- Configuring IEEE 802.1X Port-Based Authentication
- IEEE 802.1X Common Session ID
- IEEE 802.1X Guest VLAN
- IEEE 802.1X RADIUS Accounting
- IEEE 802.1X RADIUS-Supplied Session Timeout
- IEEE 802.1X Voice VLAN
- IEEE 802.1X VLAN Assignment
- Remote Site IEEE 802.1X Local Authentication Service
- IEEE 802.1X Multiple Authentication
- IEEE 802.1X Multidomain Authentication
- IEEE 802.1X Flexible Authentication
- IEEE 802.1X Open Authentication
- IEEE 802.1X Auth Fail VLAN
- Critical Voice VLAN Support
- IEEE 802.1X with ACL Assignments
- IEEE 802.1X Wake on LAN Support
- Network Edge Authentication Topology
- Per-User ACL Support for 802.1X/MAB/Webauth Users
- Finding Feature Information
- Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
- Information About Configuring Remote Site IEEE 802.1X Local Authentication Service
- How to Configure Remote Site IEEE 802.1X Local Authentication Service
- Configuring the Local Authentication Server
- Configuring User Groups on the Local Authentication Server
- Creating the User List on the Local Authentication Server
- Saving the Configuration on the Local Authentication Server
- Configuring Access Points or Routers to Use the Local Authentication Server
- Verifying the Configuration for Local Authentication Service
- Monitoring and Maintaining 802.1X Local Authentication Service
- Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
- Additional References
- Feature Information for Remote Site IEEE 802.1X Local Authentication Service
Remote Site IEEE 802.1X Local Authentication Service
The Remote Site IEEE 802.1X Local Authentication Service feature provides the ability to configure an access point or wireless-aware router to act as a local RADIUS server. Configuring local authentication service provides a backup authentication service in the event of a WAN link or server failure.
- Finding Feature Information
- Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
- Information About Configuring Remote Site IEEE 802.1X Local Authentication Service
- How to Configure Remote Site IEEE 802.1X Local Authentication Service
- Monitoring and Maintaining 802.1X Local Authentication Service
- Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
- Additional References
- Feature Information for Remote Site IEEE 802.1X Local Authentication Service
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
The local authentication server does not synchronize its database with the main RADIUS servers. It is necessary to manually configure the local authentication server with client usernames and passwords.
LEAP is the only supported authentication protocol.
Although multiple local authentication servers can exist on one network, only one authentication server can be configured on any single device.
This feature does not support standard ACLs on the switch port.
Information About Configuring Remote Site IEEE 802.1X Local Authentication Service
On typical wireless LANs that use 802.1X authentication, access points and wireless-aware routers rely on remote site RADIUS servers to authenticate client devices. This authentication traffic must cross a WAN link. If the WAN link fails, or if the access points and routers cannot reach the RADIUS servers, then the client devices cannot access the wireless network even if their requirements for access are strictly local.
To provide for local authentication service or backup authentication service in the event of a WAN link or server failure, you can configure an access point or wireless-aware router to act as a local RADIUS server. The access point or wireless-aware router can authenticate Light Extensible Authentication Protocol (LEAP)-enabled wireless client devices and allow them to join your network.
Because the local authentication device does not synchronize its database with the main RADIUS servers. You must configure the local authentication server with client usernames and passwords. The local authentication server also permits you to specify a VLAN and a list of service set identifiers (SSIDs) that a client is allowed to use.
Follow these guidelines when you configure an access point or wireless-aware router as a local authentication server:
To prevent performance degradation, configure local authentication service on an access point or a wireless-aware router that does not have a high CPU load.
Physically secure the access point or router to protect its configuration.
