
How to configure a WPA2 Enterprise on Cisco Aironet AP with the embedded Qnap NAS Radius

January 8, 2012

This is a how-to for configuring an autonomous Cisco Aironet AP (IOS 12.4 based) with WPA2 Enterprise, authenticating against a Qnap NAS with its embedded RADIUS server (only for firmware 3.5.2 Build 1126T or above).

This is a good solution for an SMB context.

1. First step. Configure the AP in global config with:

aaa new-model
!
aaa group server radius rad_admin
 server x.x.x.x auth-port 1812 acct-port 1813
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap
 server x.x.x.x auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server x.x.x.x auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
 server x.x.x.x auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common

ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting

2. Second step.

Define the VLAN name:

dot11 vlan-name "name for the vlan" vlan 1

Then define the SSID:

dot11 ssid "ssid name"
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 ! accounting takes the accounting method list defined in step 1
 accounting acct_methods
 mbssid guest-mode

Then bind the SSID to the radio interfaces, setting the cipher before the SSID:

interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 ssid "ssid name"
!
interface Dot11Radio1
 encryption vlan 1 mode ciphers aes-ccm
 ssid "ssid name"
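One way to check a saved AP configuration for the cross-references the two steps above depend on (an added example, not part of the original post). It assumes the config is in show running-config layout with indented sub-commands; the sample config, the SSID name corp and the helper names blocks and audit are constructed for illustration.

```python
# Constructed sample with three deliberate faults: a misspelled EAP method
# list, an undefined accounting list, and TKIP on the second radio.
SAMPLE = """\
aaa authentication login eap_methods group rad_eap
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid corp
 vlan 1
 authentication open eap eap_method
 authentication key-management wpa version 2
 accounting rad_acct
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 ssid corp
interface Dot11Radio1
 encryption vlan 1 mode ciphers tkip
 ssid corp
"""

def blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, head = {}, None
    for line in config.splitlines():
        if line[:1] not in ("", " ", "!"):
            head = out.setdefault(line.strip(), [])
        elif head is not None and line.strip() not in ("", "!"):
            head.append(line.strip())
    return out

def audit(config):
    """Return a list of findings, one string per broken reference or weak setting."""
    blk, findings = blocks(config), []
    login = {h.split()[3] for h in blk if h.startswith("aaa authentication login ")}
    acct = {h.split()[3] for h in blk if h.startswith("aaa accounting network ")}
    for head, body in blk.items():
        if not head.startswith("dot11 ssid "):
            continue
        ssid = head[len("dot11 ssid "):].strip()
        vlan = next((l.split()[1] for l in body if l.startswith("vlan ")), None)
        want = f"encryption vlan {vlan} mode ciphers aes-ccm" if vlan else "encryption mode ciphers aes-ccm"
        for l in body:
            if l.startswith(("authentication open eap ", "authentication network-eap ")) and l.split()[-1] not in login:
                findings.append(f"{ssid}: EAP method list {l.split()[-1]} is undefined")
            if l.startswith("accounting ") and l.split()[1] not in acct:
                findings.append(f"{ssid}: accounting list {l.split()[1]} is undefined")
        if "authentication key-management wpa version 2" not in body:
            findings.append(f"{ssid}: WPA2 key management is not required")
        for ih, ib in blk.items():
            if ih.startswith("interface Dot11Radio") and f"ssid {ssid}" in ib and want not in ib:
                findings.append(f"{ssid}: {ih.split()[1]} is not AES-CCM only")
    return findings
```

Calling audit(SAMPLE) returns the three findings; a radio that allows TKIP alongside AES-CCM is reported too, because the cipher line must match exactly.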

Now, if you already have the latest firmware on your Qnap, you're ready to go:

1. Access the Application folder, and select Radius Server.

2. Tick Enable RADIUS Server and Grant dial-in access to system user accounts (if you want to use the predefined system user accounts).

3. Define the RADIUS users and passwords.

4. If you also want to grant access to client devices, define them on the clients tab.

That’s it.
