In a small wireless network built from autonomous APs there may be no RADIUS server available for 802.1X authentication. In that case you can configure one of your AAPs (autonomous APs) as a local authentication server. That AP can then authenticate up to 50 clients using LEAP, EAP-FAST or MAC-based authentication.
In this post we will configure an AAP as a local RADIUS server to support LEAP authentication. I will create an SSID called “data3” with VLAN 14 (10.10.14.0/24). First we will configure this on the GUI and later derive the CLI commands. I will use WPA2 as the key management method.
The next step is to configure an encryption method for this VLAN. Since I am planning to use WPA2, I have to configure encryption as AES-CCMP. You can do this in the “SECURITY -> Encryption Manager” section.
Then you can create the SSID and configure the authentication key management method (WPA2). You have to go to the “SECURITY -> SSID Manager” section for this. You have to set the client authentication setting to “Network EAP” in order to support LEAP, with key management configured as WPA2.
Now you have to configure the RADIUS server; in this case we will point it to the AAP itself. You can do this from the “SECURITY -> Server Manager” section. The authentication and accounting ports are configured as 1812 and 1813. The AAP BVI IP is configured as the server IP and the shared secret as “cisco”.
Now you need to configure the AAP as a local RADIUS server and specify the authentication protocol. In this example LEAP is sufficient, but I configured the others as well to become familiar with the CLI commands that enable them. The shared secret used is “cisco”.
Now you can check this configuration with the AnyConnect client.
Now we will look at the CLI commands that achieve this. First of all you have to configure your basic AAP configuration as below.
hostname AAP1
!
interface Dot11Radio1.14
 encapsulation dot1Q 14
 bridge-group 14
!
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface GigabitEthernet0.14
 encapsulation dot1Q 14
 bridge-group 14
!
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface BVI1
 ip address 10.10.110.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.110.3
The next step is to configure the SSID and the authentication key management method. For LEAP to work properly with a Windows client you have to specify “Open Authentication with EAP Methods”; for Cisco AnyConnect, “Network EAP” should be sufficient.
You also have to configure the encryption to be used under the radio interface. Since we are using WPA2, the encryption should be AES-CCMP.
dot11 ssid data3
 vlan 14
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
interface Dot11Radio1
 mbssid
 encryption vlan 14 mode ciphers aes-ccm
 ssid data3
Next you can configure RADIUS on the AAP pointing to its own IP. “radius-server attribute 32 include-in-access-req format %h” makes the AP send its system name in the NAS_ID (NAS-Identifier) attribute of its authentication requests. The RADIUS server group is defined as “rad_eap” and is called for login authentication.
aaa new-model
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key cisco
radius-server attribute 32 include-in-access-req format %h
!
aaa group server radius rad_eap
 server 10.10.110.100 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
Finally you can configure the AAP as the local authenticator. You have to define all the local usernames/passwords for clients in this section. Also, if any other AAP uses this AP as its RADIUS server, you have to specify the other AAP IPs with the shared secret as NAS entries. In this example there is only a single AP, and one local user is created for testing.
radius-server local
 nas 10.10.110.100 key cisco
 user cisco password cisco
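As an added consistency check (not part of the original post), this Python script parses the CLI sections above and verifies that the SSID's EAP list, the AAA login list, the server group, the radius-server host entry and the radius-server local NAS entry all chain to the same IP with the same shared secret, and that WPA2 key management is paired with AES-CCMP on the SSID's VLAN. The sample config is constructed from the post's values; a secret mismatch between the host and NAS entries is the kind of mistake it catches.

```python
import re

# Constructed sample mirroring the post's CLI sections (same names and addresses as the post).
SAMPLE_CONFIG = """\
dot11 ssid data3
 vlan 14
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
interface Dot11Radio1
 encryption vlan 14 mode ciphers aes-ccm
 ssid data3
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key cisco
aaa group server radius rad_eap
 server 10.10.110.100 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server local
 nas 10.10.110.100 key cisco
 user cisco password cisco
"""

def check_local_radius_config(cfg):
    """Return a list of inconsistencies between the SSID, AAA and local-RADIUS sections."""
    problems = []
    hosts = dict(re.findall(r"^radius-server host (\S+) .*\bkey (\S+)", cfg, re.M))
    nas = dict(re.findall(r"^ nas (\S+) key (\S+)", cfg, re.M))
    # server group name -> member server IPs (indented lines following the group header)
    groups = {g: re.findall(r"^ server (\S+)", body, re.M) for g, body in
              re.findall(r"^aaa group server radius (\S+)\n((?: .*\n?)*)", cfg, re.M)}
    login = dict(re.findall(r"^aaa authentication login (\S+) group (\S+)", cfg, re.M))
    # Follow the chain SSID EAP list -> login list -> server group -> host -> local NAS entry
    for lst in set(re.findall(r"^ authentication (?:open eap|network-eap) (\S+)", cfg, re.M)):
        grp = login.get(lst)
        if grp not in groups:
            problems.append(f"EAP list '{lst}' is not bound to a defined RADIUS server group")
            continue
        for ip in groups[grp]:
            if ip not in hosts:
                problems.append(f"group '{grp}' references undefined radius-server host {ip}")
            elif ip not in nas:
                problems.append(f"{ip} has no 'nas' entry under radius-server local")
            elif hosts[ip] != nas[ip]:
                problems.append(f"shared secret mismatch for {ip} (host key vs local nas key)")
    # WPA2 key management only works with AES-CCMP configured for the SSID's VLAN
    vlan = re.search(r"^ vlan (\d+)", cfg, re.M)
    ciphers = dict(re.findall(r"^ encryption vlan (\d+) mode ciphers (\S+)", cfg, re.M))
    wpa2 = re.search(r"^ authentication key-management wpa version 2", cfg, re.M)
    if wpa2 and vlan and ciphers.get(vlan.group(1)) != "aes-ccm":
        problems.append(f"WPA2 on VLAN {vlan.group(1)} needs 'encryption vlan {vlan.group(1)} mode ciphers aes-ccm'")
    return problems
```

Running it against the sample returns an empty list; feed it the output of `show running-config` from the AP to check a real configuration.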
So for the exam I have to remember these CLI commands. Once you break the whole config down into simple sections it is much easier than I initially thought. We will look at another example with multiple AAPs and multiple user groups in the next post.
1. Autonomous AP with WEP Security
2. Autonomous AP with WPA-PSK Security
3. Autonomous AP with LEAP Security
4. Autonomous AP with PEAP Security
5. Autonomous AP with EAP-FAST Security
6. Autonomous AP with EAP-TLS Security
9. Autonomous AP – QoS