Here's a config template I use for Cisco 1120 APs. Try this and see if it works for you.



!#########################################
! Basic config template for Cisco IOS Access Points
! 4/20/2004 - BDM - I've tested it with 1120's but should work with 1200's
!#########################################
!
!
!###############################
! Remove some junk from the default config that we don't want/need
!##################################
no ip dhcp excluded-address 10.0.0.1 10.0.0.10
no ip dhcp pool local-default-pool
no aaa group server radius rad_mac
no aaa group server radius rad_acct
no aaa group server radius rad_admin
no aaa group server tacacs+ tac_admin
no aaa group server radius rad_pmip
no aaa group server radius dummy
no aaa authentication login mac_methods local
no aaa authorization ipmobile default group rad_pmip
no ip http server
no ip http help-path
!
!
!###########################
! AAA config for EAP authentication and some radius accounting
!#############################
aaa new-model
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
aaa group server radius rad_eap
server <ipaddress> auth-port 1812 acct-port 1813
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
! ##### Require wep128 encryption
encryption mode ciphers wep128
! ##### rotate broadcast wep key every 10 minutes
broadcast-key change 600
! ##### Create an SSID named "wifi"
! ##### Require EAP authentication
! ##### broadcast the SSID
ssid wifi
authentication open eap eap_methods
guest-mode
! ###### Set the data rates supported and/or required by the AP
! ###### These are the rates recommended by Cisco for best throughput
! ###### for supporting both 802.11b and 802.11g
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
!
rts threshold 2312
station-role root
no cdp enable
! ###### Tell the AP to honor the Session-Timeout returned by the Radius server
dot1x reauth-period server
!
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled


!
interface BVI1
 ip address <ip address> <subnetmask>


!
ip tacacs source-interface BVI1
ip radius source-interface BVI1
radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <key>
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip


On Apr 23, 2004, at 1:15 PM, Clayton Dukes wrote:


I can see from searching the mailing list that this has been asked many
times, but what I can't seem to locate are config examples or a good howto
on setting everything up.
I have the radius server set up -- and it appears to work on, but I am not
sure what I am lacking/doing wrong on the AP.
I have followed the instructions from the following URL:
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
It's a very good guide -- although outdated, I was still able to get the
radius and client side configured.
What I see now are no requests from the AP to the radius server when I boot
up the laptop. The laptop is not able to get to the AP either.
I also have LDAP auth turned on, when I telnet to the AP the LDAP piece
communicates fine with the radius server so I know the comms are ok.


Does anyone have an example 1100AP config that I can use?




Regards, Clayton Dukes CCNA, CCDA, CCNP, CCDP Sr. Network Engineer E Solutions Corp. http://www.esnet.com 813.301.2620 (o) 813.545.7373 (c)




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
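
A consistency check for templates like the one above, which delete the factory-default server groups and then declare new method lists: it reports any method list that names a server group the config never defines, and any SSID that names an undefined authentication method list. This is an added example, not part of the original post; the function name, the sample config and the 192.0.2.10 address are constructed for illustration.

```python
BUILTIN_GROUPS = {"radius", "tacacs+"}  # server groups usable without an explicit definition
KINDS = ("authentication", "authorization", "accounting")

# Constructed sample, modelled on the AAA lines of the template above.
SAMPLE = """\
no aaa group server radius rad_acct
aaa new-model
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
interface Dot11Radio0
 ssid wifi
 authentication open eap eap_methods
"""

def check_aaa_references(config):
    """Return sorted findings for server groups and method lists used but never defined."""
    groups, lists, ssid_refs = set(), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        negated = line.startswith("no ")
        words = line[3:].split() if negated else line.split()
        if words[:3] == ["aaa", "group", "server"] and len(words) >= 5:
            # "aaa group server <type> <name>" defines a group; the "no" form removes it
            (groups.discard if negated else groups.add)(words[4])
        elif words[0] == "aaa" and len(words) >= 4 and words[1] in KINDS:
            key = (words[1], words[3])  # (kind, method-list name)
            if negated:
                lists.pop(key, None)
            else:
                lists[key] = [words[i + 1] for i in range(4, len(words) - 1) if words[i] == "group"]
        elif words[0] == "authentication" and not negated:
            # SSID sub-command: "authentication open eap <list>" or "authentication network-eap <list>"
            ssid_refs += [words[i + 1] for i, w in enumerate(words[:-1]) if w in ("eap", "network-eap")]
    findings = []
    for (kind, name), used in lists.items():
        for group in used:
            if group not in groups | BUILTIN_GROUPS:
                findings.append(f"method list {name}: server group {group} is not defined")
    for ref in ssid_refs:
        if ("authentication", ref) not in lists:
            findings.append(f"ssid: method list {ref} is not defined")
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_aaa_references(SAMPLE):
        print(finding)
```

Definitions are resolved after the whole file is read, so a group declared below the method list that uses it still counts, while `no` lines are applied in order.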


