Configuring Cisco Access Registrar with LEAP

August 28, 2015 - Machine translation


Introduction

Cisco Access Registrar (AR) 3.0 supports the Lightweight Extensible Authentication Protocol (LEAP), also known as EAP-Cisco Wireless. This document shows how to configure the Aironet Client Utility and a Cisco Aironet 340, 350, or 1200 series access point (AP) for LEAP authentication against Cisco AR.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Aironet 340, 350, or 1200 series access point

  • AP firmware 11.21 or later for Cisco LEAP

  • Cisco Aironet 340 or 350 series network interface card (NIC)

  • NIC firmware version 4.25.30 or later for Cisco LEAP

  • Network Driver Interface Specification (NDIS) driver 8.2.3 or later for Cisco LEAP

  • Aironet Client Utility (ACU) version 5.02 or later

  • Cisco Access Registrar 3.0 or later, required to process and validate Cisco LEAP and MAC authentication requests

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure EAP-Cisco Wireless (Cisco LEAP)

This section covers the basic Cisco LEAP configuration on the Cisco AR server, the AP, and the various clients.

Step-by-Step Instructions

Follow these instructions to configure LEAP:

  1. Change the ports on the Cisco AR server.

    The AP sends RADIUS traffic to User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting). Because Cisco AR listens on UDP ports 1645 and 1646 by default, you must configure Cisco AR to listen on UDP ports 1812 and 1813.

    1. Issue the cd /radius/advanced/ports command.

    2. Issue the add 1812 command to add port 1812.

    3. If you plan to perform accounting, issue the add 1813 command to add port 1813.

    Save the configuration, then restart the service.

  2. To add the AP to the Cisco AR server as a RADIUS client, issue these commands:

    • cd /Radius/Clients

    • add ap350-1

    • cd ap350-1

    • set ipaddress 171.69.89.1

    • set sharedsecret cisco

  3. To configure the Wired Equivalent Privacy (WEP) key session timeout, issue these commands:

    Note: 802.1x specifies a reauthentication option. The Cisco LEAP algorithm uses this option to time out the user's current WEP session key and issue a new WEP session key.

    • cd /Radius/Profiles

    • add ap-profile

    • cd ap-profile

    • cd Attributes

    • set session-timeout 600

  4. To create a user group that uses the profile added in step 3, issue these commands:

    • cd /Radius/Usergroups

    • add ap-group

    • cd ap-group

    • set baseprofile ap-profile

    Users in this user group inherit the profile and therefore receive the session timeout.

  5. To create a user list and add a user that belongs to the user group defined in step 4, issue these commands:

    • cd /Radius/Userlists

    • add ap-users

    • cd ap-users

    • add user1

    • cd user1

    • set password cisco

    • set group ap-group

  6. To create a local authentication and authorization service that uses the UserService "ap-userservice" and has the service type "eap-leap", issue these commands:

    • cd /Radius/Services

    • add ap-localservice

    • cd ap-localservice

    • set type eap-leap

    • set UserService ap-userservice

  7. To create the user service "ap-userservice" that uses the user list defined in step 5, issue these commands:

    • cd /Radius/Services

    • add ap-userservice

    • cd ap-userservice

    • set type local

    • set userlist ap-users

  8. To make the service defined in step 6 the default authentication and authorization service of Cisco AR, issue these commands:

    • cd /radius

    • set defaultauthenticationservice ap-localservice

    • set defaultauthorizationservice ap-localservice

  9. To save and reload the configuration, issue these commands:

    • save

    • reload

Enable EAP-Cisco (Cisco LEAP) on the AP

Step-by-Step Instructions

Follow these steps to enable Cisco LEAP on the AP:

  1. Browse to the AP.

  2. From the Summary Status page, click Setup.

  3. In the Services menu, click Security > Authentication Server.

  4. From the 802.1x Protocol Version drop-down menu, select the 802.1x version that runs on this AP.

  5. Enter the IP address of the Cisco AR in the Server Name/IP text box.

  6. Verify that the Server Type drop-down menu is set to RADIUS.

  7. Change the Port text box to 1812. This is the correct UDP port number to use with Cisco AR.

  8. In the Shared Secret text box, enter the same value that is configured on the Cisco AR.

  9. Check the EAP Authentication check box.

  10. Change the Timeout text box if desired. This is the timeout value for authentication requests sent to the Cisco AR.

  11. Click OK to return to the Security Setup screen.

    If you also perform RADIUS accounting, verify that the port on the Accounting Setup page matches the port configured on the Cisco AR (set to 1813).

  12. Click Radio Data Encryption (WEP).

  13. Configure the broadcast WEP key by typing a 40- or 128-bit key value in the WEP Key 1 text box.

  14. Select the authentication type to use. Make sure that, at a minimum, the Network-EAP check box is checked.

  15. Verify that the Use of Data Encryption drop-down menu is set to Optional or Full Encryption. Optional allows both non-WEP and WEP clients to use the same AP. Note that this is an insecure mode of operation. Use Full Encryption whenever possible.

  16. Click OK to finish.

Configure ACU 6.00

Step-by-Step Instructions

Follow these steps to configure ACU:

  1. Open ACU.

  2. Click Profile Manager on the toolbar.

  3. Click Add to create a new profile.

  4. Enter the profile name in the text box, then click OK.

  5. Enter the appropriate Service Set Identifier (SSID) in the SSID1 text box.

  6. Click Network Security.

  7. Select LEAP from the Network Security Type drop-down menu.

  8. Click Configure.

  9. Configure the password settings as necessary.

  10. Click OK.

  11. Click OK on the Network Security screen.

Trace from Cisco AR

Issue trace /r 5 to obtain trace output on the Cisco AR. If AP debugging is needed, you can connect to the AP through Telnet and issue the eap_diag1_on and eap_diag2_on commands.

06/28/2004 16:31:49: P1121: Packet received from 10.48.86.230
06/28/2004 16:31:49: P1121: Checking Message-Authenticator
06/28/2004 16:31:49: P1121: Trace of Access-Request packet
06/28/2004 16:31:49: P1121: identifier = 5
06/28/2004 16:31:49: P1121: length = 146
06/28/2004 16:31:49: P1121: 
   reqauth = e5:4f:91:27:0a:91:82:6b:a4:81:c1:cc:c8:11:86:0b
06/28/2004 16:31:49: P1121: User-Name = user1
06/28/2004 16:31:49: P1121: NAS-IP-Address = 10.48.86.230
06/28/2004 16:31:49: P1121: NAS-Port = 37
06/28/2004 16:31:49: P1121: Service-Type = Login
06/28/2004 16:31:49: P1121: Framed-MTU = 1400
06/28/2004 16:31:49: P1121: Called-Station-Id = 000d29e160f2
06/28/2004 16:31:49: P1121: Calling-Station-Id = 00028adc8f2e
06/28/2004 16:31:49: P1121: NAS-Identifier = frinket
06/28/2004 16:31:49: P1121: NAS-Port-Type = Wireless - IEEE 802.11
06/28/2004 16:31:49: P1121: EAP-Message = 02:02:00:0a:01:75:73:65:72:31
06/28/2004 16:31:49: P1121: 
   Message-Authenticator = f8:44:b9:3b:0f:33:34:a6:ed:7f:46:2d:83:62:40:30
06/28/2004 16:31:49: P1121: Cisco-AVPair = ssid=blackbird
06/28/2004 16:31:49: P1121: Using Client: ap1200-1 (10.48.86.230)
06/28/2004 16:31:49: P1121: Using Client ap1200-1 (10.48.86.230) as the NAS
06/28/2004 16:31:49: P1121: Authenticating and Authorizing with 
   Service ap-localservice
06/28/2004 16:31:49: P1121: Response Type is Access-Challenge, 
   skipping Remote Session Management.
06/28/2004 16:31:49: P1121: Response Type is Access-Challenge, 
   skipping Local Session Management.
06/28/2004 16:31:49: P1121: Adding Message-Authenticator to response
06/28/2004 16:31:49: P1121: Trace of Access-Challenge packet
06/28/2004 16:31:49: P1121: identifier = 5
06/28/2004 16:31:49: P1121: length = 61
06/28/2004 16:31:49: P1121: 
   reqauth = 60:ae:19:8d:41:5e:a8:dc:4c:25:1b:8d:49:a3:47:c4
06/28/2004 16:31:49: P1121: EAP-Message = 
   01:02:00:15:11:01:00:08:66:27:c3:47:d6:be:b3:67:75:73:65:72:31
06/28/2004 16:31:49: P1121: Message-Authenticator = 
   59:d2:bc:ec:8d:85:36:0b:3a:98:b4:90:cc:af:16:2f
06/28/2004 16:31:49: P1121: Sending response to 10.48.86.230
06/28/2004 16:31:49: P1123: Packet received from 10.48.86.230
06/28/2004 16:31:49: P1123: Checking Message-Authenticator
06/28/2004 16:31:49: P1123: Trace of Access-Request packet
06/28/2004 16:31:49: P1123: identifier = 6
06/28/2004 16:31:49: P1123: length = 173
06/28/2004 16:31:49: P1123: 
   reqauth = ab:f1:0f:2d:ab:6e:b7:49:9e:9e:99:00:28:0f:08:80
06/28/2004 16:31:49: P1123: User-Name = user1
06/28/2004 16:31:49: P1123: NAS-IP-Address = 10.48.86.230
06/28/2004 16:31:49: P1123: NAS-Port = 37
06/28/2004 16:31:49: P1123: Service-Type = Login
06/28/2004 16:31:49: P1123: Framed-MTU = 1400
06/28/2004 16:31:49: P1123: Called-Station-Id = 000d29e160f2
06/28/2004 16:31:49: P1123: Calling-Station-Id = 00028adc8f2e
06/28/2004 16:31:49: P1123: NAS-Identifier = frinket
06/28/2004 16:31:49: P1123: NAS-Port-Type = Wireless - IEEE 802.11
06/28/2004 16:31:49: P1123: EAP-Message = 
   02:02:00:25:11:01:00:18:5e:26:d6:ab:3f:56:f7:db:21:96:f3:b0:fb:ec:6b:
   a7:58:6f:af:2c:60:f1:e3:3c:75:73:65:72:31
06/28/2004 16:31:49: P1123: Message-Authenticator = 
   21:da:35:89:30:1e:e1:d6:18:0a:4f:3b:96:f4:f8:eb
06/28/2004 16:31:49: P1123: Cisco-AVPair = ssid=blackbird
06/28/2004 16:31:49: P1123: Using Client: ap1200-1 (10.48.86.230)
06/28/2004 16:31:49: P1123: Using Client ap1200-1 (10.48.86.230) as the NAS
06/28/2004 16:31:49: P1123: Authenticating and Authorizing 
   with Service ap-localservice
06/28/2004 16:31:49: P1123: Calling external service ap-userservice 
   for authentication and authorization
06/28/2004 16:31:49: P1123: Getting User user1's UserRecord
   from UserList ap-users
06/28/2004 16:31:49: P1123: User user1's MS-CHAP password matches
06/28/2004 16:31:49: P1123: Processing UserGroup ap-group's check items
06/28/2004 16:31:49: P1123: User user1 is part of UserGroup ap-group
06/28/2004 16:31:49: P1123: Merging UserGroup ap-group's BaseProfiles
   into response dictionary
06/28/2004 16:31:49: P1123: Merging BaseProfile ap-profile
   into response dictionary
06/28/2004 16:31:49: P1123: Merging attributes into the Response Dictionary:
06/28/2004 16:31:49: P1123: Adding attribute Session-Timeout, value = 600
06/28/2004 16:31:49: P1123: Merging UserGroup ap-group's Attributes 
   into response Dictionary
06/28/2004 16:31:49: P1123: Merging attributes into the Response Dictionary:
06/28/2004 16:31:49: P1123: Removing all attributes except for 
   EAP-Message from response - they will be sent back in the Access-Accept
06/28/2004 16:31:49: P1123: Response Type is Access-Challenge, 
   skipping Remote Session Management.
06/28/2004 16:31:49: P1123: Response Type is Access-Challenge, 
   skipping Local Session Management.
06/28/2004 16:31:49: P1123: Adding Message-Authenticator to response
06/28/2004 16:31:49: P1123: Trace of Access-Challenge packet
06/28/2004 16:31:49: P1123: identifier = 6
06/28/2004 16:31:49: P1123: length = 44
06/28/2004 16:31:49: P1123: 
   reqauth = 28:2e:a3:27:c6:44:9e:13:8d:b3:60:01:7f:da:8b:62
06/28/2004 16:31:49: P1123: EAP-Message = 03:02:00:04
06/28/2004 16:31:49: P1123: Message-Authenticator = 
   2d:63:6a:12:fd:91:9e:7d:71:9d:8b:40:04:56:2e:90
06/28/2004 16:31:49: P1123: Sending response to 10.48.86.230
06/28/2004 16:31:49: P1125: Packet received from 10.48.86.230
06/28/2004 16:31:49: P1125: Checking Message-Authenticator
06/28/2004 16:31:49: P1125: Trace of Access-Request packet
06/28/2004 16:31:49: P1125: identifier = 7
06/28/2004 16:31:49: P1125: length = 157
06/28/2004 16:31:49: P1125: 
   reqauth = 72:94:8c:34:4c:4a:ed:27:98:ba:71:33:88:0d:8a:f4
06/28/2004 16:31:49: P1125: User-Name = user1
06/28/2004 16:31:49: P1125: NAS-IP-Address = 10.48.86.230
06/28/2004 16:31:49: P1125: NAS-Port = 37
06/28/2004 16:31:49: P1125: Service-Type = Login
06/28/2004 16:31:49: P1125: Framed-MTU = 1400
06/28/2004 16:31:49: P1125: Called-Station-Id = 000d29e160f2
06/28/2004 16:31:49: P1125: Calling-Station-Id = 00028adc8f2e
06/28/2004 16:31:49: P1125: NAS-Identifier = frinket
06/28/2004 16:31:49: P1125: NAS-Port-Type = Wireless - IEEE 802.11
06/28/2004 16:31:49: P1125: EAP-Message = 
   01:02:00:15:11:01:00:08:3e:b9:91:18:a8:dd:98:ee:75:73:65:72:31
06/28/2004 16:31:49: P1125: Message-Authenticator = 
   8e:73:2b:a6:54:c6:f5:d9:ed:6d:f0:ce:bd:4f:f1:d6
06/28/2004 16:31:49: P1125: Cisco-AVPair = ssid=blackbird
06/28/2004 16:31:49: P1125: Using Client: ap1200-1 (10.48.86.230)
06/28/2004 16:31:49: P1125: Using Client ap1200-1 (10.48.86.230) as the NAS
06/28/2004 16:31:49: P1125: Authenticating and Authorizing 
   with Service ap-localservice
06/28/2004 16:31:49: P1125: Merging attributes into the Response Dictionary:
06/28/2004 16:31:49: P1125: Adding attribute Session-Timeout, value = 600
06/28/2004 16:31:49: P1125: Restoring all attributes to response 
   that were removed in the last Access-Challenge
06/28/2004 16:31:49: P1125: No default Remote Session Service defined.
06/28/2004 16:31:49: P1125: Adding Message-Authenticator to response
06/28/2004 16:31:49: P1125: Trace of Access-Accept packet
06/28/2004 16:31:49: P1125: identifier = 7
06/28/2004 16:31:49: P1125: length = 142
06/28/2004 16:31:49: P1125: 
   reqauth = 71:f1:ef:b4:e6:e0:c2:4b:0a:d0:95:47:35:3d:a5:84
06/28/2004 16:31:49: P1125: Session-Timeout = 600
06/28/2004 16:31:49: P1125: EAP-Message = 
02:02:00:25:11:01:00:18:86:5c:78:3d:82:f7:69:c7:96:70:35:31:bb:51:a7:ba:f8:48:8c:
45:66:00:e8:3c:75:73:65:72:31
06/28/2004 16:31:49: P1125: Message-Authenticator = 7b:48:c3:17:53:67:44:f3:af:5e:17:27:3d:3d:23:5f
06/28/2004 16:31:49: P1125: Cisco-AVPair = 6c:65:61:70:3a:73:65:73:73:69:6f:6e:2d:6b:65:79:3d:04:f2:c5:2a:de:fb:4e:1e:8a:8d
:b8:1b:e9:2c:f9:9a:3e:83:55:ff:ae:54:57:4b:60:e1:03:05:fd:22:95:4c:b4:62
06/28/2004 16:31:49: P1125: Sending response to 10.48.86.230
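The trace above prints each EAP-Message and Cisco-AVPair as a colon-separated hex string. The following decoder is an added example, not code from the original document or from Cisco AR: it parses those strings (the hex values are copied from packets P1121, P1123 and P1125 above) so the exchange can be read field by field, including the second LEAP half in which the client challenges the server and the 24-byte answer travels in the Access-Accept. The name "leap:session-key" recovered from the final Cisco-AVPair is simply what the hex decodes to.

```python
# Added example (not from the original document): decode the EAP-Message and
# Cisco-AVPair values that 'trace /r 5' prints, so the LEAP exchange above can
# be read field by field. LEAP (type 17) body: version, unused, count, data, name.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 17: "LEAP"}
# Hex values copied from packets P1121, P1123 and P1125 in the trace above.
TRACE_EAP = [
    ("P1121 in", "02:02:00:0a:01:75:73:65:72:31"),
    ("P1121 out", "01:02:00:15:11:01:00:08:66:27:c3:47:d6:be:b3:67:75:73:65:72:31"),
    ("P1123 in", "02:02:00:25:11:01:00:18:5e:26:d6:ab:3f:56:f7:db:21:96:f3:b0:fb:ec:"
                 "6b:a7:58:6f:af:2c:60:f1:e3:3c:75:73:65:72:31"),
    ("P1123 out", "03:02:00:04"),
    ("P1125 in", "01:02:00:15:11:01:00:08:3e:b9:91:18:a8:dd:98:ee:75:73:65:72:31"),
    ("P1125 out", "02:02:00:25:11:01:00:18:86:5c:78:3d:82:f7:69:c7:96:70:35:31:bb:"
                  "51:a7:ba:f8:48:8c:45:66:00:e8:3c:75:73:65:72:31"),
]
AVPAIR_HEX = ("6c:65:61:70:3a:73:65:73:73:69:6f:6e:2d:6b:65:79:3d:04:f2:c5:2a:de:fb:"
              "4e:1e:8a:8d:b8:1b:e9:2c:f9:9a:3e:83:55:ff:ae:54:57:4b:60:e1:03:05:fd:"
              "22:95:4c:b4:62")


def parse_eap_message(hex_str):
    """Decode one EAP-Message value; raise ValueError on a bad header."""
    data = bytes.fromhex(hex_str.replace(":", ""))
    if len(data) < 4 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("EAP length field does not match %d bytes" % len(data))
    code = data[0]
    pkt = {"code": EAP_CODES.get(code, code), "id": data[1], "length": len(data)}
    if code in (3, 4):                      # Success/Failure: header only
        return pkt
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                       # Identity: payload is the user name
        pkt["identity"] = data[5:].decode("ascii")
    elif eap_type == 17:                    # LEAP: 8-byte challenge or 24-byte
        count = data[7]                     # MS-CHAP style response, then name
        pkt.update(version=data[5], count=count, data=data[8:8 + count].hex(),
                   name=data[8 + count:].decode("ascii"),
                   kind={8: "challenge", 24: "response"}.get(count, "other"))
    return pkt

def parse_cisco_avpair(hex_str):
    """Split a hex-encoded Cisco-AVPair into its text name and raw value."""
    name, _, value = bytes.fromhex(hex_str.replace(":", "")).partition(b"=")
    return name.decode("ascii"), value

def decode_exchange(trace=TRACE_EAP):
    """One (label, code, type, kind) row per EAP-Message in the trace."""
    return [(label, p["code"], str(p.get("type", "")), p.get("kind", ""))
            for label, p in ((l, parse_eap_message(h)) for l, h in trace)]
```

Running decode_exchange() shows the full sequence Identity, server challenge, client response, Success, client challenge, server response; the Access-Accept AV-pair carries 34 bytes of key material after "leap:session-key=".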

Document ID: 28901