cancel
Showing results for 
Search instead for 
Did you mean: 

How to configure RFS4000 with Radius authentication AD

How to configure RFS4000 with Radius authentication AD

fathaneMed
New Contributor

I  configure radius external Authentication AD with RFS4000 But not working, 

 

rfs4000-F8A311#sh running-config
!
! Configuration of RFS4000 version 5.9.1.10-002R
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
aaa-policy SRV-DC3-NPS
 authentication server 1 host 172.16.1.3 secret 0 ADMSRVL0C@L
 authentication server 1 proxy-mode through-rf-domain-manager
!
association-acl-policy FiltrageMAC
 permit 00-10-40-A8-9C-7B 00-10-40-A8-9C-7B precedence 1
 permit 00-10-40-A8-9D-62 00-10-40-A8-9D-62 precedence 2
 permit 00-10-40-A8-9D-83 00-10-40-A8-9D-83 precedence 3
 permit 00-10-40-A8-9D-BF 00-10-40-A8-9D-BF precedence 4
 permit 00-10-40-A8-BD-78 00-10-40-A8-BD-78 precedence 5
 permit 3E-4A-68-A4-FD-53 3E-4A-68-A4-FD-53 precedence 6
 permit 00-10-40-A8-9D-0E 00-10-40-A8-9D-0E precedence 7
 permit 00-10-40-A8-9C-BA 00-10-40-A8-9C-BA precedence 8
 permit 00-10-40-A8-9D-95 00-10-40-A8-9D-95 precedence 9
 permit 00-10-40-A8-BD-6F 00-10-40-A8-BD-6F precedence 10
 permit 00-10-40-A8-BD-51 00-10-40-A8-BD-51 precedence 11
!
wlan 1
 ssid WMS
 vlan 1
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 B@TTU2016XU
!
wlan GX
 description Wifi Magasin MACFilter
 ssid GX
 vlan 1
 bridging-mode local
 encryption-type none
 authentication-type none
 use association-acl-policy FiltrageMAC
!
smart-rf-policy Smart
!
!
management-policy default
 telnet
 http server
 https server
 ftp username ftpuser password 1 cef6a511381477f8df605e3b81c2ec41d28d419c24daa7931 rootdir flash:/
 ssh
 user admin password 1 849fdef1e1303ec60f2d49c3ebb57a2a3d5a22f83f77deef5e1a0465ad8d73a1 role superuser access all
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
ex3500-management-policy default
 snmp-server community public ro
 snmp-server community private rw
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server view defaultview 1 included
!
l2tpv3 policy default
!
profile rfs4000 default-rfs4000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
 router ospf
 router bgp
 adoption-mode controller
!
profile ap82xx default-ap82xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 router ospf
 adoption-mode controller
--More-- Jun 15 19:28:32 2021: %DATAPLANE-4-IPMACCONFLICT: IP-MAC CONFLICT:  Conflict in ip-mac binding between packet and snoop table data : Vlan = 1, Pkt Src Mac: 50-3D-E5-78-5A-80, Pkt Dst Mac: 3C-A8-2A-82-CF-9D, Pkt Src IP : 172.16.2.186, Snoop Table  Mac: A0-A4-C5-72-AC-13, Snoop Table IP: 172.16.2.186 . !
profile ap81xx default-ap81xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface bluetooth1
  shutdown
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 router ospf
 adoption-mode controller
!
profile ap7522 default-ap7522
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
--More-- Jun 15 19:28:33 2021: %DATAPLANE-4-DOSATTACK: BAD_PACKET:  Bcast/Mcast ICMP not allowed : Src IP : 172.16.3.125, Dst IP: 224.0.0.1, Src Mac: 00-72-78-9C-7B-4E, Dst Mac: 01-00-5E-00-00-01, ICMP type = 9, ICMP code = 0, Prot  wlan 1 bss 1 primary
  wlan GX bss 2 primary
 interface radio2
  shutdown
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 router ospf
 adoption-mode controller
!
profile ap7532 default-ap7532
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 router ospf
 adoption-mode controller
!
profile ap7502 default-ap7502
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface fe1
 interface fe2
 interface fe3
  no power
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap71xx default-ap71xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap6532 default-ap6532
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap650 default-ap650
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap6521 default-ap6521
 autoinstall configuration
 autoinstall firmware
 interface radio1
  wlan 1 bss 1 primary
  wlan GX bss 2 primary
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap621 default-ap621
 autoinstall configuration
 autoinstall firmware
 interface radio1
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap6511 default-ap6511
 autoinstall configuration
 autoinstall firmware
 interface radio1
 interface up1
 interface fe1
 interface fe2
 interface fe3
 interface fe4
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap6562 default-ap6562
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  placement outdoor
 interface radio2
  placement outdoor
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap6522 default-ap6522
