Configure RADIUS Server on WLC

Here is a new post about RADIUS configuration on the WLC. The WLC has to be configured to forward user credentials to an external RADIUS server; the RADIUS server then validates the credentials and grants the wireless clients access.

A RADIUS server provides central authentication. On the WLC, a RADIUS server handles two of the AAA functions, authentication and accounting, whereas TACACS handles all three (authentication, authorization and accounting).

Here is the procedure to configure RADIUS on the WLC:

Authentication

Step1: Via GUI

From the WLC GUI, click Security. From the menu on the left, click RADIUS > Authentication. The RADIUS Authentication Servers page appears. To add a new RADIUS server, click New.

(Screenshot: RADIUS New)

In the RADIUS Authentication Servers > New page, enter the parameters specific to the RADIUS server.

*** Check the Management box if you want the RADIUS server to authenticate users who log in to the WLC. (I don't want to authenticate the WLC management users via RADIUS.)

(Screenshot: RADIUS Edit)

Make sure that the shared secret configured on this page matches the shared secret configured on the RADIUS server. Only then can the WLC communicate with the RADIUS server.

Follow the same procedure to add a second, redundant RADIUS server 🙂

(Screenshot: Both Radius)

Step2: Configure Authentication Via CLI

(WLAN1) >config radius ?
acct           Configures a RADIUS Accounting Server.
aggressive-failover Enables/Disables Aggressive Failover
auth           Configures a RADIUS Authentication Server.
backward       Configures RADIUS Vendor Id backward compatibility
callStationIdCase Configures Call Station Id case in RADIUS messages.
callStationIdType Configures Call Station Id information sent in radius messages
fallback-test  Configures server fallback test.
(WLAN1) >config radius auth ?
add            Configures a RADIUS Authentication Server.
delete         Deletes a RADIUS Server.
disable        Disables a RADIUS Server.
enable         Enables a RADIUS Server.
ipsec          Enables or disables IPSEC support for an authentication server
keywrap        Configures RADIUS keywrap
mac-delimiter  Configures MAC delimiter for caller-station-ID and calling-station-ID
management     Configures a RADIUS Server for management users.
network        Configures a default RADIUS server for network users.
retransmit-timeout Changes the default retransmission timeout for the server
rfc3576        Enables or disables RFC-3576 support for an authentication server

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius auth mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius auth add 1 192.xx.xx.14 1812 ascii cisco -> shared secret
(WLAN1) >config radius auth retransmit-timeout 1 2 -> default is 2 sec
(WLAN1) >config radius auth network 1 {enable|disable}
(WLAN1) >config radius auth {enable|disable} 1 -> enabled by default

If you are not authenticating management users via RADIUS, you must disable it:

(WLAN1) >config radius auth management 1 {enable|disable} -> enabled by default

Follow the same procedure to add the 2nd Authentication server.

Accounting:

Step1: Via GUI

Configure RADIUS Accounting

Go to Security -> RADIUS -> Accounting

(Screenshot: RADIUS Acct)

Follow the same steps to add the 2nd Accounting server.

Here is a screenshot of both Accounting servers on the WLC:

(Screenshot: RADIUS Both Acct)

Step2: Via CLI

Here is the basic CLI configuration for RADIUS Accounting on a WLC.

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius acct mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius acct add 1 192.xx.xx.15 1813 ascii cisco -> shared secret
(WLAN1) >config radius acct retransmit-timeout 1 5 -> default is 2 sec
(WLAN1) >config radius acct network 1 {enable|disable}
(WLAN1) >config radius acct {enable|disable} 1 -> enabled by default

Do the same for the 2nd accounting server via CLI.

So far we have added both servers for authentication and accounting.

Now it is time to verify.

(WLAN1) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    N     192.xx.xx.14       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
2    N     192.xx.xx.15       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
Accounting Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1      N     192.xx.xx.15       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
2      N     192.xx.xx.14       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
(WLA1) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.xx.xx.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Challenge Responses.............................. 24736
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 147
Unknowntype Msgs................................. 0
Other Drops...................................... 1
Server Index..................................... 2
Server Address................................... 192.xx.xx.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 14345
Retry Requests................................... 98
Accept Responses................................. 1264
Reject Responses................................. 52
Challenge Responses.............................. 13026
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 114
Unknowntype Msgs................................. 0
Other Drops...................................... 0
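The counters above are what you watch to tell a reachability problem (timeouts and retries climbing against First Requests) from a shared-secret problem (Bad Authenticator Msgs climbing). As an added example that is not part of the post, here is a small Python parser for that output that extracts each server's counters and flags those two conditions. The sample text embedded in it is constructed in the same dotted-leader layout as the post's output, with documentation addresses and made-up numbers; the 5% timeout threshold is an assumption to tune for your environment.

```python
import re

# Constructed sample in the layout of the WLC's "show radius auth statistics"
# output; addresses (RFC 5737 range) and counter values are made up.
SAMPLE_STATS = """\
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.0.2.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Challenge Responses.............................. 24736
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 147
Unknowntype Msgs................................. 0
Other Drops...................................... 1
Server Index..................................... 2
Server Address................................... 192.0.2.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 100
Retry Requests................................... 60
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 40
Pending Requests................................. 0
Timeout Requests................................. 60
Unknowntype Msgs................................. 0
Other Drops...................................... 0
"""

# "Label......... value": the label stops at the first run of two or more dots
LINE_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\.{2,}\s*(?P<val>.*)$")


def parse_radius_stats(text):
    """Split the output into one dict per server, keyed by the WLC's own labels.
    Numeric fields become ints ("47 (msec)" -> 47); the address stays a string."""
    servers, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headings such as "Authentication Servers:"
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Server Index":
            current = {}
            servers.append(current)
        if current is None:
            continue
        num = re.match(r"-?\d+", val)
        current[key] = int(num.group()) if num and key != "Server Address" else val
    return servers


def assess(server, max_timeout_ratio=0.05):
    """Return human-readable findings for one server's counters (empty = healthy)."""
    findings = []
    first = server.get("First Requests", 0)
    timeouts = server.get("Timeout Requests", 0)
    if first and timeouts / first > max_timeout_ratio:
        findings.append(
            f"timeout ratio {timeouts / first:.1%} exceeds {max_timeout_ratio:.0%}: "
            "server unreachable, slow, or firewalled on UDP/1812"
        )
    if server.get("Bad Authenticator Msgs", 0) > 0:
        findings.append("bad authenticators: shared secret differs between WLC and server")
    if server.get("Malformed Msgs", 0) > 0:
        findings.append("malformed messages: something other than RADIUS answering on this port")
    return findings


if __name__ == "__main__":
    for srv in parse_radius_stats(SAMPLE_STATS):
        print(srv["Server Index"], srv["Server Address"], assess(srv) or "ok")
```

Pasting the real output of show radius auth statistics into SAMPLE_STATS (or reading it from a file) is enough to reuse the two functions; the same regex also handles the accounting statistics, since the WLC prints both with the same label-and-dots layout.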

Now we add the WLC to the RADIUS server as a network device. Don't forget the shared secret: it must match between the WLC and the RADIUS (ISE) server:

Log in to ISE and go to Administration > Network Resources > Network Devices > Add

That’s it for today 🙂 Enjoyyyyy


5 Comments

  1. Hi, just wanted to let everyone know that I recently started offering a Free Edition of our IronWifi service, a hosted RADIUS/AAA service offering 802.1X authentication for use with WPA/WPA2-Enterprise encryption.

    The Free Edition features 5 user accounts, supports 1 AP, and includes: PEAP authentication for wireless and wired connections, web-based control panel, Android client, and activity logging.

    This is great for IT professionals wanting to experiment with 802.1X or to get enterprise security in homes and small offices.

    For more info visit our site:
    https://www.ironwifi.com

  2. Hello Sandeep,

    Excellent post. Thanks.

    I have a question on RADIUS failover to local database authentication. This works only when I use the call station-ID attribute as IP Address. When I change it to System MAC, management user authentication failover to the local database does not work. Please let me know what I am missing.

    BTW, just to keep up the cricket Spirit, I play for GICC (Geneva International Cricket Club) in Switzerland.

    Thanks,
    Vignesh

  3. Pingback: WLC Admin Access by Radius Server | Towards CCIE Wireless
