We'll set up the port on the switch to be in ACCESS VLAN 10:
in f0/10
sw m a
sw a v 10This RADIUS server would be where we authenticate our clients. I would expect you to know how to set up a RADIUS server for login authentication. The RADIUS server, like all other management devices, are in the MANAGEMENT VLAN (10). We'll hop back on the switch to set up some basics authentication options before we start with PEAP.
Let's first add the RADIUS server to the radius-server list. To do this, make sure "aaa new-model" is enabled:
aaa new-model
radius-server host 10.10.10.5 auth 1812 acct 1813 key 0 ciscoBe sure to add a corresponding client entry for the AP in the radius server. Now, we'll turn on some options, but before that, we'll create some backup user accounts:
user cisco pass ciscoNow, I'll demonstrate the basic use of RADIUS to do usermode authentication. To do this, we simply specify the authentication as follows:
aaa authentication login default group radius localThe word "default" refers to the default list, while "group radius" and "local" are the authentication methods added into the default list. By default, usermode login uses the default list, so logging off and on would result in a new login prompt. If logging in with a user in the RADIUS server fails, be sure to check that your RADIUS has PAP (or cleartext authentication) allowed. If it fails completely, you can still log in through the backup account you created because the "local" method is specified in the default list.
Now if it all goes well, we'll begin with PEAP authentication. Such an authentication method requires a few components. PEAP is also known as MS-CHAPv2, so let's create an EAP profile that uses PEAP:
eap profile PEAP
method mschapv2Now, another thing we need is to create a dot1x credentials. It requires a trustpoint (which would be LOCAL), so lets create a trustpoint:
crypto pki trustpoint LOCAL
enroll self
crypto pki enroll LOCALNext, we'll create the credentials:
dot1x credentials CREDENTIALS
anonymous-id cisco
pki-trustpoint LOCALFinally we'll need a named AAA list (like default, but named) to specify the RADIUS server:
aaa authentication login RADIUSLIST group radius
aaa authentication dot1x default group radius
aaa authorization network default group radiusIf you're using the configuration from the previous article, we'll need to enable cipher TKIP encryption from the wireless interface before we can add WPA2-Enterprise to the SSID. To do this, we'll type:
in d0
encryption vlan 20 mode cipher tkipNow we can add WPA2-Enterprise as the authentication method as shown:
authentication open eap RADIUSLIST
authentication key-management wpa version 2
dot1x credentials CREDENTIALS
dot1x eap profile PEAPThis is the most basic configuration for WPA2-Enterprise. The clients should now be able to connect flawlessly. Congratulations!
No comments :
Post a Comment