Autonomous AP with Local RADIUS server – EAP FAST

In this post we will see how to configure a standalone AP to act as the authentication server (RADIUS).

A standalone AP can be configured as a local RADIUS server to provide AAA services.

This kind of solution suits small-scale deployments, or those that cannot afford ACS or ISE, and it can also serve as a backup RADIUS server in case the primary fails.

Normally an Autonomous AP can use three types of authentication:

*** EAP-TLS is not supported on the Autonomous AP.

First we will configure EAP-FAST 🙂

I will create one SSID "data1" and map it to VLAN "101".

Points to remember:

  1. The local RADIUS server uses UDP ports 1812 and 1813.
  2. Keep the config as simple as possible.
  3. In this type of scenario the AP acts as both the authenticator and the authentication server.
  4. The AP can authenticate a maximum of 50 client devices.
  5. The AP performs up to 5 authentications per second.
  6. When the AP acts as the local authenticator, performance may decrease for associated clients.

Steps to Configure:

  1. Configure the local AP as a NAS (Network Access Server).
  2. Create user groups.
  3. Create users that are authorized to authenticate.
  4. Enter the local authenticator as a RADIUS server.

This can be configured in two ways: via the GUI or via the CLI.

Via CLI:

Switch config for the AP connection:

interface fa0/15
 ! set the encapsulation first; some switches reject "mode trunk" while encapsulation is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101

Step 1: Configure the SSID and map it to a VLAN

config t
 dot11 ssid data1
  vlan 101
  authentication open eap local_eap
  authentication network-eap local_eap
  authentication key-management wpa version 2
  guest-mode
 end

Step 2: Configure the radio and Ethernet interfaces

config t
 interface dot11Radio0
  ssid data1
  exit
 interface dot11Radio0.100
  encapsulation dot1Q 100
  ! bridge-group 1 is tied to BVI1, the management interface
  bridge-group 1
 interface dot11Radio0.101
  encapsulation dot1Q 101
  bridge-group 101
  exit
 interface fa0.100
  encapsulation dot1Q 100
  bridge-group 1
 interface fa0.101
  encapsulation dot1Q 101
  bridge-group 101
  exit

Step 3: Assign encryption to the SSID's VLAN

interface dot11Radio0
 encryption vlan 101 mode ciphers aes-ccm

Step 4: Configure the AP for management

interface BVI1
 ip address 10.35.100.15 255.255.255.0
!
ip default-gateway 10.35.100.254

Step 5: Define an AAA group and an AAA login method, and configure the RADIUS server with the AP's own IP address

aaa new-model
aaa group server radius radius_fast
 server 10.35.100.15 auth-port 1812 acct-port 1813
aaa authentication login local_eap group radius_fast

Step 6: Configure the local AP as the authenticator

radius-server host 10.35.100.15 auth-port 1812 acct-port 1813 key fast12345

Step 7: Configure the NAS entry and the local users that are allowed to authenticate.

radius-server local
 nas 10.35.100.15 key fast12345
 user Sandeep password test12345
 user sandeep1 password rscciew12345

Step 8: Configure the EAP-FAST settings (authority ID, authority info, server key, etc.).

Authority ID

All EAP-FAST authenticators are identified by an authority identity (AID). The local authenticator sends its AID to an authenticating client, and the client checks its database for a matching AID. If the client does not recognize the AID, it requests a new PAC.

AP002(config)#radius-server local
AP002(config-radsrv)#eapfast authority id ?
 Hex-data  32 hexadecimal digits
AP002(config-radsrv)#eapfast authority id 98765432198765432198765432198765

Authority Info:

AP002(config-radsrv)#eapfast authority info ?
 LINE ASCII string (32 char)
AP002(config-radsrv)#eapfast authority info cisco

Server Key

The local authenticator uses server keys to encrypt the PACs it generates and to decrypt PACs when authenticating clients. The server maintains two keys, a primary key and a secondary key, and uses the primary key to encrypt PACs. By default, the server uses a default value as the primary key but does not use a secondary key unless we configure one.
When the local authenticator receives a client PAC, it attempts to decrypt the PAC with the primary key. If decryption fails with the primary key, the authenticator attempts to decrypt the PAC with the secondary key if one is configured. If that also fails, the authenticator rejects the PAC as invalid.

AP002(config-radsrv)#eapfast server-key ?
 primary primary key
 secondary secondary key
AP002(config-radsrv)#eapfast server-key primary ?
 0 Specifies an UNENCRYPTED password will follow
 7 Specifies an HIDDEN password will follow
 Hex-data 32 hexadecimal digits
 auto-generate auto generate the key
AP002(config-radsrv)#eapfast server-key primary auto-generate

AP002(config-radsrv)#eapfast server-key secondary ?
 0 Specifies an UNENCRYPTED password will follow
 7 Specifies an HIDDEN password will follow
 Hex-data 32 hexadecimal digits
AP002(config-radsrv)#eapfast server-key secondary 98765432198765432198765432198765
AP002(config-radsrv)#

PAC generation for a specific username

The local authenticator automatically generates PACs for EAP-FAST clients that request them. However, we might need to generate a PAC manually for some client devices. When we enter the command, the local authenticator generates a PAC file and writes it to the network location that we specify. The user imports the PAC file into the client profile.
Use this command to generate a PAC manually:

AP002#radius local-server pac-generate ?
 WORD username, for which PAC to be issued
AP002#radius local-server pac-generate sandeep1 ?
 WORD filename to save generated PAC(ex: tftp://172.1.1.1/test/user.pac)
AP002#radius local-server pac-generate sandeep1 tftp://10.35.100.100/sandeep1.pac password rscciew12345 expiry 10
 Generating PAC for the user: sandeep1
!!
AP002#

Step 9: Verification

AP002#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [data1] :
 MAC Address    IP address      Device        Name            Parent         State
 bd7b.a1d1.c289 10.35.101.152    ccx-client    AP002           self           EAP-Assoc
 AP002#sh dot11 associations  ac7b.a1d1.c289
 Address           : bd7b.a1d1.c289     Name             : AP002
 IP Address        : 10.35.101.152       Interface        : Dot11Radio 0
 Device            : ccx-client         Software Version : NONE
 CCX Version       : 4                  Client MFP       : Off
 State             : EAP-Assoc          Parent           : self
 SSID              : data1
 VLAN              : 81
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 0                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -33  dBm           Connected for    : 31 seconds
 Signal to Noise   : 59  dB            Activity Timeout : 50 seconds
 Power-save        : On                 Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : BK BE VI VO
 Packets Input     : 640                Packets Output   : 353
 Bytes Input       : 61156              Bytes Output     : 35666
 Duplicates Rcvd   : 0                  Data Retries     : 27
 Decrypt Failed    : 0                  RTS Retries      : 73
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 AP002#


That's all for today 🙂

———x———————————————-

Step 8 can also be configured in this way:

radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast authority info cisco
 eapfast server-key primary 12345678901234567890123456789012
 eapfast server-key secondary 12345678901234567890123456789012
 nas 10.35.100.15 key fast12345
 user Sandeep password test12345
 user sandeep1 password rscciew12345
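As an added check (my own script, not part of the original post), here is a small Python linter for the local RADIUS and EAP-FAST lines from Steps 4 to 8: it confirms that the NAS address and shared secret agree with the radius-server host and BVI1 entries, that the authority ID and server keys are 32 hex digits, and that the primary and secondary server keys differ. The embedded sample config is constructed from the page's own values; note that the compact Step 8 form above reuses one value for both server keys, which the linter flags.

```python
import re

# Constructed sample in the style of the page's CLI steps (not captured from a live AP):
# the BVI1 address, the radius-server host line and the compact radius-server local block.
SAMPLE_CONFIG = """
interface BVI1
 ip address 10.35.100.15 255.255.255.0
radius-server host 10.35.100.15 auth-port 1812 acct-port 1813 key fast12345
radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast server-key primary 12345678901234567890123456789012
 eapfast server-key secondary 12345678901234567890123456789012
 nas 10.35.100.15 key fast12345
 user sandeep1 password rscciew12345
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # IOS expects exactly 32 hex digits here


def first(pattern, cfg):
    # Return group 1 of the first line matching pattern, or None if absent.
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1) if m else None


def lint_local_radius(cfg):
    """Return a list of findings for the local RADIUS / EAP-FAST part of an AP config."""
    findings = []
    bvi_ip = first(r"^ ip address (\S+) \S+$", cfg)
    host_ip = first(r"^radius-server host (\S+)", cfg)
    host_key = first(r"^radius-server host .* key (\S+)", cfg)
    nas_ip = first(r"^ nas (\S+) key", cfg)
    nas_key = first(r"^ nas \S+ key +(\S+)", cfg)
    aid = first(r"^ eapfast authority id (\S+)", cfg)
    # Assumes the plain hex or auto-generate form shown on the page (no 0/7 prefix).
    primary = first(r"^ eapfast server-key primary (\S+)", cfg)
    secondary = first(r"^ eapfast server-key secondary (\S+)", cfg)

    # The AP is both NAS and server, so all three addresses must be the same one.
    if not (bvi_ip == host_ip == nas_ip):
        findings.append("BVI1, radius-server host and nas addresses differ")
    # The NAS entry's secret must equal the secret the AP uses as a RADIUS client.
    if host_key != nas_key:
        findings.append("nas key does not match radius-server host key")
    if aid is not None and not HEX32.match(aid):
        findings.append("eapfast authority id is not 32 hex digits")
    for name, value in (("primary", primary), ("secondary", secondary)):
        if value is not None and value != "auto-generate" and not HEX32.match(value):
            findings.append(f"eapfast server-key {name} is not 32 hex digits")
    # A secondary key equal to the primary gives no key-rollover benefit at all.
    if primary is not None and primary == secondary:
        findings.append("primary and secondary server keys are identical")
    return findings
```

Run `lint_local_radius(SAMPLE_CONFIG)` against a real `show running-config` excerpt to catch the copy-paste mismatches (secrets, addresses, key lengths) that otherwise only show up as silent EAP failures.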