Cisco AP

To support older clients that cannot do WPA-TKIP, WEP-128bit and WPA-TKIP are both enabled on the Cisco AP!
WPA-TKIP should be used wherever possible, as it offers considerably higher security!

Telnet has been disabled … configure via SSH; authentication also goes through the RADIUS server, enable authentication is done locally on the AP.

Version information:

AP-Test#sh ver
Cisco Internetwork Operating System Software 
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Apr-04 12:22 by cmong
Image text-base: 0x00003000, data-base: 0x0053CF74

ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

AP-Test uptime is 5 days, 39 minutes
System returned to ROM by power-on
System image file is "flash:/c1200-k9w7-mx.122-13.JA4/c1200-k9w7-mx.122-13.JA4"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1231G-E-K9     (PowerPC405GP) processor (revision B0) with 14326K/2048K bytes of memory.
Processor board ID FOC08463AAP
PowerPC405GP CPU at 196Mhz, revision number 0x0145
Last reset from power-on
Bridging software.
1 FastEthernet/IEEE 802.3 interface(s)
1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:80:4F:2C:37
Part Number                          : 73-8704-08
PCA Assembly Number                  : 800-23211-09
PCA Revision Number                  : A0                   : FOC08463AAP
Top Assembly Part Number             : 800-23304-08
Top Assembly Serial Number           : FCZ0850Z0J9
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1231G-E-K9    

Configuration register is 0xF

running-config:

sh run
Building configuration...

Current configuration : 3118 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname prakt-AP
!
enable secret 5 $1$l2Nw$tMcnMh5mn1fkzPGo7qNp11
!
username Cisco privilege 15 password 7 032752180500
ip subnet-zero
ip domain name ISALAB.local
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 141.201.43.16 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 141.201.43.16 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
 server 141.201.43.16 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 141.201.43.16 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_acct1
 server 141.201.43.16 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap1
 server 141.201.43.16 auth-port 1645 acct-port 1646
!
aaa authentication login default group tac_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default group tac_admin group rad_admin 
aaa authorization ipmobile default group rad_pmip 
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods1 start-stop group rad_acct1
aaa session-id common
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip wep128 
 !
 ssid prakt
    vlan 1
    authentication open eap eap_methods1
    authentication network-eap eap_methods1 
    authentication key-management wpa optional
    accounting acct_methods1
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 141.201.43.118 255.255.255.0
 no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1 
access-list 111 permit tcp any any neq telnet
radius-server host 141.201.43.16 auth-port 1645 acct-port 1646 key 7 082D1D401C013A05460F5D1139
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
 password 7 072C285F4D06
line vty 5 15
 access-class 111 in
 password 7 072C285F4D06
!
end
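As an added example (not part of the original wiki page), a small Python audit that reads an IOS running-config and reports the settings discussed above: WEP still enabled beside TKIP, WPA only optional, the type-7 local password, HTTP management, a default login list without local fallback, and vty lines that lack the telnet-filtering access-class. The embedded excerpt is constructed from the running-config above, with the access-class dropped from vty 5 15 so the telnet check has a failing case to report.

```python
import re

# Constructed excerpt of the config above; vty 5 15 deliberately lacks its access-class.
SAMPLE_CONFIG = """\
aaa new-model
username Cisco privilege 15 password 7 032752180500
aaa authentication login default group tac_admin group rad_admin
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip wep128
    authentication key-management wpa optional
ip http server
access-list 111 permit tcp any any neq telnet
line vty 0 4
 access-class 111 in
line vty 5 15
 password 7 072C285F4D06
"""


def telnet_filter_acls(text):
    """Numbers of ACLs that permit TCP except telnet (the implicit deny drops telnet)."""
    return set(re.findall(r"^access-list (\d+) permit tcp any any neq telnet$", text, re.M))


def audit_ios_config(text):
    """Return sorted findings for the weak settings the page itself discusses."""
    findings, acls, vty_ok, block = set(), telnet_filter_acls(text), {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if raw and not raw[0].isspace():            # unindented line opens a new block
            block = s if s.startswith("line vty") else None
            if block:
                vty_ok[block] = False
        if block and s.startswith("access-class"):  # inbound ACL applied to this vty range
            vty_ok[block] |= s.split()[1] in acls and s.endswith(" in")
        if s.startswith("encryption") and "wep" in s:
            findings.add("WEP cipher enabled: " + s)
        if "key-management wpa optional" in s:
            findings.add("WPA optional: non-WPA clients are still accepted on this SSID")
        if s.startswith("username") and " password 7 " in s:
            findings.add("type-7 (reversible) password for local user " + s.split()[1])
        if s == "ip http server":
            findings.add("plaintext HTTP management interface enabled")
        if s.startswith("aaa authentication login default") and "local" not in s.split():
            findings.add("default login list has no local fallback if RADIUS/TACACS+ is down")
    for name, ok in vty_ok.items():
        if not ok:
            findings.add(name + ": no inbound ACL filtering telnet")
    return sorted(findings)
```

Run `audit_ios_config(SAMPLE_CONFIG)` to list the findings; feed it the full output of `sh run` to audit the real AP.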

RADIUS server

On the RADIUS server, the new NAS now also has to be entered as a client:

/etc/raddb/clients.conf

client 141.201.43.118 {
	secret		= l1nux_r4d1us
	shortname	= ciso-wlan
	nastype     = cisco	# Filter-ID is specified in dictionary.cisco
}

Internet Resources

cisco-wlan-ap-aaa.txt · Last modified: 2009/09/13 17:39 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported