
In this post we will expand our previous configuration (please read the "Autonomous AP as Local Radius Server" post before this one) to support the following scenario. We will configure AAP2 to use AAP1 as its authentication server and define 3 different SSIDs as shown in the diagram. We will still use LEAP (Lightweight Extensible Authentication Protocol) as the security mechanism.

[Diagram: AAP-LEAP-01]

In this example only AAP1 should be configured as the local RADIUS server, and AAP2 should be configured as a RADIUS client pointing to AAP1's IP. The basic configuration below is common to AAP1 and AAP2, except for the hostname and the BVI IP address.

hostname AAP2
interface BVI1
 ip address 10.10.110.101 255.255.255.0
ip default-gateway 10.10.110.3
!
interface Dot11Radio1.12
 encapsulation dot1Q 12
 bridge-group 12
interface Dot11Radio1.13
 encapsulation dot1Q 13
 bridge-group 13
interface Dot11Radio1.14
 encapsulation dot1Q 14
 bridge-group 14
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface GigabitEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12
interface GigabitEthernet0.13
 encapsulation dot1Q 13
 bridge-group 13
interface GigabitEthernet0.14
 encapsulation dot1Q 14
 bridge-group 14
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
dot11 ssid data
   vlan 12
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   mbssid guest-mode
dot11 ssid voice
   vlan 13
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   mbssid guest-mode
dot11 ssid guest
   vlan 14
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   mbssid guest-mode
!
interface Dot11Radio1
 mbssid
 encryption vlan 12 mode ciphers aes-ccm
 encryption vlan 13 mode ciphers aes-ccm
 encryption vlan 14 mode ciphers aes-ccm
 ssid data
 ssid voice
 ssid guest
 no shut

Now on AAP2 you have to configure RADIUS as below. Note that you point to AAP1's IP as the RADIUS server, with the shared key “cisco”.

aaa new-model
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key cisco
radius-server attribute 32 include-in-access-req format %h
!
aaa group server radius rad_eap
 server 10.10.110.100 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local

On AAP1 you have to add AAP2 as a NAS so that it is allowed to query AAP1 for user authentication. I have created 3 user groups under the local RADIUS server, where I can assign the shared settings (VLAN and SSID) for each group. If you do not want AAP1 (the local RADIUS server AP) to associate clients itself, you can remove the “nas 10.10.110.100” line from the config.

radius-server local
  nas 10.10.110.100 key cisco
  nas 10.10.110.101 key cisco
 group data-users
    vlan 12
    ssid data
  group voice-users
    vlan 13
    ssid voice
  group guest-users
    vlan 14
    ssid guest
  user duser1 password duser1 group data-users
  user duser2 password duser2 group data-users
  user vuser1 password vuser1 group voice-users 
  user vuser2 password vuser2 group voice-users
  user guser1 password guser1 group guest-users 
  user guser2 password guser2 group guest-users
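As an added consistency check (example code written for this post, not part of the original or of Cisco IOS): a small Python script that parses the two kinds of fragments shown above and flags a local RADIUS group whose VLAN/SSID pair does not match the client AP's `dot11 ssid` mapping, or a client AP that is missing from the NAS list. The config strings are constructed from the post and the AP's BVI IP is passed in as an argument.

```python
import re  # checker for the AAP1/AAP2 pairing; the sample configs below are constructed from the post
AP_CONFIG = """\
dot11 ssid data
   vlan 12
dot11 ssid guest
   vlan 14
"""
LOCAL_RADIUS = """\
radius-server local
  nas 10.10.110.101 key cisco
  group data-users
    vlan 12
    ssid data
  group guest-users
    vlan 14
    ssid guest
"""

def parse_ap_ssids(cfg):
    """{ssid: vlan} from 'dot11 ssid' blocks; a bare ' vlan N' line only occurs inside them."""
    ssids, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"dot11 ssid (\S+)", line):
            cur = m.group(1)
        elif cur and (m := re.match(r"\s+vlan (\d+)$", line)):
            ssids[cur] = int(m.group(1))
    return ssids

def parse_local_radius(cfg):
    """(NAS IPs, {group: {'vlan': n, 'ssid': name}}) from a 'radius-server local' block."""
    nas, groups, cur = set(), {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s+nas (\S+) key", line):
            nas.add(m.group(1))
        elif m := re.match(r"\s+group (\S+)", line):
            cur = groups.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"\s+(vlan|ssid) (\S+)", line)):
            cur[m.group(1)] = m.group(2)
    return nas, groups

def check(ap_ip, ap_cfg, radius_cfg):
    """Problems that would make AAP1's per-group VLAN/SSID push disagree with the client AP."""
    ssids = parse_ap_ssids(ap_cfg)
    nas, groups = parse_local_radius(radius_cfg)
    problems = [] if ap_ip in nas else [f"{ap_ip} is not a NAS on the local RADIUS server"]
    for g, a in groups.items():
        ap_vlan = ssids.get(a.get("ssid"))  # None when the SSID is not defined on the AP
        if ap_vlan != int(a.get("vlan", 0)):
            problems.append(f"group {g}: server has vlan {a.get('vlan')} ssid {a.get('ssid')}, AP has vlan {ap_vlan}")
    return problems
```

Run `check("10.10.110.101", AP_CONFIG, LOCAL_RADIUS)` against AAP2's IP; an empty list means every group's VLAN/SSID pair matches the AP and the AP is an authorised NAS.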

Finally, from your AnyConnect client you can associate to any of these SSIDs. See below.

AAP2#sh dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [data] : 
MAC Address    IP address      Device        Name            Parent         State     
0022.fa94.6858 10.10.12.51     ccx-client    AAP2            self           EAP-Assoc

SSID [guest] : 
MAC Address    IP address      Device        Name            Parent         State     
04f7.e4ea.5b66 10.10.14.53     unknown       -               self           EAP-Assoc

AAP1#sh dot11 ass
802.11 Client Stations on Dot11Radio1: 
SSID [voice] : 
MAC Address    IP address      Device        Name            Parent         State     
6420.0ce0.2375 10.10.13.13     unknown       -               self           EAP-Assoc

In the next post we will see how we can use other EAP methods to authenticate clients.

Related Posts

1. Autonomous AP with WEP Security
2. Autonomous AP with WPA-PSK Security
3. Autonomous AP as Local Radius Server
4. Autonomous AP with EAP-FAST Security
5. Autonomous AP with EAP-TLS Security
6. Autonomous AP – QoS