Cisco 802.11 Wireless Networking Quick Reference

When you configure 802.1X authentication methods, the process requires three steps:

Step 1.

You must configure the AP to access the Remote Authentication Dial-In User Service (RADIUS) server.

Step 2.

You must configure the RADIUS server to use 802.1X.

Step 3.

You must configure the AP to use 802.1X authentication.

The sections that follow show how to make these configurations.

Configuring the AP for RADIUS Connection

The AP must be configured to connect to the appropriate RADIUS server. Open the Server Manager tab on the AP (this is done by following Security > Server Manager). Figure 8-9 shows the resulting Server Manager page.

Figure 8-9. Configuring the RADIUS Server on the Server Manager Page

On this page, do the following:

Step 1.

Enter the IP address of the authentication server in the Server field.

Step 2.

Enter the shared secret password in the Shared Secret field.

Step 3.

Enter the ports in the Authentication Port and Accounting Port fields (optional).

Step 4.

Click Apply.

Step 5.

Under Default Server Priorities, set the Priority 1 field under EAP Authentication to the RADIUS server's address. Click Apply.

Alternately, you can make this configuration from the command-line interface if you use the following commands:

AP# configure terminal AP(config)# aaa group server radius rad_eap AP(config-sg-radius)# server 192.168.1.105 auth-port 1630 acct-port 1631 AP(config-sg-radius)# exit AP(config)# aaa new-model AP(config)# aaa authentication login eap_methods group rad_eap AP(config)# radius-server host 192.168.1.105 auth-port 1630 acct-port 1631 key w@lth3r99k AP(config)# end AP# copy running-config startup-config

Configuring the RADIUS Server

The second step in connecting to a RADIUS server is to configure the RADIUS server to use the AP as an AAA client. The example in this section uses Cisco Secure ACS as the RADIUS server. If you use a different RADIUS server, you should refer to the server's documentation.

Setting up the AP as an AAA client in Cisco Secure ACS is done on the Network Configuration page, as illustrated in Figure 8-10.

Figure 8-10. Configuring Cisco Secure ACS to Use the AP as a Client

On this page, enter the following information:

Step 1.

AP's name (AAA Client Hostname field)

Step 2.

IP address (AAA Client IP Address field)

Step 3.

Shared secret key (Key field)

Step 4.

Authentication method (Authenticate Using field)

You must also configure the RADIUS server to use the authentication method that you select for the AP. You can accomplish this in Cisco Secure ACS if you configure the Global Authentication Setup page (click System Configuration > Global Authentication Method). Again, if you use a different RADIUS server, check the manufacturer's documentation. Figure 8-11 shows the Global Authentication Setup page with the authentication server configured to use EAP-TLS.

Figure 8-11. Enabling EAP Authentication Methods on Cisco Secure ACS

Note

Enabling PEAP or EAP-TLS requires the installation of a server certificate on ACS.

Defining Authentication

After the RADIUS server and the AP know they can talk to each other to share authentication data, the final step is to configure the AP to actually use 802.1X authentication methods.

First, open the Security Encryption Manager on the AP (select Security > Encryption Manager), as illustrated in Figure 8-12.

Figure 8-12. Setting Up the AP to Use EAP

Next, do the following:

Step 1.

Under the Encryption Modes section, check the WEP Encryption button and select Mandatory from the drop-down menu.

Step 2.

Under the Encryption keys section, make sure the key size is set to 128 bit.

Step 3.

Click Apply.

You can also apply these settings from the CLI using the following commands:

AP# configure terminal AP(config)# interface dot11radio 0 AP(config-if)# encryption mode wep mandatory AP(config-if)# end AP# write memory

The next settings are made on the AP SSID Manager tab (Security > SSID Manager), as illustrated in Figure 8-13.

Figure 8-13. EAP Configuration Steps on the SSID Manager Page

Enter the following settings:

Step 1.

Enter the SSID under SSID Properties. (Refer back to Figure 8-9.)

Step 2.

Under Authentication Methods Accepted, check the box labeled Open Authentication, and then select with EAP from the drop-down box.

Step 3.

Check the box labeled Network EAP if you have Cisco client adapters. Refer back to Table 8-1 for more information on this setting.

Step 4.

Click Apply, as shown in Figure 8-14.

Figure 8-14. EAP Configuration Steps on the SSID Manager Page (Cont'd)

Alternately, you can make these settings from the CLI using the following commands:

AP# configure terminal AP(config)# interface dot11radio 0 AP(config-if)# ssid ssid qbranch AP(config-if-ssid)# authentication open eap eap_methods AP(config-if-ssid)# authentication network-eap eap_methods AP(config-if-ssid)# end AP# write memory

Категории