Cisco AP – radius authentication

This post shows how to configure a Cisco AP (Aironet 1230 series) to authenticate wireless clients against an external Radius server. It also describes how to configure the Radius server (freeradius) for that purpose.

Radius server configuration

I assume that you already have a clean installation of freeradius. If not, refer to http://wiki.freeradius.org/guide/Basic-configuration-HOWTO. In the following example I installed freeradius on Debian Linux. Configuration:

  1. edit /etc/freeradius/clients.conf and add the following entry
    client 192.168.0.0/24 {
       secret =  testing123
       nastype = cisco
       shortname = ap
    }
    

    Basically the entry defines the allowed Radius client(s) for your network. My AP (NAS / Radius client) has the IP address 192.168.0.105, so it falls inside the allowed range and may talk to the Radius server. The client (AP) must use the shared secret testing123 in order to authenticate with the Radius server.

  2. edit /etc/freeradius/users and add the following entry
    testing Cleartext-Password := "password"
    

    The entry defines the username and password (testing/password) used by your wireless client.

  3. edit /etc/freeradius/eap.conf and make sure that you have the following entries:

       eap {
       (...)
              default_eap_type = peap
       (...)
               peap {
                       #  The tunneled EAP session needs a default
                       #  EAP type which is separate from the one for
                       #  the non-tunneled EAP module.  Inside of the
                       #  PEAP tunnel, we recommend using MS-CHAPv2,
                       #  as that is the default type supported by
                       #  Windows clients.
                       default_eap_type = mschapv2
    

    We will use EAP-PEAP protocol.

  4. start the radius server in debug mode (-X option):
    root@debian1:/etc/freeradius/modules# freeradius -X
    
  5. before you continue, test your radius server locally with the radtest utility. Open a console and run the following command.
    root@debian1:/etc/freeradius# radtest testing password 127.0.0.1 10 testing123
    Sending Access-Request of id 7 to 127.0.0.1 port 1812
    	User-Name = "testing"
    	User-Password = "password"
    	NAS-IP-Address = 127.0.1.1
    	NAS-Port = 10
    	Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=7, length=20
    root@debian1:/etc/freeradius# 
    

    Note – default radius server configuration allows connection from localhost with testing123 shared key (refer to /etc/freeradius/clients.conf file).
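The radtest exchange above, as an added example that is not from the original post: a Python builder for the Access-Request that radtest sends with the post's values (user testing/password, shared secret testing123, NAS-Port 10), plus a check of the Response Authenticator on the server's Access-Accept. The request authenticator is passed in by the caller (radtest picks a random one per request), and make_access_accept is a constructed stand-in for the freeradius reply.

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"                 # shared secret from clients.conf in the post
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2    # RADIUS packet codes (RFC 2865)
# Attribute type codes from RFC 2865 (1-5) and RFC 3579 (80).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value, as RFC 2865 lays it out."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(username, password, nas_ip, nas_port, secret, ident, request_auth):
    """Build the packet radtest sends. Message-Authenticator is HMAC-MD5 over the whole
    packet with its own value zeroed (RFC 3579 section 3.2); radtest prints the zeroed
    placeholder because the real value is filled in just before sending."""
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    return header + request_auth + attrs[:-16] + mac   # zeroed value was the last 16 bytes


def make_access_accept(ident, request_auth, secret, attrs=b""):
    """Constructed server reply (what freeradius returns), used to exercise verify_response."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865 3."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A client that checks verify_response before trusting an Access-Accept rejects replies forged by anyone who does not know the shared secret, which is why the secret in clients.conf must match the one configured on the AP.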

Configure Cisco AP

For my test I used IOS Version 12.3(8). Configuration:

ap#conf t
ap(config)#interface BVI 1
ap(config-if)#ip address 192.168.0.105 255.255.255.0
ap(config-if)#exit

ap(config)#aaa new-model
ap(config)#radius-server host 192.168.0.102 auth-port 1812 acct-port 1813 key testing123 // define the radius server
ap(config)#aaa authentication login eap_methods group radius local

ap(config)#dot11 ssid WLAN_EAP
ap(config-ssid)#guest-mode // broadcast the SSID in beacons
ap(config-ssid)#authentication open eap eap_methods // use eap for authentication
ap(config-ssid)#authentication network-eap eap_methods  // use eap for authentication
ap(config-ssid)#authentication key-management wpa // use WPA features (with EAP)
ap(config-ssid)#exit

ap(config)#interface dot11Radio 0
ap(config-if)#channel 6
ap(config-if)#ssid WLAN_EAP
ap(config-if)#encryption mode ciphers aes-ccm // enable AES encryption (used by WPA)
ap(config-if)#no shutdown
ap(config-if)#

Some explanation:

  1. The command aaa authentication login eap_methods group radius local means:
    • the command defines an authentication list (the preferred authentication options): use radius first; if no radius server is available then fall back to the local (AP) username database
    • authentication login – define an authentication list (for example for wireless clients)
    • eap_methods – the list name
    • group is a keyword. After this keyword you can put the keyword radius, which means "use all defined radius servers". After the group keyword you can also put a specific radius server group name
  2. You define eap authentication “twice” (authentication open eap… and authentication network-eap).
    Cisco documentation gives many reasons to make such configuration – in general it gives you better compatibility with various clients. For example (from Cisco documentation):
    Network EAP is used for LEAP authentication only. If radio clients are configured to authenticate using EAP-FAST, Open Authentication with EAP should also be configured.

Configure Windows client

  1. Go to Networking and Sharing Center
  2. Click Setup a new connection or network
  3. Select Manually connect to a wireless network
  4. In the new dialog type the following options:
    • Network name: WLAN_EAP
    • Security type: WPA2-Enterprise
    • Encryption type: AES
  5. Click Next. A new dialog will appear – select Change connection settings
  6. A new dialog will appear:
    Radius - Windows dialog 1
  7. Click Settings. A new dialog will appear:
    • uncheck option Validate server certificate
    • Click Configure and uncheck option Automatically use my Windows login name and password (and domain if any). (With this setting Windows prompts for the username/password when connecting)
  8. Accept all options and close the dialogs

Test your connection

Try to connect to your WLAN_EAP network. Windows will ask you for credentials: type testing/password.

Configure certificate

When you configured the Windows client you unchecked the option Validate server certificate. If you want to use that option (which is recommended) then you must install the Radius server certificate on the Windows machine. Note that if you check that option then you must also select the appropriate certificate from the list.

  1. the certificate is located: /etc/freeradius/certs/server.pem. Copy this file to Windows client.
  2. Run certmgr.msc command on Windows
  3. Select Trusted Root Certification Authorities folder and from the top menu select Actions -> All tasks -> Import

Now the certificate is installed, so you can check the Validate server certificate option and select the installed certificate from the list. Note – to open the appropriate dialog, right click on the WLAN_EAP connection and click Properties (you can find the list of wireless connections in the Windows tray).

Summary

In the above example we used the following features:

  1. 802.1x with EAP [PEAP]
  2. Radius server
  3. WPA 2 Enterprise – authentication is handled by the Radius server (and not by a WPA pre-shared key)
  4. WPA 2 Enterprise uses AES encryption (and not TKIP encryption)

Let's take a look at another example of configuration. In this model we will use:

  1. 802.1x with EAP [PEAP]
  2. Radius server
  3. WEP encryption

The Radius server is configured in the same way. The Windows client is configured slightly differently:

  1. Go to Networking and Sharing Center
  2. Click Setup a new connection or network
  3. Select Manually connect to a wireless network
  4. In the new dialog type the following options:
    • Network name: WLAN_EAP
    • Security type: 802.1X
    • Encryption type: WEP

    The other settings are the same.

Reconfigure your AP:

ap(config)#
ap(config)#dot11 ssid WLAN_EAP
ap(config-ssid)#no authentication key-management wpa

ap(config-ssid)#interface Dot11Radio 0
ap(config-if)#encryption mode ciphers wep128
ap(config-if)#

That’s it – you can now test your connection.

Debug Radius server

We run the Radius server with the "-X" option (debug). The following snippet shows the log from a successful authentication:

[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 42 to 192.168.0.105 port 1645
	MS-MPPE-Recv-Key = 0x57e5755e0eee0cc50b3832adea356a50ba32594ba040ceff63fe18f2fd920c7c
	MS-MPPE-Send-Key = 0x1551f8e03337527bb14da41b21d33b51d577be860b1384823c75095bc63e30b8
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "testing"
