Setting up administrative RADIUS logins on AIR-AP2800 with Mobility Express

Table of contents

  1. Mobility Express
  2. Configure RADIUS
  3. Verify RADIUS configuration
  4. Troubleshooting errors

Mobility Express

The Cisco AIR-AP2800 platform with Mobility Express provides a web interface in which a network engineer can set up RADIUS servers for enterprise (802.1X) wireless authentication. The web interface offers no option, however, to use RADIUS for administrative logins to the device itself.

Configure RADIUS

Mobility Express can also be configured over the console or SSH, and its command line offers the same set of commands as a Wireless LAN Controller. From the CLI it is possible to add further RADIUS servers and enable them for management (administrative) logins only. In the commands below, (INDEX) is a free server index, 1812 is the RADIUS authentication port and "ascii" means the shared secret (RADIUS_KEY) is entered as plain text rather than hex:

    config radius auth add (INDEX) (IP_ADDR) 1812 ascii (RADIUS_KEY)
    config radius auth management (INDEX) enable
    config radius auth network (INDEX) disable

Verify RADIUS configuration

A successful configuration can be verified with the command below. In the Type column, N marks a server used for network (WiFi) authentication and M a server used for management logins; the management-only server added above must show M and not N:

    show radius summary
    Authentication Servers

    Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576   IPSec - state/Profile Name/RadiusRegionSt
    ---  ----  ----------------  ------  --------  ----  --------  --------  -----------------------------------------
    1  * N     (IP_ADDR)         1812    Enabled   2     2         Disabled  Disabled - /none
    2  * M     (IP_ADDR)         1812    Enabled   2     2         Disabled  Disabled - /none

Troubleshooting errors

During my setup I encountered two types of error cause. The first is a management RADIUS server that is also enabled for network authentication: when WiFi and administrative logins are served by separate RADIUS servers (i.e. different IP addresses), administrative logins to the web interface or SSH then fail. The fix is the "config radius auth network (INDEX) disable" command shown above.

The second type is a mismatch between the NAS-Identifier sent by the access point and the NAS-Identifier configured on the RADIUS server (for example when the RADIUS server uses the identifier to distinguish between device types). To track down this kind of issue it is worth capturing and verifying the RADIUS communication and checking the NAS-Identifier AVP string for a mismatch.

Note: if this is the case, the hostname of the access point, which it sends as its NAS-Identifier, can be set with the following command:

    config sysname (HOSTNAME)
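The check described under the second error type above, as an added example that is not part of the original post or of Cisco's software: a small RADIUS decoder that pulls the NAS-Identifier AVP out of a captured Access-Request, compares it with the value the RADIUS server expects, and also validates the Response Authenticator of the server's reply against the configured shared secret (a wrong secret is the other common reason an exchange fails silently). The packet bytes, the shared secret and the identifier "AP2800-lab" are constructed for this example and are not a capture from the author's access point; the sample request omits the User-Password attribute a real one would carry.

```python
"""Decode RADIUS packets (RFC 2865) and check the NAS-Identifier and the
Response Authenticator. Added example, not code from the original post."""
import hashlib
import hmac
import struct

# Attribute type codes from RFC 2865
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the AVP list that follows it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field %d inconsistent with packet size" % length)
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length %d at offset %d" % (alen, pos))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


def build_radius(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Encode a RADIUS packet from (type, value) pairs; used to construct the sample traffic."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def nas_identifier(parsed: dict):
    """Return the NAS-Identifier string, or None if the AVP is absent."""
    for atype, value in parsed["attrs"]:
        if atype == ATTR_NAS_IDENTIFIER:
            return value.decode("utf-8", errors="replace")
    return None


def check_nas_identifier(packet: bytes, expected: str) -> tuple:
    """(match, observed): does the AP's NAS-Identifier equal the server's configured value?"""
    observed = nas_identifier(parse_radius(packet))
    return (observed == expected, observed)


def response_authenticator(response: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", response[2:4])[0]
    return hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """True if the reply matches our request ID and carries a valid Response Authenticator
    for the shared secret we configured; False on a mismatched secret or a forged reply."""
    req = parse_radius(request)
    resp = parse_radius(response)
    if resp["id"] != req["id"]:
        return False
    expected = response_authenticator(response, req["authenticator"], secret)
    return hmac.compare_digest(expected, resp["authenticator"])


# Constructed sample exchange (not a real capture): the AP's Access-Request and the
# server's Access-Reject, signed with the example shared secret.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # stand-in for the 16 random bytes the AP generates
SAMPLE_REQUEST = build_radius(CODE_ACCESS_REQUEST, 0x2A, REQUEST_AUTH, [
    (ATTR_USER_NAME, b"admin"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    (ATTR_NAS_IDENTIFIER, b"AP2800-lab"),
])
_reject = build_radius(CODE_ACCESS_REJECT, 0x2A, b"\0" * 16, [])
SAMPLE_REJECT = _reject[:4] + response_authenticator(_reject, REQUEST_AUTH, SECRET) + _reject[20:]

if __name__ == "__main__":
    ok, seen = check_nas_identifier(SAMPLE_REQUEST, "AP2800-lab")
    print("NAS-Identifier sent by AP: %r, matches server config: %s" % (seen, ok))
    print("Reply valid with configured secret:", verify_response(SAMPLE_REJECT, SAMPLE_REQUEST, SECRET))
    print("Reply valid with wrong secret:", verify_response(SAMPLE_REJECT, SAMPLE_REQUEST, b"wrong"))
```

To use this on real traffic, feed the UDP payload of the captured packets (for example exported from a capture on the RADIUS server) to check_nas_identifier() and verify_response(); a NAS-Identifier that differs from the server's configured value points at the hostname set with "config sysname", while a reply that fails verification with the secret you entered in "config radius auth add" points at a shared-secret mismatch.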