
In this post we will see how to configure a RADIUS server & then use it to change the previously created “LTUWireless” WLAN authentication from “Open” to “802.1x”. Since we used the CLI method for the similar config on the 3850, in this case we will use the GUI method & then derive the equivalent CLI config at the end.

We will use the same topology used for the previous post.
[Image: 5760-CUWN-1]
As you remember, these are the 3 basic steps of configuring RADIUS on an IOS device.

1. Define RADIUS server or servers.
2. Define a RADIUS group or groups (listing the RADIUS servers that belong to each group).
3. Define a method list that points to one of the groups defined.

If you go to the 5760 GUI (Configuration -> Wireless -> Security -> AAA) section you should be able to configure those 3 things.

[Image: 5760-RADIUS-1]
Here is the server detail I have entered.
[Image: 5760-RADIUS-2]
Next we will configure the RADIUS server group. You have to go to the Server Groups -> RADIUS section under AAA. Here are the default settings.

[Image: 5760-RADIUS-3]
Here it is once you have configured the RADIUS server group.
[Image: 5760-RADIUS-4]

Then you can configure a method list to be used with the defined RADIUS server group. In here you have to enable 802.1x sys-auth under the General section. Here is what the default settings look like.
[Image: 5760-RADIUS-5]
Here are the settings once I configured them.
[Image: 5760-RADIUS-6]
Now if you look at the configuration in the CLI & compare it with the prior configuration you can derive the config differences.

5760-1#sh archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+aaa new-model
+aaa group server radius RAD-GRP
 +server name ISE-DEV
 +deadtime 1
 +mac-delimiter colon
+aaa authentication dot1x LTU-DOT1X group RAD-GRP local
+aaa accounting dot1x LTU-DOT1X start-stop group RAD-GRP
+aaa server radius dynamic-author
 +client 10.129.0.5 server-key Cisco123
 +auth-type any
+aaa session-id common
+dot1x system-auth-control
+radius server ISE-DEV
 +address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 +key Cisco123
-no aaa new-model
line vty 0 4
 -no login
line vty 5 15
 -no login

As shown below, when we were configuring the 3850 with an 802.1x WLAN we already configured the ISE Default Device (so you do not need to add the 5760 separately).

[Image: 3850-WLAN-P2-2]
Also we had a simple policy with just a permit-access rule for 802.1x wireless connection requests. We also created a user on ISE (user1/Cisco123) for testing. If you need more detail on how we configured that, please see the WLAN configs with 3850 – Part 2 post.

[Image: 5760-RADIUS-7]
Now we change the SSID authentication from Open to dot1x. You can do this via the GUI in the Configure -> Wireless -> WLAN -> Security section. Here are the settings with “Open Authentication”.
[Image: 5760-RADIUS-8]
Now we will change it to dot1x & use the RADIUS server configured above. Since I am planning to use this to test a 7925G as well, I have configured it as dot1x+CCKM.
[Image: 5760-RADIUS-9]

Here are the CLI config differences caused by the above WLAN modifications. Lines with a + sign are the additions & lines with a – sign were removed from the previously saved configuration.

5760-1#sh archive config differences nvram:startup-config system:running-config
wlan LTUWireless 21 LTUWireless
 +accounting-list LTU-DOT1X
 +security wpa akm cckm
 +security dot1x authentication-list LTU-DOT1X
 +session-timeout 1800

wlan LTUWireless 21 LTUWireless
 -no security wpa
 -no security wpa akm dot1x
 -no security wpa wpa2
 -no security wpa wpa2 ciphers aes

Now we can try with the AnyConnect client. As you can see, the client has successfully connected using PEAP authentication.
[Image: 5760-RADIUS-10]
You can view the client detail on the WLC as well. You can see the 7925G phone is also associated to this WLAN with EAP-FAST. Note that “Authentication Algorithm : Open System” in the detail output below is the 802.11 association-level authentication; the Policy Type, Authentication Key Management and EAP Type lines are what confirm 802.1x with EAP-FAST is in use.

5760-1#show wireless client summary 
Number of Local Clients : 2
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3502-2                          21   UP                 11a      
a088.b435.c2f0 L3502-2                          21   UP                 11n(5)   

5760-1#show wireless client mac-address 2c54.2dea.f4ea detail 
Client MAC Address : 2c54.2dea.f4ea
Client Username : user1
AP MAC Address : 2c3f.382b.5260
AP Name: L3502-2
AP slot : 1
Client State : Associated
Wireless LAN Id : 21
Wireless LAN Name: LTUWireless
BSSID : 2c3f.382b.526f
Connected For : 81 secs 
Protocol : 802.11a
Channel : 161
Client IIF-ID : 0x42e80000000016
ASIC : 1
IPv4 Address : 10.142.39.229
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Client CCX version : 4
Client E2E version : No E2E support
Re-authentication Timeout : 1720 (1801)
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : 0
WMM Support : Disabled
Power Save : OFF
Current Rate : 54.0
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : L2AUTHCOMPLETE
Client Entry Create Time : 441535 seconds
Policy Type : WPA2
Authentication Key Management : CCKM
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : EAP-FAST
Interface : WLN-STF-1
VLAN : 1420
Quarantine VLAN : 0
Access VLAN : 1420
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 3
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 15213
  Number of Bytes Sent : 16522
  Number of Packets Received : 139
  Number of Packets Sent : 111
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 1
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 3
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 43 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-2(slot1)
    antenna0: 49 seconds ago -43 dBm
    antenna1: 49 seconds ago -42 dBm
  L3502-2(slot0)
    antenna0: 111 seconds ago -44 dBm
    antenna1: 111 seconds ago -42 dBm

In the next post we will see how to configure AVC on this WLAN & get visibility of the traffic on it.

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760
3. WLAN configs with 3850 – Part 1
4. WLAN configs with 3850 – Part 2
5. 3850(MA) with 5760(MC)
6. 5760 in CA & CUWN
7. 5760 AVC Configuration