In a small wireless network built from autonomous APs (AAPs) there may be no RADIUS server available for 802.1X authentication. In that case you can configure one of your AAPs as a local authentication server. That AP can then authenticate up to 50 clients using LEAP, EAP-FAST or MAC-based authentication.
In this post we will configure an AAP as a local RADIUS server to support LEAP authentication. I will create an SSID called "data3" on VLAN 14 (10.10.14.0/24). First we will configure this in the GUI and later derive the CLI commands. I will use WPA2 as the key management method. Keep in mind that LEAP itself is a weak EAP method: its MS-CHAP based challenge/response can be captured and cracked offline with a dictionary attack, so outside a lab prefer EAP-FAST or a certificate-based method.
First of all you need to configure the VLAN on AAP1. You can do this in the "SERVICES -> VLAN" section.
Next, configure an encryption method for this VLAN. Since I am planning to use WPA2, I have to set the cipher to AES-CCMP. You can do this in the "SECURITY -> Encryption Manager" section.
Then create the SSID and configure the authenticated key management method (WPA2) under "SECURITY -> SSID Manager". Set the client authentication to "Network EAP" in order to support LEAP, and set key management to WPA2.

Now configure the RADIUS server; in this case we point it at the AAP itself, under "SECURITY -> Server Manager". The authentication and accounting ports are 1812 and 1813. The AAP's BVI IP address is configured as the server IP and the shared secret is "cisco" (a lab value; use a long random secret in production).
Make sure you select the configured RADIUS server as the default server priority for EAP authentication. See below.
Now configure the AAP as a local RADIUS server and specify the authentication protocols. In this example LEAP is sufficient, but I enabled the others as well to get familiar with the CLI commands that turn them on. The shared secret is again "cisco".
Finally, configure a local username and password for a client. I have configured one as "cisco/cisco".
Now you can test this configuration with the AnyConnect client.
Now we will look at the CLI commands that achieve the same thing. First of all, configure the basic AAP settings as below.
hostname AAP1
!
interface Dot11Radio1.14
 encapsulation dot1Q 14
 bridge-group 14
!
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface GigabitEthernet0.14
 encapsulation dot1Q 14
 bridge-group 14
!
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface BVI1
 ip address 10.10.110.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.110.3
Next, configure the SSID and the authenticated key management method. For LEAP to work properly with the Windows client you have to specify "Open Authentication with EAP Methods"; for Cisco AnyConnect, "Network EAP" should be sufficient.
You also have to configure the encryption to be used under the radio interface. Since we are using WPA2, the cipher should be AES-CCMP.
dot11 ssid data3
 vlan 14
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
interface Dot11Radio1
 mbssid
 encryption vlan 14 mode ciphers aes-ccm
 ssid data3
Next, configure RADIUS on the AAP pointing to its own IP. "radius-server attribute 32 include-in-access-req format %h" makes the AP send its hostname in the NAS-Identifier attribute (RADIUS attribute 32) of every Access-Request. The RADIUS server group is defined as "rad_eap" and is referenced by the "eap_methods" login authentication list, which is the list name the SSID's EAP configuration points to.
aaa new-model
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key cisco
radius-server attribute 32 include-in-access-req format %h
!
aaa group server radius rad_eap
 server 10.10.110.100 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
Finally, configure the AAP as the local authenticator. All local client usernames and passwords are defined in this section. If other AAPs will use this AP as their RADIUS server, each of them must be added as a NAS with its IP address and shared secret, and that secret must match the "radius-server host ... key" configured on the client AP. In this example there is only a single AP and one local user created for testing.
radius-server local
 nas 10.10.110.100 key cisco
 user cisco password cisco
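A consistency check over the CLI sections above, written as an added example for this post (it is not Cisco code; the sample config, the finding wording and the WEAK_SECRETS list are my own assumptions). It parses an IOS-style running-config and verifies the relationships the walkthrough relies on: the SSID's VLAN has an AES-CCM cipher on the radio that carries it, the EAP list named under the SSID resolves through "aaa authentication login" and the server group to a "radius-server host" with a key, and when that host is the AP's own BVI address the "radius-server local" NAS entry carries the same key. It also flags the lab-grade settings used here: LEAP enabled, a default shared secret, and a user whose password equals the username.

```python
import re

# Constructed sample: the CLI fragments from this post joined into one config.
SAMPLE_CONFIG = """\
dot11 ssid data3
 vlan 14
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
!
interface Dot11Radio1
 encryption vlan 14 mode ciphers aes-ccm
 ssid data3
interface BVI1
 ip address 10.10.110.100 255.255.255.0
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key cisco
aaa group server radius rad_eap
 server 10.10.110.100 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server local
 nas 10.10.110.100 key cisco
 user cisco password cisco
"""
WEAK_SECRETS = {"cisco", "secret", "password", "radius"}  # assumed lab-grade defaults


def parse_blocks(config):
    # IOS config -> list of (header line, [indented child lines]); "!" separators skipped
    blocks = []
    for line in config.splitlines():
        if line.strip() and not line.startswith("!"):
            if line.startswith(" "):
                blocks[-1][1].append(line.strip())
            else:
                blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return findings; an empty list means the sections agree and no weak setting was seen."""
    ssids, radios, bvi = {}, {}, set()
    hosts, groups, logins, nas, users = {}, {}, {}, {}, {}
    for header, body in parse_blocks(config):
        t = header.split()
        kv = dict(zip(t, t[1:]))  # token -> following token, e.g. kv["key"] == "cisco"
        if header.startswith("dot11 ssid "):
            s = ssids[t[2]] = {"vlan": None, "lists": set(), "wpa2": False, "leap": False}
            for l in body:
                if l.startswith("vlan "):
                    s["vlan"] = l.split()[1]
                elif l.startswith(("authentication open eap ", "authentication network-eap ")):
                    s["lists"].add(l.split()[-1])
                    s["leap"] |= "network-eap" in l
                elif l == "authentication key-management wpa version 2":
                    s["wpa2"] = True
        elif re.fullmatch(r"interface Dot11Radio\d+", header):
            r = radios[header] = {"ciphers": {}, "ssids": set()}
            for l in body:
                m = re.match(r"encryption vlan (\d+) mode ciphers (.+)", l)
                if m:
                    r["ciphers"][m[1]] = m[2]
                elif l.startswith("ssid "):
                    r["ssids"].add(l.split()[1])
        elif header.startswith("interface BVI"):
            bvi.update(l.split()[2] for l in body if l.startswith("ip address "))
        elif header.startswith("radius-server host "):
            hosts[t[2]] = kv.get("key")
        elif header.startswith("aaa group server radius "):
            groups[t[-1]] = [l.split()[1] for l in body if l.startswith("server ")]
        elif header.startswith("aaa authentication login "):
            logins[t[3]] = kv.get("group")
        elif header == "radius-server local":
            for u in (l.split() for l in body):
                ukv = dict(zip(u, u[1:]))
                if u[0] == "nas":
                    nas[u[1]] = ukv.get("key")
                elif u[0] == "user":
                    users[u[1]] = ukv.get("password")
    out = []
    for name, s in ssids.items():
        for r in (r for r in radios.values() if name in r["ssids"]):
            cipher = r["ciphers"].get(s["vlan"], "<none>")
            if s["wpa2"] and "aes-ccm" not in cipher:
                out.append(f"ssid {name}: WPA2 on vlan {s['vlan']} but radio cipher is '{cipher}', not aes-ccm")
        if s["leap"]:
            out.append(f"ssid {name}: network-eap (LEAP) enabled; LEAP is open to offline dictionary attack")
        for lst in s["lists"]:
            grp = logins.get(lst)
            if grp not in groups:
                out.append(f"ssid {name}: EAP list '{lst}' does not resolve to a defined RADIUS group")
            for ip in groups.get(grp, []):
                key = hosts.get(ip)
                if key is None or key in WEAK_SECRETS:
                    out.append(f"server {ip}: shared secret {key!r} is missing or a well-known default")
                if ip in bvi and nas.get(ip) != key:  # the AP is its own RADIUS server
                    out.append(f"nas {ip}: 'radius-server local' key is missing or differs from the radius-server host key")
    for u, p in users.items():
        if p == u or p in WEAK_SECRETS:
            out.append(f"local user {u}: trivial password")
    return out
```

Run audit(SAMPLE_CONFIG) and the structural checks pass while the three hygiene findings (LEAP, secret "cisco", user cisco/cisco) are reported; change the "nas ... key" to something other than the "radius-server host" key, or drop the "encryption vlan 14" line, and the corresponding structural finding appears. The parser only understands the one-space sub-mode indentation that "show running-config" produces, which is why the sample is written that way.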
That's pretty much it; you can test with your AnyConnect client now. You should see the client associate, and you can check the details via the CLI using the "show dot11 association" command.
So for the exam I have to remember these CLI commands. Broken down into simple sections it is much easier than I thought. We will look at another example with multiple AAPs and multiple user groups next.
Related Posts
1. Autonomous AP with WEP Security
2. Autonomous AP with WPA-PSK Security
3. Autonomous AP with PEAP Security
4. Autonomous AP with LEAP Security
5. Autonomous AP with EAP-FAST Security
6. Autonomous AP with EAP-TLS Security