The new Cisco AIR-AP2800 platform with Mobility Express provides a web interface where a network engineer can set up RADIUS servers for wireless enterprise authentication. The web interface offers no option, however, to configure RADIUS authentication for administrative logins.
Mobility Express can nevertheless be configured via console or SSH, and it has the same set of commands as a Wireless Controller. With the command line interface it's possible to add additional RADIUS servers and set them up for management only.
The successful configuration can be verified with the command line below:
During my setup I encountered two types of error causes. The first type is that the management RADIUS server is also enabled for network, which means administrative logins to the web interface or SSH will fail if the RADIUS servers for WiFi and for administrative logins are separate (i.e. different IPs).
The second type is a mismatch between the NAS-Identifier sent by the access point and the NAS-Identifier configured on the RADIUS server (for example, if the RADIUS server needs an identifier to distinguish between device types). To address this type of issue, it's worth verifying the RADIUS communication and checking the NAS-Identifier AVP string for a mismatch.
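One way to check for that mismatch, as an added example that is not part of the original post: the script parses the UDP payload of a RADIUS Access-Request (RFC 2865 layout) and compares its NAS-Identifier AVP (type 32) with the value the server expects. The hostnames, the sample packet and the exact, case-sensitive comparison are assumptions made for the illustration.

```python
import struct

ACCESS_REQUEST = 1   # RFC 2865 packet code
NAS_IDENTIFIER = 32  # RFC 2865 attribute type

def parse_attributes(packet):
    """Return {attribute type: [raw values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the payload")
    attrs, pos = {}, 20  # AVPs start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def check_nas_identifier(packet, expected):
    """Return (matches, identifier sent by the NAS or None if absent).
    Assumption: the server compares the string exactly, case included."""
    if packet[:1] != bytes([ACCESS_REQUEST]):
        raise ValueError("not an Access-Request")
    values = parse_attributes(packet).get(NAS_IDENTIFIER)
    if not values:
        return (False, None)
    sent = values[0].decode("utf-8", errors="replace")
    return (sent == expected, sent)

def sample_request(nas_id=None):
    """Constructed Access-Request for the demo (not a real capture)."""
    def avp(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    attrs = avp(1, b"admin")  # User-Name, constructed
    if nas_id is not None:
        attrs += avp(NAS_IDENTIFIER, nas_id.encode())
    # Identifier 7 and an all-zero authenticator are placeholder values.
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    pkt = sample_request("ME-AP2800")            # constructed hostname
    for expected in ("ME-AP2800", "me-ap2800"):  # constructed server-side values
        ok, sent = check_nas_identifier(pkt, expected)
        print(f"server expects {expected!r}, AP sent {sent!r}: {'match' if ok else 'MISMATCH'}")
```
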
Note: If this is the case, the hostname of the Access point can be set with the following command: