Configuring Authentication in AAP

Tags

In Autonomous AP configurations, authentications type configured under SSID section.Below shows the configuration options available for authentication.

AAP1(config-ssid)#authentication ?
  client          EAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method

1. Authentication Open:
Set authentication open for this SSID. There are optional configuration setting available as shown below. If you select “mac-address” option, AP forces all client devices to perform MAC-address authentication before they allow to network.

AAP1(config-ssid)#authentication open ?
  eap          eap method
  mac-address  mac-address authentication method
  optional     optional eap method

If you select “eap” option with a list-name, AP forces all client devices to perform EAP authentication before they allow to network.

You can use “optional” keyword to allow client devices using either Open or EAP authentication to associate & become authenticated.

2. Authentication Shared:
Set the authentication type for the SSID to shared key.It is not an recommended setting due to security flaw of this method. Here are the configuration option comes with this. Like in the Open method here you can specify either MAC or EAP authentication to be used with Shared method.

AAP1(config-ssid)#authentication shared ?
  eap          eap method
  mac-address  mac-address authentication method
  <cr>

3. Authentication Key-management:
This sets the authentication type for the SSID to WPA, CCKM or both. If you use optional keyword (eg : “authentication key-management wpa cckm optional”), client devices other than WPA & CCKM clients can use this SSID.

AAP1(config-ssid)#authentication key-management ?
  cckm  allow CCKM clients
  wpa   allow WPA clients

This is the most important setting as this settings may depend on authentication method you configure. Here are few of them

a). To enable CCKM for an SSID, you must also enable Network-EAP authentication. When Network-EAP & CCKM enabled, client devices using LEAP, EAP-FAST, PEAP(MSCHAP/GTC), EAP-TLS can authenticate using the SSID.

b). To enable WPA for an SSID, you must also enable Open authentication or Network-EAP or both.

c). When you enable both WPA & CCKM for an SSID, you must enter WPA first & CCKM second.

d). Before you can enable CCKM or WPA, you must set the encryption mode for the SSID’s VLAN to one of the cipher suite option. If you want to enable both CCKM & WPA, cipher suite to include TKIP.

Here is an example how to configure a SSID for few of these authentication method. You have to external RADIUS server configured with AAP details for its client authentication. You can simply do that add AAP as AAA client to the ACS with the configured shared key as shown in the below.

Also ensure required authentication types are allowed in your ACS which are going to be supported.(Access Policies-> Access Services -> Default Network Access -> Authorization)

In AAP side you have to configure SSID, Sub-interfaces & RADIUS server details as shown below. In this example WPA key management configured (both WPAv1 & WPAv2 supported in this way) with encryption method as CCKM or TKIP.(Specific configuration to SSID is shown)

dot11 ssid MRN-CCIEW
   vlan 15
   authentication open eap EAP_METHOD_1
   authentication key-management wpa 
   mbssid guest-mode

interface Dot11Radio1
 encryption vlan 15 mode ciphers aes-ccm tkip
 ssid MRN-CCIEW

interface Dot11Radio1.15
 encapsulation dot1Q 15
 bridge-group 15
interface GigabitEthernet0.15
 encapsulation dot1Q 15
 bridge-group 15

aaa new-model
aaa group server radius RAD_GROUP
 server 192.168.100.2 auth-port 1812 acct-port 1813
aaa authentication login EAP_METHOD_1 group RAD_GROUP
radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key 0 mrn-cciew

You can test different type of authentication using Anyconnect Client. Here is the successful connection of few types I have tested.

EAP-FAST Connection (with WPA2 & AES)

LEAP Authentication (with WPA2 & AES)

PEAP connection (with WPA2 & AES)

I tried to get it working these with WPA, but I cannot see how I can set WPA with TKIP. WPA Enterprise AES option seems not working under my configuration. I tried EAP-FAST, LEAP, PEAP like below & no luck with client association.