wlc(config)# radius-server local
Configure the NAS entry ap, which lists the access point subnets that the local RADIUS server will serve during Enterprise authorization of Wi-Fi users:
wlc(config-radius)# nas ap
wlc(config-radius-nas)# key ascii-text password
wlc(config-radius-nas)# network 192.168.1.0/24
wlc(config-radius-nas)# exit
Configure the NAS entry local, which is used when the WLC accesses the local RADIUS server while building SoftGRE tunnels:
wlc(config-radius)# nas local
wlc(config-radius-nas)# key ascii-text password
wlc(config-radius-nas)# network 127.0.0.1/32
wlc(config-radius-nas)# exit
Create a user domain:
wlc(config-radius)# domain default
In this domain, create a Wi-Fi user account to connect to the Enterprise SSID:
wlc(config-radius-domain)# user name1
wlc(config-radius-user)# password ascii-text password1
wlc(config-radius-user)# exit
wlc(config-radius-domain)# exit
For security reasons, the factory configuration contains no user account, so you must create one in order to connect to the Enterprise SSID defined in the factory configuration.
The virtual server settings contain the port numbers for authentication and accounting and the settings for proxying to an external RADIUS server. The standard ports (1812 for authentication and 1813 for accounting) require no configuration. For a local RADIUS server, simply enabling the virtual server is sufficient.
wlc(config-radius)# virtual-server default
wlc(config-radius-vserver)# enable
wlc(config-radius-vserver)# exit
wlc(config-radius)# enable
wlc(config-radius)# exit
Define the parameters for interaction with the RADIUS server: IP address and key.
Since the RADIUS server is located locally on the controller, we set 127.0.0.1 as the host address. The key must match the key specified for nas local, which was set in radius-server local.
wlc(config)# radius-server host 127.0.0.1
wlc(config-radius-server)# key ascii-text password
wlc(config-radius-server)# exit
Add an AAA profile and specify the address of the server to be used:
wlc(config)# aaa radius-profile default_radius
wlc(config-aaa-radius-profile)# radius-server host 127.0.0.1
wlc(config-aaa-radius-profile)# exit
Configure and enable automatic establishment of SoftGRE tunnels:
wlc(config)# softgre-controller
The RADIUS server is located locally on the controller, so we specify nas-ip-address 127.0.0.1:
wlc(config-softgre)# nas-ip-address 127.0.0.1
Select wlc as the mode for creating data SoftGRE tunnels:
wlc(config-softgre)# data-tunnel configuration wlc
Specify the user VLAN:
wlc(config-softgre)# service-vlan add 3
Specify the AAA profile created earlier:
wlc(config-softgre)# aaa radius-profile default_radius
wlc(config-softgre)# keepalive-disable
wlc(config-softgre)# enable
wlc(config-softgre)# exit
Switch to the settings of the AP configuration management module:
wlc(config)# wlc
Configure the RADIUS server profile that will be used to authenticate wireless clients with the Enterprise SSID of Wi-Fi access points:
wlc(config-wlc)# radius-profile default-radius
The RADIUS server is located locally on the controller, so specify the controller's address in the access point subnet:
wlc(config-wlc-radius-profile)# auth-address 192.168.1.1
The RADIUS server key must match the key set for the NAS entry ap in radius-server local:
wlc(config-wlc-radius-profile)# auth-password ascii-text password
Specify the RADIUS domain. It must match the domain in radius-server local in which the Enterprise user accounts are created:
wlc(config-wlc-radius-profile)# domain default
wlc(config-wlc-radius-profile)# exit
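The matching requirements stated above (the radius-server host 127.0.0.1 key against the nas local key, auth-password against the nas ap key, and the radius-profile domain against a domain that holds user accounts) can be checked offline before a configuration is applied. The following Python code is an added example, not part of the vendor documentation; the function names parse and check and the one-command-per-line transcript format are assumptions, and the sample is constructed from the commands on this page.

```python
import re
# Constructed sample: the key/domain commands from this walkthrough, one per line.
SAMPLE = """\
wlc(config-radius)# nas ap
wlc(config-radius-nas)# key ascii-text password
wlc(config-radius)# nas local
wlc(config-radius-nas)# key ascii-text password
wlc(config-radius)# domain default
wlc(config-radius-domain)# user name1
wlc(config)# radius-server host 127.0.0.1
wlc(config-radius-server)# key ascii-text password
wlc(config-wlc-radius-profile)# auth-password ascii-text password
wlc(config-wlc-radius-profile)# domain default
"""

def parse(transcript):
    """Collect keys, domains and users, using the CLI mode shown in each prompt."""
    # cur remembers which nas / domain / host block is currently being edited
    cur, cfg = {}, {"nas": {}, "host": {}, "domains": {}, "profile": {}}
    for line in transcript.splitlines():
        m = re.match(r"\S+\(([\w-]+)\)#\s+(\S+)\s+(.*\S)", line.strip())
        if not m:
            continue  # not a prompt line, or a command without arguments
        mode, cmd, args = m.group(1), m.group(2), m.group(3).split()
        if mode == "config-radius" and cmd in ("nas", "domain"):
            cur[cmd] = args[0]
            if cmd == "domain":
                cfg["domains"].setdefault(args[0], [])
        elif mode == "config" and cmd == "radius-server" and args[0] == "host":
            cur["host"] = args[-1]
        elif mode == "config-radius-nas" and cmd == "key" and "nas" in cur:
            cfg["nas"][cur["nas"]] = args[-1]
        elif mode == "config-radius-server" and cmd == "key" and "host" in cur:
            cfg["host"][cur["host"]] = args[-1]
        elif mode == "config-radius-domain" and cmd == "user" and "domain" in cur:
            cfg["domains"][cur["domain"]].append(args[0])
        elif mode == "config-wlc-radius-profile" and cmd in ("auth-password", "domain"):
            cfg["profile"][cmd] = args[-1]
    return cfg

def check(cfg):
    """Return the mismatches that would make RADIUS requests fail."""
    nas, problems = cfg["nas"], []
    if "local" not in nas or cfg["host"].get("127.0.0.1") != nas["local"]:
        problems.append("radius-server host 127.0.0.1 key does not match nas local key")
    if "ap" not in nas or cfg["profile"].get("auth-password") != nas["ap"]:
        problems.append("radius-profile auth-password does not match nas ap key")
    if not cfg["domains"].get(cfg["profile"].get("domain")):
        problems.append("radius-profile domain has no user accounts in radius-server local")
    return problems
```

check(parse(SAMPLE)) returns an empty list for the configuration on this page; each string in a non-empty result names the pair of settings that disagree.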
The SSID profile contains the SSID of the AP:
wlc(config-wlc)# ssid-profile default-ssid
In the ssid-profile, specify the previously configured RADIUS server settings profile that will be used for Wi-Fi user authorization, and the user VLAN:
wlc(config-wlc-ssid-profile)# radius-profile default-radius
wlc(config-wlc-ssid-profile)# vlan-id 3