EAP Authentication with WLAN Controllers (WLC)Configuration Example

Document ID: 69730

IntroductionPrerequisites Requirements Components Used ConventionsConfigure Network Diagram Configure the WLC for Basic Operation and Register the Lightweight APs to theController Configure the WLC for RADIUS Authentication through an External RADIUS Server Configure WLAN Parameters Configure Cisco Secure ACS as the External RADIUS Server and Create a User Databasefor Authentication ClientsVerifyTroubleshoot Troubleshooting Tips Extracting the Package File from ACS RADIUS Server for TroubleshootingNetPro Discussion Forums − Featured ConversationsRelated Information

Introduction

This document explains how to configure the Wireless LAN controller (WLC) for Extensible AuthenticationProtocol (EAP) authentication with the use of an external RADIUS server. This configuration example usesthe Cisco Secure Access Control Server (ACS) as the external RADIUS server in order to validate the usercredentials.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

Basic knowledge of the configuration of Lightweight access points (APs) and Cisco WLCs.• Basic knowledge of Lightweight AP Protocol (LWAPP)

Refer to Understanding the Lightweight Access Point Protocol (LWAPP) for more information.

•

Knowledge of how to configure an external RADIUS server like the Cisco Secure ACS•

Components Used

The information in this document is based on these software and hardware versions:

Cisco Aironet 1000 Series Lightweight AP• Cisco 2000 Series WLC that runs firmware 3.2.78.0•

Cisco Secure ACS that runs version 3.2• Cisco Aironet 802.11 a/b/g Client Adapter• Cisco Aironet Desktop Utility (ADU) that runs firmware 2.5•

The information in this document was created from the devices in a specific lab environment. All of thedevices used in this document started with a cleared (default) configuration. If your network is live, make surethat you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool ( registered customers only) in order to find more information on thecommands used in this document.

Complete these steps in order to configure the devices for EAP authentication:

Configure the WLC for basic operation and register the Lightweight APs to the controller.1. Configure the WLC for RADIUS authentication through an external RADIUS server.2. Configure the WLAN parameters.3. Configure Cisco Secure ACS as the external RADIUS server and create a user database forauthenticating clients.

4.

Network Diagram

In this setup, a Cisco 2006 WLC and a Lightweight AP are connected through a hub. An external RADIUSserver (Cisco Secure ACS) is also connected to the same hub. All the devices are in the same subnet. The APis initially registered to the controller. You must configure the WLC and AP for Lightweight ExtensibleAuthentication Protocol (LEAP) authentication. The clients that connect to the AP use LEAP authentication inorder to associate with the AP. Cisco Secure ACS is used in order to perform RADIUS authentication.

Configure the WLC for Basic Operation and Register the LightweightAPs to the Controller

Use the startup configuration wizard on the command−line interface (CLI) in order to configure the WLC forbasic operation. Alternatively, you can also use the GUI in order to configure the WLC. This documentexplains the configuration on the WLC with the startup configuration wizard on the CLI.

After the WLC boots for the first time, it directly enters into the startup configuration wizard. Use theconfiguration wizard in order to configure basic settings. You can run the wizard on the CLI or the GUI. Thisoutput shows an example of the startup configuration wizard on the CLI:

Welcome to the Cisco Wizard Configuration ToolUse the '−' character to backupSystem Name [Cisco_33:84:a0]: WLC−1Enter Administrative User Name (24 characters max): adminEnter Administrative Password (24 characters max): *****Management Interface IP Address: 172.16.1.30Management Interface Netmask: 255.255.0.0Management Interface Default Router: 172.16.1.75Management Interface VLAN Identifier (0 = untagged):Management Interface Port Num [1 to 4]: 1Management Interface DHCP Server IP Address: 172.16.1.1AP Manager Interface IP Address: 172.16.1.31AP−Manager is on Management subnet, using same valuesAP Manager Interface DHCP Server (172.16.1.1):Virtual Gateway IP Address: 1.1.1.1Mobility/RF Group Name: TestNetwork Name (SSID): Cisco123Allow Static IP Addresses [YES][no]: yesConfigure a RADIUS Server now? [YES][no]: noWarning! The default WLAN security policy requires a RADIUS server.Please see documentation for more details.Enter Country Code (enter 'help' for a list of countries) [US]:Enable 802.11b Network [YES][no]: yesEnable 802.11a Network [YES][no]: yesEnable 802.11g Network [YES][no]: yesEnable Auto−RF [YES][no]: yes

Configuration saved!Resetting system with new configuration..

These parameters set up the WLC for basic operation. In this configuration example, the WLC uses172.16.1.30 as the management interface IP address and 172.16.1.31 as the AP−manager interface IP address.

Before any other features can be configured on the WLCs, the Lightweight APs have to register with theWLC. This document assumes that the Lightweight AP is registered to the WLC. Refer to the Register theLightweight AP to the WLCs section of WLAN Controller Failover for Lightweight Access PointsConfiguration Example for more information on how the Lightweight APs register with the WLC.

Configure the WLC for RADIUS Authentication through an ExternalRADIUS Server

The WLC needs to be configured in order to forward the user credentials to an external RADIUS server. Theexternal RADIUS server then validates the user credentials and provides access to the wireless clients.

Complete these steps in order to configure the WLC for an external RADIUS server:

Choose Security and RADIUS Authentication from the controller GUI to display the RADIUSAuthentication Servers page. Then click New in order to define a RADIUS server.

1.

Define the RADIUS server parameters in the RADIUS Authentication Servers > New page. Theseparameters include the RADIUS Server IP Address, Shared Secret, Port Number, and Server Status.

The Network User and Management check boxes determine if the RADIUS−based authenticationapplies for management and network users. This example uses the Cisco Secure ACS as the RADIUSserver with IP address 172.16.1.1:

2.

You can also use the local RADIUS server feature in order to authenticate users. Local RADIUSserver was introduced with version 4.1.171.0 code. WLCs that run previous versions do not have thelocal radius feature. Local EAP is an authentication method that allows users and wireless clients tobe authenticated locally. It is designed for use in remote offices that want to maintain connectivity towireless clients when the backend system becomes disrupted or the external authentication servergoes down. Local EAP retrieves user credentials from the local user database or the LDAP backenddatabase to authenticate users. Local EAP supports LEAP, EAP−FAST with PACs, EAP−FAST withcertificates, and EAP−TLS authentication between the controller and wireless clients.

Note: Local EAP is designed as a backup authentication system. If any RADIUS servers areconfigured on the controller, the controller tries to authenticate the wireless clients with the RADIUSservers first. Local EAP is attempted only if no RADIUS servers are found, either because theRADIUS servers timed out or no RADIUS servers were configured.

Note: RFC 3576 is supported on the Cisco CNS Access Registrar (CAR) RADIUS server, but not onCisco Secure ACS Server version 4.0 and earlier.

Configure WLAN Parameters

Next, configure the WLAN which the clients use to connect to the wireless network. When you configured thebasic parameters for the WLC, you also configured the SSID for the WLAN. You can use this SSID for theWLAN or create a new SSID.

Note: You can configure up to sixteen WLANs on the controller. The Cisco WLAN Solution can control upto sixteen WLANs for Lightweight APs. Each WLAN has a separate WLAN ID (1 through 16), a separateWLAN SSID (WLAN name), and can be assigned unique security policies. Lightweight APs broadcast allactive Cisco WLAN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.

Complete these steps to configure a new WLAN and its related parameters:

Click WLANs from the GUI of the controller in order to display the WLANs page.

This page lists the WLANs that exists on the controller.

1.

Choose New in order to create a new WLAN. Enter the WLAN ID and the WLAN SSID for theWLAN and click Apply.

2.

Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. In this page youcan define various parameters specific to this WLAN that includes General Policies, RADIUS

3.

Servers, Security Policies, and 802.1x Parameters.

Check Admin Status under General Policies in order to enable the WLAN. If you want the AP tobroadcast the SSID in its beacon frames, check Broadcast SSID.

Choose the appropriate RADIUS server from the pull−down menu under RADIUS Servers. The otherparameters can be modified based on the requirement of the WLAN network. Click Apply.

Note: When you create a new WLAN, 802.1x is the default Layer 2 security mechanism. This settingforces a wireless client to first successfully authenticate by EAP before it gets network access. This isthe only setting that needs to be configured on the controller for EAP authentication. All otherconfigurations need to be done on the RADIUS server and the clients that need to be authenticated.

Configure Cisco Secure ACS as the External RADIUS Server and Createa User Database for Authentication Clients

Complete these steps to create the user database and enable EAP authentication on the Cisco Secure ACS:

Choose User Setup from the ACS GUI, enter the username, and click Add/Edit. In this example theuser is ABC.

1.

When the User Setup page appears, define all the parameters specific to the user. In this example theusername, password and Supplementary User Information are configured because you only need thisparameters for EAP authentication.

Click Submit and repeat the same process in order to add more users to the database. By default allusers are grouped under the default group. Refer to the User Group Management section of UserGuide for Cisco Secure ACS for Windows Server 3.2 for more information if you want to assignspecific users to different groups.

2.

Define the controller as an AAA client on the ACS server. Click Network Configuration from theACS GUI.

When the Network Configuration page appears, define the name of the WLC, IP address, sharedsecret and authentication method (RADIUS Cisco Aironet or RADIUS Cisco IOS/PIX). Refer to thedocumentation from the manufacturer for other non−ACS authentication servers.

Note: The shared secret key that you configure on the WLC and the ACS server must match. Theshared secret is case sensitive.

3.

Click System Configuration and Global Authentication Setup in order to ensure that theauthentication server is configured to perform the desired EAP authentication method. Under the EAPconfiguration settings, choose the appropriate EAP method. This example uses LEAP authentication.Click Submit when you are done.

4.

Verify

Use this section to confirm that your configuration works properly.

Try to associate a wireless client with the Lightweight AP using LEAP authentication in order to verify if theconfiguration works as expected.

Note: This document assumes that the client profile is configured for LEAP authentication. Refer to UsingEAP Authentication for more information on how to configure the 802.11 a/b/g Wireless Client Adapter forLEAP authentication.

Once the profile for the wireless client is activated, the user is asked to provide the username/password forLEAP authentication. Here is an example:

The Lightweight AP and then the WLC pass on the user credentials to the external RADIUS server (CiscoSecure ACS) in order to validate the credentials. The RADIUS server compares the data with the userdatabase and provides access to the wireless client whenever the user credentials are valid in order to verifythe user credentials. The Passed Authentication report on the ACS server shows that the client has passed theRADIUS authentication. Here is an example:

Upon successful RADIUS authentication the wireless client associates with the Lightweight AP.

Troubleshoot

Complete these steps to troubleshoot the configurations:

Use the debug lwapp events enable command in order to check if the AP registers with the WLC.

This output shows an example for a successful registration event:

