In this post we will expand our previous configuration (please read the "Autonomous AP as Local Radius Server" post before this one) to support the following scenario. We will configure AAP2 to use AAP1 as its authentication server and define three different SSIDs as shown in the diagram. We will still use LEAP (Lightweight Extensible Authentication Protocol) as the security mechanism.
In this example only AAP1 should be configured as the local RADIUS server, and AAP2 should be configured as a RADIUS client pointing to AAP1's IP address. The basic configuration below is common to AAP1 and AAP2 except for the hostname and the BVI IP address.
hostname AAP2
interface BVI1
 ip address 10.10.110.101 255.255.255.0
ip default-gateway 10.10.110.3
!
interface Dot11Radio1.12
 encapsulation dot1Q 12
 bridge-group 12
interface Dot11Radio1.13
 encapsulation dot1Q 13
 bridge-group 13
interface Dot11Radio1.14
 encapsulation dot1Q 14
 bridge-group 14
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface GigabitEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12
interface GigabitEthernet0.13
 encapsulation dot1Q 13
 bridge-group 13
interface GigabitEthernet0.14
 encapsulation dot1Q 14
 bridge-group 14
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
dot11 ssid data
 vlan 12
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
dot11 ssid voice
 vlan 13
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
dot11 ssid guest
 vlan 14
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
interface Dot11Radio1
 mbssid
 encryption vlan 12 mode ciphers aes-ccm
 encryption vlan 13 mode ciphers aes-ccm
 encryption vlan 14 mode ciphers aes-ccm
 ssid data
 ssid voice
 ssid guest
 no shut
Now on AAP2 you have to configure RADIUS as below. Note that you point to AAP1's IP address as the RADIUS server, with the shared key "cisco".
aaa new-model
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key cisco
radius-server attribute 32 include-in-access-req format %h
!
aaa group server radius rad_eap
 server 10.10.110.100 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
On AAP1 you have to add AAP2 as a NAS so that it is allowed to query AAP1 for user authentication. I have created three user groups under the local RADIUS server so that I can assign shared settings to each group. If you do not want AAP1 (the AP acting as local RADIUS server) to associate clients itself, you can remove the "nas 10.10.110.100" line from the config.
radius-server local
 nas 10.10.110.100 key cisco
 nas 10.10.110.101 key cisco
 group data-users
  vlan 12
  ssid data
 group voice-users
  vlan 13
  ssid voice
 group guest-users
  vlan 14
  ssid guest
 user duser1 password duser1 group data-users
 user duser2 password duser2 group data-users
 user vuser1 password vuser1 group voice-users
 user vuser2 password vuser2 group voice-users
 user guser1 password guser1 group guest-users
 user guser2 password guser2 group guest-users
Finally, if you go to your AnyConnect client you can associate to any of these SSIDs. See below.
AAP2#sh dot11 associations

802.11 Client Stations on Dot11Radio1:

SSID [data] :
MAC Address     IP address      Device        Name   Parent   State
0022.fa94.6858  10.10.12.51     ccx-client    AAP2   self     EAP-Assoc

SSID [guest] :
MAC Address     IP address      Device        Name   Parent   State
04f7.e4ea.5b66  10.10.14.53     unknown       -      self     EAP-Assoc

AAP1#sh dot11 ass

802.11 Client Stations on Dot11Radio1:

SSID [voice] :
MAC Address     IP address      Device        Name   Parent   State
6420.0ce0.2375  10.10.13.13     unknown       -      self     EAP-Assoc
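As an added example (not part of the original post and not Cisco code), the following Python script checks the thing a practitioner actually wants to confirm after this setup: that every client authenticated through AAP1's local RADIUS server landed in the VLAN its SSID is mapped to. It parses the `dot11 ssid` stanzas for the SSID-to-VLAN mapping and the `show dot11 associations` output for the client list. The sample texts embedded in it are constructed from the output above, plus one extra constructed client placed in the wrong subnet to show a failing check. The rule that VLAN N is addressed as 10.10.N.0/24 is an assumption inferred from the sample output; the post does not state it.

```python
import ipaddress
import re

# Constructed sample: the three "dot11 ssid" stanzas from the AP configuration above.
SSID_CONFIG = """\
dot11 ssid data
 vlan 12
 authentication open eap eap_methods
 authentication key-management wpa version 2
dot11 ssid voice
 vlan 13
 authentication open eap eap_methods
dot11 ssid guest
 vlan 14
 authentication open eap eap_methods
"""

# Constructed sample: "show dot11 associations" output in the format shown above,
# with one extra constructed client (aabb.cc00.1122) on the guest SSID but holding
# an address from the data VLAN, to exercise the failure path.
ASSOC_OUTPUT = """\
802.11 Client Stations on Dot11Radio1:
SSID [data] :
MAC Address     IP address      Device        Name   Parent   State
0022.fa94.6858  10.10.12.51     ccx-client    AAP2   self     EAP-Assoc
SSID [guest] :
MAC Address     IP address      Device        Name   Parent   State
04f7.e4ea.5b66  10.10.14.53     unknown       -      self     EAP-Assoc
aabb.cc00.1122  10.10.12.77     unknown       -      self     EAP-Assoc
SSID [voice] :
MAC Address     IP address      Device        Name   Parent   State
6420.0ce0.2375  10.10.13.13     unknown       -      self     EAP-Assoc
"""

# Cisco-style MAC (xxxx.xxxx.xxxx), IP, device, name, parent, state.
CLIENT_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)"
)


def parse_ssid_vlans(config):
    """Return {ssid: vlan} from each 'dot11 ssid <name>' stanza and its 'vlan <n>' line."""
    mapping = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^dot11 ssid (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+vlan (\d+)", line)
        if m and current:
            mapping[current] = int(m.group(1))
    return mapping


def parse_associations(output):
    """Return a list of (ssid, mac, ip, state) tuples from 'show dot11 associations' output."""
    clients = []
    ssid = None
    for line in output.splitlines():
        m = re.match(r"^SSID \[(\S+)\]", line)
        if m:
            ssid = m.group(1)
            continue
        m = CLIENT_RE.match(line)
        if m and ssid:
            clients.append((ssid, m.group(1), m.group(2), m.group(3)))
    return clients


def vlan_subnet(vlan):
    # Assumption (inferred from the sample output, not stated in the post):
    # VLAN N is addressed as 10.10.N.0/24.
    return ipaddress.ip_network(f"10.10.{vlan}.0/24")


def check_vlan_placement(config, output):
    """Return {mac: bool}: True when the client's IP lies in the subnet of its SSID's VLAN."""
    ssid_vlan = parse_ssid_vlans(config)
    result = {}
    for ssid, mac, ip, _state in parse_associations(output):
        vlan = ssid_vlan.get(ssid)
        result[mac] = vlan is not None and ipaddress.ip_address(ip) in vlan_subnet(vlan)
    return result


if __name__ == "__main__":
    for mac, ok in check_vlan_placement(SSID_CONFIG, ASSOC_OUTPUT).items():
        print(f"{mac}: {'OK' if ok else 'WRONG VLAN'}")
```

Run it against real `show run` and `show dot11 associations` captures by replacing the two constructed strings; a `WRONG VLAN` result usually means the SSID's `vlan` line, the `dot11 ssid` group in `radius-server local`, or the trunk sub-interface for that VLAN does not match.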
In the next post we will see how we can use other EAP methods to authenticate clients.
1. Autonomous AP with WEP Security
2. Autonomous AP with WPA-PSK Security
3. Autonomous AP as Local Radius Server
4. Autonomous AP with EAP-FAST Security
5. Autonomous AP with EAP-TLS Security
9. Autonomous AP – QoS