Configure a Cisco 887W AP to use Radius to authenticate users

In this quick tutorial, I am going to show you how to configure a Cisco 887W router’s AP to use a RADIUS server to authenticate users accessing the network. I will not cover how to set up a RADIUS server, though if you are interested, I made a blog post some time ago about setting up a RADIUS server in Linux and using it to test dot1x on a Cisco switch.

https://running-config.net/2014/06/20/simple-dot1x-lab-with-windows-7-cisco-2950-centos-w-freeradius/

That said, make sure you have already set up the following:

  • RADIUS server; you will need its IP and the shared secret key
  • A policy in your RADIUS server, if applicable, to allow requests coming from your router. In my lab I have set it up to allow the entire LAN range of the router.
  • Cisco 887W already configured for DSL connectivity. I also expect that you are familiar with configuring a Cisco 887. These are routers used for ADSL or NBN (based in Australia) services. Make sure DHCP is configured as well.

Let us jump right in, to access the AP you would need to type in the CLI:

It feels like being in the matrix as it is an IOS within an IOS. All the commands you all love and are familiar with are applicable here. Start configuring the AP as you would normally configure a router such as username, password, enable secret etc.

Now the fun bit: we need to configure the AP to use a RADIUS server to authenticate the users, which means we need to use IOS AAA.

config terminal
!
aaa new-model
!
radius-server host 192.168.6.1 auth-port 1645 acct-port 1646 key p@ssw0rd
! The radius-server declaration will be at the bottom of the config once applied, but you need to declare it early on or else IOS will tell you the group hasn’t been created.
!
aaa group server radius test
 server 192.168.6.1 auth-port 1645 acct-port 1646
!
!
aaa authentication login eap_users group test
!
interface Dot11Radio0
 no shut
 description Dot1Radio0_DELAN_Radio
 no ip address
 no ip route-cache
 ! The Dot11Radio0 interface is shut down by default
 !
 encryption vlan 1 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 1 change 30
 !
 ssid THIS_IS_SSID
 !
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
!
ip default-gateway 10.0.0.1
! The gateway IP is the same default gateway as your wired LAN, unless you want to set up your wireless users on another VLAN.

Everything else I left as default. Once you have saved your config, do a reload just to be sure. There are times it takes as much as 8 minutes to power cycle the device.
Pull out your smartphone and you should be able to see the SSID you’ve created; in my config it’s THIS_IS_SSID. Choose the SSID and it should start asking you for the username and password that are configured on your RADIUS server. If authenticated correctly, you’ll be assigned an IP and off you go!
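
A quick way to review an AP configuration like the one above before it goes into production. This is an added example, not part of the original post. The function name `audit` and the rule set are my own, and the `authentication open eap` / `authentication network-eap` lines it looks for are standard autonomous-AP SSID syntax that does not appear in the post.

```python
import re

# Constructed sample: the AP configuration from this post, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.168.6.1 auth-port 1645 acct-port 1646 key p@ssw0rd
aaa group server radius test
 server 192.168.6.1 auth-port 1645 acct-port 1646
aaa authentication login eap_users group test
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm tkip wep128
 broadcast-key vlan 1 change 30
 ssid THIS_IS_SSID
"""

WEAK_CIPHERS = {"tkip", "wep40", "wep128"}  # legacy suites; aes-ccm is the one to keep


def audit(config):
    """Return a list of findings for an autonomous-AP IOS configuration (hypothetical helper)."""
    findings = []
    method_lists, referenced = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        # Cipher suites offered on the radio: flag anything weaker than AES-CCMP.
        m = re.match(r"encryption (?:vlan \d+ )?mode ciphers (.+)", line)
        if m:
            weak = sorted(WEAK_CIPHERS & set(m.group(1).split()))
            if weak:
                findings.append("weak ciphers offered: " + ", ".join(weak))
        # "key <secret>" with no type digit (or type 0) means the secret is stored in cleartext.
        m = re.match(r"radius-server host (\S+) .*\bkey (?:0 )?(?!\d )(\S+)", line)
        if m:
            findings.append("cleartext RADIUS secret for " + m.group(1))
        # Collect AAA login method lists and the lists that SSIDs actually use for EAP.
        m = re.match(r"aaa authentication login (\S+) ", line)
        if m and m.group(1) != "default":
            method_lists.add(m.group(1))
        m = re.match(r"authentication (?:open eap|network-eap) (\S+)", line)
        if m:
            referenced.add(m.group(1))
    for name in sorted(method_lists - referenced):
        findings.append("method list '%s' not referenced by any SSID" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; an empty result means none of the three checks fired.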

By the way, to exit out of the AP just press Ctrl+Shift+6 then x. Warning, sometimes it takes time to get out of this console. Don’t forget to clear the TTY line as well.
