[c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..

Enno Rey erey at ernw.de
Sat Nov 28 14:09:41 EST 2009


Hi,

On Sat, Nov 28, 2009 at 01:35:02PM -0500, Howard Leadmon wrote:
> I have a question hopefully someone can give me a pointer or shed some
> light on..
>
> I have both an Aironet 1242AG and now a 1252AG access point, which are
> working fine. I have WPA2-Personal with a shared key setup and running
> great as well. It was my impression that Vista and Win7 both supported
> Enterprise authentication, which I figured would be better and more secure
> than using the personal shared key stuff.
>
> I have tried, and googled, and I for the life of me just can't seem to get
> Enterprise auth going.. Does anyone have any docs on getting the Aironet
> and Windows to play together, configs, or links to info that will help?
> Just FYI, I am trying to use the radius server built into the AP, as I
> figured that would be simple enough, hopefully doing that is ok..
>

Attached (below) you will find a production config file (anonymized sufficiently, I hope) and a "config snippet template" for RADIUS auth against the local database.
You should be able to understand (and assemble) the relevant pieces. Feel free to contact me off-list if you don't succeed...

The "standard windows client config" is described for example in:

https://www.cisco.com/en/US/docs/wireless/wlan_adapter/cb21ag/user/2.0/configuration/guide/winapEkh.html

And this doc on hardening the APs might be interesting as well:

http://www.ernw.de/content/e7/e183/e691/download693/ERNW_hard_cisco_aps_erey_ger.pdf

thanks,

Enno


-- 
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135 
Geschaeftsfuehrer: Enno Rey


***  TROOPERS10 - This time it's a home match  ***
International Security Conference & Hacking Summit
***   8-12 March 2010 - Heidelberg, Germany    ***
*************** www.troopers.de ******************



==============================
Config snippet/template

! must be configured before 'radius-server local' is even
! available
aaa new-model

! enter local radius-server config mode
radius-server local

! include devices that act as RADIUS clients
nas 20.20.20.20 key radius123!
nas 20.20.20.21 key rad234!


! configure users

! user wds necessary for WDS communication
user wds pass wds456

! user needed for infrastructure_AP authentication
user infrastructureap pass infra678


! other users e.g. for LEAP
user erey pass hallo123
user fbrandtner pass franky
user tschuster pass franke


! 'point to self' radius-server config (as client)
! note port numbers!

radius-server host 20.20.20.20 auth-port 1812 acct-port 1813 key radius123!

======================
Full sample config

!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname A0119BG01
!
no logging console
enable secret 5 $1$3aRl$ms3dlasjaksjXefaQoRH.J1
!
clock timezone GMT 1
clock summer-time mesz recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip domain lookup
ip domain name warehouse.com
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius dummy
!
aaa group server radius Infrastructure
 server 10.28.86.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_pmip
!
aaa group server radius rad_eap1
!
aaa group server radius user
 server 10.28.86.1 auth-port 1812 acct-port 1813
 server 10.0.184.20 auth-port 1645 acct-port 1646
 server 10.0.184.21 auth-port 1645 acct-port 1646
!
aaa authentication login method_user group user
aaa authentication login mac_methods local
aaa authentication login method_infrastructure group Infrastructure
aaa authentication login eap_methods group user
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid abc115EPtz9aoMDE
   vlan 3
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 BADEAFFE
!
dot11 ssid abcm303GHos7aoISI
   vlan 2
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
!
crypto pki trustpoint TP-self-signed-724177026
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-724177026
 revocation-check none
 rsakeypair TP-self-signed-724177026
!
!
crypto ca certificate chain TP-self-signed-724177026
 certificate self-signed 01
  quit
username ibm_inst privilege 15 password 7 xyz
!
!
policy-map Office
 class class-default
  set cos 0
policy-map POS
 class class-default
  set cos 5
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers tkip
 !
 ssid abc115EPtz9aoMDE
 !
 ssid abcm303GHos7aoISI
 !
 speed basic-1.0 basic-2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local cck 30
 power local ofdm 30
 power client 30
 channel 2437
 station-role root fallback shutdown
 infrastructure-client
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 service-policy input POS
 service-policy output POS
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 service-policy input Office
 service-policy output Office
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 service-policy input POS
 service-policy output POS
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 service-policy input Office
 service-policy output Office
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 10.28.86.1 255.255.252.0
 no ip route-cache
!
ip default-gateway 10.28.87.254
no ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server view basic iso included
snmp-server view basic ieee802dot11 included
snmp-server community a0_wlan_wh_ro view basic RO
snmp-server community a0_wlan_wh_rw view basic RW
snmp-server enable traps tty
radius-server local
  nas 10.28.86.1 key 7 abc
  user wds nthash 7 0A7BADE
  user abc001IBMinst nthash 7 some_hash
  user abc002IBMinst nthash 7 some_hash
  user abc003IBMinst nthash 7 some_hash
  user abc004IBMinst nthash 7 some_hash
  user abc005IBMinst nthash 7 some_hash
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.28.86.1 auth-port 1812 acct-port 1813 key 7 ABDC
radius-server host 10.0.184.21 auth-port 1645 acct-port 1646 key 7 ABDC
radius-server host 10.0.184.20 auth-port 1645 acct-port 1646 key 7 ABDC
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
wlccp ap username wds password 7 ABCD
wlccp authentication-server infrastructure method_infrastructure
wlccp authentication-server client leap method_user
wlccp wds priority 100 interface BVI1
wlccp wnm ip address 10.1.240.41
!
line con 0
 terminal-type ansi
 transport preferred all
 transport output all
line vty 0 4
 terminal-type ansi
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 terminal-type ansi
 transport preferred all
 transport input all
 transport output all
!
sntp server 192.168.4.35
sntp broadcast client
end
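A small consistency check for the "point to self" pieces that the snippet template and the full config above have in common: 'aaa new-model' before 'radius-server local', a 'nas' entry for the AP's own address, the local server's fixed 1812/1813 ports on the client side, and matching keys. This is an added example, not part of the original post or any Cisco tooling; the config text inside it is constructed, with a deliberate auth-port mistake so the checker has something to report.

```python
import re

# Constructed sample (not from the post): the AP points to its own local RADIUS
# server, but the client side was given the legacy 1645 auth port by mistake.
SAMPLE_CONFIG = """\
aaa new-model
radius-server local
  nas 20.20.20.20 key radius123!
  user wds pass wds456
radius-server host 20.20.20.20 auth-port 1645 acct-port 1813 key radius123!
"""

NAS_RE = re.compile(r"nas (\S+) key (?:(7) )?(\S+)")
HOST_RE = re.compile(r"radius-server host (\S+) auth-port (\d+) acct-port (\d+) key (?:(7) )?(\S+)")


def check_local_radius(config: str) -> list[str]:
    """Return findings for the local-RADIUS pitfalls the list reply points at."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]  # drop blanks and comments
    findings = []
    aaa_idx = next((i for i, ln in enumerate(lines) if ln == "aaa new-model"), None)
    local_idx = next((i for i, ln in enumerate(lines) if ln == "radius-server local"), None)
    if local_idx is None:
        return ["no 'radius-server local' section found"]
    if aaa_idx is None or aaa_idx > local_idx:
        findings.append("'aaa new-model' must precede 'radius-server local'")
    # nas entries live under radius-server local; map IP -> (type-7 flag, key)
    nas = {m.group(1): (m.group(2), m.group(3))
           for ln in lines[local_idx + 1:] if (m := NAS_RE.match(ln))}
    if not nas:
        findings.append("no 'nas' entry: the AP itself must be a client of its local server")
    for ln in lines:
        m = HOST_RE.match(ln)
        if not m or m.group(1) not in nas:
            continue  # not a host line, or an external server rather than the local one
        ip, auth, acct, enc, key = m.groups()
        if (auth, acct) != ("1812", "1813"):
            findings.append(f"{ip}: local server listens on 1812/1813, client uses {auth}/{acct}")
        nas_enc, nas_key = nas[ip]
        if enc or nas_enc:
            findings.append(f"{ip}: key is type-7 encoded, cannot compare to nas key")
        elif key != nas_key:
            findings.append(f"{ip}: 'radius-server host' key differs from 'nas' key")
    return findings


if __name__ == "__main__":
    for finding in check_local_radius(SAMPLE_CONFIG) or ["config looks consistent"]:
        print(finding)
```

Run it over a `show running-config` dump before troubleshooting the Windows supplicant side; the type-7 case is reported rather than compared because encoded keys cannot be checked for equality as strings.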


