Cisco Support Community
New Member

User Authentication

The latest firmware, 12.0T1, supports user authentication for administrating the 350 AP. I have set up to authenticate against an ACS 26 server. I see that I passed authentication in the ACS logs but I cannot get past the login screen at the AP. Is there any documentation on setting this up? The 350 Bridge Software Configuration Guide does not have user auth at all. The on-line help lists it as an option but no details on using it.

thanks.

1 ACCEPTED SOLUTION

Cisco Employee

Re: User Authentication

Using RADIUS, you need to use the Cisco AV-pair attribute for admin users with the following syntax:

aironet:admin-capability=write+ident+admin+firmware

Here is the procedure for you to define the Cisco AV-pair attributes for the admin user.

a) On ACS, select the interface configuration and go to the advanced option, select "per-user TACACS/RADIUS attribute", and click on submit.

b) On ACS, select network configuration.

1) Check if you have configuration >> Radio (IOS/PIX available) on the ACS. If not, add NAS type RADIUS IOS/PIX; note that this is needed for the IOS/PIX attribute.

2) After adding the IOS/PIX device, select interface configuration >> RADIUS (IOS/PIX). Enable the [026/009/001] "cisco av-pair" option; again, make sure that you enable it at user and group level, and click on submit.

3) Add a user (User setup >> ADD/EDIT) to restrict administrator access control.

1) Enable and configure the cisco 09\001 cisco av-pair using

aironet:admin-capability=write+ident+admin+firmware

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1073082
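
Added example (not part of the original reply and not Cisco code): the [026/009/001] label in the steps above is RADIUS attribute 26 (Vendor-Specific), vendor ID 9 (Cisco), vendor type 1 (cisco-av-pair). The sketch below encodes that attribute in the RFC 2865 layout and pulls the admin capability list out of an attribute list, which is a way to check in a capture what the server actually returns. The function names and the sample bytes are constructed for illustration.

```python
import struct

VSA_TYPE = 26         # RADIUS Vendor-Specific attribute (RFC 2865, section 5.26)
CISCO_VENDOR_ID = 9   # the "009" in [026/009/001]
CISCO_AVPAIR = 1      # the "001" in [026/009/001]
PREFIX = "aironet:admin-capability="

def encode_avpair(value: str) -> bytes:
    """Build the attribute bytes a RADIUS server places in an Access-Accept."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("AV pair too long for one RADIUS attribute")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def cisco_avpairs(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list and return every Cisco AV-pair string."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + a_len]
        if a_type == VSA_TYPE and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            in_bounds = 2 <= v_len <= len(value) - 4
            if vendor == CISCO_VENDOR_ID and v_type == CISCO_AVPAIR and in_bounds:
                found.append(value[6:4 + v_len].decode("ascii", "replace"))
        i += a_len
    return found

def admin_capabilities(attrs: bytes) -> set[str]:
    """Return the capabilities granted by aironet:admin-capability AV pairs."""
    caps = set()
    for pair in cisco_avpairs(attrs):
        if pair.startswith(PREFIX):
            caps.update(c for c in pair[len(PREFIX):].split("+") if c)
    return caps

# Constructed sample: a Reply-Message (type 18) followed by the AV pair.
SAMPLE = bytes([18, 4]) + b"ok" + encode_avpair(PREFIX + "write+ident+admin+firmware")

if __name__ == "__main__":
    print(sorted(admin_capabilities(SAMPLE)))
```

An attribute list with no Cisco AV pair yields an empty set, so the same function shows when a reply carries no admin capabilities at all.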

4 REPLIES
New Member

Re: User Authentication

Can I accomplish the same results by applying the change to the group rather than the user?

New Member

Re: User Authentication

I applied it to the group and this now works. If I pull out all the users out of the local user information table, will it impact my ability to use RADIUS for authentication? I think the answer is no but want a second opinion before I remove the ID.

Thanks.

New Member

Re: User Authentication

I could not add a new "NAS Radius (IOS/PIX)" for my AP; it says "An overlapping IP range has been detected". This is because this AP is also configured for "NAS Radius (Cisco Aironet)", which is for my PEAP authentication.

So how do I go about authenticating my AP administrators?
