Cisco Aironet 1130AG Series - RADIUS

I am currently setting up a number of wireless access points at a few medical sites I support and would like to use RADIUS authentication. However, I have not done my homework on RADIUS implementation and thought Hard Forum might be a good place to get started. Can the Cisco Aironet function as a RADIUS server (similar to tinyPEAP on the cheap Linksys routers)? If not, can I set up a central RADIUS server at an offsite location and authenticate against this over the internet?
 
You can do both; it just depends on how you set them up. If the sites you are supporting have a Windows 2003 server, you could set up IAS/RADIUS on that, and then clients can use their Windows domain credentials to authenticate.
 
IAS requires Windows Server Enterprise, correct? What are my options for using the Aironet as a RADIUS server... I can't seem to find anything in regard to configuration.
 
You only need Enterprise if you need more than 50 clients. A client is defined as an access server, not per user.
 
I have a Windows server offsite, can RADIUS traffic (what kind of traffic is RADIUS?) be routed over the internet?
 
If it has a public IP, that shouldn't be a problem; it just needs to be able to communicate with the RADIUS server. I'm pretty sure you can specify the port RADIUS uses, but I think the default is 1645 and 1646.
 
If the AP is behind a NAT firewall... does that really matter? The request originates from the AP behind the NAT to the RADIUS server (which is on a Public IP). The NAT router will remember which client made the request and forward the answer from the RADIUS server. That is my loose understanding... perhaps I am wrong?

Furthermore, if the Aironet can serve as a RADIUS server, I don't need to consider using my Windows server for authentication. I just can't find any documentation to confirm this functionality.
 
Yeah, that should work. I use an IAS server for RADIUS authentication for a Nortel VPN; works like a champ.

You also need to set up a remote access policy or give users remote access permission in their AD dial-in properties for it to work with an AD integrated IAS server.
 
You may find the following links helpful:

LEAP Authentication on local RADIUS server:
http://www.cisco.com/en/US/products...s_configuration_example09186a00801c0912.shtml

Configuring an Access Point as a local authenticator:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.3(4)JA:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/i1234sc.html
 
Directly from the second link I posted above:

To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an access point to act as a local authentication server. The access point can authenticate up to 50 wireless client devices using LEAP, EAP-FAST, or MAC-based authentication. The access point performs up to 5 authentications per second.

You configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with the main RADIUS servers. You can also specify a VLAN and a list of SSIDs that a client is allowed to use.
 