The table below shows the maximum number of clients that can be configured on a local authentication server.
|
Local Authentication Server |
Maximum Number of Clients |
|---|---|
|
Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200 |
50 |
|
Cisco 2610XM, Cisco 2611XM routers |
50 |
|
Cisco 2620XM, Cisco 2621XM routers |
50 |
|
Cisco 2650XM, Cisco 2651XM routers |
50 |
|
Cisco 2691 routers |
50 |
|
Cisco 2811 routers |
50 |
|
Cisco 2821 routers |
50 |
|
Cisco 2851 routers |
50 |
|
Cisco 3725 routers |
50 |
|
Cisco 3745 routers |
50 |
|
Cisco 3825 routers |
50 |
|
Cisco 3845 routers |
50 |
 Note | Users that are associated to the local authentication server might notice a drop in performance during authentication of client devices. However, if your wireless LAN contains only one access point, you can configure that device as both the 802.1X authenticator and the local authentication server. |
You configure access points and routers to use the local authentication server when they cannot reach the main servers or when a RADIUS server is not available.
The access points and wireless-aware routers stop using the local authentication server automatically when the link to the main servers is restored.
If your local authentication server also serves client devices, you must enter the local authentication server access point or router as a network access server (NAS). When a LEAP client associates to the local authentication server access point, the access point uses itself to authenticate the client.
 Caution | The access point or wireless-aware router that you use as an authentication server contains detailed authentication information about your wireless LAN, so you should secure it physically to protect its configuration. |
How to Configure Remote Site IEEE 802.1X Local Authentication Service
- Configuring the Local Authentication Server
- Configuring User Groups on the Local Authentication Server
- Creating the User List on the Local Authentication Server
- Saving the Configuration on the Local Authentication Server
- Configuring Access Points or Routers to Use the Local Authentication Server
- Verifying the Configuration for Local Authentication Service
Configuring the Local Authentication Server
Perform this task to configure the access point as a local authentication server.
1. Router> enable
2. Router# configure terminal
3. Router(config)# aaa new-model
4. Router(config)# radius-server local
5. Router(config-radsrv)# nas ip-address key shared-key
DETAILED STEPS
Configuring User Groups on the Local Authentication Server
Perform this optional task (beginning in local RADIUS server configuration mode) to configure user groups on the local authentication server.
Note | If you do not wish to configure user groups on the local authentication server, skip this task and go to the Creating the User List on the Local Authentication_Server module. |
1. Router(config-radsrv)# group group-name
2. Router(config-radsrv-group)# vlan vlan
3. Router(config-radsrv-group)# ssid ssid
4. Router(config-radsrv-group)# reauthentication time seconds
5. Router(config-radsrv-group)# block countcounttime {seconds | infinite}
6. Router(config-radsrv-group)# exit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | Router(config-radsrv)# group group-name |
Enters user group configuration mode and configures a user group to which you can assign shared settings. |
| Step 2 | Router(config-radsrv-group)# vlan vlan |
(Optional) Specifies a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group. |
| Step 3 | Router(config-radsrv-group)# ssid ssid |
(Optional) Enters up to 20 service set identifiers (SSIDs) to limit members of the user group to those SSIDs. The access point checks whether the client’s SSID matches an SSID in the list. If the SSID does not match, the client is disassociated. |
| Step 4 | Router(config-radsrv-group)# reauthentication time seconds |
(Optional) Configures the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate. |
| Step 5 | Router(config-radsrv-group)# block countcounttime {seconds | infinite} |
(Optional) To help protect against password-guessing attacks, you can lock out group members for a length of time after a set number of incorrect passwords.
|
| Step 6 | Router(config-radsrv-group)# exit |
Returns to authenticator configuration mode. |
Unblocking Usernames
You can unblock usernames before the lockout time expires or when the lockout time is set to infinite. To unblock a locked username, enter the following command in privileged EXEC mode on the local authentication server.
Router# clear radius local-server user username
Creating the User List on the Local Authentication Server
Perform the required task described in the following paragraphs to create a user list on the local authentication server and to configure the users that are allowed to authenticate using the local authentication server.
Note | If you do not wish to configure users on the local authentication server, skip this task and go to the Saving the Configuration on the Local Authentication Server module. |
You must enter a username and password for each user. If you know only the NT hash value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.