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
profile ap622 default-ap622
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 use firewall-policy default
 use client-identity-group default
 service pm sys-restart
 adoption-mode controller
!
rf-domain default
 location AP
 contact TA
 country-code fr
 use smart-rf-policy Smart
!
rfs4000 B4-C7-99-F8-A1-09
 use profile default-rfs4000
 use rf-domain default
 hostname rfs4000-F8A109
 license AP DEFAULT-6AP-LICENSE
 license ADSEC DEFAULT-ADV-SEC-LICENSE
 device-upgrade auto ap6521
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1-2,10
 interface vlan1
  ip address 172.16.1.201/16
  ip address 192.168.0.1/24 secondary
  ip dhcp client request options all
  no shutdown
 cluster name cl_bottu
 cluster member ip 172.16.1.12 level 1
 cluster member ip 172.16.1.201
 cluster member ip 172.16.1.200 level 1
 cluster member ip 172.16.1.13 level 1
 cluster master-priority 1
 logging on
 logging console warnings
 logging buffered warnings
!
rfs4000 B4-C7-99-F8-A3-11
 use profile default-rfs4000
 use rf-domain default
 hostname rfs4000-F8A311
 license AP DEFAULT-6AP-LICENSE
 license AAP d8370195e5a2268312f2ad1b43eb92927ce131cf118579c3dd6558e28d72cc69cc1688b96d5e336b
 license ADSEC DEFAULT-ADV-SEC-LICENSE
 device-upgrade auto ap6521
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1-2
 interface vlan1
  ip address 172.16.1.200/16
  ip address 192.168.0.1/24 secondary
  ip dhcp client request options all
  no shutdown
 cluster name cl_bottu
 cluster member ip 172.16.1.12 level 1
 cluster member ip 172.16.1.201
 cluster member ip 172.16.1.200 level 1
 cluster member ip 172.16.1.13 level 1
 cluster master-priority 200
 logging on
 logging console warnings
 logging buffered warnings
!
ap7522 B8-50-01-A8-DD-60
 use profile default-ap7522
 use rf-domain default
 hostname ap7522-A8DD60
!
ap7522 B8-50-01-A8-DE-7C
 use profile default-ap7522
 use rf-domain default
 hostname ap7522-A8DE7C
!
ap7522 B8-50-01-A8-DF-AC
 use profile default-ap7522
 use rf-domain default
 hostname ap7522-A8DFAC
!
ap6521 FC-0A-81-44-80-08
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-448008
!
ap6521 FC-0A-81-44-83-B2
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-4483B2
!
ap6521 FC-0A-81-44-83-BA
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-4483BA
!
ap6521 FC-0A-81-44-86-70
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-448670
!
ap6521 FC-0A-81-44-86-F0
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-4486F0
!
ap6521 FC-0A-81-44-89-08
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-448908
!
ap6521 FC-0A-81-44-8B-04
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-448B04
!
ap6521 FC-0A-81-44-8B-08
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-448B08
!
ap6521 FC-0A-81-F1-12-2A
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1122A
!
ap6521 FC-0A-81-F1-12-72
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F11272
!
ap6521 FC-0A-81-F1-12-F2
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F112F2
!
ap6521 FC-0A-81-F1-81-C4
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F181C4
!
ap6521 FC-0A-81-F1-83-1E
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1831E
!
ap6521 FC-0A-81-F1-85-14
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F18514
!
ap6521 FC-0A-81-F1-B9-18
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1B918
!
ap6521 FC-0A-81-F1-B9-1A
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1B91A
!
ap6521 FC-0A-81-F1-B9-22
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1B922
!
ap6521 FC-0A-81-F1-C0-4C
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1C04C
!
ap6521 FC-0A-81-F1-C0-52
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1C052
!
ap6521 FC-0A-81-F1-C0-54
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1C054
!
ap6521 FC-0A-81-F1-C0-92
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-F1C092
!
!
end
 

 

1 ACCEPTED SOLUTION

Christopher_Fra
Contributor III

Hello,

     I don’t see a WLAN configured for EAP authentication, only a AAA policy configured for external radius.

Please add a new WLAN using EAP for “Select Authentication”, map your existing AAA policy to the WLAN, and select encryption type that will be used for EAP (802.1x). 

View solution in original post

1 REPLY 1

Christopher_Fra
Contributor III

Hello,

     I don’t see a WLAN configured for EAP authentication, only a AAA policy configured for external radius.

Please add a new WLAN using EAP for “Select Authentication”, map your existing AAA policy to the WLAN, and select encryption type that will be used for EAP (802.1x). 

GTM-P2G8KFN