In this post we will look at how to configure a WLC for an external RADIUS server. A RADIUS server can handle two functions, namely Authentication and Accounting. In addition to these two functions, TACACS can also handle Authorization, which completes the three components of AAA.
You can configure a RADIUS server on a WLC for Authentication under the “Security -> RADIUS -> Authentication” section, as shown below.
You can see the servers added to the WLC as below (the capture above shows the specific configuration of one particular RADIUS server defined on the WLC).
Here are the CLI commands required to define a RADIUS server, with the relevant settings highlighted. You can refer to the 7.0.116.0 configuration guide (pages 6-12 to 6-15) for the comprehensive list of CLI commands. Below are the important configurable options.
(WLC3) >config radius ?
acct                 Configures a RADIUS Accounting Server.
aggressive-failover  Enables/Disables Aggressive Failover
auth                 Configures a RADIUS Authentication Server.
backward             Configures RADIUS Vendor Id backward compatibility
callStationIdCase    Configures Call Station Id case in RADIUS messages.
callStationIdType    Configures Call Station Id information sent in radius messages
fallback-test        Configures server fallback test

(WLC3) >config radius auth ?
add                  Configures a RADIUS Authentication Server.
delete               Deletes a RADIUS Server.
disable              Disables a RADIUS Server.
enable               Enables a RADIUS Server.
ipsec                Enables or disables IPSEC support for an authentication server
keywrap              Configures RADIUS keywrap
mac-delimiter        Configures MAC delimiter for caller-station-ID and calling-station-ID
management           Configures a RADIUS Server for management users.
network              Configures a default RADIUS server for network users.
retransmit-timeout   Changes the default retransmission timeout for the server
rfc3576              Enables or disables RFC-3576 support for an authentication server

(WLC3) >config radius acct ?
add                  Configures a RADIUS Authentication Server.
delete               Deletes a RADIUS Server.
disable              Disables a RADIUS Server.
enable               Enables a RADIUS Server.
ipsec                Enables or disables IPSEC support for an accounting server
mac-delimiter        Configures MAC delimiter for caller-station-ID and calling-station-ID
network              Configures a default RADIUS server for network users.
retransmit-timeout   Changes the default retransmission timeout for the server
Here is the basic CLI configuration for RADIUS authentication on a WLC. “1” is the server index ID, and you can configure up to 17 RADIUS servers in a WLC.
(WLC3) >config radius callStationIdType ipaddr
(WLC3) >config radius auth mac-delimiter {colon|hyphen|none|single-hyphen}
(WLC3) >config radius auth add 1 192.168.100.2 1812 ascii cisco     -> shared secret in ASCII format
(WLC3) >config radius auth retransmit-timeout 1 5                  -> default is 2s
(WLC3) >config radius auth network 1 {enable|disable}
(WLC3) >config radius auth management 1 {enable|disable}
(WLC3) >config radius auth {enable|disable} 1                       -> enabled by default
Here is the basic CLI configuration for RADIUS Accounting on a WLC.
(WLC3) >config radius callStationIdType ipaddr
(WLC3) >config radius acct mac-delimiter {colon|hyphen|none|single-hyphen}
(WLC3) >config radius acct add 1 192.168.100.2 1813 ascii cisco     -> shared secret in ASCII format
(WLC3) >config radius acct retransmit-timeout 1 5                  -> default is 2s
(WLC3) >config radius acct network 1 {enable|disable}
(WLC3) >config radius acct {enable|disable} 1                       -> enabled by default
Here are the Accounting configuration settings as seen via the GUI, derived from the CLI commands above.
The following CLI commands can be used to verify your configuration.
(WLC3) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
  Test Mode.................................... Off
  Probe User Name.............................. cisco-probe
  Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ colon
MAC Delimiter for Accounting Messages............ colon

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576   IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  --------  ------------------------------------------------
1    NM    192.168.100.2     1812    Enabled   5     Disabled  Disabled - none/unknown/group-0/0 none/none

Accounting Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576   IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  --------  ------------------------------------------------
1    N     192.168.100.2     1813    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

(WLC3) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.100.2
Msg Round Trip Time.............................. 4 (msec)
First Requests................................... 53327
Retry Requests................................... 60
Accept Responses................................. 4923
Reject Responses................................. 2610
Challenge Responses.............................. 45788
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 70
Unknowntype Msgs................................. 0
Other Drops...................................... 6

(WLC3) >show radius acct statistics
Global Accounting Info:
Accounting Interim update sent count........... 0
Accounting Info per Servers:
Accounting Server Index........................ 1
  Server Address............................... 192.168.100.2
  Msg Round Trip Time.......................... 3 (msec)
  First Requests............................... 34194
  Retry Requests............................... 243
  Accounting Responses......................... 34150
  Malformed Msgs............................... 0
  Bad Authenticator Msgs....................... 0
  Pending Requests............................. 0
  Timeout Requests............................. 287
  Unknowntype Msgs............................. 0
  Other Drops.................................. 9
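As an added example (not from the original post), here is a small Python checker that parses the dotted "Key..... value" lines of the show radius auth statistics output above and flags the counters an administrator would act on: Bad Authenticator means the shared secrets differ, timeouts point at reachability or retransmit-timeout, and a high reject share points at client-side problems. The thresholds are my own assumptions, not WLC defaults.

```python
import re

# Constructed sample in the format of the WLC "show radius auth statistics"
# output quoted above (values copied from that output).
SAMPLE_AUTH_STATS = """\
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.100.2
Msg Round Trip Time.............................. 4 (msec)
First Requests................................... 53327
Retry Requests................................... 60
Accept Responses................................. 4923
Reject Responses................................. 2610
Challenge Responses.............................. 45788
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 70
Unknowntype Msgs................................. 0
Other Drops...................................... 6
"""

# "Key....... value": letters/spaces, a run of dots, then the first token of the value
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\.{2,}\s*(?P<val>\S+)")


def parse_radius_stats(text):
    """Map each dotted 'Key..... value' line to a dict; numeric values become ints."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            val = m.group("val")
            stats[m.group("key").strip()] = int(val) if val.isdigit() else val
    return stats


def assess_radius_server(stats, max_timeout_ratio=0.01, max_reject_ratio=0.25):
    """Return the findings an admin should act on (thresholds are assumptions, not WLC defaults)."""
    findings = []
    first = stats.get("First Requests", 0)
    accepts, rejects = stats.get("Accept Responses", 0), stats.get("Reject Responses", 0)
    timeouts = stats.get("Timeout Requests", 0)
    if stats.get("Bad Authenticator Msgs", 0) > 0:
        findings.append("bad authenticator: shared secret on WLC and RADIUS server probably differ")
    if first and timeouts / first > max_timeout_ratio:
        findings.append("timeouts: server unreachable or retransmit-timeout too low")
    if (accepts + rejects) and rejects / (accepts + rejects) > max_reject_ratio:
        findings.append("high reject share: misconfigured clients or credential problems")
    return findings
```

On the sample above, roughly a third of the decisions are rejects, so only the reject-share finding fires; the timeout ratio (70 of 53327) stays well under 1%.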
Remember that you also need to configure ACS with the same shared secret and the WLC's IP address for this to work. Here is the ACS 5.2 screen capture related to this (in the Network Resources -> Network Device Groups -> Network Devices and AAA Clients section).
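Added example, not from the post, showing why the secret must match on both sides: the WLC validates every RADIUS reply with the RFC 2865 Response Authenticator, an MD5 over the reply header, the Request Authenticator it sent, the attributes and the shared secret, so a reply built with a different secret (or altered in transit) fails the check and is counted as a Bad Authenticator drop. The Request Authenticator and the Reply-Message attribute are constructed sample values; the secret "cisco" is the one from the config above.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

# Constructed sample values (not from a real exchange): the Request Authenticator the
# WLC placed in its Access-Request, and the shared secret "cisco" from the config above.
REQUEST_AUTHENTICATOR = bytes(range(16))
SECRET = b"cisco"
REPLY_MESSAGE = b"\x12\x04ok"  # Reply-Message attribute (type 18), length 4, text "ok"


def build_response(code, ident, attributes, request_auth, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s.3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_auth, secret):
    """NAS side (what the WLC does): recompute the digest; a mismatch is a 'Bad Authenticator' drop."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Returns (matching secret, mismatched secret, attribute tampered) verification results."""
    pkt = build_response(ACCESS_ACCEPT, 7, REPLY_MESSAGE, REQUEST_AUTHENTICATOR, SECRET)
    tampered = pkt[:20] + b"\x12\x04no"  # same length, different Reply-Message text
    return (
        verify_response(pkt, REQUEST_AUTHENTICATOR, SECRET),
        verify_response(pkt, REQUEST_AUTHENTICATOR, b"cisco1"),
        verify_response(tampered, REQUEST_AUTHENTICATOR, SECRET),
    )
```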
In the next post we will look at the TACACS configuration on a WLC.
