
In a small autonomous wireless network there may not be a RADIUS server available for 802.1X authentication. In a situation like this you can configure one of your AAPs as a local authentication server. This AP can then authenticate up to 50 clients using LEAP, EAP-FAST or MAC-based authentication.

In this post we will configure an AAP as a local RADIUS server to support LEAP authentication. I will create an SSID called “data3” with VLAN 14. We will first configure this in the GUI and later derive the CLI commands. I will use WPA2 as the key management method.

First of all you need to configure the VLAN on AAP1. You can do this in the “SERVICES -> VLAN” section.

The next step is to configure an encryption method for this VLAN. Since I am planning to use WPA2, I have to configure the encryption as AES-CCMP. You can do this in the “SECURITY -> Encryption Manager” section.

Then you can create the SSID and configure the authentication key management method (WPA2). You have to go to the “SECURITY -> SSID Manager” section for this. You have to set the client authentication setting to “Network EAP” in order to support LEAP. Key management is configured as WPA2.

Now you have to configure the RADIUS server; in this case we will be pointing it to the AAP itself. You can do this from the “SECURITY -> Server Manager” section. The authentication and accounting ports are configured as 1812 and 1813. The AAP BVI IP is configured as the server IP and the shared secret as “cisco”.

Make sure you select the configured RADIUS server as the default server priority for EAP authentication.

Now you need to configure the AAP as a local RADIUS server and specify the authentication protocol. In this example LEAP is sufficient, but I configured the others to become familiar with the CLI commands that enable them. The shared secret used is “cisco”.

Finally you can configure a local username and password for a client. I have configured one as “cisco/cisco”.

Now you can check this configuration with the AnyConnect client.


Now we will look at the CLI commands with which we can achieve this. First of all you have to configure your basic AAP configuration as below.

hostname AAP1
interface Dot11Radio1.14
 encapsulation dot1Q 14
 bridge-group 14
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
interface GigabitEthernet0.14
 encapsulation dot1Q 14
 bridge-group 14
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
interface BVI1
 ip address
 no ip route-cache
ip default-gateway

The next step is to configure the SSID and the authentication key management method. For LEAP to work properly with a Windows client you have to specify “Open Authentication with EAP Methods”. For Cisco AnyConnect, “Network EAP” should be sufficient.

You also have to configure the encryption to be used under the radio interface. Since we are using WPA2, the encryption should be AES-CCMP.

dot11 ssid data3
   vlan 14
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   mbssid guest-mode
interface Dot11Radio1
 encryption vlan 14 mode ciphers aes-ccm
 ssid data3

Next you can configure RADIUS on the AAP, pointing to its own IP. “radius-server attribute 32 include-in-access-req format %h” allows the AP to send its system name in the NAS_ID attribute for authentication. The RADIUS server group is defined as “rad_eap” and it is called for login authentication.

aaa new-model
radius-server host auth-port 1812 acct-port 1813 key cisco
radius-server attribute 32 include-in-access-req format %h
aaa group server radius rad_eap
 server auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local

Finally you can configure the AAP as a local authenticator. You have to define all the local usernames and passwords for your clients in this section. Also, if any other AAPs use this AP as their RADIUS server, you have to specify those AAPs' IPs with the secret key. In this example only a single AP and one local user are created for testing.

radius-server local
  nas key cisco
  user cisco password cisco

That’s pretty much it, and you can test with your AnyConnect client now. You should see the client get associated, and you can check the details via the CLI using the “show dot11 association” command.
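
The CLI sections above only work together if the names and secrets match across them: the SSID's EAP method list, the login list and its server group, the AES-CCMP cipher on the SSID's VLAN, and the key on both the “radius-server host” and “nas” lines. The following check is an added example, not part of the original post; its sample config is constructed, with 192.0.2.10 as an assumed placeholder for the AP's BVI1 address and the nas line written in the “nas <ip> key <secret>” form.

```python
import re

# Constructed sample: the post's CLI, 192.0.2.10 standing in for the BVI1 IP.
SAMPLE = """\
dot11 ssid data3
   vlan 14
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
interface Dot11Radio1
 encryption vlan 14 mode ciphers aes-ccm
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key cisco
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server local
  nas 192.0.2.10 key cisco
  user cisco password cisco
"""

def audit(config):
    """Return a list of findings; an empty list means the sections line up."""
    find = lambda pattern: re.findall(pattern, config, re.M)
    findings = []
    method_lists = dict(find(r"^aaa authentication login (\S+) group (\S+)"))
    groups = set(find(r"^aaa group server radius (\S+)"))
    hosts = dict(find(r"^radius-server host (\S+) .*key (\S+)"))
    nas = dict(find(r"^[ \t]+nas (\S+) key (\S+)"))
    ccmp_vlans = set(find(r"^[ \t]*encryption vlan (\d+) mode ciphers aes-ccm"))
    # An SSID block is its header line plus the indented lines under it.
    for name, body in find(r"^dot11 ssid (\S+)\n((?:[ \t]+.*\n?)*)"):
        for lst in set(re.findall(r"authentication (?:open eap|network-eap) (\S+)", body)):
            if lst not in method_lists:
                findings.append(f"{name}: method list {lst} is not defined")
            elif method_lists[lst] not in groups:
                findings.append(f"{name}: server group {method_lists[lst]} is not defined")
        vlan = re.search(r"vlan (\d+)", body)
        if "key-management wpa version 2" in body and not (vlan and vlan.group(1) in ccmp_vlans):
            findings.append(f"{name}: WPA2 without aes-ccm on its VLAN")
    # The AP is its own RADIUS client: host key and nas key must agree.
    for ip, key in hosts.items():
        if ip not in nas:
            findings.append(f"no nas entry for {ip} under radius-server local")
        elif nas[ip] != key:
            findings.append(f"shared secret mismatch for {ip}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "sections are consistent")
```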

So for the exam I have to remember these CLI commands. Once you break down the whole config into simple sections it is much easier than I initially thought. We will look at another example with multiple AAPs and multiple user groups in the next example.
