LAB: WGB with autonomous AP using local RADIUS

In this lab, I am going to connect a WGB (workgroup bridge) to an autonomous AP that uses its local RADIUS server with EAP-FAST.

Autonomous AP configurations: 

SSID: I am going to use the EAP method list called nour-method for the dot1x authentication

AIR-LAP1141N-A-K9(config)#dot11 ssid WGB
AIR-LAP1141N-A-K9(config-ssid)#authentication open eap nour-method
AIR-LAP1141N-A-K9(config-ssid)#authentication network-eap nour-method
AIR-LAP1141N-A-K9(config-ssid)#authentication key-management wpa
AIR-LAP1141N-A-K9(config-ssid)#infrastructure-ssid optional

Radio interface: set the basic encryption and attach the SSID

AIR-LAP1141N-A-K9(config)#int dot11Radio 0
AIR-LAP1141N-A-K9(config-if)#no shutdown
AIR-LAP1141N-A-K9(config-if)#encryption mode ciphers aes-ccm
AIR-LAP1141N-A-K9(config-if)#ssid WGB

RADIUS authentication:

AIR-LAP1141N-A-K9(config)#aaa new-model
AIR-LAP1141N-A-K9(config)#aaa authentication login nour-method group radius
AIR-LAP1141N-A-K9(config)#radius-server host 192.168.143.7 auth-port 1812 acct-port 1813 key cisco123

Local RADIUS:

AIR-LAP1141N-A-K9(config)#radius-server local
AIR-LAP1141N-A-K9(config-radsrv)#no authentication leap
AIR-LAP1141N-A-K9(config-radsrv)#authentication eapfast
AIR-LAP1141N-A-K9(config-radsrv)#nas 192.168.143.7 key cisco123
AIR-LAP1141N-A-K9(config-radsrv)#user test password test

WGB AP configurations: 

SSID: define the dot1x method and credentials (as for any client that needs to connect to a dot1x SSID)

AIR-LAP1131AG-A-K9(config)#dot11 ssid WGB
AIR-LAP1131AG-A-K9(config-ssid)#authentication open eap nour-method
AIR-LAP1131AG-A-K9(config-ssid)#authentication network-eap nour-method
AIR-LAP1131AG-A-K9(config-ssid)#authentication key-management wpa
AIR-LAP1131AG-A-K9(config-ssid)#dot1x credentials WGB-credentials
AIR-LAP1131AG-A-K9(config-ssid)#dot1x eap profile WGB-eapfast
AIR-LAP1131AG-A-K9(config-ssid)#ex

 

Credentials:

AIR-LAP1131AG-A-K9(config)#dot1x credentials WGB-credentials
AIR-LAP1131AG-A-K9(config-dot1x-creden)#username test
AIR-LAP1131AG-A-K9(config-dot1x-creden)#password test
AIR-LAP1131AG-A-K9(config-dot1x-creden)#anonymous-id wgb
AIR-LAP1131AG-A-K9(config-dot1x-creden)#exit

EAP method profile:

AIR-LAP1131AG-A-K9(config)#eap profile WGB-eapfast
AIR-LAP1131AG-A-K9(config-eap-profile)#method fast

Radio interface:

AIR-LAP1131AG-A-K9(config)#int dot11Radio 0
AIR-LAP1131AG-A-K9(config-if)#no shutdown
AIR-LAP1131AG-A-K9(config-if)#encryption mode ciphers aes-ccm
AIR-LAP1131AG-A-K9(config-if)#ssid WGB
AIR-LAP1131AG-A-K9(config-if)#station-role workgroup-bridge
AIR-LAP1131AG-A-K9(config-if)#infrastructure-client
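
An offline cross-check of the two configurations above, added here as an example and not part of the original post: it confirms that the RADIUS client and nas entries agree, that EAP-FAST is enabled on both sides, that the WGB credentials exist as a local RADIUS user, and that SSID, key management and cipher match. The helper names find and check_pair are hypothetical, and the config text is constructed from the commands typed on this page.

```python
import re

# Constructed input: the page's 802.1X-relevant commands, indented as IOS sub-modes.
AP_CFG = """\
dot11 ssid WGB
 authentication key-management wpa
interface Dot11Radio0
 encryption mode ciphers aes-ccm
radius-server host 192.168.143.7 auth-port 1812 acct-port 1813 key cisco123
radius-server local
 authentication eapfast
 nas 192.168.143.7 key cisco123
 user test password test
"""
WGB_CFG = """\
dot11 ssid WGB
 authentication key-management wpa
dot1x credentials WGB-credentials
 username test
 password test
eap profile WGB-eapfast
 method fast
interface Dot11Radio0
 encryption mode ciphers aes-ccm
"""

def find(cfg, pattern):
    """Return all regex matches in cfg, matching line by line."""
    return re.findall(pattern, cfg, flags=re.M)

def check_pair(ap, wgb):
    """Hypothetical helper: list mismatches that would stop the WGB authenticating."""
    problems = []
    # The AP is both RADIUS client and server: host/key must equal a nas entry.
    client = find(ap, r"^radius-server host (\S+) .*key (\S+)$")
    nas = find(ap, r"^ +nas (\S+) key (\S+)$")
    if not set(client) & set(nas):
        problems.append("RADIUS client host/key has no matching nas entry")
    if not (find(ap, r"^ +authentication eapfast$") and find(wgb, r"^ +method fast$")):
        problems.append("EAP-FAST not enabled on both sides")
    users = find(ap, r"^ +user (\S+) password (\S+)$")
    creds = list(zip(find(wgb, r"^ +username (\S+)$"), find(wgb, r"^ +password (\S+)$")))
    if not creds or creds[0] not in users:
        problems.append("WGB credentials are not a local RADIUS user")
    for item in (r"^dot11 ssid (\S+)$", r"key-management (\S+)$", r"ciphers (\S+)$"):
        if find(ap, item) != find(wgb, item):
            problems.append("AP/WGB mismatch: " + item)
    return problems

print(check_pair(AP_CFG, WGB_CFG) or "configs are consistent")
```
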

Checking the connectivity 

 

AIR-LAP1141N-A-K9#show dot11 ass

802.11 Client Stations on Dot11Radio0:

SSID [WGB] :

MAC Address    IP address      Device   Name             Parent   State
001d.a1ec.8790 192.168.143.8   WGB      AIR-LAP1131AG-A  self     EAP-Assoc

AIR-LAP1141N-A-K9#ping 192.168.143.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.143.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

 

Optional: add security so that the autonomous AP allows only the WGB to connect to it, and guide the WGB to connect to that specific AP. The trick is to use the radio MAC addresses in the configuration.

–> From the WGB AP
AIR-LAP1131AG-A-K9#show int d0
Dot11Radio0 is up, line protocol is up
Hardware is 802.11G Radio, address is 001d.a1ec.8790 (bia 001d.e54c.41d0)

–> IOS AP
AIR-LAP1141N-A-K9#sh int d0
Dot11Radio0 is up, line protocol is up
Hardware is 802.11N 2.4GHz Radio, address is 081f.f3b3.7e40 (bia 081f.f3b3.7e40)

–> IOS AP
AIR-LAP1141N-A-K9(config)#dot11 association mac-list 700
AIR-LAP1141N-A-K9(config)#access-list 700 permit 001d.a1ec.8790 0000.0000.0000
AIR-LAP1141N-A-K9(config)#access-list 700 deny 0000.0000.0000 ffff.ffff.ffff

–> WGB AP

AIR-LAP1131AG-A-K9(config)#int d0
AIR-LAP1131AG-A-K9(config-if)#parent 1 081f.f3b3.7e40

 

Cheers 🙂 !
