Step 1 |
enable
Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3 |
aaa new-model
Example:
Router(config)# aaa new-model
|
Enables the AAA access control system.
|
Step 4 |
radius-server local
Example:
Router(config)# radius-server local
|
Configures the AP or wireless-aware router as a local authentication server, and enters authenticator configuration mode.
|
Step 5 |
nas ip-address key shared-key
Example:
Router(config-radsrv)# nas 10.91.6.159 key 110337
|
Adds an AP to the list of devices that use the local authentication server.
Enter the AP IP address and the shared key used to authenticate communication between the local authenticator and other APs.
You must enter this shared key on the APs that use the local authenticator. If your local authenticator also serves client devices, you must enter the local authenticator AP as a NAS.
Leading spaces in the shared key string are ignored, but spaces within and at the end of the key are used. If you use spaces in your shared key, do not enclose the key in quotation marks unless the quotation marks are part of the shared key.
|
Step 6 |
Repeat Step 5 to add each AP that uses the local authenticator.
|
--
|
Step 7 |
group group-name
Example:
Router(config-radsrv)# group clerks
|
(Optional) Configures a user group to which you can assign shared settings, and enters user group configuration mode.
|
Step 8 |
vlan vlan
Example:
Router(config-radsrv-group)# vlan 87
|
(Optional) Specifies a VLAN to be used by members of the user group.
The AP moves group members into a VLAN, overriding other VLAN assignments.
You can assign only one VLAN to the group.
|
Step 9 |
ssid name
Example:
Router(config-radsrv-group)# ssid anyname
|
(Optional) Creates an SSID for a radio interface.
Enter up to 20 SSIDs to limit members of the user group to those SSIDs.
The AP checks that the SSID that the client used to associate matches one of the SSIDs in the list. If the SSID does not match, the client is disassociated.
|
Step 10 |
reauthentication time seconds
Example:
Router(config-radsrv-group)# reauthentication time 1800
|
(Optional) Specifies the number of seconds after which the AP should reauthenticate members of the group.
|
Step 11 |
block count count time {seconds | infinite}
Example:
Router(config-radsrv-group)# block count 3 time infinite
|
(Optional) To help protect against password guessing attacks, locks out members of a user group for a length of time after a set number of incorrect passwords.
count--The number of failed passwords that triggers a lockout of the username.
seconds--The number of seconds the lockout should last. If you use the infinite keyword, an administrator must manually unblock the locked username.
See the clear radius local-server command for information on how to unblock a locked username.
|
Step 12 |
exit
Example:
Router(config-radsrv-group)# exit
|
Exits user group configuration mode and returns to authenticator configuration mode.
|
Step 13 |
user username {password | nthash} password [group group-name] [mac-auth-only]
Example:
Router(config-radsrv)# user anyuser password pwd1234 group clerks
|
Specifies the LEAP users allowed to authenticate using the local authenticator.
If you do not know the user password, look up the NT value of the password in the authentication server database, and enter the NT hash as a hexadecimal string.
To add a client device for MAC-based authentication, enter the client MAC address as both the username and password. Enter 12 hexadecimal digits without a dot or dash between the numbers as the username and the password. For example, for the MAC address 0009.5125.d02b, enter 00095125d02b as both the username and the password.
(Optional) To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.
(Optional) To limit the user to MAC authentication only, enter mac-auth-only.
|
Step 14 |
end
Example:
Router(config-radsrv)# end
|
Returns to privileged EXEC mode.
|
Step 15 |
copy running-config startup-config
Example:
Router# copy running-config startup-config
|
(Optional) Saves your entries in the configuration file.
|
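The optional group settings in Steps 7 through 13 decide whether a user is ever reauthenticated or locked out, so a finished local authenticator block is worth checking. The following is an added example, not Cisco code: a small Python audit over configuration text written in the command syntax shown in the steps above. The function name, the group "temps" and the user "guest" are hypothetical, and a saved configuration may format these lines differently.

```python
import re

# Constructed sample: the page's example commands assembled into one block,
# plus hypothetical entries (group "temps", user "guest") to trigger findings.
SAMPLE_CONFIG = """\
radius-server local
 nas 10.91.6.159 key 110337
 group clerks
  vlan 87
  reauthentication time 1800
  block count 3 time infinite
 group temps
  vlan 88
 user anyuser password pwd1234 group clerks
 user guest password pwd1234
 user 00095125d02b password 00095125d02b group temps
"""

MAC_RE = re.compile(r"[0-9a-fA-F]{12}")  # 12 hex digits, no dots or dashes

def audit_local_radius(config):
    """Return (subject, finding) pairs: users first, then groups."""
    groups, users, current = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if len(w) >= 2 and w[0] == "group":
            current = w[1]
            groups[current] = set()
        elif w and w[0] in ("reauthentication", "block") and current:
            groups[current].add(w[0])          # group-level setting seen
        elif len(w) >= 4 and w[0] == "user":
            current = None                     # back in authenticator mode
            opts = w[4:]
            grp = opts[opts.index("group") + 1] if "group" in opts[:-1] else None
            users.append((w[1], w[3], grp, "mac-auth-only" in opts))
    findings = []
    for name, secret, grp, mac_only in users:
        if grp is None:
            findings.append((f"user {name}", "no group: no VLAN assignment, never forced to reauthenticate"))
        elif grp not in groups:
            findings.append((f"user {name}", f"group {grp} is not defined"))
        if MAC_RE.fullmatch(name) and name == secret and not mac_only:
            findings.append((f"user {name}", "MAC entry without mac-auth-only"))
    for grp, seen in groups.items():
        for keyword in ("block", "reauthentication"):
            if keyword not in seen:
                findings.append((f"group {grp}", f"no {keyword} setting"))
    return findings
```

The MAC check is a heuristic: it flags any user whose name and password are the same 12 hexadecimal digits and who is not limited with mac-auth-only.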