- Finding Feature Information
- Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
- Information About Configuring Remote Site IEEE 802.1X Local Authentication Service
- How to Configure Remote Site IEEE 802.1X Local Authentication Service
- Configuring the Local Authentication Server
- Configuring User Groups on the Local Authentication Server
- Creating the User List on the Local Authentication Server
- Saving the Configuration on the Local Authentication Server
- Configuring Access Points or Routers to Use the Local Authentication Server
- Verifying the Configuration for Local Authentication Service
- Monitoring and Maintaining 802.1X Local Authentication Service
- Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
- Additional References
- Feature Information for Remote Site IEEE 802.1X Local Authentication Service
Remote Site IEEE 802.1X Local Authentication Service
The Remote Site IEEE 802.1X Local Authentication Service feature provides the ability to configure an access point or wireless-aware router to act as a local RADIUS server. Configuring local authentication service provides a backup authentication service in the event of a WAN link or server failure.
- Finding Feature Information
- Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
- Information About Configuring Remote Site IEEE 802.1X Local Authentication Service
- How to Configure Remote Site IEEE 802.1X Local Authentication Service
- Monitoring and Maintaining 802.1X Local Authentication Service
- Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
- Additional References
- Feature Information for Remote Site IEEE 802.1X Local Authentication Service
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
- The local authentication server does not synchronize its database with the main RADIUS servers. It is necessary to manually configure the local authentication server with client usernames and passwords.
- LEAP is the only supported authentication protocol.
- Although multiple local authentication servers can exist on one network, only one authentication server can be configured on any single device.
Information About Configuring Remote Site IEEE 802.1X Local Authentication Service
On typical wireless LANs that use 802.1X authentication, access points and wireless-aware routers rely on remote site RADIUS servers to authenticate client devices. This authentication traffic must cross a WAN link. If the WAN link fails, or if the access points and routers cannot reach the RADIUS servers, then the client devices cannot access the wireless network even if their requirements for access are strictly local.
To provide for local authentication service or backup authentication service in the event of a WAN link or server failure, you can configure an access point or wireless-aware router to act as a local RADIUS server. The access point or wireless-aware router can authenticate Light Extensible Authentication Protocol (LEAP)-enabled wireless client devices and allow them to join your network.
Because the local authentication device does not synchronize its database with the main RADIUS servers. You must configure the local authentication server with client usernames and passwords. The local authentication server also permits you to specify a VLAN and a list of service set identifiers (SSIDs) that a client is allowed to use.
Follow these guidelines when you configure an access point or wireless-aware router as a local authentication server:
- To prevent performance degradation, configure local authentication service on an access point or a wireless-aware router that does not have a high CPU load.
- Physically secure the access point or router to protect its configuration.
The table below shows the maximum number of clients that can be configured on a local authentication server.
Table 1 | Maximum Number of Clients That Can be Configured on a Local Authentication Server |
Local Authentication Server |
Maximum Number of Clients |
---|---|
Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200 |
50 |
Cisco 2610XM, Cisco 2611XM routers |
50 |
Cisco 2620XM, Cisco 2621XM routers |
50 |
Cisco 2650XM, Cisco 2651XM routers |
50 |
Cisco 2691 routers |
50 |
Cisco 2811 routers |
50 |
Cisco 2821 routers |
50 |
Cisco 2851 routers |
50 |
Cisco 3725 routers |
50 |
Cisco 3745 routers |
50 |
Cisco 3825 routers |
50 |
Cisco 3845 routers |
50 |
Note |
Users that are associated to the local authentication server might notice a drop in performance during authentication of client devices. However, if your wireless LAN contains only one access point, you can configure that device as both the 802.1X authenticator and the local authentication server. |
You configure access points and routers to use the local authentication server when they cannot reach the main servers or when a RADIUS server is not available.
The access points and wireless-aware routers stop using the local authentication server automatically when the link to the main servers is restored.
If your local authentication server also serves client devices, you must enter the local authentication server access point or router as a network access server (NAS). When a LEAP client associates to the local authentication server access point, the access point uses itself to authenticate the client.
