In this post we will look at how to configure a WLC for an external RADIUS server. A RADIUS server can handle two functions, namely Authentication and Accounting. In addition to these two, TACACS can handle Authorization (which completes the three components of AAA).
You can configure a RADIUS server on a WLC for Authentication under the “Security -> RADIUS -> Authentication” section as shown below.
You can see the servers added to the WLC as below (the above capture shows the specific configuration of one particular RADIUS server defined on the WLC).
Here are the CLI commands required to define a RADIUS server, with the highlighted settings. You can refer to the 7.0.116.0 configuration guide (pages 6-12 to 6-15) for a comprehensive list of CLI commands for this. Below are the important configurable options.
(WLC3) >config radius ?
acct                 Configures a RADIUS Accounting Server.
aggressive-failover  Enables/Disables Aggressive Failover
auth                 Configures a RADIUS Authentication Server.
backward             Configures RADIUS Vendor Id backward compatibility
callStationIdCase    Configures Call Station Id case in RADIUS messages.
callStationIdType    Configures Call Station Id information sent in radius messages
fallback-test        Configures server fallback test

(WLC3) >config radius auth ?
add                  Configures a RADIUS Authentication Server.
delete               Deletes a RADIUS Server.
disable              Disables a RADIUS Server.
enable               Enables a RADIUS Server.
ipsec                Enables or disables IPSEC support for an authentication server
keywrap              Configures RADIUS keywrap
mac-delimiter        Configures MAC delimiter for caller-station-ID and calling-station-ID
management           Configures a RADIUS Server for management users.
network              Configures a default RADIUS server for network users.
retransmit-timeout   Changes the default retransmission timeout for the server
rfc3576              Enables or disables RFC-3576 support for an authentication server

(WLC3) >config radius acct ?
add                  Configures a RADIUS Authentication Server.
delete               Deletes a RADIUS Server.
disable              Disables a RADIUS Server.
enable               Enables a RADIUS Server.
ipsec                Enables or disables IPSEC support for an accounting server
mac-delimiter        Configures MAC delimiter for caller-station-ID and calling-station-ID
network              Configures a default RADIUS server for network users.
retransmit-timeout   Changes the default retransmission timeout for the server
Here is the basic CLI configuration for RADIUS authentication on a WLC. “1” is the server index ID given, and you can configure up to 17 RADIUS servers in a WLC.
(WLC3) >config radius callStationIdType ipaddr
(WLC3) >config radius auth mac-delimiter {colon|hyphen|none|single-hyphen}
(WLC3) >config radius auth add 1 192.168.100.2 1812 ascii cisco     -> shared secret in ASCII format
(WLC3) >config radius auth retransmit-timeout 1 5                    -> default is 2s
(WLC3) >config radius auth network 1 {enable|disable}
(WLC3) >config radius auth management 1 {enable|disable}
(WLC3) >config radius auth {enable|disable} 1                        -> enabled by default
Here is the basic CLI configuration for RADIUS accounting on a WLC.
(WLC3) >config radius callStationIdType ipaddr
(WLC3) >config radius acct mac-delimiter {colon|hyphen|none|single-hyphen}
(WLC3) >config radius acct add 1 192.168.100.2 1813 ascii cisco     -> shared secret in ASCII format
(WLC3) >config radius acct retransmit-timeout 1 5                    -> default is 2s
(WLC3) >config radius acct network 1 {enable|disable}
(WLC3) >config radius acct {enable|disable} 1                        -> enabled by default
Here are the accounting configuration settings as seen in the GUI, derived from the above CLI commands.
The following CLI commands can be used to verify your configuration.
(WLC3) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
  Test Mode.................................... Off
  Probe User Name.............................. cisco-probe
  Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ colon
MAC Delimiter for Accounting Messages............ colon

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576   IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------   ------------------------------------------------
1    NM    192.168.100.2     1812    Enabled   5     Disabled  Disabled - none/unknown/group-0/0 none/none

Accounting Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576   IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------   ------------------------------------------------
1    N     192.168.100.2     1813    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

(WLC3) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.100.2
Msg Round Trip Time.............................. 4 (msec)
First Requests................................... 53327
Retry Requests................................... 60
Accept Responses................................. 4923
Reject Responses................................. 2610
Challenge Responses.............................. 45788
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 70
Unknowntype Msgs................................. 0
Other Drops...................................... 6

(WLC3) >show radius acct statistics
Global Accounting Info:
Accounting Interim update sent count........... 0
Accounting Info per Servers:
Accounting Server Index........................ 1
  Server Address............................... 192.168.100.2
  Msg Round Trip Time.......................... 3 (msec)
  First Requests............................... 34194
  Retry Requests............................... 243
  Accounting Responses......................... 34150
  Malformed Msgs............................... 0
  Bad Authenticator Msgs....................... 0
  Pending Requests............................. 0
  Timeout Requests............................. 287
  Unknowntype Msgs............................. 0
  Other Drops.................................. 9
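The statistics above are the first place to look when a WLAN stops authenticating, so it helps to pull them into a structured form and flag the counters that matter (Bad Authenticator, Malformed, Timeout). The following Python is an added example, not code from the post or from Cisco: it parses the dotted "show radius ... statistics" layout shown above and applies a couple of illustrative thresholds. The sample text is constructed from the listing above, and the second sample (server index 2, 192.168.100.3) is entirely made up to show a failing server.

```python
import re

# Constructed from the "show radius auth statistics" listing in the post (server 1).
SAMPLE_AUTH_STATS = """\
(WLC3) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.100.2
Msg Round Trip Time.............................. 4 (msec)
First Requests................................... 53327
Retry Requests................................... 60
Accept Responses................................. 4923
Reject Responses................................. 2610
Challenge Responses.............................. 45788
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 70
Unknowntype Msgs................................. 0
Other Drops...................................... 6
"""

# Constructed (hypothetical) listing for a server whose shared secret is wrong
# and which is also timing out; not from the post.
SAMPLE_BAD_SECRET = """\
Server Index..................................... 2
Server Address................................... 192.168.100.3
First Requests................................... 100
Bad Authenticator Msgs........................... 100
Timeout Requests................................. 100
"""

# A field line is "<name>....... <value>"; the name is letters/spaces, the value
# the first token after the dot leader (the "(msec)" suffix is dropped).
LINE_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\.{2,}\s*(?P<val>\S+)")


def parse_radius_stats(text):
    """Return {field name: value} from a WLC 'show radius ... statistics' listing.

    Purely numeric values are converted to int; anything else (addresses) stays a str.
    """
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt, section headers, blank lines
        key, val = m.group("key").strip(), m.group("val")
        stats[key] = int(val) if val.isdigit() else val
    return stats


def assess(stats, max_timeout_pct=1.0):
    """Return a list of findings for one server's counters.

    The 1% timeout threshold is an illustrative assumption, not a Cisco recommendation.
    """
    findings = []
    if stats.get("Bad Authenticator Msgs", 0) > 0:
        # Responses whose authenticator did not verify: the usual cause is a
        # shared-secret mismatch between the WLC and the RADIUS server.
        findings.append("bad authenticator messages: check the shared secret on both sides")
    if stats.get("Malformed Msgs", 0) > 0:
        findings.append("malformed messages received from the server")
    first = stats.get("First Requests", 0)
    if first:
        pct = 100.0 * stats.get("Timeout Requests", 0) / first
        if pct > max_timeout_pct:
            findings.append(f"timeout rate {pct:.2f}% exceeds {max_timeout_pct}%")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_AUTH_STATS, SAMPLE_BAD_SECRET):
        stats = parse_radius_stats(sample)
        print(stats.get("Server Address"), assess(stats) or "ok")
```

Run against the post's own numbers the healthy server produces no findings (70 timeouts in 53,327 requests is about 0.13%), while the constructed second sample is flagged for both the authenticator failures and the timeout rate.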
Remember that you need to configure ACS with the same shared secret and the WLC's IP address for this to work. Here is the ACS 5.2 screen capture related to this (in the Network Resources -> Network Device Groups -> Network Devices and AAA Clients section).
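The reason the shared secret has to match on both ends is that RADIUS (RFC 2865) mixes it into the Response Authenticator, MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), that the WLC checks on every reply. The Python below is an added example, not code from the post or from Cisco or ACS: it simulates one Access-Request/Access-Accept exchange and shows that a reply built with a different secret, or a reply whose code byte has been altered in transit, fails the WLC-side check. The secret "cisco" is the one used in the commands above; the identifier and the empty attribute list are arbitrary choices for the demonstration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_packet(code, identifier, authenticator, attributes=b""):
    """Assemble a RADIUS packet: fixed header (RFC 2865 section 3) plus raw attribute bytes."""
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = HEADER_LEN + len(attributes)
    data = struct.pack("!BBH", code, identifier, length) + request_auth + attributes + secret
    return hashlib.md5(data).digest()


def verify_response(response, request_auth, secret):
    """NAS-side check of a reply against the Request Authenticator it sent and its own secret."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False  # truncated or padded packet
    expected = response_authenticator(code, identifier, request_auth, response[HEADER_LEN:], secret)
    # Constant-time compare so a forged reply cannot be tuned byte by byte.
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def exchange(server_secret, nas_secret, identifier=7, tamper=False):
    """Simulate one exchange and return whether the NAS (WLC) accepts the server's reply.

    server_secret is what the RADIUS server (ACS) has configured for this client,
    nas_secret what the WLC was given with 'config radius auth add'. With tamper=True
    the Access-Accept code is rewritten to Access-Reject after the server signed it.
    """
    request_auth = os.urandom(16)  # the NAS picks a fresh random Request Authenticator
    reply_auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, b"", server_secret)
    reply = build_packet(ACCESS_ACCEPT, identifier, reply_auth)
    if tamper:
        reply = bytes([ACCESS_REJECT]) + reply[1:]
    return verify_response(reply, request_auth, nas_secret)


if __name__ == "__main__":
    print("matching secrets  :", exchange(b"cisco", b"cisco"))
    print("mismatched secrets:", exchange(b"cisco", b"cisc0"))
    print("altered reply     :", exchange(b"cisco", b"cisco", tamper=True))
```

A reply that fails this check is discarded by the WLC and is the kind of event the "Bad Authenticator Msgs" counter in the statistics above reports, which is why a secret typo on either side shows up as clients failing to authenticate even though the server is reachable.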
In the next post we will look at the TACACS configuration on a WLC.
Thanks for your good post.
I've got one question..
What situation counts up the “Other Drops”?!
Thanks
Hi Rasika,
Could you please let me know what INTERIM UPDATE means in the:
SSID -> SECURITY -> AAA SERVERS -> RADIUS SERVER ACCOUNTING
thanks
Abraham
Hello Rasika,
Thank you for this post.
What is the difference between the two parameters “network user” and “management” when adding the AAA server to the WLC?
thanks,
Alexis
Network user means a normal wireless end user.
Management user is required if you are using this AAA server to authenticate users who log onto the WLC to manage it.
HTH
Rasika
Hi Rasika
Do you have a guide on how to setup the Windows RADIUS server that will work with Cisco WLC based on this article?
Best
Jim
Nayarasi, what are the CLI commands to add the auth and acct servers to specific WLANs?
Hi Rober,
Did you try the below command syntax (the WLAN has to be disabled first)?
(5508-3) >config wlan radius_server ?
acct Configures a RADIUS Accounting Server.
auth Configures a RADIUS Authentication Server.
overwrite-interface Configures RADIUS dynamic interface.
realm wlan radius auth realm
HTH
Rasika
Thank you. This is what I am looking for.
What is the meaning of N and NM under Type? Thanks.
Hi Nayarasi, that’s fine, I found it. N – network user, M – Management
Does anyone know what the meaning of the asterisk (*) is next to the RADIUS server IP in the WLC GUI under Security > AAA > RADIUS > Authentication or Accounting server list?