Setting up administrative RADIUS logins on AIR-AP2800 with Mobility Express

The new Cisco AIR-AP2800 platform with Mobility Express provides a web interface where a network engineer can set up RADIUS servers for wireless enterprise authentication. To configure RADIUS authentication for administrative logins, no option is available to configure it.

However the Mobility Express can be configured by console or SSH and has the same set of commands like a Wireless Controller. With the command line interface it's possible to add additional RADIUS servers and set them up for management only.


config radius auth add (INDEX) (IP_ADDR) 1812 ascii (RADIUS_KEY)
config radius auth management (INDEX) enable
config radius auth network (INDEX) disable
Set up management RADIUS server on AIR-AP2800 with Mobility Express

The successful configuration can be verified with the command line below:


show radius summary
...    
Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - state/Profile Name/RadiusRegionSt
---  ----  ----------------  ------  --------  ----  --------  -------  -----------------------------------------
1  * N     (IP_ADDR)      1812    Enabled   2     2         Disabled  Disabled - /none
2  * M     (IP_ADDR)      1812    Enabled   2     2         Disabled  Disabled - /none
--More-- or (q)uit
...
Verify RADIUS server configuration on AIR-AP2800 with Mobility Express

During my setup I encountered here two types of error causes. The first type is that the management RADIUS server is also enabled for network, which means the administrative logins to the web interface or SSH will fail if the RADIUS servers are separated between WiFi and administrative logins (I.e. different IP).

The second type is a mismatch of the NAS-Identifier send by the Access point and the configured NAS-Identifier set up on the RADIUS server (for example if the RADIUS server need an identifier to separate between device types). To address this type of issue it's worth to verify the RADIUS communication and look into the AVP NAS-Identifier string for a mismatch. Note: If this is the case, the hostname of the Access point can be set with the following command:


config sysname (HOSTNAME)
Set up hostname (sysname) on AIR-AP2800 with Mobility Express

Search my web site