Cisco – Configure radius server via GUI in Cisco WLC

ciscoradiusvlanwlc

My boss asked me to create a lobby administration for user authentication in a certain Virtual LAN. So I googled for it, and I found out that RADIUS server will work for this. And I've reached this step of configuring the RADIUS Authentication, and I'm stuck:

enter image description here

So I found out that I need to configure (activate?) the RADIUS server first in order to be able to do this. I googled again. There are two options I can understand:

I create my own RADIUS server using FreeRadius.
Configure it on Cisco 5500 Series Wireless Controller. I'm not sure about this but my colleague told me that Cisco has provided RADIUS server for its users.

So I prefer the second option. The problem now is that I don't know how to configure the RADIUS server (to get the IP address and so on). I googled again, and all I found is the tutorial to do it using Command Line Interface (telnet, windows). Because I'm new at this stuff, my boss asked me to use only GUI. But I clicked everywhere in the web-browser interface I found nothing to get it.

So am I doing this wrong? Or Cisco doesn't support RADIUS server at all (so I have to choose the first option)?

Best Answer

WLCs are NOT Radius Servers, you need an external Radius server and then point the WLCs to it

The page you are on right now is to configure credentials to actually be able to query the external radius server: IP Address & Ports, Shared Secret, and other connectivity options.

Cisco Radius servers are called ACS (secure Access Control System) and to TACACS as well

Related Solutions

Switch – Regarding Dot1X dynamic VLAN assignment

Alex, hеllo there!

Ive builded test environmet for you, so i am using freeradius 2.1.12+dfsg-1.2 (on debian), and switch hp 2650. Ive just repeated your config, and have no problems with this. My test procurve ip 10.0.10.29, test freeradius ip 192.168.2.60.

procurve config:

Running configuration:

; J4899A Configuration Editor; Created on release #H.10.83

hostname "ProCurve Switch 2650"
interface 1
   no lacp
exit
interface 2
   no lacp
exit
interface 3
   no lacp
exit
interface 4
   no lacp
exit
interface 5
   no lacp
exit
interface 6
   no lacp
exit
interface 7
   no lacp
exit
interface 8
   no lacp
exit
interface 9
   no lacp
exit
interface 10
   no lacp
exit
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 11-50
   ip address dhcp-bootp
   no untagged 1-10
   exit
vlan 100
   name "success"
   untagged 1-10
   exit
vlan 200
   name "fail"
   exit
aaa authentication port-access eap-radius
radius-server host 192.168.2.60 key test
aaa port-access authenticator 1-10
aaa port-access authenticator 1 unauth-vid 200
aaa port-access authenticator 2 unauth-vid 200
aaa port-access authenticator 3 unauth-vid 200
aaa port-access authenticator 4 unauth-vid 200
aaa port-access authenticator 5 unauth-vid 200
aaa port-access authenticator 6 unauth-vid 200
aaa port-access authenticator 7 unauth-vid 200
aaa port-access authenticator 8 unauth-vid 200
aaa port-access authenticator 9 unauth-vid 200
aaa port-access authenticator 10 unauth-vid 200
aaa port-access authenticator active

/etc/freeradius/users:

<...>
testuser User-Password := test
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"
<...>

/etc/freeradius/radiusd.conf:

<...>
client switch {
        ipaddr          = 10.0.10.29
        secret          = test
        require_message_authenticator = no
        nastype     = other
}
<...>

And i`ve used this manual, to enable 8021x in windows:

http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7

But, I`ve disabled usage of logged user creds.

So, if user creds are correct, i have this message in /var/log/freeradius/radius.log

tail -f /var/log/freeradius/radius.log
Fri Sep  5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep  5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)

and on my switch ive got:

ProCurve Switch 2650(eth-1)# sh vlans ports 1

 Status and Counters - VLAN Information - for ports 1

  802.1Q VLAN ID Name         Status       Voice
  -------------- ------------ ------------ -----
  100            success      Port-based   No

If creds are incorrect:

Fri Sep  5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep  5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)


ProCurve Switch 2650(eth-1)# sh vlans ports 1

 Status and Counters - VLAN Information - for ports 1

  802.1Q VLAN ID Name         Status       Voice
  -------------- ------------ ------------ -----
  200            fail         Port-based   No

maybe you havent enabled 8021x in windows? I hope this helps to you man.

Cisco – EAP packets generated for plain MAC-based authentication

what I mainly want to know from someone who has already gone through all this is: Is a "MAC authentication" that still generates EAP packets a valid approach?

Here's a freeradius-users thread which answers most of these questions.

The crux is:

Using EAP for MAC auth makes no real sense.
But it isn't bad either if it's at least correctly implemented.
Users on the freeradius list didn't think Cisco's SG series implements 802.1x EAP MAB correctly, since the EAP Service-Type is missing. As Nick Lowe mentioned, if the EAP Service-Type is missing, it becomes awkward, hackish and potentially unreliable to discriminate between the type of service being used by a client.

Best Answer

Related Solutions

Switch – Regarding Dot1X dynamic VLAN assignment

Cisco – EAP packets generated for plain MAC-based authentication

Related Topic