To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.
Beginning in local RADIUS server configuration mode, enter the user command for each username:
Router(config-radsrv)# user
username {password
| nthash
} password [group
group-name]
Saving the Configuration on the Local Authentication Server
Perform this optional task to save the current configuration.
1. Router(config-radsrv)# end
2. Router# copy running-config startup-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | Router(config-radsrv)# end |
Returns to privileged EXEC mode. |
| Step 2 | Router# copy running-config startup-config |
Saves your entries in the configuration file. |
Configuring Access Points or Routers to Use the Local Authentication Server
Perform this required task to add the local authentication server to the list of servers on the client access point or wireless-aware router.
Note | If your local authentication server access point also serves client devices, you must configure the local authentication server to use itself to authenticate client devices. |
On the wireless devices that use the local authentication server, use the radius-server host command in privileged EXEC mode to enter the local authentication server as a RADIUS server. The order in which the devices attempt to use the servers matches the order in which you enter the servers in the device configuration. If you are configuring the device to use a RADIUS server for the first time, enter the main RADIUS servers first, and enter the local authentication server last.
Note | You must enter 1812 as the authentication port and 1813 as the accounting port. The local authentication server listens on User Datagram Protocol (UDP) port 1813 for RADIUS accounting packets. It discards the accounting packets but sends acknowledge packets back to the RADIUS clients to prevent the clients from reacting as though the server is down. |
Use the radius-server deadtime command in global configuration mode to set an interval during which the access point or router does not attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying the next configured server. A server marked as dead is skipped by additional requests for the duration of minutes that you specify, up to 1440 (24 hours).
To remove the local authentication server from the access point or router configuration, use the no radius-server host command in global configuration mode.
1. Router> enable
2. Router# configure terminal
3. Router(config)# aaa new-model
4. Router(config)# radius-server host {hostname | ip-address } [auth-portport-number ] [acct-portport-number ] [timeoutseconds ] [retransmitretries ] [keystring ]
5.
aaa
group
server
{radius | tacacs+} group-name
6. Router(config-sg-radius)# server ip-address auth-port 1812 acct-port 1813
7. Router(config)# aaa authentication loginnamed-authentication-list
8. Router(config)# end
9. Router# show running-config
10. Router# copy running-config startup-config
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | Router> enable |
Enables privileged EXEC mode. | ||
| Step 2 | Router# configure terminal |
Enters global configuration mode. | ||
| Step 3 | Router(config)# aaa new-model |
Enables authentication, authorization, and accounting (AAA). This step must be configured before the rest of the AAA configuration steps. | ||
| Step 4 | Router(config)# radius-server host {hostname | ip-address } [auth-portport-number ] [acct-portport-number ] [timeoutseconds ] [retransmitretries ] [keystring ] |
Specifies the IP address or hostname of the remote RADIUS server host.
To configure the access point to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure to use a different UDP port number for each host. The access point software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host. | ||
| Step 5 |
aaa
group
server
{radius | tacacs+} group-name |
Defines the AAA server-group with a group name. | ||
| Step 6 | Router(config-sg-radius)# server ip-address auth-port 1812 acct-port 1813 |
Defines the AAA server IP address, authentication port, and accounting port. | ||
| Step 7 | Router(config)# aaa authentication loginnamed-authentication-list |
Creates an authentication method list for the server group. | ||
| Step 8 | Router(config)# end |
Returns to privileged EXEC mode. | ||
| Step 9 | Router# show running-config |
Displays the current configuration for your verification. | ||
| Step 10 | Router# copy running-config startup-config |
(Optional) Saves your entries in the configuration file. |
Verifying the Configuration for Local Authentication Service
Use the show running-config command in global configuration mode to verify the current configuration for local authentication service.