Thu Mar 30 17:54:37 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to ff:ff:ff:ff:ff:ff on port '1'Thu Mar 30 17:54:37 2006: Successful transmission of LWAPP Discovery−Response to AP 00:0b:85:5b:fb:d0 on Port 1Thu Mar 30 17:54:49 2006: Received LWAPP JOIN REQUEST from AP 00:0b:85:5b:fb:d0 to 00:0b:85:33:52:80 on port '1'Thu Mar 30 17:54:49 2006: LWAPP Join−Request MTU path from AP 00:0b:85:5b:fb:d0 is 1500, remote debug mode is 0Thu Mar 30 17:54:49 2006: Successfully added NPU Entry for AP 00:0b:85:5b:fb:d0 (index 49)Switch IP: 172.16.1.51, Switch Port: 12223, intIfNum 1, vlanId 0 AP IP: 172.16.1.42, AP Port: 49085, next hop MAC: 00:0b:85:5b:fb:d0Thu Mar 30 17:54:49 2006: Successfully transmission of LWAPP Join−Reply to AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:49 2006: Register LWAPP event for AP 00:0b:85:5b:fb:d0 slot 0Thu Mar 30 17:54:49 2006: Register LWAPP event for AP 00:0b:85:5b:fb:d0 slot 1Thu Mar 30 17:54:50 2006: Received LWAPP CONFIGURE REQUEST from AP 00:0b:85:5b:fb:d0 to 00:0b:85:33:52:80Thu Mar 30 17:54:50 2006: Updating IP info for AP 00:0b:85:5b:fb:d0−− static 1, 172.16.1.42/255.255.0.0, gtw 0.0.0.0Thu Mar 30 17:54:50 2006: spamVerifyRegDomain RegDomain set for slot 0 code 0 regstring −A regDfromCb −AThu Mar 30 17:54:50 2006: spamVerifyRegDomain RegDomain set for slot 1 code 0 regstring −A regDfromCb −AThu Mar 30 17:54:50 2006: spamEncodeDomainSecretPayload:Send domain secret TestCRET<da,c8,15,ab,44,ce,34,04,8d,91,45,e3,1b,a5,9f,1e,21,45,41,2c> to AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Successfully transmission of LWAPP Config−Messageto AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Running spamEncodeCreateVapPayload for SSID 'cisco123'Thu Mar 30 17:54:50 2006: Running spamEncodeCreateVapPayload for SSID 'cisco123'Thu Mar 30 17:54:50 2006: AP 00:0b:85:5b:fb:d0 associated. Last AP failure was due to Link FailureThu Mar 30 17:54:50 2006: Received LWAPP CHANGE_STATE_EVENT from AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Successfully transmission of LWAPP Change−State−Event Response to AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Received LWAPP Up event for AP 00:0b:85:5b:fb:d0 slot0!Thu Mar 30 17:54:50 2006: Received LWAPP CONFIGURE COMMAND RES from AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Received LWAPP CHANGE_STATE_EVENT from AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Successfully transmission of LWAPP Change−State−Event Response to AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Received LWAPP Up event for AP 00:0b:85:5b:fb:d0 slot1!Thu Mar 30 17:54:50 2006: Received LWAPP CONFIGURE COMMAND RES from AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Received LWAPP CONFIGURE COMMAND RES from AP 00:0b:85:5b:fb:d0Thu Mar 30 17:54:50 2006: Received LWAPP CONFIGURE COMMAND RES from AP 00:0b:85:5b:fb:d0

1.

Check if the RADIUS server receives and validates the authentication request from the wirelessclient.

2.

Check the Passed Authentications and Failed Attempts reports on the ACS server in order toaccomplish this. These reports are available under Reports and Activities on the ACS server. Here isan example when the RADIUS server authentication fails:

Note: Refer to Obtaining Version and AAA Debug Information for Cisco Secure ACS for Windowsfor information on how to troubleshoot and obtain debug information on Cisco Secure ACS.Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials.

This is very important because in some cases, the RADIUS server never receives the user credentialsif the RADIUS server configuration on the WLC is incorrect.

This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:

You can also use these debug commands in order to troubleshoot AAA authentication:

debug aaa all enable�Configures the debug of all AAA messages.♦ debug dot1x packet enable�Enables the debug of all dot1x packets.♦

3.

