Configuring Local Authentication Using LDAP

Local authentication using Lightweight Directory Access Protocol (LDAP) allows an endpoint to be authenticated using 802.1X, MAC authentication bypass (MAB), or web authentication with LDAP as a backend. Local authentication in Identity-Based Networking Services also supports associating an authentication, authorization, and accounting (AAA) attribute list with the local username. This module provides information about configuring local authentication for Identity-Based Networking Services.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Local Authentication Using LDAP

Local Authentication Using LDAP

Local authentication using LDAP allows an endpoint to be authenticated using 802.1X, MAB, or web authentication with LDAP as a backend. Local authentication also supports additional AAA attributes by associating an attribute list with a local username for wireless sessions.

AES Key Wrap

The Advanced Encryption Standard (AES) key wrap feature makes the shared secret between the controller and the RADIUS server more secure. AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server.

How to Configure Local Authentication Using LDAP

Configuring Local Authentication Using LDAP

Perform this task to specify the AAA method list for local authentication and to associate an attribute list with a local username.


    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa local authentication {method-list-name | default} authorization {method-list-name | default}

    5.    username name aaa attribute list aaa-attribute-list [password password]

    6.    exit

    Command or Action / Purpose
    Step 1 enable

    Device> enable

    Enables privileged EXEC mode.

    • Enter your password if prompted.

    Step 2 configure terminal

    Device# configure terminal

    Enters global configuration mode.

    Step 3 aaa new-model

    Device(config)# aaa new-model

    Enables the authentication, authorization, and accounting (AAA) access control model.

    Step 4 aaa local authentication {method-list-name | default} authorization {method-list-name | default}

    Device(config)# aaa local authentication default authorization default

    Specifies the method lists to use for local authentication and authorization from an LDAP server.

    Step 5 username name aaa attribute list aaa-attribute-list [password password]

    Device(config)# username USER_1 aaa attribute list LOCAL_LIST password CISCO

    Associates an AAA attribute list with a local username.

    Step 6 exit

    Device(config)# exit

    Exits global configuration mode and returns to privileged EXEC mode.


Configuring MAC Filtering Support

Perform this task to set the RADIUS compatibility mode, the MAC delimiter, and the MAC address as the username to support MAC filtering.


    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa group server radius group-name

    5.    subscriber mac-filtering security-mode {mac | none | shared-secret}

    6.    mac-delimiter {colon | hyphen | none | single-hyphen}

    7.    exit

    8.    username mac-address mac [aaa attribute list aaa-attribute-list]

    9.    exit

    Command or Action / Purpose
    Step 1 enable

    Device> enable

    Enables privileged EXEC mode.

    • Enter your password if prompted.

    Step 2 configure terminal

    Device# configure terminal

    Enters global configuration mode.

    Step 3 aaa new-model

    Device(config)# aaa new-model

    Enables the authentication, authorization, and accounting (AAA) access control model.

    Step 4 aaa group server radius group-name

    Device(config)# aaa group server radius RAD_GROUP1

    Groups different RADIUS server hosts into distinct lists.

    Step 5 subscriber mac-filtering security-mode {mac | none | shared-secret}

    Device(config-sg-radius)# subscriber mac-filtering security-mode mac

    Specifies the RADIUS compatibility mode for MAC filtering.

    • The default value is none.

    Step 6 mac-delimiter {colon | hyphen | none | single-hyphen}

    Device(config-sg-radius)# mac-delimiter hyphen

    Specifies the MAC delimiter for RADIUS compatibility mode.

    • The default value is none.

    Step 7 exit

    Device(config-sg-radius)# exit

    Exits server group configuration mode and returns to global configuration mode.

    Step 8 username mac-address mac [aaa attribute list aaa-attribute-list]

    Device(config)# username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1

    Allows a MAC address to be used as the username for MAC filtering done locally.

    Step 9 exit

    Device(config)# exit

    Exits global configuration mode and returns to privileged EXEC mode.
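Steps 6 and 8 together decide whether a locally configured MAC username can ever be matched: the mac-delimiter keyword fixes the form in which the device presents the MAC address, and the username entry has to be written in that same form. The following Python script is an added example, not code from this page or from Cisco. It assumes that the four keywords render a MAC address as xx:xx:xx:xx:xx:xx (colon), xx-xx-xx-xx-xx-xx (hyphen), xxxxxxxxxxxx (none) and xxxxxx-xxxxxx (single-hyphen), that the comparison is case-insensitive, and that a username whose form differs from the configured delimiter is never matched (the task's own example pairs mac-delimiter hyphen with a hyphen-separated username). The SAMPLE_CONFIG lines and all function names are constructed for this example.

```python
import re

# Constructed sample: MAC-filtering lines as an operator might keep them in a
# local-authentication config (not a configuration from the original page).
SAMPLE_CONFIG = """
aaa new-model
aaa group server radius RAD_GROUP1
 subscriber mac-filtering security-mode mac
 mac-delimiter hyphen
username 00-22-aa-ec-23-3c mac aaa attribute list AAA_list1
username 00:22:aa:ec:23:3d mac aaa attribute list AAA_list1
username 00-22-zz-ec-23-3c mac
""".strip().splitlines()

# Assumed mapping from the mac-delimiter keywords to the username form the
# device presents (h is the 12-digit lowercase hex form of the address).
FORMATS = {
    "colon":         lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "hyphen":        lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "none":          lambda h: h,
    "single-hyphen": lambda h: h[:6] + "-" + h[6:],
}


def canonical_mac(text):
    """Strip colon, hyphen and dot delimiters and return 12 lowercase hex
    digits, or None when the input is not a well-formed MAC address."""
    digits = re.sub(r"[:\-.]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def format_mac(text, delimiter):
    """Render a MAC address in the form produced by the given mac-delimiter keyword."""
    digits = canonical_mac(text)
    if digits is None:
        raise ValueError(f"not a valid MAC address: {text!r}")
    return FORMATS[delimiter](digits)


def configured_delimiter(config_lines):
    """Read the mac-delimiter keyword from the server-group block.
    The page states the default is none, so that is returned when absent."""
    for line in config_lines:
        m = re.match(r"^\s*mac-delimiter\s+(colon|hyphen|none|single-hyphen)\b", line)
        if m:
            return m.group(1)
    return "none"


def audit_usernames(config_lines):
    """Return (line, problem) for every 'username <mac> mac ...' entry whose
    username is malformed or is not written in the configured delimiter form,
    since such an entry would never match what the device looks up."""
    delimiter = configured_delimiter(config_lines)
    problems = []
    for line in config_lines:
        m = re.match(r"^\s*username\s+(\S+)\s+mac\b", line)
        if not m:
            continue
        raw = m.group(1)
        digits = canonical_mac(raw)
        if digits is None:
            problems.append((line.strip(), "not a valid MAC address"))
        elif raw.lower() != FORMATS[delimiter](digits):
            expected = FORMATS[delimiter](digits)
            problems.append((line.strip(),
                             f"expected {expected} for mac-delimiter {delimiter}"))
    return problems


if __name__ == "__main__":
    for entry, problem in audit_usernames(SAMPLE_CONFIG):
        print(f"{entry}\n    -> {problem}")
```

Run against a saved running-config, the audit flags the two entries in the sample that would silently never authenticate: one written with colons while the group uses hyphen, and one containing non-hex octets. Rendering the username with format_mac before pasting it into the username command avoids both mistakes.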


Enabling AES Key Wrap

Advanced Encryption Standard (AES) key wrap makes the shared secret between the controller and the RADIUS server more secure. AES key wrap requires a key-wrap compliant RADIUS authentication server.


    1.    enable

    2.    configure terminal

    3.    radius-server host {hostname | ip-address} key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}]

    4.    aaa new-model

    5.    aaa group server radius group-name

    6.    server ip-address [auth-port port-number] [acct-port port-number]

    7.    key-wrap enable

    8.    end

    Command or Action / Purpose
    Step 1 enable

    Device> enable

    Enables privileged EXEC mode.

    • Enter your password if prompted.

    Step 2 configure terminal

    Device# configure terminal

    Enters global configuration mode.

    Step 3 radius-server host {hostname | ip-address} key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}]

    Device(config)# radius-server host key-wrap encryption-key testkey99 message-auth-code-key testkey123

    Defines a RADIUS server host.

    Step 4 aaa new-model

    Device(config)# aaa new-model

    Enables the authentication, authorization, and accounting (AAA) access control model.

    Step 5 aaa group server radius group-name

    Device(config)# aaa group server radius RAD_GROUP1

    Groups different RADIUS server hosts into distinct lists.

    Step 6 server ip-address [auth-port port-number] [acct-port port-number]

    Device(config-sg-radius)# server

    Specifies the IP address of the RADIUS server in the server group.

    Step 7 key-wrap enable

    Device(config-sg-radius)# key-wrap enable

    Enables AES key wrap for this RADIUS server.

    Step 8 end

    Device(config-sg-radius)# end

    Exits server group configuration mode and returns to privileged EXEC mode.


Configuration Examples for Local Authentication Using LDAP

Example: Configuring Local Authentication Using LDAP

The following example shows a configuration for local authentication:

    username USER_1 password 0 CISCO
    username USER_1 aaa attribute list LOCAL_LIST
    aaa new-model
    aaa local authentication EAP_LIST authorization EAP_LIST

Example: Configuring MAC Filtering Support

The following example shows a configuration for MAC filtering:

    username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
    aaa new-model
    aaa group server radius RAD_GROUP1
    subscriber mac-filtering security-mode mac
    mac-delimiter hyphen

Example: Configuring AES Key Wrap

The following example shows a configuration with key wrap enabled for a RADIUS server:

    aaa new-model
    aaa group server radius RAD_GROUP1
    key-wrap enable
    radius-server host
Additional References

Related Documents

    Related Topic: Document Title

    Cisco IOS commands: Cisco IOS Master Command List, All Releases

    Identity-Based Networking Services commands: Cisco IOS Identity-Based Networking Services Command Reference

    Address Resolution Protocol (ARP) commands: Cisco IOS IP Addressing Services Command Reference

    ARP configuration tasks: IP Addressing - ARP Configuration Guide

    Authentication, authorization, and accounting (AAA) configuration tasks: Authentication Authorization and Accounting Configuration Guide

    AAA commands: Cisco IOS Security Command Reference

Standards and RFCs

    RFC 5176: Dynamic Authorization Extensions to RADIUS

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a user ID and password.


Feature Information for Local Authentication Using LDAP

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Local Authentication Using LDAP

    Feature Name: Local Authentication Using LDAP

    Releases: Cisco IOS XE Release 3.2SE

    Feature Information: Introduces support for local authentication using Lightweight Directory Access Protocol (LDAP).

    In Cisco IOS XE 3.2SE, this feature is supported on the following platforms:

    • Cisco Catalyst 3650 Series Switches

    • Cisco Catalyst 3850 Series Switches

    • Cisco 5700 Wireless LAN Controllers

    The following commands were introduced or modified: aaa local authentication, key-wrap enable, mac-delimiter, radius-server host, subscriber mac-filtering security-mode, username.