1. Router> enable
2. Router# show running-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | Router> enable |
Enables privileged EXEC mode. |
| Step 2 | Router# show running-config |
Displays the current access point operating configuration |
Monitoring and Maintaining 802.1X Local Authentication Service
To view statistics collected by the local authentication server, enter the following command in privileged EXEC mode:
Router# show radius local-server statistics
To reset local authentication server statistics to zero, enter the following command in privileged EXEC mode:
Router# clear radius local-server statistics
Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
- Setting Up a Local Authentication Server Example
- Setting Up Two Main Servers and a Local Authentication Server Example
- Displaying Local Authentication Server Configuration Example
- Displaying Local Authentication Server Statistics Example
Setting Up a Local Authentication Server Example
This example shows how to set up a local authentication server used by three access points with three user groups and several users:
AP# configure terminal AP(config)# aaa new-model AP(config)# aaa group server radius RADIUS_SERVER_GROUP AP(config-sg-radius)# server 10.0.0.1 auth-port 1812 acct-port 1813 AP(config)# aaa authentication login RADIUS_METHOD_LIST AP(config)# radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 110337 AP(config)# radius-server local AP(config-radsrv)# nas 10.91.6.159 key 110337 AP(config-radsrv)# nas 10.91.6.162 key 110337 AP(config-radsrv)# nas 10.91.6.181 key 110337 AP(config-radsrv)# group clerks AP(config-radsrv-group)# vlan 87 AP(config-radsrv-group)# ssid batman AP(config-radsrv-group)# ssid robin AP(config-radsrv-group)# reauthentication time 1800 AP(config-radsrv-group)# block count 2 time 600 AP(config-radsrv-group)# group cashiers AP(config-radsrv-group)# vlan 97 AP(config-radsrv-group)# ssid deer AP(config-radsrv-group)# ssid antelope AP(config-radsrv-group)# ssid elk AP(config-radsrv-group)# reauthentication time 1800 AP(config-radsrv-group)# block count 2 time 600 AP(config-radsrv-group)# group managers AP(config-radsrv-group)# vlan 77 AP(config-radsrv-group)# ssid mouse AP(config-radsrv-group)# ssid chipmunk AP(config-radsrv-group)# reauthentication time 1800 AP(config-radsrv-group)# block count 2 time 600 AP(config-radsrv-group)# exit AP(config-radsrv)# user jsmith password twain74 group clerks AP(config-radsrv)# user stpatrick password snake100 group clerks AP(config-radsrv)# user nick password uptown group clerks AP(config-radsrv)# user sam password rover32 group cashiers AP(config-radsrv)# user patsy password crowder group cashiers AP(config-radsrv)# user carl password 272165 group managers AP(config-radsrv)# user vic password lid178 group managers AP(config-radsrv)# end
Setting Up Two Main Servers and a Local Authentication Server Example
This example shows how to set up two main servers and a local authentication server with a server deadtime of 10 minutes:
Router(config)# aaa new-model Router(config)# aaa group server radius RADIUS_SERVER_GROUP Router(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001 Router(config-sg-radius)# server 172.10.0.1 auth-port 1645 acct-port 1646 Router(config-sg-radius)# server 10.91.6.151 auth-port 1812 acct-port 1813 Router(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654 Router(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654 Router(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337 Router(config)# radius-server deadtime 10
In this example, if the WAN link to the main servers fails, the access point or wireless-aware router completes these steps when a LEAP-enabled client device associates:
It tries the first server, times out multiple times, and marks the first server as dead.
It tries the second server, times out multiple times, and marks the second server as dead.
It tries and succeeds using the local authentication server.
If another client device needs to authenticate during the 10-minute deadtime interval, the access point skips the first two servers and tries the local authentication server first. After the deadtime interval, the access point tries to use the main servers for authentication. When setting a deadtime, you must balance the need to skip dead servers with the need to check the WAN link and begin using the main servers again as soon as possible.
Each time an access point or wireless-aware router tries to use the main servers while they are down, the client device that is trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point or wireless-aware router tries the local authentication server. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.
Displaying Local Authentication Server Configuration Example
The following is sample output for configuration of a local authentication server on the Cisco 2621 router.