You can use a combination of the show wlan summary command in order to recognize which ofyour WLANs employ RADIUS server authentication. Then you can view the show client summarycommand in order to see which MAC addresses (clients) are successfully authenticated on RADIUSWLANs. You can also correlate this with your Cisco Secure ACS passed attempts or failed attemptslogs.

Troubleshooting Tips

Verify on the controller that RADIUS server is in active state, and not on standby ordisabled.

•

Check if the RADIUS server is selected from the drop down menu of the WLAN (SSID).• If you use WPA, then you have to install the latest Microsft WPA hotfix for Windows XP SP2. Also,you should upgrade the driver for your client supplicant to the latest.

•

DOT1X−1−MAX_EAPOL_KEY_RETRANS_FOR_MOBILE: MAX EAPOL−Key M1retransmissions reached for mobile xx:xx:xx:xx:xx

This error messages indicates that the client does not respond in time to the controller during theWPA (802.1x) key negotiation. The controllers set a timer for a response during key negotiation.Typically when you see this message, it is due to an issue with the supplicant. Ensure that you run thelatest versions of Client drivers and firmware.You can extend the EAP timers on the controllers towait for client 802.1x info if you use these commands on the WLC CLI:

config advanced eap identity−request−timeout 120config advanced eap identity−request−retries 20config advanced eap request−timeout 120config advanced eap request−retries 20save config

If you use Windows Zero Config/client supplicant, disable Enable Fast Reconnect. You can do thisif you choose Wireless Network Connection Properties > Wireless Networks > Preferrednetworks. Then choose SSID > Properties > Open > WEP > Authentication > EAP type > PEAP> Properties > Enable Fast Reconnect . You can then find the option to enable or disable at the endof the window.

•

If you do PEAP, for example certificates with XP, SP2 where the cards are managed by the Microsoftwireless−0 utility, you need to get the KB885453 patch from Microsoft.

•

If you have Intel 2200 or 2915 cards, refer to the statements on the Intel website about the knownissues with their cards:

Intel® PRO/Wireless 2200BG Network Connection♦ Intel® PRO/Wireless 2915ABG Network Connection♦

Download the most current Intel drivers in order to avoid any issues. You can download Intel driversat http://downloadcenter.intel.com/

•

If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAAserver as not responding. But, this should not be done because the AAA server is possibly notresponsive only to that particular client, if you do silent discard. It can be a response to other validclients with valid certificates. But, the WLC can still mark the AAA server as not respondingand not functional.

In order to overcome this, disable the aggressive failover feature. Issue the config radiusaggressive−failover disable command from the controller GUI in order to perform this. If this isdisabled, then the controller only fails over to the next AAA server if there are three consecutiveclients that fail to receive a response from the RADIUS server.

•

Extracting the Package File from ACS RADIUS Server forTroubleshooting

If you use ACS as the external radius server, this section can be used to troubleshoot. The package.cab is aZip file that contains all the necessary files needed in order to troubleshoot ACS efficiently. You can use theCSSupport.exe utility to create the package.cab, or you can collect the files manually.

Refer to the Creating a package.cab File section of Obtaining Version and AAA Debug Information for CiscoSecure ACS for Windows for more information on how to create and extract the package file from WCS.

NetPro Discussion Forums − Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions,and information about networking solutions, products, and technologies. The featured links are some of themost recent conversations available in this technology.

NetPro Discussion Forums − Featured Conversations for Wireless

Wireless − Mobility: WLAN Radio Standards

Wireless − Mobility: Security and Network Management

Wireless − Mobility: Getting Started with Wireless

Wireless − Mobility: General

Related Information

WLAN Controller Failover for Lightweight Access Points Configuration Example• Wireless LAN Controller (WLC) Software Upgrade• Cisco Wireless LAN Controller Command Reference• Wireless Support Page• Technical Support & Documentation − Cisco Systems•

Contacts & Feedback | Help | Site Map© 2007 − 2008 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks ofCisco Systems, Inc.

Updated: Jan 21, 2008 Document ID: 69730