
In this post we will look at how to configure a WLC for an external RADIUS server. On the WLC a RADIUS server is configured for two functions, Authentication and Accounting. RADIUS does not separate Authorization from Authentication: the authorization result (VLAN, ACL, QoS and similar attributes) rides back inside the same Access-Accept. TACACS+ does separate the three, which is why the WLC lets you configure TACACS+ Authentication, Authorization and Accounting servers individually (completing the 3 components of AAA).

You can configure a RADIUS server on a WLC for Authentication under “Security -> RADIUS -> Authentication” as shown below.

WLC-RAD-TAC-01

You can see the servers added to the WLC as below (the capture above shows the settings of one particular RADIUS server configured on the WLC).

WLC-RAD-TAC-02

Here are the CLI commands required to define a RADIUS server, with the important settings highlighted. Refer to the 7.0.116.0 configuration guide (pages 6-12 to 6-15) for the comprehensive list of CLI commands. Below are the important configurable options.

(WLC3) >config radius ?              
acct           Configures a RADIUS Accounting Server.
aggressive-failover Enables/Disables Aggressive Failover
auth           Configures a RADIUS Authentication Server.
backward       Configures RADIUS Vendor Id backward compatibility
callStationIdCase Configures Call Station Id case in RADIUS messages.
callStationIdType Configures Call Station Id information sent in radius messages
fallback-test  Configures server fallback test

(WLC3) >config radius auth ?           
add            Configures a RADIUS Authentication Server.
delete         Deletes a RADIUS Server.
disable        Disables a RADIUS Server.
enable         Enables a RADIUS Server.
ipsec          Enables or disables IPSEC support for an authentication server
keywrap        Configures RADIUS keywrap
mac-delimiter  Configures MAC delimiter for caller-station-ID and calling-station-ID
management     Configures a RADIUS Server for management users.
network        Configures a default RADIUS server for network users.
retransmit-timeout Changes the default retransmission timeout for the server
rfc3576        Enables or disables RFC-3576 support for an authentication server

(WLC3) >config radius acct ?
add            Configures a RADIUS Authentication Server.
delete         Deletes a RADIUS Server.
disable        Disables a RADIUS Server.
enable         Enables a RADIUS Server.
ipsec          Enables or disables IPSEC support for an accounting server
mac-delimiter  Configures MAC delimiter for caller-station-ID and calling-station-ID
network        Configures a default RADIUS server for network users.
retransmit-timeout Changes the default retransmission timeout for the server

Here is the basic CLI configuration for RADIUS authentication on a WLC. “1” is the server index, and you can configure up to 17 RADIUS servers on a WLC. Keep in mind that the shared secret is the only thing that authenticates RADIUS packets between the WLC and the server (RADIUS signs requests and responses with MD5 keyed by the secret), which is why the ipsec and keywrap options exist in the help output above: use a long random secret and do not reuse a lab value such as “cisco” in production. Also note the difference between the network and management flags: network enables the server for wireless client authentication, management enables it for WLC administrator logins, so the user store on that server then controls admin access to the controller.

(WLC3) >config radius callStationIdType ipaddr
(WLC3) >config radius auth mac-delimiter {colon|hyphen|none|single-hyphen}
(WLC3) >config radius auth add 1 192.168.100.2 1812 ascii cisco   -> shared secret given in ASCII format ("cisco" is only a lab example)
(WLC3) >config radius auth retransmit-timeout 1 5                 -> in seconds; default is 2
(WLC3) >config radius auth network 1 {enable|disable}             -> use this server for wireless client (network) authentication
(WLC3) >config radius auth management 1 {enable|disable}          -> use this server for WLC admin (management) logins
(WLC3) >config radius auth {enable|disable} 1                     -> enabled by default

Here is the basic CLI configuration for a RADIUS Accounting on a WLC.

(WLC3) >config radius callStationIdType ipaddr
(WLC3) >config radius acct mac-delimiter {colon|hyphen|none|single-hyphen}
(WLC3) >config radius acct add 1 192.168.100.2 1813 ascii cisco   -> shared secret given in ASCII format (must match the accounting server's copy)
(WLC3) >config radius acct retransmit-timeout 1 5                 -> in seconds; default is 2
(WLC3) >config radius acct network 1 {enable|disable}             -> use this server for wireless client (network) accounting
(WLC3) >config radius acct {enable|disable} 1                     -> enabled by default

Here are the accounting settings as they appear in the GUI, derived from the above CLI commands.

WLC-RAD-TAC-03

The following CLI commands can be used to verify your configuration. In the summary, the Type column shows N for a server enabled for network users and NM for one enabled for both network and management users, and Tout is the retransmit timeout configured above. In the statistics, a non-zero “Bad Authenticator Msgs” count is the usual sign that the shared secret on the WLC does not match the one on the server, while a growing “Timeout Requests” count points at reachability or a server that is silently dropping packets from an unknown client address.

(WLC3) >show radius summary 
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Off
    Probe User Name.............................. cisco-probe
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ colon
MAC Delimiter for Accounting Messages............ colon

Authentication Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    NM    192.168.100.2     1812    Enabled   5     Disabled  Disabled - none/unknown/group-0/0 none/none

Accounting Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
     N     192.168.100.2     1813    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

(WLC3) >show radius auth statistics 
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.100.2
Msg Round Trip Time.............................. 4 (msec)
First Requests................................... 53327
Retry Requests................................... 60
Accept Responses................................. 4923
Reject Responses................................. 2610
Challenge Responses.............................. 45788
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 70
Unknowntype Msgs................................. 0
Other Drops...................................... 6

(WLC3) >show radius acct statistics 
Global Accounting Info:
  Accounting Interim update sent count........... 0
Accounting Info per Servers:
  Accounting Server Index........................ 1
    Server Address............................... 192.168.100.2
    Msg Round Trip Time.......................... 3 (msec)
    First Requests............................... 34194
    Retry Requests............................... 243
    Accounting Responses......................... 34150
    Malformed Msgs............................... 0
    Bad Authenticator Msgs....................... 0
    Pending Requests............................. 0
    Timeout Requests............................. 287
    Unknowntype Msgs............................. 0
    Other Drops.................................. 9
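Checking these counters by hand is fine for one controller, but the same output is easy to parse. The following script is an added example, not code from the original post or from Cisco: it parses the dotted “Key...... value” format that `show radius auth statistics` and `show radius acct statistics` print, and flags the conditions a practitioner looks for (bad authenticators, malformed or unknown messages, no responses at all, and a timeout rate above a threshold). SAMPLE_AUTH is the post's own output pasted as a string; SAMPLE_BAD is a constructed block for a server with a mismatched secret; the 1% timeout threshold and the function names are assumptions.

```python
"""Health check over WLC `show radius auth/acct statistics` output.

Added example, not from the original post. SAMPLE_AUTH copies the post's
output; SAMPLE_BAD is constructed; the 1% timeout threshold is an assumption.
"""
import re

SAMPLE_AUTH = """\
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.100.2
Msg Round Trip Time.............................. 4 (msec)
First Requests................................... 53327
Retry Requests................................... 60
Accept Responses................................. 4923
Reject Responses................................. 2610
Challenge Responses.............................. 45788
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 70
Unknowntype Msgs................................. 0
Other Drops...................................... 6
"""

# Constructed: what a server configured with a different secret tends to look like.
SAMPLE_BAD = """\
Authentication Servers:
Server Index..................................... 2
Server Address................................... 192.168.100.3
Msg Round Trip Time.............................. 5 (msec)
First Requests................................... 1200
Retry Requests................................... 900
Accept Responses................................. 0
Reject Responses................................. 0
Bad Authenticator Msgs........................... 1200
Timeout Requests................................. 600
"""

LINE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*\.{2,}\s*(?P<val>.+?)\s*$")
NUMBER = re.compile(r"^(\d+)(?: \(msec\))?$")
RESPONSE_KEYS = ("Accept Responses", "Reject Responses",
                 "Challenge Responses", "Accounting Responses")


def parse_radius_stats(text):
    """Return one dict per server block; purely numeric values become ints."""
    servers, current = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key in ("Server Index", "Accounting Server Index"):
            current = {"Server Index": int(val)}
            servers.append(current)
            continue
        if current is None:
            continue  # global lines (e.g. interim update count) before any server
        n = NUMBER.match(val)
        current[key] = int(n.group(1)) if n else val
    return servers


def assess(server, timeout_pct_max=1.0):
    """List of findings for one server; an empty list means healthy."""
    findings = []
    first = server.get("First Requests", 0)
    if server.get("Bad Authenticator Msgs", 0):
        findings.append("bad authenticator: shared secret differs from the server's")
    elif first and not any(server.get(k, 0) for k in RESPONSE_KEYS):
        findings.append("no responses at all: server unreachable or silently dropping our packets")
    if server.get("Malformed Msgs", 0) or server.get("Unknowntype Msgs", 0):
        findings.append("malformed/unknown messages: non-RADIUS listener or damaged packets")
    if first:
        pct = 100.0 * server.get("Timeout Requests", 0) / first
        if pct > timeout_pct_max:
            findings.append(f"timeouts at {pct:.1f}% of first requests (reachability/retransmit timeout)")
    return findings


def check(text, **kw):
    """Map server address -> findings for a whole show output."""
    return {s["Server Address"]: assess(s, **kw) for s in parse_radius_stats(text)}


if __name__ == "__main__":
    for addr, findings in {**check(SAMPLE_AUTH), **check(SAMPLE_BAD)}.items():
        print(addr, "OK" if not findings else "; ".join(findings))
```

The post's own server comes out clean (70 timeouts against 53327 first requests is about 0.1%), while the constructed block trips both the bad-authenticator and the timeout findings. The accounting output uses the same key format, so `check()` works on `show radius acct statistics` unchanged.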

Remember that the ACS must be configured with the same shared secret and with the WLC's IP address as the AAA client for this to work; a mismatch on either side shows up on the WLC as bad authenticators or timeouts rather than as a clear error. Here is the ACS 5.2 screen capture related to this (under Network Resources -> Network Device Groups -> Network Devices and AAA Clients).

WLC-RAD-TAC-04
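To see concretely what the shared secret does in the exchange configured above (and why a mismatch between the WLC and ACS surfaces as “Bad Authenticator Msgs”), here is an added example in Python; it is not code from the original post or from Cisco. It reproduces the client-side steps the WLC performs with the secret given to `config radius auth add`: encrypting the PAP User-Password, formatting Calling-Station-Id per the mac-delimiter setting, signing the Access-Request with a Message-Authenticator (RFC 2869), and validating the Response Authenticator on the reply (RFC 2865). The server side is simulated so the whole thing runs offline. The server address and the secret “cisco” are the post's values; the user name, password, NAS address, client MAC and all function names are constructed for the example.

```python
"""Offline RADIUS shared-secret check (RFC 2865 / RFC 2869).

Added example, not code from the original post or from Cisco. No packets are
sent; the "server" side is simulated so a secret mismatch can be seen end to end.
The secret "cisco" is the post's lab value; everything else is constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 31, 80


def calling_station_id(mac, delimiter="colon"):
    """Format a client MAC the way `config radius auth mac-delimiter` selects."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return {"colon": ":".join(pairs), "hyphen": "-".join(pairs),
            "single-hyphen": digits[:6] + "-" + digits[6:], "none": digits}[delimiter]


def attr(code, value):
    """One TLV attribute: Type, Length (counts the 2 header bytes), Value."""
    return struct.pack("!BB", code, 2 + len(value)) + value


def pap_password(secret, request_auth, password):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(secret, ident, username, password, nas_ip, mac,
                         delimiter="colon", request_auth=None):
    """Client side (what the WLC sends). Returns (packet, request_authenticator)."""
    ra = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, pap_password(secret, ra, password.encode()))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(CALLING_STATION_ID, calling_station_id(mac, delimiter).encode())
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    # RFC 2869 s5.14: HMAC-MD5 over the whole packet with the MA value zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), ra


def verify_message_authenticator(secret, pkt):
    """Server side: was the request signed with our copy of the secret?"""
    pos, found = 20, None
    while pos + 2 <= len(pkt):
        code, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False  # truncated or malformed attribute list
        if code == MESSAGE_AUTHENTICATOR and length == 18:
            found = pos
        pos += length
    if found is None:
        return False
    zeroed = pkt[:found + 2] + b"\x00" * 16 + pkt[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[found + 2:found + 18])


def response_authenticator(secret, code, ident, attrs, request_auth):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(secret, code, ident, attrs, request_auth):
    """Server side (simulated ACS): Access-Accept/Reject for a given request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(secret, code, ident, attrs, request_auth) + attrs


def verify_reply(secret, reply, request_auth):
    """Client side check; a failure here is what the WLC counts as a Bad Authenticator Msg."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(secret, code, ident, reply[20:], request_auth)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"cisco"  # the post's lab secret
    req, ra = build_access_request(secret, 1, "alice", "s3cret", "192.168.100.1",
                                   "00:11:22:aa:bb:cc", "hyphen")
    print("server accepts request signature:", verify_message_authenticator(secret, req))
    reply = build_reply(secret, ACCESS_ACCEPT, 1, b"", ra)
    print("WLC accepts reply with the right secret:", verify_reply(secret, reply, ra))
    print("WLC accepts reply with a wrong secret:", verify_reply(b"Cisco", reply, ra))
```

Two points worth noticing from running it: the secret is case sensitive and never leaves either box, so "Cisco" on the ACS against "cisco" on the WLC fails the Response Authenticator check on every reply without any other error; and the only cryptography involved is MD5 keyed with that secret, which is the practical reason to keep it long and random (and to consider the WLC's ipsec or keywrap options where the RADIUS path is not trusted).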

In next post we will see the TACACS configuration on a WLC.