Caution |
The access point or wireless-aware router that you use as an authentication server contains detailed authentication information about your wireless LAN, so you should secure it physically to protect its configuration. |
How to Configure Remote Site IEEE 802.1X Local Authentication Service
- Configuring the Local Authentication Server
- Configuring User Groups on the Local Authentication Server
- Creating the User List on the Local Authentication Server
- Saving the Configuration on the Local Authentication Server
- Configuring Access Points or Routers to Use the Local Authentication Server
- Verifying the Configuration for Local Authentication Service
Configuring the Local Authentication Server
Perform this task to configure the access point as a local authentication server.
DETAILED STEPS
Configuring User Groups on the Local Authentication Server
Perform this optional task (beginning in local RADIUS server configuration mode) to configure user groups on the local authentication server.
Note |
If you do not wish to configure user groups on the local authentication server, skip this task and go to the Creating the User List on the Local Authentication_Server module. |
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
|
|
Enters user group configuration mode and configures a user group to which you can assign shared settings. |
|
|
(Optional) Specifies a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group. |
|
|
(Optional) Enters up to 20 service set identifiers (SSIDs) to limit members of the user group to those SSIDs. The access point checks whether the client's SSID matches an SSID in the list. If the SSID does not match, the client is disassociated. |
|
|
(Optional) Configures the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate. |
|
|
(Optional) To help protect against password-guessing attacks, you can lock out group members for a length of time after a set number of incorrect passwords.
|
|
|
Returns to authenticator configuration mode. |
Unblocking Usernames
You can unblock usernames before the lockout time expires or when the lockout time is set to infinite. To unblock a locked username, enter the following command in privileged EXEC mode on the local authentication server.
Router# clear radius local-server user username
Creating the User List on the Local Authentication Server
Perform the required task described in the following paragraphs to create a user list on the local authentication server and to configure the users that are allowed to authenticate using the local authentication server.
Note |
If you do not wish to configure users on the local authentication server, skip this task and go to the Saving the Configuration on the Local Authentication Server module. |
You must enter a username and password for each user. If you know only the NT hash value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.
To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.
Beginning in local RADIUS server configuration mode, enter the user command for each username:
Router(config-radsrv)# user username {password | nthash } password [group group-name]
Saving the Configuration on the Local Authentication Server
Perform this optional task to save the current configuration.
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
|
|
Returns to privileged EXEC mode. |
|
|
Saves your entries in the configuration file. |
Configuring Access Points or Routers to Use the Local Authentication Server
Perform this required task to add the local authentication server to the list of servers on the client access point or wireless-aware router.
Note |
If your local authentication server access point also serves client devices, you must configure the local authentication server to use itself to authenticate client devices. |
On the wireless devices that use the local authentication server, use the radius-server host command in privileged EXEC mode to enter the local authentication server as a RADIUS server. The order in which the devices attempt to use the servers matches the order in which you enter the servers in the device configuration. If you are configuring the device to use a RADIUS server for the first time, enter the main RADIUS servers first, and enter the local authentication server last.
Note |
You must enter 1812 as the authentication port and 1813 as the accounting port. The local authentication server listens on User Datagram Protocol (UDP) port 1813 for RADIUS accounting packets. It discards the accounting packets but sends acknowledge packets back to the RADIUS clients to prevent the clients from reacting as though the server is down. |
Use the radius-server deadtime command in global configuration mode to set an interval during which the access point or router does not attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying the next configured server. A server marked as dead is skipped by additional requests for the duration of minutes that you specify, up to 1440 (24 hours).
To remove the local authentication server from the access point or router configuration, use the no radius-server host command in global configuration mode.
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
|
|
Enables privileged EXEC mode. |
||
|
|
Enters global configuration mode. |
||
|
|
Enables authentication, authorization, and accounting (AAA). This step must be configured before the rest of the AAA configuration steps. |
||
|
|
Specifies the IP address or hostname of the remote RADIUS server host.
