WLC Admin Access by Radius Server

In this post we will learn how to control WLC management user access via an external RADIUS server.

We will create 3 users:

User1: Full Admin rights on WLC – sandeeprw
User2: Read-Only rights to WLC – sandeepro
User3: Lobby user to create Guest Accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read-Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add ACS server to WLC as RADIUS server (check this post: Configure RADIUS server on WLC).
  2. Add WLC as AAA client to ACS.
  3. Create Identity Groups.
  4. Create Users and assign them to the respective Identity Groups.
  5. Assign roles (Authorization profiles) to Users.
  6. Configure Access Policies for specific Users.
  7. Assign the Priority order for management access.
  8. Verification.

So let’s start with configuration:

Add ACS server to WLC as Radius server

Go to the WLC GUI, click Security > AAA > RADIUS > Authentication and enter the parameters specific to the RADIUS server. If an accounting server is also needed, enter its details as well.

*** Don't forget to check the Management box.

[Screenshot: WLC-Admin-RAdius1]

Add WLC as AAA client to ACS

Log in to ACS and then go to Network Resources > Network Devices and AAA Clients.

Select the RADIUS check box and enter the same shared secret we used when adding the ACS to the WLC.

[Screenshot: WLC-Admin-RAdius2]

Create Identity Groups

Create Identity groups for different users.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW

[Screenshot: WLC-Admin-RAdius3]

Create Users and assign to respective Identity Groups

[Screenshot: WLC-Admin-RAdius4]

Assign roles or Authorization profiles to Users

Here we create an Authorization profile for each group and set the Service-Type attribute that determines the level of access the user gets:

Admin Users: Administrative
Read-Only User: NAS Prompt
Lobby Users: Callback Administrative

[Screenshot: WLC-Admin-RAdius5]

[Screenshot: WLC-Admin-RAdius6]

[Screenshot: WLC-Admin-RAdius7]

Configure Access Policies for specific Users

Create Authorization rules under default Network Access:

It will look like this:

[Screenshot: WLC-Admin-RAdius8]

Assign the Priority order for management access

If the WLC is configured with management users both locally and on a RADIUS server that has the Management check box enabled, then by default, when a user tries to log in to the WLC, the WLC behaves as follows:

It first looks at the local management users. If the user exists in its local list, it authenticates the user locally. Only if the user does not exist locally does it query the RADIUS server.

This means the WLC's local database always takes precedence over the RADIUS server.

The authentication order for management users on the WLC is set under:

Security > Priority Order > Management User.

[Screenshot: WLC-Admin-RAdius9]

*** If LOCAL is selected as second priority, then the user will be authenticated using this method only if the method defined as the first priority (RADIUS) is unreachable.

Verification

To verify each account, log in as each user in turn and check the access granted.

If we log in as user sandeeprw, we have full administrative access to the WLC.

Example: if we log in as the read-only user (sandeepro) and try to modify something on the WLC, this message appears:

[Screenshot: WLC-Admin-RAdius10]

Logs from ACS showing the users' login attempts:

[Screenshot: WLC-Admin-RAdius11]

That’s all 🙂


Autonomous AP with Local RADIUS server – LEAP

Usually an external RADIUS server (ACS or ISE) is used for authentication in a large enterprise, but in a small office that is not a feasible solution because of cost.

In this situation a standalone/autonomous AP can act as the RADIUS server. Users are authenticated against the local database configured on the AP.

An autonomous AP can authenticate using LEAP, EAP-FAST and MAC-based authentication.

In this post we will see how to configure LEAP and the local RADIUS server on the AP.

To configure the local RADIUS server on the AP:

  1. The IOS on the AP must be version 12.2(11)JA or higher.
  2. Remember that LEAP is not a strong authentication method.

Via CLI:

Switch config for AP connection:

int fa 0/15
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 100, 101

Step1: Configure the SSID and map to a VLAN

config t
 dot11 ssid data1
  vlan 101
  authentication open eap local_eap
  authentication network-eap local_eap
  authentication key-management wpa version 1
  guest-mode
 end

Step2: Configure the radio and Ethernet interface

config t
 interface dot11Radio0
  ssid data1
 exit
 !
 ! note (editor's assumption, not in the original post): for BVI1 management to work
 ! over the trunk, the VLAN 100 subinterfaces normally also carry "native" on the
 ! encapsulation line and "bridge-group 1"; the original post omits both.
 interface dot11Radio0.100
  encapsulation dot1Q 100
 !
 interface dot11Radio0.101
  encapsulation dot1Q 101
  bridge-group 101
 exit
 !
 interface fa0.100
  encapsulation dot1Q 100
 !
 interface fa0.101
  encapsulation dot1Q 101
  bridge-group 101
 exit

Step3: Assign encryption to SSIDs with VLAN

interface dot11Radio0
 encryption vlan 101 mode ciphers tkip

Step4: Configure AP for management

interface BVI1
 ip address 10.35.100.250 255.255.255.0
!
ip default-gateway 10.35.100.254

Step5: Define an AAA server group, an AAA login method list, and point the RADIUS client at the AP's own IP address

aaa new-model -> Enables the AAA access control model (required before method lists and server groups can be defined).
aaa group server radius radius_leap
 server 10.35.100.250 auth-port 1812 acct-port 1813 -> Creates a RADIUS server group called "radius_leap" containing the AP's own address 10.35.100.250 on ports 1812 and 1813.
aaa authentication login local_eap group radius_leap -> Defines the login method list "local_eap" (referenced by the SSID's authentication commands) which validates users against server group "radius_leap".
aaa authorization exec default local -> Local EXEC authorization for logins to the AP itself. The original post wrote "aaa authentication exec", which is not valid IOS syntax.

Step6: Configure local AP as authenticator

radius-server host 10.35.100.250 auth-port 1812 acct-port 1813 key leap12345 -> The AP as RADIUS client points at its own IP; the key must match the NAS entry in the next step.

Step7: Configure the local RADIUS server with the AP as a NAS entry and the local users.

radius-server local
 nas 10.35.100.250 key leap12345
 user Sandeep password test12345
 user Sandeep1 password rscciew123

Step8: Verification with screenshot

[Screenshot: leap_autonomous]

ap#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [data1] :
 MAC Address    IP address      Device        Name            Parent         State
 bd7b.a1d1.c289 10.35.101.252    ccx-client    ap              self           EAP-Assoc
ap#sh dot11 associations ac7b.a1d1.c289
 Address           : bd7b.a1d1.c289     Name             : ap
 IP Address        : 10.35.101.252       Interface        : Dot11Radio 0
 Device            : ccx-client         Software Version : NONE
 CCX Version       : 4                  Client MFP       : Off
 State             : EAP-Assoc          Parent           : self
 SSID              : data1
 VLAN              : 81
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 0                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPA                Encryption       : TKIP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -37  dBm           Connected for    : 213 seconds
 Signal to Noise   : 58  dB            Activity Timeout : 50 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : BK BE VI VO
 Packets Input     : 910                Packets Output   : 175
 Bytes Input       : 130156             Bytes Output     : 69771
 Duplicates Rcvd   : 0                  Data Retries     : 35
 Decrypt Failed    : 0                  RTS Retries      : 12
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never

WLC Authentication by ISE Server

In this post we will see how to configure a Wireless LAN Controller (WLC) and a Cisco ISE server (Cisco Identity Services Engine) so that the AAA server can authenticate management users on the controller. We will also see how different management users can receive different privileges using attributes returned from the Cisco ISE RADIUS server.

Parameters:

ISE Server: 172.99.xx.1
WLC: 172.99.80.1 (TestWLC1)
Shared Secret: CISCO123456789
Read/Write User: sandeeprw, Password: Testwlc1rw
Read-Only User: sandeepro, Password: Testwlc1ro

Now we need to configure WLC and ISE so that:

  • Any user who logs in to the WLC with the username sandeeprw is given full administrative access to the WLC.
  • Any user who logs in to the WLC with the username sandeepro is given read-only access to the WLC.

Step1: Cisco WLC Configuration

  1. Log in to the WLC GUI and click Security > AAA > RADIUS > Authentication. The RADIUS Authentication Servers page appears. Click New to add a server and enter all the details.
  2. Check the Management box in order to allow the RADIUS server to authenticate users who log in to the WLC.

[Screenshot: wlc-ise1]

Note: Make sure that the shared secret configured on this WLC is the same shared secret configured on the RADIUS server. Only then can the WLC communicate with the RADIUS server.

  3. Verify that the WLC is configured to be managed by Cisco ISE. To do this, click Security > AAA > RADIUS > Authentication in the WLC GUI.

[Screenshot: wlc-ise2]

  4. We can see that the Management check box is enabled for RADIUS server 172.99.xx.1, which shows that ISE is allowed to authenticate the management users on the WLC.

Step2: Cisco ISE configuration

  1. Add the WLC as an AAA client to the RADIUS server.
  2. Create User Identity Groups for users.
  3. Configure a user with read-write access and assign it to the specific User Identity Group.
  4. Configure a user with read-only access and assign it to the specific User Identity Group.
  5. Create Authorization profiles and assign different RADIUS IETF attributes for these users.
  6. Create an Authentication / Authorization policy for these internal users.

Add the WLC as an AAA Client to the RADIUS Server

Log in to ISE, then click Administration > Network Devices > Add, enter the details of the WLC, and don't forget to enter the same shared secret as we did on the WLC.

[Screenshot: wlc-ise3]

Then click Save.

Create User Identity Groups for users.

To create user identity groups, click on Administration > Identity Management > Groups > User identity Groups > Add then enter the Name and description.

[Screenshot: wlc-ise4]

Configure a user with read-write access and assign to specific User Identity Group.

RW: username: sandeeprw, password: Testwlc1rw

Click on Administration > Identity Management > Identities > User > Add then enter the details and assign this user to WLC-AdminRW group, save it.

[Screenshot: wlc-ise5]

Configure a user with read-only access and assign to specific User Identity Group.

RO: username: sandeepro, password: Testwlc123ro

Click on Administration > Identity Management > Identities > User > Add then enter the details and assign this user to WLC-AdminRO group, save it.

[Screenshot: wlc-ise6]

[Screenshot: wlc-ise7]

Create Authorization Profiles and assign different RADIUS attributes for these users.

To authenticate a user via the RADIUS server for controller login and management, the user must exist in the RADIUS database with the IETF RADIUS attribute Service-Type set to the value appropriate for the user's privileges.

  • In order to set read-write privileges for the user, set the Service-Type Attribute to Administrative.
  • In order to set read-only privileges for the user, set the Service-Type Attribute to NAS-Prompt.
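Both the ACS profiles earlier on this page (Administrative, NAS Prompt, Callback Administrative) and these ISE profiles come down to one IETF attribute in the Access-Accept. The Python below is an added example, not code from the posts or from Cisco: it builds such an Access-Accept, checks its Response Authenticator against the shared secret the way the WLC does, and maps Service-Type to the management role. The shared secret and the 16-byte request authenticator used in the test are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
# IETF Service-Type values (RFC 2865) and the WLC management role each yields,
# as set in the ACS and ISE authorization profiles above.
SERVICE_TYPE_ROLES = {
    6: "Administrative (read-write)",
    7: "NAS-Prompt (read-only)",
    11: "Callback Administrative (lobby ambassador)",
}


def radius_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, service_type, secret):
    """The AAA server's reply for a management login: Access-Accept carrying Service-Type."""
    attrs = radius_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(data):
    """Walk the TLV attribute list; reject truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2 : i + data[i + 1]]
        i += data[i + 1]
    return attrs


def management_role(packet, request_auth, secret):
    """Mimic the WLC's check: accept a role only if the reply is an authentic
    Access-Accept for our request (secret matches) with a known Service-Type."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or forged/tampered reply: no access
    value = parse_attrs(attrs).get(ATTR_SERVICE_TYPE)
    if value is None or len(value) != 4:
        return None
    return SERVICE_TYPE_ROLES.get(struct.unpack("!I", value)[0])
```

A mismatched secret (the commonest misconfiguration on this page) shows up here exactly as the WLC reports it: the reply is discarded and the login fails, even though the server sent an Accept.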

Log in to the ISE GUI, then go to Policy > Policy Elements > Results.

[Screenshot: wlc-ise8]

[Screenshot: wlc-ise9]

Create Authentication / Authorization policy for these internal users

To create the Authentication policy: log in to ISE and click Policy > Authentication.

[Screenshot: wlc-ise10]

Here is the full policy name:

AuthWLCAdmin: If {DEVICE:Device Type equals All Device Types#Wireless LAN Controller}
 {Allows Protocol: Default Network Access}
 Default: use Internal user

Authorization Policy:

[Screenshot: wlc-ise11]

Save to apply changes.

Step3: Verification

Now it's time for testing.
First with username sandeeprw (read-write access):

[Screenshot: wlc-ise12]

Then with username sandeepro (read-only access):

[Screenshot: wlc-ise13]

Then I tried to create a WLAN with the read-only user; the output was "Authorization Failed No sufficient privileges".

[Screenshot: wlc-ise14]

Hence Proved 🙂

Configure RADIUS Server on WLC

Here is a new post about RADIUS configuration on the WLC. The WLC needs to be configured to forward user credentials to an external RADIUS server. The external RADIUS server then validates the credentials and grants access to the wireless clients.

A RADIUS server provides central authentication. On the WLC, a RADIUS server handles two functions, Authentication and Accounting, while TACACS+ handles all three (Authentication, Authorization and Accounting).

Here is the procedure to configure RADIUS in WLC:

Authentication

Step1: Via GUI

From the WLC GUI, click Security. From the menu on the left, click RADIUS > Authentication. The RADIUS Authentication Servers page appears. To add a new RADIUS server, click New.

[Screenshot: RADIUS New]

In the RADIUS Authentication Servers > New page, enter the parameters specific to the RADIUS server.

*** Check the Management box if you want to allow the RADIUS server to authenticate users who log in to the WLC. (I don't want to authenticate the WLC users via RADIUS.)

[Screenshot: RADIUS Edit]

Make sure that the shared secret configured on this page matches the shared secret configured on the RADIUS server. Only then can the WLC communicate with the RADIUS server.

The same procedure adds a second, redundant RADIUS server 🙂

[Screenshot: Both Radius]

Step2: Configure Authentication Via CLI

(WLAN1) >config radius ?
acct           Configures a RADIUS Accounting Server.
aggressive-failover Enables/Disables Aggressive Failover
auth           Configures a RADIUS Authentication Server.
backward       Configures RADIUS Vendor Id backward compatibility
callStationIdCase Configures Call Station Id case in RADIUS messages.
callStationIdType Configures Call Station Id information sent in radius messages
fallback-test  Configures server fallback test.
(WLAN1) >config radius auth ?
add            Configures a RADIUS Authentication Server.
delete         Deletes a RADIUS Server.
disable        Disables a RADIUS Server.
enable         Enables a RADIUS Server.
ipsec          Enables or disables IPSEC support for an authentication server
keywrap        Configures RADIUS keywrap
mac-delimiter  Configures MAC delimiter for caller-station-ID and calling-station-ID
management     Configures a RADIUS Server for management users.
network        Configures a default RADIUS server for network users.
retransmit-timeout Changes the default retransmission timeout for the server
rfc3576        Enables or disables RFC-3576 support for an authentication server

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius auth mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius auth add 1 192.xx.xx.14 1812 ascii cisco -> Secret
(WLAN1) >config radius auth retransmit-timeout 1 2  -> Default 2 sec
(WLAN1) >config radius auth network 1 {enable|disable}
(WLAN1) >config radius auth {enable|disable} 1 -> by default enable

If you are not authenticating management users via RADIUS, disable it for this server:

(WLAN1) >config radius auth management 1 {enable|disable} -> Enable by default

Follow the same procedure to add the second authentication server.

Accounting:

Step1: Via GUI

Configure RADIUS Accounting

Go to Security > RADIUS > Accounting.

[Screenshot: RADIUS Acct]

Follow the same steps to add the second accounting server.

Here is the screenshot of both accounting servers on the WLC:

[Screenshot: RADIUS Both Acct]

Step2: Via CLI

Here is the basic CLI configuration for RADIUS accounting on a WLC.

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius acct mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius acct add 1 192.xx.xx.15 1813 ascii cisco -> secret
(WLAN1) >config radius acct retransmit-timeout 1 5 -> default is 2s
(WLAN1) >config radius acct network 1 {enable|disable}
(WLAN1) >config radius acct {enable|disable} 1 -> by default enable

Do the same for the second accounting server via CLI.

So far we have added both servers for authentication and accounting.

Now time to verify it.

(WLAN1) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    N     192.xx.xx.14       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
2    N     192.xx.xx.15       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
Accounting Servers
--More-- or (q)uit
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1      N     192.xx.xx.15       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
2      N     192.xx.xx.14       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
(WLA1) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.xx.xx.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Challenge Responses.............................. 24736
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 147
Unknowntype Msgs................................. 0
Other Drops...................................... 1
Server Index..................................... 2
Server Address................................... 192.xx.xx.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 14345
--More-- or (q)uit
Retry Requests................................... 98
Accept Responses................................. 1264
Reject Responses................................. 52
Challenge Responses.............................. 13026
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 114
Unknowntype Msgs................................. 0
Other Drops...................................... 0
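The counters in `show radius auth statistics` are the quickest health check for the servers just added: a rising Timeout Requests count means the server is unreachable or slow, and a non-zero Bad Authenticator Msgs count means replies are failing the shared-secret check. The Python below is an added example, not part of the post or of the WLC: it parses that output (skipping the pager lines) and flags both conditions. The sample is constructed from the two servers' counters shown above, except that server 2's Bad Authenticator counter is changed to 3 to exercise the check.

```python
import re

# Constructed sample in the format of the WLC "show radius auth statistics" output;
# values follow the output above, with server 2's Bad Authenticator count set to 3.
SAMPLE = """\
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.xx.xx.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 147
Server Index..................................... 2
Server Address................................... 192.xx.xx.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 14345
--More-- or (q)uit
Retry Requests................................... 98
Accept Responses................................. 1264
Reject Responses................................. 52
Bad Authenticator Msgs........................... 3
Timeout Requests................................. 114
"""

# "Key.......... value" lines; the key is letters and spaces, the dots are the filler.
LINE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.{2,}\s*(?P<val>.+?)\s*$")
NUMBER = re.compile(r"(\d+)(?: \(msec\))?")


def parse_auth_statistics(text):
    """Return one dict per server; numeric counters become ints, addresses stay strings."""
    servers, current = [], None
    for raw in text.splitlines():
        if raw.startswith("--More--"):  # pager residue, not data
            continue
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val")
        if key == "Server Index":
            current = {"index": int(val)}
            servers.append(current)
        elif current is not None:
            num = NUMBER.fullmatch(val)
            current[key] = int(num.group(1)) if num else val
    return servers


def radius_health(servers, max_timeout_ratio=0.01):
    """Flag servers whose timeout ratio exceeds the threshold or that saw bad authenticators."""
    findings = []
    for s in servers:
        first, timeouts = s.get("First Requests", 0), s.get("Timeout Requests", 0)
        if first and timeouts / first > max_timeout_ratio:
            findings.append((s["index"], "timeout ratio %.2f%%" % (100 * timeouts / first)))
        if s.get("Bad Authenticator Msgs", 0):
            findings.append((s["index"], "bad authenticator: check shared secret"))
    return findings
```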

Now we add the WLC to the RADIUS server. Don't forget the shared secret: it must match between the WLC and the RADIUS (ISE) server.

Log in to ISE and go to Administration > Network Resources > Network Devices > Add.

[Screenshot: Untitled]

That’s it for today 🙂 Enjoyyyyy