Configuring RADIUS or a Local Authenticator in a Wireless LAN
This module describes how to enable and configure RADIUS in a wireless LAN (WLAN). RADIUS is a protocol that provides detailed accounting information and flexible administrative control over authentication and authorization. RADIUS is implemented through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands.
This module also describes how to configure a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access point or AP, as a local authenticator. The AP can serve as a standalone authenticator for a small wireless LAN or provide backup authentication service. As a local authenticator, an AP performs Lightweight Extensible Authentication Protocol (LEAP) and MAC-based authentication for up to 50 client devices on the smallest platforms and more on the larger ones (see the Local Authentication in a Wireless LAN section for the per-model limits).
You can configure your APs to use the local authenticator when they cannot reach the main servers, or to use the local authenticator as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the APs periodically check the link to the main servers and automatically stop using the local authenticator when the link is restored.
- Finding Feature Information
- Prerequisites for Configuring RADIUS or a Local Authenticator in a Wireless LAN
- Information About Configuring RADIUS or a Local Authenticator in a Wireless LAN
- How to Configure RADIUS or a Local Authenticator in a Wireless LAN
- Configuration Examples for a RADIUS Server or a Local Authenticator in a Wireless LAN
- Additional References
- Feature Information for Configuring RADIUS or a Local Authenticator in a Wireless LAN
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring RADIUS or a Local Authenticator in a Wireless LAN
The following prerequisites apply to configuring RADIUS or a local authenticator in a wireless LAN:
Read the "Wireless LAN Overview" module.
Read the "Configuring a Basic Wireless LAN Connection" module.
Information About Configuring RADIUS or a Local Authenticator in a Wireless LAN
- Network Environments Recommended to Use RADIUS for Access Security in a Wireless LAN
- RADIUS Operation in a Wireless LAN
- Local Authentication in a Wireless LAN
- Configuration Overview for a Local Authenticator in a Wireless LAN
Network Environments Recommended to Use RADIUS for Access Security in a Wireless LAN
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more information, refer to the RADIUS server documentation.
Use RADIUS in these network environments, which require access security:
Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that is customized to work with the Kerberos security system.
Turnkey network security environments in which applications support the RADIUS protocol, such as an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma’s security cards to validate users and to grant access to network resources.
Networks already using RADIUS. You can add a Cisco AP containing a RADIUS client to the network.
Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.
RADIUS Operation in a Wireless LAN
When a wireless user attempts to log in and authenticate to an AP whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in the figure below.
In Steps 1 through 9 in the figure above, a wireless client device and a RADIUS server on the wired LAN use IEEE 802.1X and the Extensible Authentication Protocol (EAP) to perform mutual authentication through the AP. The RADIUS server sends an authentication challenge to the client. The client computes a response from the challenge and a one-way hash of the user-supplied password and sends that response to the RADIUS server. Using the credential stored in its user database, the RADIUS server computes its own response and compares it with the one from the client. When the RADIUS server has authenticated the client, the process repeats in reverse and the client authenticates the RADIUS server.
When mutual authentication is complete, the RADIUS server and the client derive a Wired Equivalent Privacy (WEP) key that is unique to the client and grants the client the appropriate level of network access, approximating the security of a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the login session.
The RADIUS server then encrypts this WEP key, called the session key, using the RADIUS shared secret and sends it over the wired LAN to the AP. The AP encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client, which decrypts it with the session key. The client and AP then enable WEP and use the session and broadcast keys for all communications during the remainder of the session.
Note | This flow depends on WEP and, for the local authenticator described later in this module, on LEAP. WEP is deprecated in the IEEE 802.11 standard because its keys can be recovered from captured traffic, and the LEAP challenge-response is derived from the password hash, so anyone who captures the exchange can run an offline dictionary attack against the password. Treat this as a legacy configuration: where the platform and clients support it, use an EAP method that protects the credential exchange (such as EAP-TLS or PEAP) together with WPA2, and enforce strong passwords on any account that still authenticates with LEAP. |
There is more than one type of EAP authentication, but the AP behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the "Separating a Wireless Network by Configuring Multiple SSIDs" section in the "Securing a Wireless LAN" module for instructions on setting up client authentication using a RADIUS server.
Local Authentication in a Wireless LAN
To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an AP to act as a local authentication server. The AP can authenticate clients using LEAP or MAC-based authentication.
Local authentication capacity depends on the platform: Cisco 800 series, 1800 series (including the 1841), and 2801 APs can locally authenticate up to 50 clients; the Cisco 2811 and 2821, up to 100; the Cisco 2851, up to 200; the Cisco 3825, up to 500; and the Cisco 3845, up to 1000. The AP performs up to 5 authentications per second.
Small wireless LANs that do not have access to a RADIUS server could be made more secure with 802.1x authentication. Also, on wireless LANs that use 802.1x authentication, the APs rely on RADIUS servers housed at a distant location to authenticate client devices and the authentication traffic must cross a WAN link. If the WAN link fails or the APs cannot access the RADIUS servers for any other reason, client devices cannot access the wireless network even if the work they want to do is entirely local and typically authorized.
Authentication on a local authenticator must be configured manually with client usernames and passwords; the local authenticator does not synchronize its database with the RADIUS servers. You can also configure a VLAN and a list of SSIDs that a client is allowed to use.
Note | If your wireless LAN contains only one AP, you can configure the AP as both the 802.1x authenticator and the local authenticator. However, users associated to the local authenticator might notice a decrease in performance during the authentication process. |
You can configure your APs to use the local authenticator when they cannot reach the main servers, or to use the local authenticator as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the APs periodically check the link to the main servers and automatically stop using the local authenticator when the link is restored.
Note | The AP you use as an authenticator contains detailed authentication information for your wireless LAN. Physically secure it to protect its configuration. |
Configuration Overview for a Local Authenticator in a Wireless LAN
These are the typical steps you will follow to set up a local authenticator. The task is fully described in the Configuring Local or Backup Authentication Service section.
On the local authenticator, create a list of APs authorized to use the authenticator to authenticate client devices. Each AP that uses the local authenticator is a network access server (NAS). If the local authenticator AP serves client devices directly, include the local authenticator AP as a NAS.
Create user groups and configure parameters to be applied to each group (optional).
Create a list of up to 1000 LEAP users or MAC addresses that the local authenticator is authorized to authenticate; the number of authorized users depends on the model of the AP. Verify the limit of your AP before creating the list.
You do not have to specify which type of authentication you want the local authenticator to perform. It automatically performs LEAP or MAC-address authentication for the users in its user database.
On the client APs that use a local authenticator AP for security, enter the local authenticator as a RADIUS server. If your local authenticator AP also serves client devices, you must enter the local authenticator as a RADIUS server in the local authenticator configuration. When a client associates to the local authenticator AP, the AP uses itself to authenticate the client.
How to Configure RADIUS or a Local Authenticator in a Wireless LAN
How to Configure RADIUS in a Wireless LAN
This section describes how to configure RADIUS in a wireless LAN.
At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
This section contains the following tasks:
- Identifying the RADIUS Server Host in a Wireless LAN
- What to Do Next
- Configuring RADIUS Login Authentication for a Wireless LAN
- Defining and Associating a AAA Server Group to a RADIUS Server
- Enabling RADIUS Accounting for a Wireless LAN
- Configuring Global Communication Settings Between an Access Point and a RADIUS Server
- Configuring the Access Point to Recognize and Use Vendor-Specific Attributes
- Configuring a Vendor-Proprietary RADIUS Server Host
Identifying the RADIUS Server Host in a Wireless LAN
Perform this task to identify the RADIUS server host in a wireless LAN.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the AP and the key string to be shared by both the server and the AP. For more information, refer to your RADIUS server documentation.
You identify RADIUS security servers by their hostname or IP address, hostname and specific User Datagram Protocol (UDP) port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service--such as accounting--the second host entry configured acts as a failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the AP tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the AP use a shared secret text string to hide passwords in transit and to authenticate the responses they exchange. Anyone who learns the secret can recover the hidden passwords and forge server responses, so use a long random string, give each AP its own key on the server, and protect the AP configuration in which the key is stored. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and the secret text (key) string that it shares with the AP.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers, per server, or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the AP, use the radius-server timeout, radius-server retransmit, and radius-server key commands, respectively. To apply these values to a specific RADIUS server, use the radius-server host command.
Note | If you configure both global and per-server values (timeout, retransmission, and key) on the AP, the per-server values override the global ones for that server. For information on configuring these settings on all RADIUS servers, see Configuring Global Communication Settings Between an Access Point and a RADIUS Server. |
RADIUS and AAA are disabled by default.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
5. end
6. copy running-config startup-config
DETAILED STEPS
What to Do Next
After you identify the RADIUS host, configure RADIUS login authentication. See the Configuring RADIUS Login Authentication for a Wireless LAN section.
You can configure the AP to use AAA server groups to group existing server hosts for authentication by completing the optional task in the Defining and Associating a AAA Server Group to a RADIUS Server section.
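To make concrete what the shared secret entered with radius-server host ... key protects, here is an added example in Python (not code from Cisco or from this guide). It builds the Access-Request an AP sends for a client, hides the User-Password attribute as RFC 2865 section 5.2 requires, and checks the Response Authenticator on the reply before trusting an Access-Accept. The NAS-IP-Address (4) and NAS-Identifier (32) attributes it includes are the ones the later tasks in this module configure. The secret, username, password, address and AP name are constructed sample values.

```python
"""RADIUS Access-Request construction and reply verification (RFC 2865).

Added example, not Cisco IOS code. Shows what the `radius-server host ... key`
shared secret does: it hides User-Password with an MD5 keystream and
authenticates the server's reply through the Response Authenticator.
All names, addresses and the secret below are constructed sample values.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; anyone holding the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, nas_id, request_auth=None):
    """The packet an AP sends when a client authenticates. NAS-IP-Address (4)
    and NAS-Identifier (32) are the attributes the tasks in this module set."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable per request
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, request, secret, attrs=b""):
    """What a server holding `secret` sends back for `request`."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_reply(reply, request, secret):
    """NAS-side check: the identifier must match the outstanding request and
    the Response Authenticator must verify; otherwise the reply is dropped."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    req = build_access_request(7, secret, "alice", "s3cret", "10.91.6.159", "ap-lobby-1")
    hidden = parse_attrs(req)[USER_PASSWORD]
    print("recovered with the secret:", unhide_password(hidden, secret, req[4:20]))
    print("genuine accept verifies:", verify_reply(build_reply(ACCESS_ACCEPT, req, secret), req, secret))
    print("forged accept verifies:", verify_reply(build_reply(ACCESS_ACCEPT, req, b"guess"), req, secret))
```

Two points are visible in the code. Whoever holds the shared secret can recover every password it hid (unhide_password) and produce replies that verify (build_reply), so the secret deserves the same handling as a password. And verify_reply is the check that lets the AP discard a forged or replayed Access-Accept, which only works because the AP keeps the identifier and Request Authenticator of each outstanding request.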
Configuring RADIUS Login Authentication for a Wireless LAN
Perform this task to configure RADIUS login authentication for a wireless LAN.
To configure RADIUS authentication, you define a named list of authentication methods and then apply that list to various interfaces (lines). The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list, which is named default. The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle--meaning that the security server or local username database responds by denying the user access--the authentication process stops, and no other authentication methods are attempted.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. line [console | tty | vty] line-number [ending-line-number]
6. login authentication {default | list-name}
7. radius-server attribute 32 include-in-access-req format %h
8. end
9. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: aaa new-model
Example: Router(config)# aaa new-model
Purpose: Enables AAA.

Step 4: aaa authentication login {default | list-name} method1 [method2...]
Example: Router(config)# aaa authentication login default group radius local
Purpose: Creates a login authentication method list. Methods are tried in the order listed: a method that does not respond is skipped, while a method that answers (accept or reject) is final. Commonly used methods are group radius (all hosts defined with radius-server host), group group-name (a named AAA server group), local (the local username database), enable (the enable password), line (the line password), and none (no authentication). Placing local after group radius gives you a way in when the RADIUS servers are unreachable; do not use none on a list that protects management access, because it accepts any credentials once the earlier methods stop responding.

Step 5: line [console | tty | vty] line-number [ending-line-number]
Example: Router(config)# line 10
Purpose: Selects the lines to which you want to apply the authentication list and enters line configuration mode.

Step 6: login authentication {default | list-name}
Example: Router(config-line)# login authentication default
Purpose: Applies the authentication list to the line or set of lines.

Step 7: radius-server attribute 32 include-in-access-req format %h
Example: Router(config)# radius-server attribute 32 include-in-access-req format %h
Purpose: Configures the AP to send its hostname in the NAS-Identifier attribute (RADIUS attribute 32) of Access-Request packets, so the RADIUS server can tell which AP originated a request. This is a global configuration command; enter exit to leave line configuration mode before issuing it.

Step 8: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 9: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
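The method list semantics described above (a silent method hands over to the next one, an answering method is final) decide whether a RADIUS outage locks administrators out or lets anyone in. The following added Python model, which is not IOS code, shows the behaviour of aaa authentication login default group radius local and of a list that ends in none. It also models the radius-server retransmit and radius-server deadtime settings from the global-settings task later in this module: a server that does not answer is marked dead and skipped for the deadtime interval. Server addresses, users and passwords are constructed.

```python
"""Method-list and RADIUS server-group failover semantics.

Added example, not Cisco IOS code: a small model of `aaa authentication login`
method lists. A method that does not respond (ERROR) hands over to the next
method; a method that answers (PASS or FAIL) is final. The server group models
`radius-server retransmit` and `radius-server deadtime`. All hosts, users and
passwords are constructed sample values.
"""
import time

PASS, FAIL, ERROR = "pass", "fail", "error"   # ERROR = no answer, not a rejection


class RadiusServer:
    """One RADIUS host entry; reachable=False models a WAN outage."""

    def __init__(self, host, users, reachable=True):
        self.host, self.users, self.reachable = host, dict(users), reachable
        self.dead_until = 0.0   # set by the group when deadtime is configured
        self.queries = 0        # how many requests were actually sent here

    def query(self, username, password):
        self.queries += 1
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(username) == password else FAIL


class RadiusGroup:
    """The `group radius` method: servers tried in configured order."""

    def __init__(self, servers, retransmit=3, deadtime_minutes=0, clock=time.time):
        self.servers, self.retransmit = list(servers), retransmit
        self.deadtime, self.clock = deadtime_minutes * 60, clock

    def authenticate(self, username, password):
        now = self.clock()
        for server in self.servers:
            if server.dead_until > now:
                continue  # marked dead: skip without waiting for a timeout
            for _ in range(self.retransmit + 1):  # first send plus retransmits
                result = server.query(username, password)
                if result != ERROR:
                    return result
            if self.deadtime:
                server.dead_until = now + self.deadtime
        return ERROR  # every server silent: let the method list move on


class LocalDatabase:
    """The `local` method: usernames configured on the AP itself."""

    def __init__(self, users):
        self.users = dict(users)

    def authenticate(self, username, password):
        return PASS if self.users.get(username) == password else FAIL


class NoAuth:
    """The `none` method: accepts everyone, which is why it must never back
    a list that protects management access."""

    def authenticate(self, username, password):
        return PASS


def run_method_list(methods, username, password):
    """Evaluate [(name, method), ...] with IOS semantics; returns (result, name)."""
    for name, method in methods:
        result = method.authenticate(username, password)
        if result != ERROR:
            return result, name   # an accept or reject is final
    return FAIL, "exhausted"      # nothing answered and no `none`: deny


if __name__ == "__main__":
    local = LocalDatabase({"admin": "local-pw"})
    down = RadiusServer("172.20.0.1", {"admin": "radius-pw"}, reachable=False)
    up = RadiusServer("172.20.0.2", {"admin": "radius-pw"})
    print("RADIUS down:", run_method_list([("group radius", RadiusGroup([down])), ("local", local)], "admin", "local-pw"))
    print("RADIUS up:  ", run_method_list([("group radius", RadiusGroup([up])), ("local", local)], "admin", "local-pw"))
```

The second printed line is the case administrators most often misread: with the RADIUS server reachable, the local password does not work at all, because the server's reject ends the attempt before local is consulted. The local method is a fallback for outages, not a second password.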
Defining and Associating a AAA Server Group to a RADIUS Server
Perform this task to define a AAA server group and associate a particular RADIUS server with that server group.
You can configure the AP to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a failover backup to the first one.
You use the server command in server-group configuration mode to associate a particular server with a defined server group. You can identify the server by its IP address alone, or identify a specific host instance or entry by adding the optional auth-port and acct-port keywords.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
5. aaa group server radius group-name
6. server ip-address
7. end
8. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: aaa new-model
Example: Router(config)# aaa new-model
Purpose: Enables AAA.

Step 4: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Example: Router(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
Purpose: Specifies the IP address or hostname of the remote RADIUS server host, optionally with the UDP ports used for authentication and accounting. The combination of address and port is the identifier the server group refers to.

Step 5: aaa group server radius group-name
Example: Router(config)# aaa group server radius group1
Purpose: Defines the AAA server group with a group name and places the AP in server group configuration mode.

Step 6: server ip-address
Example: Router(config-sg)# server 172.20.0.1
Purpose: Associates a particular RADIUS server with the defined server group. To refer to a host entry defined with nonstandard ports, repeat the same auth-port and acct-port values on this command.

Step 7: end
Example: Router(config-sg)# end
Purpose: Returns to privileged EXEC mode.

Step 8: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Enabling RADIUS Accounting for a Wireless LAN
Perform this task to enable RADIUS accounting for each Cisco IOS privilege level and for network services.
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the AP reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting network start-stop radius
4. ip radius source-interface bvi1
5. aaa accounting update periodic minutes
6. end
7. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: aaa accounting network start-stop radius
Example: Router(config)# aaa accounting network start-stop radius
Purpose: Enables RADIUS accounting for all network-related service requests; start-stop sends a start record when a session begins and a stop record when it ends.

Step 4: ip radius source-interface bvi1
Example: Router(config)# ip radius source-interface bvi1
Purpose: Uses the IP address of the bridge virtual interface (BVI) as the source address of the AP's RADIUS packets, which is also the value the AP sends in the NAS-IP-Address attribute (attribute 4) of its accounting records. A fixed source address lets the RADIUS server match the AP to a single configured client entry and key.

Step 5: aaa accounting update periodic minutes
Example: Router(config)# aaa accounting update periodic 5
Purpose: Specifies the interval in minutes at which the AP sends interim accounting update records for sessions in progress, so a session that ends without a stop record (for example after an AP reload) still leaves an approximate record of its duration and usage.

Step 6: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 7: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Configuring Global Communication Settings Between an Access Point and a RADIUS Server
Perform this task to configure global communication settings between an AP and a RADIUS server.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server key {0 string | 7 string | string}
4. radius-server retransmit retries
5. radius-server deadtime minutes
6. end
7. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: radius-server key {0 string | 7 string | string}
Example: Router(config)# radius-server key anykey
Purpose: Specifies the shared secret text string used between the AP and every RADIUS server that does not have its own key on its radius-server host entry. The 0 form enters the key in plain text and the 7 form enters a key already in Cisco type 7 obfuscated form; type 7 is reversible, not encryption, so anyone who can read the configuration can recover the key. Use a long random string that matches the server's configuration; the example value anykey is a placeholder.

Step 4: radius-server retransmit retries
Example: Router(config)# radius-server retransmit 5
Purpose: Specifies the number of times the AP resends each RADIUS request to a server before giving up on that server and trying the next one.

Step 5: radius-server deadtime minutes
Example: Router(config)# radius-server deadtime 5
Purpose: Causes the Cisco IOS software to mark as "dead", for the specified number of minutes, any RADIUS server that fails to respond to authentication requests, so that later requests skip it instead of waiting for the timeout and retransmissions before trying the next configured server.

Step 6: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 7: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Configuring the Access Point to Recognize and Use Vendor-Specific Attributes
Perform this task to configure the AP to recognize and use vendor-specific attributes (VSAs).
The RADIUS standard (RFC 2865, originally an Internet Engineering Task Force draft) specifies a method for communicating vendor-specific information between the AP and the RADIUS server by using the Vendor-Specific attribute (attribute 26). A VSA allows a vendor to support its own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco's vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format:
protocol:attribute sep value
Protocol is the Cisco protocol attribute for a particular type of authorization (for example ip or shell). Attribute and value are an appropriate AV pair, and sep is = for mandatory attributes and the asterisk (*) for optional attributes: the AP must honor a mandatory pair or reject the session, whereas an optional pair it does not support is ignored. This allows the full set of features to be used for RADIUS.
For example, the following AV pair activates Cisco’s Multiple Named IP Address Pools feature during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from an AP with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, refer to RFC 2138, Remote Authentication Dial-In User Service (RADIUS), which has since been obsoleted by RFC 2865.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server vsa send [accounting | authentication]
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: radius-server vsa send [accounting | authentication]
Example: Router(config)# radius-server vsa send
Purpose: Configures the AP to recognize and use VSAs as defined by RADIUS attribute 26 (Vendor-Specific). With no keyword, VSAs are used for both accounting and authentication; the accounting keyword limits them to accounting records and the authentication keyword limits them to authentication and authorization.

Step 4: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 5: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
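The cisco-avpair format described above is easy to get wrong in a server's policy, and the = versus * separator changes what the AP does with a pair it cannot honour. The following added Python example (not Cisco code) packs a cisco-avpair into RADIUS attribute 26 with Vendor-Id 9 and vendor type 1, decodes attribute 26 back out of an Access-Accept's attribute area, and applies the mandatory/optional rule: an unsupported mandatory pair denies the session, an unsupported optional pair is ignored. The SUPPORTED_PAIRS table is an assumption standing in for whatever a real NAS implements, and all pair values are constructed.

```python
"""Cisco vendor-specific attribute (VSA) encoding and the cisco-avpair syntax.

Added example, not Cisco code. Packs a cisco-avpair into RADIUS attribute 26
(Vendor-Id 9, vendor type 1), decodes attribute 26 from an attribute area, and
applies the `=` (mandatory) versus `*` (optional) rule. SUPPORTED_PAIRS is a
hypothetical table of what this NAS can enforce; all values are constructed.
"""
import re
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# protocol:attribute, then '=' (mandatory) or '*' (optional), then the value.
AVPAIR_RE = re.compile(r"^([^:=*]+):([^=*]+)([=*])(.*)$")

# Pairs this (hypothetical) NAS knows how to enforce; the two shown in the text.
SUPPORTED_PAIRS = {("shell", "priv-lvl"), ("ip", "addr-pool")}


def encode_cisco_avpair(text):
    """Attribute 26 body: Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + string."""
    data = text.encode()
    if len(data) > 247:  # 253 minus the 6 bytes of vendor header
        raise ValueError("cisco-avpair value too long for one attribute")
    vendor_part = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, len(vendor_part) + 2) + vendor_part


def decode_vsas(attrs):
    """Walk an attribute area; return (vendor_id, vendor_type, value) per VSA sub-attribute."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[pos + 2:pos + length]
        pos += length
        if attr_type != VENDOR_SPECIFIC:
            continue  # a standard attribute; not our concern here
        if len(body) < 4:
            raise ValueError("VSA shorter than Vendor-Id")
        vendor_id = struct.unpack("!I", body[:4])[0]
        sub, spos = body[4:], 0
        while spos < len(sub):
            if spos + 2 > len(sub):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute length")
            found.append((vendor_id, vtype, sub[spos + 2:spos + vlen]))
            spos += vlen
    return found


def parse_avpair(text):
    """Split 'protocol:attribute=value' / 'protocol:attribute*value'."""
    match = AVPAIR_RE.match(text)
    if not match:
        raise ValueError("not a cisco-avpair: %r" % text)
    protocol, attribute, sep, value = match.groups()
    return {"protocol": protocol, "attribute": attribute,
            "mandatory": sep == "=", "value": value}


def apply_authorization(attrs):
    """Emulate the NAS applying the VSAs carried in an Access-Accept."""
    granted = {}
    for vendor_id, vtype, value in decode_vsas(attrs):
        if vendor_id != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
            continue  # another vendor's VSA or an unknown Cisco type: ignore
        pair = parse_avpair(value.decode("utf-8", "replace"))
        key = (pair["protocol"], pair["attribute"])
        if key in SUPPORTED_PAIRS:
            granted["%s:%s" % key] = pair["value"]
        elif pair["mandatory"]:
            # A mandatory pair the NAS cannot honour must fail the session.
            return {"accept": False, "granted": {},
                    "reason": "unsupported mandatory attribute %s:%s" % key}
    return {"accept": True, "granted": granted}


if __name__ == "__main__":
    accept_attrs = encode_cisco_avpair("shell:priv-lvl=15") + encode_cisco_avpair("ip:addr-pool=first")
    print(accept_attrs.hex())
    print(apply_authorization(accept_attrs))
    print(apply_authorization(accept_attrs + encode_cisco_avpair("lcp:interface-config=shutdown")))
```

Note that shell:priv-lvl=15 in an Access-Accept is an authorization decision made entirely on the server: the AP grants level 15 because the pair arrived in a reply that verified, so the integrity of that reply (the shared secret) is what stands between a RADIUS user and privileged EXEC.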
Configuring a Vendor-Proprietary RADIUS Server Host
Perform this task to configure a vendor-proprietary RADIUS server host and a shared secret text string.
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the AP and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
To configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the AP. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} non-standard
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: radius-server host {hostname | ip-address} non-standard
Example: Router(config)# radius-server host samplehost non-standard
Purpose: Specifies the IP address or hostname of the remote RADIUS server host and identifies that it is using a vendor-proprietary implementation of RADIUS.

Step 4: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 5: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
How to Configure a Local Authenticator in a Wireless LAN
This section describes how to configure an access point in a wireless LAN as a local authenticator.
This section contains the following task:
Configuring Local or Backup Authentication Service
Perform this task to configure local or backup authentication service.
You can configure your APs to use a local authenticator when they cannot reach the main servers, or to use the local authenticator as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the APs periodically check the link to the main servers and automatically stop using the local authenticator when the link is restored.
When you configure an AP as a local authenticator, use an AP that does not serve a large number of client devices. When the AP acts as an authenticator, performance might degrade for associated client devices. Also, the AP you use as an authenticator contains detailed authentication information for your wireless LAN. Physically secure it to protect its configuration.
1. enable
2. configure terminal
3. aaa new-model
4. radius-server local
5. nas ip-address key shared-key
6. Repeat Step 5 to add each AP that uses the local authenticator.
7. group group-name
8. vlan vlan
9. ssid name
10. reauthentication time seconds
11. block count count time {seconds | infinite}
12. exit
13. user username {password | nthash} password [group group-name] [mac-auth-only]
14. end
15. copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable Example: Router> enable | Enables privileged EXEC mode. |
Step 2 | configure terminal Example: Router# configure terminal | Enters global configuration mode. |
Step 3 | aaa new-model Example: Router(config)# aaa new-model | Enables the AAA access control system. |
Step 4 | radius-server local Example: Router(config)# radius-server local | Configures the AP or wireless-aware router as a local authentication server, and enters authenticator configuration mode. |
Step 5 | nas ip-address key shared-key Example: Router(config-radsrv)# nas 10.91.6.159 key 110337 | Adds an AP to the list of devices that use the local authentication server. The shared key must match the RADIUS key configured on that AP for the local authenticator. |
Step 6 | Repeat Step 5 to add each AP that uses the local authenticator. | |
Step 7 | group group-name Example: Router(config-radsrv)# group clerks | (Optional) Configures a user group to which you can assign shared settings, and enters user group configuration mode. |
Step 8 | vlan vlan Example: Router(config-radsrv-group)# vlan 87 | (Optional) Specifies a VLAN to be used by members of the user group. |
Step 9 | ssid name Example: Router(config-radsrv-group)# ssid anyname | (Optional) Creates an SSID for a radio interface. |
Step 10 | reauthentication time seconds Example: Router(config-radsrv-group)# reauthentication time 1800 | (Optional) Specifies the number of seconds after which the AP should reauthenticate members of the group. |
Step 11 | block count count time {seconds \| infinite} Example: Router(config-radsrv-group)# block count 3 time infinite | (Optional) To help protect against password-guessing attacks, locks out members of the user group for the specified length of time after the specified number of incorrect passwords. |
Step 12 | exit Example: Router(config-radsrv-group)# exit | Exits user group configuration mode and returns to authenticator configuration mode. |
Step 13 | user username {password \| nthash} password [group group-name] [mac-auth-only] Example: Router(config-radsrv)# user anyuser password pwd1234 group clerks | Specifies the LEAP users allowed to authenticate using the local authenticator. If you do not know the user password, look up the NT hash of the password in the authentication server database and enter it as a hexadecimal string with the nthash keyword. For clients authenticated by MAC address, enter the MAC address as both the username and the password and add the mac-auth-only keyword. |
Step 14 | end Example: Router(config-radsrv)# end | Returns to privileged EXEC mode. |
Step 15 | copy running-config startup-config Example: Router# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Configuration Examples for a RADIUS Server or a Local Authenticator in a Wireless LAN
Configuring a Local Authenticator in a Wireless LAN Example
The following example shows how to:
Configure a local authenticator in a wireless LAN used by three APs all sharing the same key.
Configure three user groups: sales, marketing, and managers.
Configure individual users, each of which will authenticate to the AP using either a personal password or a MAC address.
```
configure terminal
radius-server local
 nas 10.91.6.159 key 110337
 nas 10.91.6.162 key 110337
 nas 10.91.6.181 key 110337
 group sales
  vlan 87
  ssid name1
  ssid name2
  reauthentication time 1800
  block count 2 time 600
 group marketing
  vlan 97
  ssid name3
  ssid name4
  ssid name5
  reauthentication time 1800
  block count 2 time 600
 group managers
  vlan 77
  ssid name6
  ssid name7
  reauthentication time 1800
  block count 2 time 600
 exit
 ! The following three users will authenticate using their own passwords.
 user username1 password pwd1 group sales
 user username2 password pwd2 group sales
 user username3 password pwd3 group sales
 ! These three users will authenticate using their MAC addresses.
 user 00095125d02b password 00095125d02b group marketing mac-auth-only
 user 00095125d02b password 00095125d02b group sales mac-auth-only
 user 00079431f04a password 00079431f04a group sales mac-auth-only
 user username4 password 272165 group managers
 user username5 password 383981 group managers
end
copy running-config startup-config
```
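A local authenticator configuration like the one above is short enough to review by eye, but the checks are mechanical, so the following added example (not Cisco code or part of this module) parses the nas, group and user lines of a radius-server local section and reports what a reviewer would want to know before trusting the AP as an authenticator: short or all-numeric NAS keys, one key shared by several APs, groups without a block count lockout or reauthentication time, user names defined twice, mac-auth-only entries whose password is not the MAC address, cleartext passwords, and references to undefined groups. The sample input is an abridged copy of the page's example with the marketing group's lockout left out so that check fires; MIN_KEY_LEN and the findings are this example's own policy, not Cisco defaults.

```python
"""Audit a 'radius-server local' section (added example, not Cisco code)."""
import re
from collections import Counter

MIN_KEY_LEN = 16  # assumption: shortest NAS shared key this audit accepts
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample: abridged from the page's example (placeholder addresses,
# keys and passwords); the marketing group deliberately has no block count.
SAMPLE_CONFIG = """\
radius-server local
 nas 10.91.6.159 key 110337
 nas 10.91.6.162 key 110337
 nas 10.91.6.181 key 110337
 group sales
  vlan 87
  ssid name1
  reauthentication time 1800
  block count 2 time 600
 group marketing
  vlan 97
  ssid name3
  reauthentication time 1800
 group managers
  vlan 77
  reauthentication time 1800
  block count 2 time 600
 exit
 ! cleartext-password users
 user username1 password pwd1 group sales
 user username2 password pwd2 group sales
 ! MAC-authenticated users (the first MAC appears twice)
 user 00095125d02b password 00095125d02b group marketing mac-auth-only
 user 00095125d02b password 00095125d02b group sales mac-auth-only
 user 00079431f04a password 00079431f04a group sales mac-auth-only
 user username4 password 272165 group managers
"""


def parse_local_auth(text):
    """Split the section into NAS keys, per-group settings and user entries."""
    nas, groups, users, current = {}, {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):   # blank line or IOS comment
            continue
        kw = parts[0]
        if kw == "nas" and len(parts) >= 4 and parts[2] == "key":
            nas[parts[1]] = parts[3]
        elif kw == "group":                          # a new group ends the previous one
            current = parts[1]
            groups[current] = {"vlan": None, "ssids": [], "reauth": None, "block": None}
        elif kw == "exit":
            current = None
        elif kw == "user" and len(parts) >= 4:
            users.append({"name": parts[1], "kind": parts[2], "secret": parts[3],
                          "group": parts[parts.index("group") + 1] if "group" in parts else None,
                          "mac_only": "mac-auth-only" in parts})
        elif current is not None:                    # group-mode settings
            g = groups[current]
            if kw == "vlan":
                g["vlan"] = int(parts[1])
            elif kw == "ssid":
                g["ssids"].append(parts[1])
            elif kw == "reauthentication" and parts[1] == "time":
                g["reauth"] = int(parts[2])
            elif kw == "block" and parts[1] == "count":
                g["block"] = (int(parts[2]), parts[4])
    return nas, groups, users


def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    nas, groups, users = parse_local_auth(text)
    findings = []
    for ip, key in nas.items():
        if len(key) < MIN_KEY_LEN or key.isdigit():
            findings.append(f"nas {ip}: shared key is {len(key)} chars"
                            + (" and all digits" if key.isdigit() else ""))
    for n in Counter(nas.values()).values():
        if n > 1:
            findings.append(f"{n} APs share one RADIUS key; one compromised AP config exposes the others")
    for name, g in groups.items():
        if g["block"] is None:
            findings.append(f"group {name}: no 'block count' lockout, online guessing is unlimited")
        if g["reauth"] is None:
            findings.append(f"group {name}: no reauthentication time")
    for name, n in Counter(u["name"] for u in users).items():
        if n > 1:
            findings.append(f"user {name}: defined {n} times, resolve the duplicate by hand")
    for u in users:
        if u["mac_only"]:
            if not MAC_RE.match(u["name"]) or u["secret"] != u["name"]:
                findings.append(f"user {u['name']}: mac-auth-only entry must use the MAC as name and password")
        elif u["kind"] == "password":
            findings.append(f"user {u['name']}: cleartext password in config (nthash keeps the plaintext out, "
                            "though the hash is still password-equivalent for LEAP)")
        if u["group"] and u["group"] not in groups:
            findings.append(f"user {u['name']}: group {u['group']} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the six-digit key on all three NAS entries and their sharing, the missing lockout on marketing, the repeated 00095125d02b entry, and the three cleartext passwords; paste the output of show running-config into the same function to audit a live AP.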
Additional References
The following sections provide references related to configuring a RADIUS server or a local authenticator.
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS wireless LAN commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS Wireless LAN Command Reference |
Standards
Standard | Title |
---|---|
No new or modified standards are supported, and support for existing standards has not been modified. | -- |
MIBs
MIB | MIBs Link |
---|---|
No new or modified MIBs are supported, and support for existing MIBs has not been modified. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC | Title |
---|---|
No new or modified RFCs are supported, and support for existing RFCs has not been modified. | -- |
Technical Assistance
Description | Link |
---|---|
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | |
Feature Information for Configuring RADIUS or a Local Authenticator in a Wireless LAN
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information |
---|---|---|
RADIUS Server per SSID | 12.4T | This feature allows RADIUS servers to be specified on a per-SSID basis. |