Adaptive AP5131 with Radius Authentication

Gabe Bennett 3 years 6 months ago

Motorola IT is interested in using the AP5131 in adaptive mode to extend Motorola's internal network and M-Wireless to remote sites (ex. off-site meetings). We are able to connect the AP5131 from the internet to an RFS7000 in our DMZ via an IPsec connection and the AP is receiving the WLAN (M-Wireless) configuration from the controller. The problem is that we cannot authenticate with M-Wireless. The WLAN security configuration is WPA/WPA2 Enterprise (TKIP/AES) 802.1x (EAP-TLS) using a radius server to authenticate the device. We have confirmed that the RFS7000 is configured correctly by connecting an AP300 directly to the controller and authenticating through M-Wireless.

Any thoughts as to why the 5131 is not communicating with the radius server to authenticate the device?

Thanks,
Gabe


4 Replies

William Honig

Gabe,

Have you enabled the proxy-radius option against the M-Wireless WLAN within the RFS-7000? I assume the external radius server ip is already configured under the wlan. You’ll just need to make sure that this external radius server is reachable through the switch and enable the aap-radius-proxy setting. You should also start the onboard radius server.

For example:

If the external radius server ip is 10.10.10.111, first make sure it is reachable through the switch.

RFS7000(config)#do ping 10.10.10.111

Configure following cli commands under

RFS7000(config-wireless)#wlan 1 radius server primary 10.10.10.111

RFS7000(config-wireless)#wlan 1 radius server primary radius-key 0 testme

RFS7000(config-wireless)#wlan 1 aap-proxy-radius enable

To enable onboard radius server under

RFS7000(config)#service radius

With the aap-proxy-radius option enabled, the switch configures the AAP to forward all requests to the onboard radius server and it proxies the requests to the external radius server. If you don’t enable proxy-radius you’d have to add the IP address of each AAP 5131 as a RADIUS client within your external RADIUS server.

Gabe Bennett

Thanks for the quick replies. Raymond, the checkbox for Independent Mode is not checked. Bill, we think the overall radius configuration is correct on the switch because we are able to authenticate to M-Wireless through an AP300 that is directly connected to the switch. I don't think we have the onboard radius server enabled so we will give that a try.

Thanks,
Gabe

Matthieu Dierick

Hi Gabe,

As Bill said, "If you don’t enable proxy-radius you’d have to add the IP address of each AAP 5131 as a RADIUS client within your external RADIUS server". You can check that by checking your radius log. You will see that the radius client (IP address of AAP 5131) is not known.

Matt
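Added example (not part of the thread or any poster's code): one way to do the log check described in the reply above, by counting rejected requests per unknown RADIUS client and flagging the ones that fall inside the address range used by the adaptive APs. The FreeRADIUS-style "unknown client" message, the sample log lines and the AAP subnet are assumptions constructed for illustration; adjust the pattern for the RADIUS server actually in use.

```python
import ipaddress
import re
from collections import Counter

# Assumed FreeRADIUS-style message text; other servers word this differently.
UNKNOWN_CLIENT = re.compile(r"from unknown client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample log lines (documentation address ranges, not real data).
SAMPLE_LOG = [
    "Tue Mar  3 10:15:01 2009 : Error: Ignoring request to auth address * port 1812 from unknown client 192.0.2.45 port 32768 proto udp",
    "Tue Mar  3 10:15:02 2009 : Auth: Login OK: [host/laptop1] (from client rfs7000 port 0)",
    "Tue Mar  3 10:15:06 2009 : Error: Ignoring request to auth address * port 1812 from unknown client 192.0.2.45 port 32768 proto udp",
    "Tue Mar  3 10:16:40 2009 : Error: Ignoring request to auth address * port 1812 from unknown client 198.51.100.7 port 1645 proto udp",
    "Tue Mar  3 10:17:00 2009 : Error: Ignoring request to auth address * port 1812 from unknown client 999.1.1.1 port 1645 proto udp",
]

def unknown_clients(log_lines, aap_networks):
    """Return one record per unknown RADIUS client seen in the log.

    aap_networks: CIDR strings covering the addresses the adaptive APs use
    (hypothetical parameter). A client inside one of them is most likely an
    AAP sending RADIUS requests directly instead of through the switch proxy.
    """
    nets = [ipaddress.ip_network(n) for n in aap_networks]
    hits = Counter()
    for line in log_lines:
        match = UNKNOWN_CLIENT.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # malformed address in the log line, skip it
        hits[ip] += 1
    return [
        {"client": str(ip), "requests": count, "is_aap": any(ip in n for n in nets)}
        for ip, count in sorted(hits.items())
    ]

if __name__ == "__main__":
    for row in unknown_clients(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(row)
```

An unknown client outside the AAP range is a separate finding: some other host is sending requests to the RADIUS server without being a configured client.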

Raymond Clounch

Under the WLAN settings on the RFS7000, do you have the Independent mode box checked? If so, uncheck that box.
