Tuesday, July 13, 2010

Misc 39

Now we'll expand our topology to include a RADIUS server as shown:

We'll set up the port on the switch to be in ACCESS VLAN 10:
interface FastEthernet0/10
switchport mode access
switchport access vlan 10

This RADIUS server is where we authenticate our clients. I would expect you to know how to set up a RADIUS server for login authentication. The RADIUS server, like all other management devices, is in the MANAGEMENT VLAN (10). We'll hop back onto the switch to set up some basic authentication options before we start with PEAP.

Let's first add the RADIUS server to the radius-server list (<RADIUS-IP> below is a placeholder for the address you gave the server in VLAN 10). To do this, make sure "aaa new-model" is enabled:
aaa new-model
radius-server host <RADIUS-IP> auth-port 1812 acct-port 1813 key 0 cisco

Be sure to add a corresponding client entry for the AP on the RADIUS server, using the same shared key. Now we'll turn on some options, but before that, we'll create a backup local user account:
username cisco password cisco

Now I'll demonstrate the basic use of RADIUS for user-mode (login) authentication. To do this, we simply specify the authentication method list as follows:
aaa authentication login default group radius local

The word "default" refers to the default list, while "group radius" and "local" are the authentication methods added to the default list, tried in that order. By default, user-mode login uses the default list, so logging off and on again gives you a new login prompt. If logging in with a user defined on the RADIUS server fails, check that the server allows PAP (cleartext-password) authentication, since that is what the IOS login request uses. If RADIUS fails completely (for example, the server is unreachable), you can still log in through the backup account you created, because the "local" method is specified in the default list.
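To check the PAP login path and the shared key directly, here is an added Python client (not from the original post) that builds an RFC 2865 Access-Request with the User-Password hiding that PAP uses and verifies the server's Response Authenticator; the server address and the NAS-Identifier value ap1 are assumptions. Because the hiding is only MD5 of the shared key and a public authenticator, a guessable key such as "cisco" protects the password about as well as no key at all, which is why it belongs in the lab only.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + prior block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it before checking PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_id, authenticator):
    """Access-Request: Code, Identifier, Length, 16-byte authenticator, then TLV attributes."""
    attrs = b""
    for t, v in ((ATTR_USER_NAME, user),
                 (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
                 (ATTR_NAS_IDENTIFIER, nas_id)):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(resp, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret); mismatch usually means the shared key differs."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def check_pap_login(server, user, password, secret, nas_id=b"ap1", timeout=3.0):
    """Send one PAP Access-Request to UDP/1812 (assumed server address) and report the outcome."""
    auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(1, user, password, secret, nas_id, auth), (server, 1812))
        resp, _ = s.recvfrom(4096)
    if not response_is_authentic(resp, auth, secret):
        return "bad Response Authenticator (shared key mismatch?)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], f"code {resp[0]}")
```

Run check_pap_login("<RADIUS-IP>", b"cisco", b"cisco", b"cisco") from a host in VLAN 10 that is registered as a RADIUS client; a "reject" with a good authenticator means the key is right and the problem is the user or the PAP setting on the server.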

Once that all works, we'll begin with PEAP authentication. This authentication method requires a few components. PEAP here is PEAP-MSCHAPv2 (MS-CHAPv2 as the inner method), so let's create an EAP profile that uses it:
eap profile PEAP
method mschapv2

Now, another thing we need is a dot1x credentials profile. It requires a PKI trustpoint (which we'll call LOCAL), so let's create a self-signed trustpoint and enroll it:
crypto pki trustpoint LOCAL
enrollment selfsigned
crypto pki enroll LOCAL

Next, we'll create the credentials:
dot1x credentials CREDENTIALS
anonymous-id cisco
pki-trustpoint LOCAL

Finally, we'll need a named AAA list (like the default list, but with a name) that points at the RADIUS server, plus the dot1x authentication and network authorization lists:
aaa authentication login RADIUSLIST group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius

If you're using the configuration from the previous article, we'll need to enable the TKIP cipher on the radio interface before we can add WPA2-Enterprise to the SSID. To do this, we'll type:
interface Dot11Radio0
encryption vlan 20 mode ciphers tkip

Now we can add WPA2-Enterprise as the authentication method under the SSID, as shown:
authentication open eap RADIUSLIST
authentication key-management wpa version 2
dot1x credentials CREDENTIALS
dot1x eap profile PEAP

This is the most basic configuration for WPA2-Enterprise. The clients should now be able to connect flawlessly. Congratulations!
