
 bridge-group 201 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption key 1 size 128bit 7 B711059074E30B1E1D4E3EC038BB transmit-key
 encryption mode wep mandatory
 !
 broadcast-key change 150
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface FastEthernet0.201
 encapsulation dot1Q 201
 no ip route-cache
 bridge-group 201
 no bridge-group 201 source-learning
 bridge-group 201 spanning-disabled
!
interface BVI1
 ip address 192.168.201.9 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
  no authentication eapfast
  no authentication mac
  nas 192.168.201.9 key 7 010703174F
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 0835495D1D
radius-server host 192.168.201.9 auth-port 1812 acct-port 1813 key 7 0010161510
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

3 REPLIES

How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory

Take a look at the following configuration guide. Don't worry that it says ACS, just follow the RADIUS pieces.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Steve

HTH,
Steve

Please remember to rate useful posts, and mark questions as answered

How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory

Sorry for the late reply, Steve. The link you provided was extremely helpful; here is what my config looks like now:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$7vHS$YWCMbrlAgDUayKlOHhMlF1
!
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.32.71 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid wap_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   guest-mode
   infrastructure-ssid optional
!
power inline negotiation prestandard source
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid wap_test
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 192.168.201.9 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

I get a login screen, but it will not let me connect. On my RADIUS server I have it set to allow a group that my username is in. Here are some debugs from when I try to connect to the AP:

ap#debug aaa authentication
AAA Authentication debugging is on
ap#
*Mar  2 01:11:53.284: AAA/BIND(00000006): Bind i/f
*Mar  2 01:11:53.355: AAA/AUTHEN/PPP (00000006): Pick method list 'eap_methods'
*Mar  2 01:11:54.556: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
*Mar  2 01:11:55.280: AAA/BIND(00000007): Bind i/f
*Mar  2 01:11:55.404: AAA/AUTHEN/PPP (00000007): Pick method list 'eap_methods'
*Mar  2 01:11:56.349: AAA/BIND(00000008): Bind i/f
*Mar  2 01:11:56.525: AAA/AUTHEN/PPP (00000008): Pick method list 'eap_methods'
*Mar  2 01:11:57.300: AAA/BIND(00000009): Bind i/f
*Mar  2 01:11:58.070: AAA/BIND(0000000A): Bind i/f
*Mar  2 01:11:58.812: AAA/BIND(0000000B): Bind i/f
*Mar  2 01:12:15.470: AAA/AUTHEN/PPP (0000000B): Pick method list 'eap_methods'
*Mar  2 01:12:15.492: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
ap#undebug all
All possible debugging has been turned off

How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory

For the server, NPS should be listening on 1812/1813 (I believe it will still work with 1645/1646 if you allowed them in the setup). What does the system log on the NPS server say? There should be an NPS error as to why it rejected the user.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered
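A small config audit of the kind I'd run over a posted AP config to catch the two things this thread turns on: the RADIUS port mismatch Steve points out (AP sending to 1645/1646 while NPS listens on 1812/1813) and the SSID key-management and radio cipher settings that decide whether the SSID is really WPA2. This is added example code, not from the thread or from Cisco; it assumes the IOS AP syntax shown above, treats `authentication key-management wpa version 2` plus `aes-ccm` as the WPA2 form (an assumption about the platform), and uses a constructed excerpt modelled on the second posted config as its input.

```python
NPS_PORTS = (1812, 1813)  # default NPS listeners, per the reply above

# Constructed excerpt modelled on the second config in this thread (sample input only).
SAMPLE = """\
dot11 ssid wap_test
   authentication open eap eap_methods
   authentication key-management wpa
!
interface Dot11Radio0
 encryption mode ciphers tkip
!
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
"""

def parse(cfg):
    """Collect per-SSID key-management, radio cipher suites and RADIUS host ports."""
    ssids, ciphers, hosts, cur = {}, [], {}, None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w or w[0] == "!":      # '!' closes the current dot11 ssid block
            cur = None
            continue
        if w[:2] == ["dot11", "ssid"]:
            cur = w[2]
            ssids[cur] = None         # None until a key-management line is seen
        elif cur and w[:2] == ["authentication", "key-management"]:
            ssids[cur] = " ".join(w[2:])
        elif w[0] == "encryption" and "ciphers" in w:
            ciphers += w[w.index("ciphers") + 1:]
        elif w[:2] == ["radius-server", "host"]:
            hosts[w[2]] = (int(w[4]), int(w[6]))   # (auth-port, acct-port)
    return ssids, ciphers, hosts

def audit(cfg, nps_ports=NPS_PORTS):
    """Return human-readable findings; an empty list means nothing was flagged."""
    ssids, ciphers, hosts = parse(cfg)
    out = []
    for ip, ports in hosts.items():
        if ports != nps_ports:
            out.append(f"{ip}: AP sends to ports {ports}, NPS listens on {nps_ports}")
    for name, km in ssids.items():
        if km is None:
            out.append(f"ssid {name}: no 'authentication key-management wpa', so not WPA/WPA2")
        elif "version 2" not in km:   # assumption: 'wpa version 2' is the WPA2-only form
            out.append(f"ssid {name}: '{km}' does not force WPA2; expected 'wpa version 2'")
    if ciphers and "aes-ccm" not in ciphers:
        out.append(f"ciphers {ciphers}: no aes-ccm, so WPA2 (AES-CCMP) cannot be negotiated")
    return out
```

Running `audit(SAMPLE)` on the excerpt returns three findings: the 1645/1646 port pair, the unversioned `key-management wpa`, and the TKIP-only cipher list.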
