Configure a Cisco 887W AP to use Radius to authenticate users

In this quick tutorial, I am going to show you how to configure a Cisco 887W router’s AP to use a radius server to authenticate users to access the network. I will not cover how to setup a radius server, though if you are interested, I have made a blog post some time ago about setting up a radius server in linux and using it to test dot1x in a cisco switch.

In saying make sure you have already setup the following:

  • Radius server, you will need its IP and the shared secret key
  • Policy in your radius server if applicable to allow request coming from your router, in my lab I have setup to allow the entire LAN range of the router.
  • Cisco 887W already configured for DSL connectivity. In saying this, I also expect that you are familiar with configuring a Cisco 887. These are routers used for ADSL or NBN(based in Australia) services. Make sure you also configure this DHCP.

Let us jump right in, to access the AP you would need to type in the CLI:

It feels like being in the matrix as it is an IOS within an IOS. All the commands you all love and are familiar with are applicable here. Start configuring the AP as you would normally configure a router such as username, password, enable secret etc.

Now the fun bit, we would need to configure the AP to use a radius server to authenticate the users which means we would need to use IOS aaa.

config terminal
aaa new-model
radius-server host auth-port 1645 acct-port 1646 key p@ssw0rd
! — the radius-server declaration will be at the buttom of the config once applied but you need to declare this early on or else IOS will tell you the group hasn’t been created.
aaa group server radius test
server auth-port 1645 acct-port 1646
aaa authentication login eap_users group test
interface Dot11Radio0
no shut
description Dot1Radio0_DELAN_Radio
no ip address
no ip route-cache
! — Dot1Radio0 interface is by default shutdown
encryption vlan 1 mode ciphers aes-ccm tkip wep128
broadcast-key vlan 1 change 30
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip default-gateway
! – the gateway IP is the same default gateway of your wired LAN unless you want to setup your wireless users on another vlan.

Everything else I left as default. Once you have saved your config, do a reload just to be sure. There are times it takes as much as 8 mins to power cycle the device.
Pull out your smartphone, you should be able to see the SSID you’ve created in my config its THIS_IS_SSID. Choose the SSID, it should start asking you for the username and password that is configured on your radius server. If authenticated correctly, you’ll be assigned an IP and off you go!

By the way, to exit out of the AP just press Ctrl+Shift+6 then x. Warning, sometimes it takes time to get out of this console. Don’t forget to clear the TTY line as well.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s