To configure the access point to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure to use a different UDP port number for each host. The access point software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host. |
||
|
|
Defines the AAA server-group with a group name. |
||
|
|
Defines the AAA server IP address, authentication port, and accounting port. |
||
|
|
Creates an authentication method list for the server group. |
||
|
|
Returns to privileged EXEC mode. |
||
|
|
Displays the current configuration for your verification. |
||
|
|
(Optional) Saves your entries in the configuration file. |
Verifying the Configuration for Local Authentication Service
Use the show running-config command in global configuration mode to verify the current configuration for local authentication service.
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
|
|
Enables privileged EXEC mode. |
|
|
Displays the current access point operating configuration |
Monitoring and Maintaining 802.1X Local Authentication Service
To view statistics collected by the local authentication server, enter the following command in privileged EXEC mode:
Router# show radius local-server statistics
To reset local authentication server statistics to zero, enter the following command in privileged EXEC mode:
Router# clear radius local-server statistics
Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
- Setting Up a Local Authentication Server Example
- Setting Up Two Main Servers and a Local Authentication Server Example
- Displaying Local Authentication Server Configuration Example
- Displaying Local Authentication Server Statistics Example
Setting Up a Local Authentication Server Example
This example shows how to set up a local authentication server used by three access points with three user groups and several users:
AP# configure terminal AP(config)# aaa new-model AP(config)# aaa group server radius RADIUS_SERVER_GROUP AP(config-sg-radius)# server 10.0.0.1 auth-port 1812 acct-port 1813 AP(config)# aaa authentication login RADIUS_METHOD_LIST AP(config)# radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 110337 AP(config)# radius-server local AP(config-radsrv)# nas 10.91.6.159 key 110337 AP(config-radsrv)# nas 10.91.6.162 key 110337 AP(config-radsrv)# nas 10.91.6.181 key 110337 AP(config-radsrv)# group clerks AP(config-radsrv-group)# vlan 87 AP(config-radsrv-group)# ssid batman AP(config-radsrv-group)# ssid robin AP(config-radsrv-group)# reauthentication time 1800 AP(config-radsrv-group)# block count 2 time 600 AP(config-radsrv-group)# group cashiers AP(config-radsrv-group)# vlan 97 AP(config-radsrv-group)# ssid deer AP(config-radsrv-group)# ssid antelope AP(config-radsrv-group)# ssid elk AP(config-radsrv-group)# reauthentication time 1800 AP(config-radsrv-group)# block count 2 time 600 AP(config-radsrv-group)# group managers AP(config-radsrv-group)# vlan 77 AP(config-radsrv-group)# ssid mouse AP(config-radsrv-group)# ssid chipmunk AP(config-radsrv-group)# reauthentication time 1800 AP(config-radsrv-group)# block count 2 time 600 AP(config-radsrv-group)# exit AP(config-radsrv)# user jsmith password twain74 group clerks AP(config-radsrv)# user stpatrick password snake100 group clerks AP(config-radsrv)# user nick password uptown group clerks AP(config-radsrv)# user sam password rover32 group cashiers AP(config-radsrv)# user patsy password crowder group cashiers AP(config-radsrv)# user carl password 272165 group managers AP(config-radsrv)# user vic password lid178 group managers AP(config-radsrv)# end
Setting Up Two Main Servers and a Local Authentication Server Example
This example shows how to set up two main servers and a local authentication server with a server deadtime of 10 minutes:
Router(config)# aaa new-model Router(config)# aaa group server radius RADIUS_SERVER_GROUP Router(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001 Router(config-sg-radius)# server 172.10.0.1 auth-port 1645 acct-port 1646 Router(config-sg-radius)# server 10.91.6.151 auth-port 1812 acct-port 1813 Router(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654 Router(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654 Router(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337 Router(config)# radius-server deadtime 10
In this example, if the WAN link to the main servers fails, the access point or wireless-aware router completes these steps when a LEAP-enabled client device associates:
- It tries the first server, times out multiple times, and marks the first server as dead.
- It tries the second server, times out multiple times, and marks the second server as dead.
- It tries and succeeds using the local authentication server.
If another client device needs to authenticate during the 10-minute deadtime interval, the access point skips the first two servers and tries the local authentication server first. After the deadtime interval, the access point tries to use the main servers for authentication. When setting a deadtime, you must balance the need to skip dead servers with the need to check the WAN link and begin using the main servers again as soon as possible.