2621-1# show run Building configuration... Current configuration : 2954 bytes ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname 2621-1 ! ! aaa new-model ! ! aaa group server radius RADIUS_LEAP_GROUP server 10.0.0.1 auth-port 1812 acct-port 1813 ! aaa authentication login AUTH_LEAP group RADIUS_LEAP_GROUP aaa session-id common ip subnet-zero ! ! ip dhcp pool 2621-dhcp-pool network 10.0.0.0 255.0.0.0 ! ! ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! interface FastEthernet1/0 no ip address ! interface FastEthernet1/1 switchport mode trunk no ip address ! interface FastEthernet1/2 no ip address shutdown ! interface FastEthernet1/3 no ip address shutdown ! interface FastEthernet1/4 no ip address shutdown ! interface FastEthernet1/5 no ip address ! ! interface GigabitEthernet1/0 no ip address shutdown ! interface Vlan1 ip address 10.0.0.1 255.0.0.0 ! ip classless ! ip http server no ip http secure-server ! ! ! radius-server local nas 10.0.0.1 key 0 cisco user ap-1 nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A user ap-5 nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307 user user1 nthash 7 1350344A5B5C227B78057B10107A452232515402097C77002B544B45087D0E7200 ! radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 radius-server key cisco ! wlccp authentication-server infrastructure AUTH_LEAP wlccp authentication-server client leap AUTH_LEAP wlccp wds priority 255 interface Vlan1 ! line con 0 line aux 0 line vty 0 4 ! ! ! end
Displaying Local Authentication Server Statistics Example
The following is sample output for configuration for the show radius local-server statistics command:
router-2621-1# show radius local-server statistics Successes : 11262 Unknown usernames : 0 Client blocks : 0 Invalid passwords : 8 Unknown NAS : 0 Invalid packet from NAS: 0 NAS : 10.0.0.1 Successes : 11262 Unknown usernames : 0 Client blocks : 0 Invalid passwords : 8 Corrupted packet : 0 Unknown RADIUS message : 0 No username attribute : 0 Missing auth attribute : 0 Shared key mismatch : 0 Invalid state attribute: 0 Unknown EAP message : 0 Unknown EAP auth type : 0 Maximum number of configurable users: 50, current user count: 11 Username Successes Failures Blocks vayu-ap-1 2235 0 0 vayu-ap-2 2235 0 0 vayu-ap-3 2246 0 0 vayu-ap-4 2247 0 0 vayu-ap-5 2247 0 0 vayu-11 3 0 0 vayu-12 5 0 0 vayu-13 5 0 0 vayu-14 30 0 0 vayu-15 3 0 0 scm-test 1 8 0 router-2621-1#
The first section shows cumulative statistics from the local authentication server. The second section shows statistics for each access point (NAS) that is authorized to use the local authentication server. The third section shows statistics for individual users. If a user is blocked and the lockout time is set to infinite, Blocked appears at the end of the line of statistics for that user. If the lockout time is not set to infinite, Unblocked in x seconds appears at the end of the statistics line for that user.
Additional References
Related Documents
|
Related Topic |
Document Title |
|---|---|
|
Comprehensive set of software configuration commands |
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points |
|
Configuration commands for wireless roaming |
Configuring Fast Secure Roaming |
MIBs
|
MIB |
MIBs Link |
|---|---|
|
Non. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Remote Site IEEE 802.1X Local Authentication Service
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Remote Site IEEE 802.1X Local Authentication Service |
12.2(11)JA 12.3(11)T |
The Remote Site IEEE 802.1X Local Authentication Service feature provides the ability to configure an access point or wireless-aware router to act as a local RADIUS server. Configuring local authentication service provides a backup authentication service in the event of a WAN link or server failure. This feature was introduced in Cisco IOS Release 12.2(11)JA on Cisco Aironet access points. This feature was integrated in Cisco IOS Release 12.3(11)T on the Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700 series, and Cisco 3800 series routers. |
Feedback