The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Local authentication using Lightweight Directory Access Protocol (LDAP) allows an endpoint to be authenticated using 802.1X, MAC authentication bypass (MAB), or web authentication with LDAP as a backend. Local authentication in Identity-Based Networking Services also supports associating an authentication, authorization, and accounting (AAA) attribute list with the local username. This module provides information about configuring local authentication for Identity-Based Networking Services.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Local Authentication Using LDAP
Local authentication using LDAP allows an endpoint to be authenticated using 802.1X, MAB, or web authentication with LDAP as a backend. Local authentication also supports additional AAA attributes by associating an attribute list with a local username for wireless sessions.
The Advanced Encryption Standard (AES) key wrap feature makes the shared secret between the controller and the RADIUS server more secure. AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server.
How to Configure Local Authentication Using LDAP
Perform this task to specify the AAA method list for local authentication and to associate an attribute list with a local username.
1. enable
2. configure terminal
3. aaa new-model
4. aaa local authentication {method-list-name | default} authorization {method-list-name | default}
5. username name aaa attribute list aaa-attribute-list [password password]
6. exit
Perform this task to set the RADIUS compatibility mode, the MAC delimiter, and the MAC address as the username to support MAC filtering.
1. enable
2. configure terminal
3. aaa new-model
4. aaa group server radius group-name
5. subscriber mac-filtering security-mode {mac | none | shared-secret}
6. mac-delimiter {colon | hyphen | none | single-hyphen}
7. exit
8. username mac-address mac [aaa attribute list aaa-attribute-list]
9. exit
Advanced Encryption Standard (AES) key wrap makes the shared secret between the controller and the RADIUS server more secure. AES key wrap requires a key-wrap compliant RADIUS authentication server.
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}]
4. aaa new-model
5. aaa group server radius group-name
6. server ip-address [auth-port port-number] [acct-port port-number]
7. key-wrap enable
8. end
Configuration Examples for Local Authentication Using LDAP
The following example shows a configuration for local authentication. The 0 in password 0 CISCO indicates that the password is entered unencrypted; the username is then associated with the AAA attribute list LOCAL_LIST, and the method list EAP_LIST is used for both local authentication and authorization:

!
username USER_1 password 0 CISCO
username USER_1 aaa attribute list LOCAL_LIST
aaa new-model
aaa local authentication EAP_LIST authorization EAP_LIST
!
The following example shows a configuration for MAC filtering. The username is the endpoint's MAC address (a placeholder value here) written in the format selected by the mac-delimiter command, in this case hyphen-separated octets:

username 00-22-AB-EC-23-3C mac aaa attribute list AAA_list1
!
aaa new-model
aaa group server radius RAD_GROUP1
 subscriber mac-filtering security-mode mac
 mac-delimiter hyphen
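As an added check for the MAC filtering procedure and the example above (this script is not part of the original Cisco documentation), the following Python code renders a MAC address in the username form each mac-delimiter option produces and audits every username ... mac line in a configuration against the configured delimiter. The colon, hyphen and none forms follow the mac-delimiter syntax listed in the procedure; the single-hyphen form (two six-digit halves) is an assumption, and the sample configurations embedded in the script are constructed for this example, including one with a mistyped octet ('WP') that is not valid hex.

```python
import re

# Username form produced by each option of the IOS "mac-delimiter" command.
# colon / hyphen / none follow the command syntax in the procedure above;
# "single-hyphen" is assumed here to mean two six-digit halves (aabbcc-ddeeff).
DELIMITERS = {
    "colon": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "hyphen": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "none": lambda h: h,
    "single-hyphen": lambda h: f"{h[:6]}-{h[6:]}",
}


def normalize_mac(text: str) -> str:
    """Strip separators and return the 12 lowercase hex digits of a MAC address.

    Raises ValueError for anything that is not a MAC, such as an octet 'WP'.
    """
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a valid MAC address: {text!r}")
    return digits


def mac_username(mac: str, delimiter: str) -> str:
    """Render a MAC as the username the switch derives under the given mac-delimiter."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unknown mac-delimiter option: {delimiter!r}")
    return DELIMITERS[delimiter](normalize_mac(mac))


def audit_mac_usernames(config: str) -> list[str]:
    """Check each 'username <mac> mac ...' line against the configured mac-delimiter.

    Returns a list of findings; an empty list means every MAC username is a
    valid address written in the delimiter form the switch will look up.
    """
    findings = []
    delimiter = None
    m = re.search(r"^\s*mac-delimiter\s+(\S+)", config, re.MULTILINE)
    if m is None:
        findings.append("no mac-delimiter configured; username format cannot be verified")
    elif m.group(1) not in DELIMITERS:
        findings.append(f"unknown mac-delimiter option {m.group(1)!r}")
    else:
        delimiter = m.group(1)

    for u in re.finditer(r"^\s*username\s+(\S+)\s+mac\b", config, re.MULTILINE):
        name = u.group(1)
        try:
            digits = normalize_mac(name)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if delimiter is not None:
            expected = mac_username(digits, delimiter)
            if name.lower() != expected:
                findings.append(
                    f"{name}: does not match mac-delimiter {delimiter} (expected {expected})"
                )
    return findings


# Constructed sample configurations (not from the original documentation).
# The first carries a mistyped octet ('WP'); the second is the corrected form.
SAMPLE_BAD = """\
username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
!
aaa new-model
aaa group server radius RAD_GROUP1
 subscriber mac-filtering security-mode mac
 mac-delimiter hyphen
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("00-22-WP-EC-23-3C", "00-22-AB-EC-23-3C")

if __name__ == "__main__":
    for option in DELIMITERS:
        print(f"{option:14} {mac_username('00:22:AB:EC:23:3C', option)}")
    print("bad config :", audit_mac_usernames(SAMPLE_BAD))
    print("good config:", audit_mac_usernames(SAMPLE_GOOD))
```

Run it against a saved running-config to catch the two mistakes that silently break MAB lookups: a username that is not a real MAC, and a username written with a different delimiter than the one the switch uses when it builds the lookup name.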
The following example shows a configuration with key wrap enabled for a RADIUS server. The key-wrap encryption-key and message-auth-code-key values that step 3 of the procedure places on the radius-server host line are omitted from the host line in this example and must be present for key wrap to be used with that server:

aaa new-model
aaa group server radius RAD_GROUP1
 server 10.10.1.2
 key-wrap enable
!
radius-server host 10.10.1.2
!
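As an added check for the AES key wrap procedure and the example above (not part of the original Cisco documentation), the script below parses an IOS-style configuration and, for every aaa group server radius block that contains key-wrap enable, confirms that each server the group lists has a radius-server host line carrying both the key-wrap encryption-key and the message-auth-code-key, since the procedure configures those keys on the host before key wrap is enabled in the group. It also flags a missing aaa new-model. The configuration text, server addresses and key values embedded in it are constructed for this example.

```python
import re

# 'radius-server host <addr> ... key-wrap encryption-key ... message-auth-code-key ...'
# as laid out in step 3 of the key wrap procedure above.
KEYWRAP_HOST = re.compile(
    r"^radius-server host (\S+).*\bkey-wrap\b.*\bencryption-key\b.*\bmessage-auth-code-key\b"
)


def parse_ios_blocks(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split an IOS running-config into top-level lines and their indented children.

    Returns (top_level_lines, {parent_line: [child lines]}); one nesting level is
    enough for the 'aaa group server radius' blocks audited here. A '!' or blank
    line ends the current block, as it does in IOS output.
    """
    top, blocks, parent = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            parent = None
            continue
        if raw.startswith(" ") and parent is not None:
            blocks.setdefault(parent, []).append(stripped)
        else:
            parent = stripped
            top.append(stripped)
    return top, blocks


def audit_key_wrap(config: str) -> list[str]:
    """Return findings for RADIUS server groups that enable key wrap without host keys."""
    top, blocks = parse_ios_blocks(config)
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: required before aaa group server radius")

    # Hosts whose radius-server host line carries both key-wrap keys.
    keyed_hosts = set()
    for line in top:
        m = KEYWRAP_HOST.match(line)
        if m:
            keyed_hosts.add(m.group(1))

    for parent, children in blocks.items():
        if not parent.startswith("aaa group server radius "):
            continue
        group = parent.split()[-1]
        if "key-wrap enable" not in children:
            continue
        # 'server <ip-address> [auth-port n] [acct-port n]' as in step 6 above.
        servers = [c.split()[1] for c in children if c.startswith("server ")]
        if not servers:
            findings.append(f"{group}: key-wrap enable but the group lists no server")
        for addr in servers:
            if addr not in keyed_hosts:
                findings.append(
                    f"{group}: key-wrap enable but radius-server host {addr} "
                    "has no key-wrap encryption-key/message-auth-code-key"
                )
    return findings


# Constructed configuration (not from the original documentation). RAD_GROUP1 is
# paired with a host that carries both keys; RAD_GROUP2 enables key wrap against
# a host line that has no key-wrap keys at all. Key values are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server radius RAD_GROUP1
 server 10.10.1.2
 key-wrap enable
!
aaa group server radius RAD_GROUP2
 server 10.10.1.3 auth-port 1812 acct-port 1813
 key-wrap enable
!
radius-server host 10.10.1.2 key-wrap encryption-key 0123456789ABCDEF message-auth-code-key 0123456789ABCDEFGHIJ format ascii
radius-server host 10.10.1.3
!
"""

if __name__ == "__main__":
    for finding in audit_key_wrap(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The parser treats a leading space as "child of the preceding top-level line", which is how IOS prints a running-config; feed it the output of show running-config rather than a hand-flattened copy, since the example text on this page has lost that indentation.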
Related Topic | Document Title
---|---
Cisco IOS commands | 
Identity-Based Networking Services commands | Cisco IOS Identity-Based Networking Services Command Reference
Address Resolution Protocol (ARP) commands | 
ARP configuration tasks | IP Addressing - ARP Configuration Guide
Authentication, authorization, and accounting (AAA) configuration tasks | Authentication Authorization and Accounting Configuration Guide
AAA commands | Cisco IOS Security Command Reference
Standard/RFC | Title
---|---
RFC 5176 | Dynamic Authorization Extensions to RADIUS
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | 
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
Local Authentication Using LDAP | Cisco IOS XE Release 3.2SE | Introduces support for local authentication using Lightweight Directory Access Protocol (LDAP). The following commands were introduced or modified: aaa local authentication, key-wrap enable, mac-delimiter, radius-server host, subscriber mac-filtering security-mode, username.