Each time an access point or wireless-aware router tries to use the main servers while they are down, the client device that is trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point or wireless-aware router tries the local authentication server. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.
Displaying Local Authentication Server Configuration Example
The following is sample output for configuration of a local authentication server on the Cisco 2621 router.
2621-1# show run Building configuration... Current configuration : 2954 bytes ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname 2621-1 ! ! aaa new-model ! ! aaa group server radius RADIUS_LEAP_GROUP server 10.0.0.1 auth-port 1812 acct-port 1813 ! aaa authentication login AUTH_LEAP group RADIUS_LEAP_GROUP aaa session-id common ip subnet-zero ! ! ip dhcp pool 2621-dhcp-pool network 10.0.0.0 255.0.0.0 ! ! ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! interface FastEthernet1/0 no ip address ! interface FastEthernet1/1 switchport mode trunk no ip address ! interface FastEthernet1/2 no ip address shutdown ! interface FastEthernet1/3 no ip address shutdown ! interface FastEthernet1/4 no ip address shutdown ! interface FastEthernet1/5 no ip address ! ! interface GigabitEthernet1/0 no ip address shutdown ! interface Vlan1 ip address 10.0.0.1 255.0.0.0 ! ip classless ! ip http server no ip http secure-server ! ! ! radius-server local nas 10.0.0.1 key 0 cisco user ap-1 nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A user ap-5 nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307 user user1 nthash 7 1350344A5B5C227B78057B10107A452232515402097C77002B544B45087D0E7200 ! radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 radius-server key cisco ! wlccp authentication-server infrastructure AUTH_LEAP wlccp authentication-server client leap AUTH_LEAP wlccp wds priority 255 interface Vlan1 ! line con 0 line aux 0 line vty 0 4 ! ! ! end
Displaying Local Authentication Server Statistics Example
The following is sample output for configuration for the show radius local-server statistics command:
router-2621-1# show radius local-server statistics
Successes : 11262 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 8
Unknown NAS : 0 Invalid packet from NAS: 0
NAS : 10.0.0.1
Successes : 11262 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 8
Corrupted packet : 0 Unknown RADIUS message : 0
No username attribute : 0 Missing auth attribute : 0
Shared key mismatch : 0 Invalid state attribute: 0
Unknown EAP message : 0 Unknown EAP auth type : 0
Maximum number of configurable users: 50, current user count: 11
Username Successes Failures Blocks
vayu-ap-1 2235 0 0
vayu-ap-2 2235 0 0
vayu-ap-3 2246 0 0
vayu-ap-4 2247 0 0
vayu-ap-5 2247 0 0
vayu-11 3 0 0
vayu-12 5 0 0
vayu-13 5 0 0
vayu-14 30 0 0
vayu-15 3 0 0
scm-test 1 8 0
router-2621-1#
The first section shows cumulative statistics from the local authentication server. The second section shows statistics for each access point (NAS) that is authorized to use the local authentication server. The third section shows statistics for individual users. If a user is blocked and the lockout time is set to infinite, Blocked appears at the end of the line of statistics for that user. If the lockout time is not set to infinite, Unblocked in x seconds appears at the end of the statistics line for that user.
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Comprehensive set of software configuration commands |
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points |
Configuration commands for wireless roaming |
Configuring Fast Secure Roaming |
MIBs
MIB |
MIBs Link |
---|---|
Non. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Remote Site IEEE 802.1X Local Authentication Service
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 2 | Feature Information for Remote Site IEEE 802.1X Local Authentication Service |
Feature Name |
Releases |
Feature Information |
---|---|---|
Remote Site IEEE 802.1X Local Authentication Service |
12.2(11)JA 12.3(11)T |
The Remote Site IEEE 802.1X Local Authentication Service feature provides the ability to configure an access point or wireless-aware router to act as a local RADIUS server. Configuring local authentication service provides a backup authentication service in the event of a WAN link or server failure. This feature was introduced in Cisco IOS Release 12.2(11)JA on Cisco Aironet access points. This feature was integrated in Cisco IOS Release 12.3(11)T on the Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700 series, and Cisco 3800 series routers. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.