Friday, March 4, 2011

Cisco Autonomous Access Point Configuration for PEAP Authentication with Windows RADIUS Server

Refer to the link below for configuring the Microsoft IAS Server (RADIUS Server)


The Cisco Autonomous Access Point configuration then needs to be as below:

aaa group server radius rad_eap
server <RADIUS_SERVER_IP> auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid PUBLIC
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
!
interface Dot11Radio0
encryption mode ciphers tkip (or aes-ccm)
ssid PUBLIC
!
radius-server host <RADIUS_SERVER_IP> auth-port 1812 acct-port 1813 key <RADIUS_KEY>

Thursday, March 3, 2011

Configuring RADIUS VSA on ACS 5.2 for APC Authentication

If Cisco ACS is configured to do normal RADIUS authentication for APC UPS devices, the RADIUS user gets only Read-Only privileges on the APC User Interface.

To get Admin privileges for RADIUS users, Vendor Specific Attributes (VSA) have to be configured on Cisco ACS. Following are the Vendor Specific Attributes for APC devices (they can be obtained online, or from a VSA dictionary file).

VENDOR APC 318

ATTRIBUTE APC-Service-Type 1 integer APC

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
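As an added example (not from the post), the Python script below shows what the dictionary above means on the wire: it parses those dictionary lines, encodes the RADIUS Vendor-Specific attribute (type 26, vendor 318, vendor attribute 1) that ACS puts in the Access-Accept, and decodes it back to the privilege name, so the value a RADIUS server actually returns can be verified in a packet capture. The dictionary text is a constructed copy of the lines above; the function names are my own.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries vendor data

# Constructed copy of the APC dictionary quoted in the post (FreeRADIUS dictionary syntax).
APC_DICTIONARY = """\
VENDOR APC 318
ATTRIBUTE APC-Service-Type 1 integer APC
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
"""

def parse_dictionary(text):
    """Return (vendor_id, {attr_name: vendor_type}, {attr_name: {value_name: int}})."""
    vendor_id, attrs, values = None, {}, {}
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "VENDOR":
            vendor_id = int(parts[2])
        elif parts[0] == "ATTRIBUTE":
            attrs[parts[1]] = int(parts[2])
        elif parts[0] == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return vendor_id, attrs, values

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific AVP: type 26, length, vendor-id, vendor-type, vendor-length, value."""
    payload = struct.pack("!I", value)  # 'integer' attributes are 4-byte big-endian
    vendor_data = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(payload)) + payload
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vendor_data)) + vendor_data

def decode_vsa(avp):
    """Parse a Vendor-Specific AVP back into (vendor_id, vendor_type, integer value)."""
    attr_type, length = struct.unpack("!BB", avp[:2])
    if attr_type != VENDOR_SPECIFIC or length != len(avp) or length < 12:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", avp[2:8])
    if vendor_len != length - 6:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, struct.unpack("!I", avp[8:12])[0]

def apc_privilege(avp):
    """Map an APC-Service-Type VSA to its privilege name ('Admin' for value 1); None if not APC."""
    vendor_id, attrs, values = parse_dictionary(APC_DICTIONARY)
    vid, vtype, val = decode_vsa(avp)
    if vid != vendor_id or vtype != attrs["APC-Service-Type"]:
        return None
    return {v: k for k, v in values["APC-Service-Type"].items()}.get(val)
```

The 12-byte AVP `1a0c0000013e010600000001` is exactly what the Static value 1 configured in the ACS authorization profile looks like in the Access-Accept.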

To configure VSA Attributes in Cisco ACS 5.2, go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA, click Create, enter the Name: APC and Vendor ID: 318, and click Submit. Then go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > APC (or, from the Vendor Specific Dictionary page, check the box next to APC and click Show Vendor Attributes), click Create and enter the following values: Attribute: APC-Service-Type, Vendor Attribute ID: 1, Direction: BOTH, Multiple Allowed: True and Attribute Type: Unsigned Integer 32, and click Submit.

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, click Create and under the General tab enter a Name for the profile (say RADIUS_AUTH). Then under the RADIUS Attributes tab, select RADIUS-APC from the Dictionary Type drop-down list, select RADIUS Attribute as APC-Service-Type, enter the Attribute Value as Static with value 1 (to get Admin user privilege), click Add^ to manually enter the attribute, and then click Submit.

To add the APC device to Cisco ACS 5.2, go to Network Resources > Device Type and click Create to create a new group for APC. Enter the Name: APC Devices. Then go to Network Resources > Network Devices and AAA Clients and click Create. On the create page, enter the host name of the APC device in the Name field, set Device Type: APC Devices, and enter the IP of the APC device in the IP field. Check the RADIUS check box and enter the Shared Secret.

To add a user to the ACS, go to Users and Identity Stores > Identity Groups, click Create and add a group with the Name: APC User under All Groups. Then go to Users and Identity Stores > Internal Identity Stores > Users and create a user under the APC User Identity Group.

Now we need to tie the created user and device to the RADIUS Authorization Profile by creating a policy. To do that, go to Access Policies > Access Services, click Create, enter the Name: RADIUS Admin, and select User Selected Service Type and Network Access from the drop-down list. From the Policy Structure select Identity and Authorization and then click Next. On the Allowed Protocols page select Allow PAP/ASCII and click Finish.

Go to Access Policies > Access Services > RADIUS Admin > Identity, select the Single result selection radio button, select Internal Users as the Identity Source and click Save Changes. Go to Access Policies > Access Services > RADIUS Admin > Authorization, click Customize (lower right of the screen), choose Identity Group as the Conditions and Authorization Profiles as the Results, and click Ok. Click Create to create a Network Access Authorization Policy. Under Conditions, select Identity Group as APC User (created under Users and Identity Stores above), under Results select RADIUS_AUTH (or whatever name you created under Policy Elements above), and click Ok.

The final step is to go to Access Policies > Access Services > Service Selection Rules and click Customize. Select Conditions as Device Type and Protocol, and click Ok to save. Now go to Access Policies > Access Services > Service Selection Rules and click Create... to create a new Service Selection Policy. Select Conditions: Device Type as APC Devices, Protocol as RADIUS, and Results (Service) as RADIUS Admin. Click Ok to save the Service Policy. With this user you should be able to log in to the APC UI with Administrator privileges.

This might look very complicated, but it's actually like solving a math problem. ACS 5.X is very flexible in creating policies. The above steps can be used for configuring RADIUS VSAs for other devices as well.