Cisco Aironet 1130AG Series - RADIUS

Joined
Dec 5, 2003
Messages
517
I am currently setting up a number of wireless access points at a few medical sites I support and would like to use RADIUS authentication. However, I have not done my homework on RADIUS implementation and thought Hard Forum might be a good place to get started. Can the Cisco Aironet function as a RADIUS server (similar to tinyPEAP on the cheap Linksys routers)? If not, can I set up a central RADIUS server at an offsite location and authenticate against this over the internet?
 
Joined
Feb 19, 2004
Messages
3,861
You can do both, it just depends on how you set them up. If the sites you are supporting have a Windows 2003 server, you could set up IAS/RADIUS on that and then clients can use their Windows domain credentials to authenticate.
 
Joined
Dec 5, 2003
Messages
517
IAS requires Windows Server Enterprise, correct? What are my options for using the Aironet as a RADIUS server... I can't seem to find anything in regard to configuration.
 

ND40oz

[H]F Junkie
Joined
Jul 31, 2005
Messages
12,609
IAS requires Windows Server Enterprise, correct? What are my options for using the Aironet as a RADIUS server... I can't seem to find anything in regard to configuration.

You only need Enterprise if you need more than 50 clients. A client is defined as an access server, not per user.
 
Joined
Dec 5, 2003
Messages
517
I have a Windows server offsite. Can RADIUS traffic (what kind of traffic is RADIUS?) be routed over the internet?
 

ND40oz

[H]F Junkie
Joined
Jul 31, 2005
Messages
12,609
If it has a public IP, that shouldn't be a problem; it just needs to be able to communicate with the RADIUS server. I'm pretty sure you can specify the port RADIUS uses, but I think the default is 1645 and 1646.
 
Joined
Dec 5, 2003
Messages
517
If the AP is behind a NAT firewall... does that really matter? The request originates from the AP behind the NAT to the RADIUS server (which is on a Public IP). The NAT router will remember which client made the request and forward the answer from the RADIUS server. That is my loose understanding... perhaps I am wrong?

Furthermore, if the Aironet can serve as a RADIUS server I don't need to consider using my Windows server for authentication. I just can't find any documentation to confirm this functionality.
 

ND40oz

[H]F Junkie
Joined
Jul 31, 2005
Messages
12,609
Yeah, that should work. I use an IAS server for RADIUS authentication for a Nortel VPN, works like a champ.

You also need to set up a remote access policy or give users remote access permission in their AD dial-in properties for it to work with an AD integrated IAS server.
 
Joined
Feb 19, 2004
Messages
3,861
You may find the following links helpful:

LEAP Authentication on local RADIUS server:
http://www.cisco.com/en/US/products...s_configuration_example09186a00801c0912.shtml

Configuring an Access Point as a local authenticator:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.3(4)JA:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/i1234sc.html
 
Joined
Feb 19, 2004
Messages
3,861
Directly from the second link I posted above:

To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an access point to act as a local authentication server. The access point can authenticate up to 50 wireless client devices using LEAP, EAP-FAST, or MAC-based authentication. The access point performs up to 5 authentications per second.

You configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with the main RADIUS servers. You can also specify a VLAN and a list of SSIDs that a client is allowed to use.
 