The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
You can set a global username, password, and enable password for all access points that are currently joined to the device and any that join in the future inherit as they join the device. If desired, you can override the global credentials and assign a unique username, password, and enable password for a specific access point.
After an access point joins the device, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point’s console port. When you log in, you are in nonprivileged mode, and you must enter the enable password in order to use the privileged mode.
The global credentials that you configure on the device are retained across device and access point reboots. They are overwritten only if the access point joins a new device that is configured with a global username and password. If the new device is not configured with global credentials, the access point retains the global username and password configured for the first device.
You must track the credentials used by the access points. Otherwise, you might not be able to log into an access point’s console port. If you need to return the access points to the default Cisco/Cisco username and password, you must clear the device’s configuration and the access point’s configuration to return them to factory-default settings. To reset the default access point configuration, enter the ap name Cisco_AP mgmtuser username Cisco password Cisco command. Entering the command does not clear the static IP address of the access point. Once the access point rejoins a device, it adopts the default Cisco/Cisco username and password.
You can configure global authentication settings for all access points that are currently joined to the device and any that join in the future. If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.
This feature is supported on the following hardware:
All Cisco switches that support authentication.
Cisco Aironet 1140, 1260, 1310, 1520, 1600, 2600, 3500, and 3600 access points
The device name in the AP configuration is case sensitive. Therefore, make sure to configure the exact system name on the AP configuration. Failure to do this results in the AP fallback not working.
Cisco IOS access points are shipped from the factory with Cisco as the default enable password. This password allows users to log into the nonprivileged mode and enter the show and debug commands that pose a security threat to your network. You must change the default enable password to prevent unauthorized access and to enable users to enter configuration commands from the access point’s console port.
You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access point acts as an 802.1X supplicant and is authenticated by the switch where it uses EAP-FAST with anonymous PAC provisioning.
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
enable Example: |
Enters privileged EXEC mode. |
||
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
| Step 3 |
ap mgmtuser username user_name password 0 passsword secret 0 secret_value Example: |
Configures the global username and password and enables the password for all access points that are currently joined to the device and any access points that join the device in the future. In the command, the parameter 0 specifies that an unencrypted password will follow and 8 specifies that an AES encrypted password will follow. |
||
| Step 4 |
end Example: |
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
||
| Step 5 |
ap name Cisco_AP mgmtuser username user_name password password secret secret Example: |
Overrides the global credentials for a specific access point and assigns a unique username and password and enables password to this access point.
|
||
| Step 6 |
show ap summary Example: |
Displays a summary of all connected Cisco APs. |
||
| Step 7 |
show ap name Cisco_AP config general Example: |
Displays the global credentials configuration for a specific access point.
|
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
enable Example: |
Enters privileged EXEC mode. |
||
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
| Step 3 |
ap dot1x username user_name_value password 0 password_value Example: |
Configures the global authentication username and password for all access points that are currently joined to the device and any access points that join the device in the future. This command contains the following keywords and arguments:
|
||
| Step 4 |
end Example: |
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
||
| Step 5 |
ap name Cisco_AP dot1x-user username username_value password password_value Example: |
Overrides the global authentication settings and assigns a unique username and password to a specific access point. This command contains the following keywords and arguments:
The authentication settings that you enter in this command are retained across device and access point reboots and whenever the access point joins a new device. |
||
| Step 6 |
configure terminal Example: |
Enters global configuration mode. |
||
| Step 7 |
no ap dot1x username user_name_value password 0 password_value Example: |
Disables 802.1X authentication for all access points or for a specific access point.
|
||
| Step 8 |
end Example: |
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
||
| Step 9 |
show ap summary Example: |
Displays the authentication settings for all access points that join the device.
|
||
| Step 10 |
show ap name Cisco_AP config general Example: |
Displays the authentication settings for a specific access point.
|
 Note |
The procedure to perform this task using the device GUI is not currently available. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enters privileged EXEC mode. |
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
dot1x system-auth-control Example: |
Enables system authentication control. |
| Step 4 |
aaa new-model Example: |
Enables new access control commands and functions. |
| Step 5 |
aaa authentication dot1x default group radius Example: |
Sets the default authentications lists for IEEE 802.1X by using all the radius hosts in a server group. |
| Step 6 |
radius-server host host_ip_adress acct-port port_number auth-port port_number key 0 unencryptied_server_key Example: |
Sets a clear text encryption key for the RADIUS authentication server. |
| Step 7 |
interface TenGigabitEthernet1/0/1 Example: |
Sets the 10-Gigbit Ethernet interface. The command prompt changes from Controller(config)# to Controller(config-if)#. |
| Step 8 |
switch mode access Example: |
Sets the unconditional truncking mode access to the interface. |
| Step 9 |
dot1x pae authenticator Example: |
Sets the 802.1X interface PAE type as the authenticator. |
| Step 10 |
end Example: |
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
This example shows how to display the authentication settings for all access points that join the device:
Device# show ap summary
Number of APs.................................... 1
Global AP User Name.............................. globalap
Global AP Dot1x User Name........................ globalDot1xThis example shows how to display the authentication settings for a specific access point:
Device# show ap name AP02 config dot11 24ghz general
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... TSIM_AP2
...
AP Dot1x User Mode............................... AUTOMATIC
AP Dot1x User Name............................... globalDot1x
Feedback