In this post we will see how to configure a RADIUS server on the 5760 & then use it to change the previously created “LTUWireless” WLAN authentication from “Open” to “802.1x”. Since we used the CLI method for the similar config on the 3850, in this case we will use the GUI method & then derive the equivalent CLI config at the end.
We will use the same topology as in the previous post. As you may remember, these are the 3 basic steps of configuring RADIUS on an IOS device.
1. Define RADIUS server or servers.
2. Define a RADIUS group or groups (listing the RADIUS servers that belong to each group).
3. Define a method list that points to one of the groups defined.
If you go to the 5760 GUI (Configuration -> Wireless -> Security -> AAA) section you should be able to configure those 3 things.
Here is the server detail I have entered.
Next we will configure the RADIUS server group. You have to go to the Server Groups -> RADIUS section under AAA. Here are the default settings.
Here is how it looks once you have configured the RADIUS server group.
Then you can configure a method list to be used with the defined RADIUS server group. Here you also have to enable 802.1x sys-auth under the General section. Here is what the default settings look like, followed by the settings once I configured them.
Now if you look at the configuration in the CLI & compare it with the previously saved configuration, you can derive the config differences.
5760-1#sh archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+aaa new-model
+aaa group server radius RAD-GRP
 +server name ISE-DEV
 +deadtime 1
 +mac-delimiter colon
+aaa authentication dot1x LTU-DOT1X group RAD-GRP local
+aaa accounting dot1x LTU-DOT1X start-stop group RAD-GRP
+aaa server radius dynamic-author
 +client 10.129.0.5 server-key Cisco123
 +auth-type any
+aaa session-id common
+dot1x system-auth-control
+radius server ISE-DEV
 +address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 +key Cisco123
-no aaa new-model
line vty 0 4
 -no login
line vty 5 15
 -no login
As shown below, when we configured the 3850 with an 802.1x WLAN we already configured the ISE Default Device settings (so you do not need to add the 5760 separately).
We also had a simple policy with just a permit-access rule for 802.1x wireless connection requests, and we created a user on ISE (user1/Cisco123) for testing. If you need more detail on how we configured that, please see the WLAN configs with 3850 – Part 2 post.
Now we change the SSID authentication from Open to dot1x. You can do this via the GUI in the Configure -> Wireless -> WLAN -> Security section. Here are the settings with “Open Authentication”.
Now we will change it to dot1x & use the RADIUS server configured above. Since I am planning to use this to test the 7925G as well, I have configured it as dot1x+CCKM.
Here are the CLI config differences caused by the above WLAN modifications. You can see all the additions with a + sign & all the lines removed from the previously saved configuration with a - sign.
5760-1#sh archive config differences nvram:startup-config system:running-config
wlan LTUWireless 21 LTUWireless
 +accounting-list LTU-DOT1X
 +security wpa akm cckm
 +security dot1x authentication-list LTU-DOT1X
 +session-timeout 1800
wlan LTUWireless 21 LTUWireless
 -no security wpa
 -no security wpa akm dot1x
 -no security wpa wpa2
 -no security wpa wpa2 ciphers aes
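As an added example (not part of the original post), here is a small Python check that walks the chain the two diffs above establish: WLAN authentication-list -> aaa authentication dot1x method list -> RADIUS server group -> radius server address, and reports any link that does not resolve. The config sample inside it is constructed from the diff lines shown above; `_block` and `audit_dot1x_chain` are my own names.

```python
import re

# Constructed sample: the AAA and WLAN lines derived in the post, with the diff's '+' removed.
SAMPLE = """\
aaa new-model
aaa group server radius RAD-GRP
 server name ISE-DEV
aaa authentication dot1x LTU-DOT1X group RAD-GRP local
dot1x system-auth-control
radius server ISE-DEV
 address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 key Cisco123
wlan LTUWireless 21 LTUWireless
 security wpa akm cckm
 security dot1x authentication-list LTU-DOT1X
"""

def _block(config, header):
    """Return the indented lines under a top-level config line, or None if absent."""
    m = re.search(rf"^{header}\n((?: .*\n)*)", config, re.M)
    return m.group(1) if m else None

def audit_dot1x_chain(config, wlan):
    """Follow WLAN -> authentication-list -> group -> server -> address;
    return a list of problems (empty list: the chain resolves)."""
    problems = []
    if "dot1x system-auth-control" not in config.splitlines():
        problems.append("dot1x system-auth-control missing")
    body = _block(config, rf"wlan {re.escape(wlan)} \d+ .*")
    if body is None:
        return problems + [f"wlan {wlan} not found"]
    al = re.search(r"^ security dot1x authentication-list (\S+)", body, re.M)
    if not al:
        return problems + [f"wlan {wlan} has no dot1x authentication-list"]
    method = re.search(rf"^aaa authentication dot1x {re.escape(al.group(1))} (.+)$", config, re.M)
    if not method:
        return problems + [f"method list {al.group(1)} undefined"]
    groups = re.findall(r"group (\S+)", method.group(1))
    if not groups:
        problems.append(f"method list {al.group(1)} uses no RADIUS group")
    for g in groups:
        members = _block(config, rf"aaa group server radius {re.escape(g)}")
        if members is None:
            problems.append(f"group {g} undefined")
            continue
        for s in re.findall(r"^ server name (\S+)", members, re.M):
            srv = _block(config, rf"radius server {re.escape(s)}")
            if srv is None or not re.search(r"^ address ipv4 \S+", srv, re.M):
                problems.append(f"server {s} undefined or has no ipv4 address")
    return problems
```

Run it against the output of `show running-config` (pasted into a string) to confirm the WLAN really ends at a reachable RADIUS server rather than silently falling back to `local`.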
Now, we can try with the AnyConnect client. As you can see, the client successfully connected using PEAP authentication. You can view the client detail on the WLC as well. You can see the 7925G phone has also associated to this WLAN, using EAP-FAST.
5760-1#show wireless client summary
Number of Local Clients : 2
MAC Address    AP Name          WLAN State  Protocol
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3502-2          21   UP     11a
a088.b435.c2f0 L3502-2          21   UP     11n(5)

5760-1#show wireless client mac-address 2c54.2dea.f4ea detail
Client MAC Address : 2c54.2dea.f4ea
Client Username : user1
AP MAC Address : 2c3f.382b.5260
AP Name: L3502-2
AP slot : 1
Client State : Associated
Wireless LAN Id : 21
Wireless LAN Name: LTUWireless
BSSID : 2c3f.382b.526f
Connected For : 81 secs
Protocol : 802.11a
Channel : 161
Client IIF-ID : 0x42e80000000016
ASIC : 1
IPv4 Address : 10.142.39.229
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Client CCX version : 4
Client E2E version : No E2E support
Re-authentication Timeout : 1720 (1801)
Input Policy Name : unknown
Input Policy State : None
Output Policy Name : unknown
Output Policy State : None
802.1P Priority Tag : 0
WMM Support : Disabled
Power Save : OFF
Current Rate : 54.0
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : L2AUTHCOMPLETE
Client Entry Create Time : 441535 seconds
Policy Type : WPA2
Authentication Key Management : CCKM
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : EAP-FAST
Interface : WLN-STF-1
VLAN : 1420
Quarantine VLAN : 0
Access VLAN : 1420
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 3
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 15213
  Number of Bytes Sent : 16522
  Number of Packets Received : 139
  Number of Packets Sent : 111
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 1
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 3
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 43 dB
Assisted-Roaming Prediction List:
Nearby AP Statistics:
  L3502-2(slot1)
    antenna0: 49 seconds ago -43 dBm
    antenna1: 49 seconds ago -42 dBm
  L3502-2(slot0)
    antenna0: 111 seconds ago -44 dBm
    antenna1: 111 seconds ago -42 dBm
In the next post we will see how to configure AVC on this WLAN & get visibility of the traffic on it.
Related Posts
1. Getting Started with 3850
2. Getting Started with 5760
3. WLAN configs with 3850 – Part 1
4. WLAN configs with 3850 – Part 2
5. 3850(MA) with 5760(MC)
6. 5760 in CA & CUWN
7. 5760 AVC Configuration
It was indeed a great article, appreciate your work.
I have a question regarding dot1x integration. If I have 12 MAs and 1 MC, do I have to integrate all the MAs with NPS (Network Policy Server) or do we only integrate the MC?
Yes, all MAs need to communicate with NPS. The MC is purely for RRM & facilitating mobility in certain cases.
I would keep a standard template config for 3850 MAs
HTH
Rasika
Hi Rasika,
Can you help me: how do I create a net username and password on the 5700 series WLC for a guest user?
Regards,
quisher