Table Of Contents
Configuring RADIUS or a Local Authenticator in a Wireless LAN
Prerequisites for Configuring RADIUS or a Local Authenticator in a Wireless LAN
Information About Configuring RADIUS or a Local Authenticator in a Wireless LAN
Network Environments Recommended to Use RADIUS for Access Security in a Wireless LAN
RADIUS Operation in a Wireless LAN
Local Authentication in a Wireless LAN
Configuration Overview for a Local Authenticator in a Wireless LAN
How to Configure RADIUS or a Local Authenticator in a Wireless LAN
How to Configure RADIUS in a Wireless LAN
Identifying the RADIUS Server Host in a Wireless LAN
Configuring RADIUS Login Authentication for a Wireless LAN
Defining and Associating a AAA Server Group to a RADIUS Server
Enabling RADIUS Accounting for a Wireless LAN
Configuring Global Communication Settings Between an Access Point and a RADIUS Server
Configuring the Access Point to Recognize and Use Vendor-Specific Attributes
Configuring a Vendor-Proprietary RADIUS Server Host
How to Configure a Local Authenticator in a Wireless LAN
Configuring Local or Backup Authentication Service
Configuration Examples for a RADIUS Server or a Local Authenticator in a Wireless LAN
Configuring a Local Authenticator in a Wireless LAN: Example
Feature Information for Configuring RADIUS or a Local Authenticator in a Wireless LAN
Configuring RADIUS or a Local Authenticator in a Wireless LAN
This module describes how to enable and configure RADIUS in a wireless LAN (WLAN), which is a protocol that provides detailed accounting information and flexible administrative control over the authentication and authorization processes. RADIUS is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands.
This module also describes how to configure a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access point or AP, as a local authenticator. The AP can serve as a standalone authenticator for a small wireless LAN or provide backup authentication service. As a local authenticator, an AP performs Lightweight Extensible Authentication Protocol (LEAP) and MAC-based authentication for up to 50 client devices.
You can configure your APs to use the local authenticator when they cannot reach the main servers, or you can configure your APs to use the local authenticator or as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the APs periodically check the link to the main servers and stop using the local authenticator automatically when the link to the main servers is restored.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Configuring RADIUS or a Local Authenticator in a Wireless LAN" section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Configuring RADIUS or a Local Authenticator in a Wireless LAN
•
•
•
•
Prerequisites for Configuring RADIUS or a Local Authenticator in a Wireless LAN
The following prerequisites apply to configuring RADIUS or a local authenticator in a wireless LAN:
•
•
Information About Configuring RADIUS or a Local Authenticator in a Wireless LAN
Before you configure a RADIUS server or local authenticator in a wireless LAN, you should understand the following concepts:
•
•
•
•
Network Environments Recommended to Use RADIUS for Access Security in a Wireless LAN
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more information, refer to the RADIUS server documentation.
Use RADIUS in these network environments, which require access security:
•
•
•
•
RADIUS Operation in a Wireless LAN
When a wireless user attempts to log in and authenticate to an AP whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 8.
Figure 8 Sequence for EAP Authentication
In Steps 1 through 9 in Figure 8, a wireless client device and a RADIUS server on the wired LAN use 802.1x and Extensible Authentication Protocol (EAP) to perform a mutual authentication through the AP. The RADIUS server sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, and the client authenticates the RADIUS server.
When mutual authentication is complete, the RADIUS server and the client determine a Wired Equivalent Privacy (WEP) key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the login session.
During the login session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the AP. The AP encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and AP activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.
There is more than one type of EAP authentication, but the AP behaves the same way for each type: It relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the "Separating a Wireless Network by Configuring Multiple SSIDs" section in the "Securing a Wireless LAN" module for instructions on setting up client authentication using a RADIUS server.
Local Authentication in a Wireless LAN
To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an AP to act as a local authentication server. The AP can authenticate clients using LEAP or MAC-based authentication.
The Cisco 800, 1800, 1841, and 2801 series APs can locally authenticate up to 50 clients, the Cisco 2811 and 2821 APs can authenticate up to 100 clients, the Cisco 2851 AP can authenticate up to 200 clients, the Cisco 3825 AP can authenticate up to 500 clients, and the Cisco 3845 AP can locally authenticate up to 1000 clients. The AP performs up to 5 authentications per second.
Small wireless LANs that do not have access to a RADIUS server could be made more secure with 802.1x authentication. Also, on wireless LANs that use 802.1x authentication, the APs rely on RADIUS servers housed at a distant location to authenticate client devices and the authentication traffic must cross a WAN link. If the WAN link fails or the APs cannot access the RADIUS servers for any other reason, client devices cannot access the wireless network even if the work they want to do is entirely local and typically authorized.
Configuration of authentication on a local authenticator must be done manually with client usernames and passwords. The local authenticatior does not synchronize its database with the RADIUS servers. Also, a VLAN and a list of SSIDs that a client is allowed to use can be configured.
Note
You can configure your APs to use the local authenticator when they cannot reach the main servers, or you can configure your APs to use the local authenticator or as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the APs periodically check the link to the main servers and stop using the local authenticator automatically when the link to the main servers is restored.
Note
Configuration Overview for a Local Authenticator in a Wireless LAN
These are the typical steps you will follow to set up a local authenticator. The task is fully described in the "Configuring Local or Backup Authentication Service" section.
1.
2.
3.
You do not have to specify which type of authentication you want the local authenticator to perform. It automatically performs LEAP or MAC-address authentication for the users in its user database.
4.
How to Configure RADIUS or a Local Authenticator in a Wireless LAN
This section describes how to configure RADIUS or a local authenticator in a wireless LAN.
How to Configure RADIUS in a Wireless LAN
This section describes how to configure RADIUS in a wireless LAN.
At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
Method List Overview
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
This section contains the following tasks:
•
•
•
•
•
•
•
Identifying the RADIUS Server Host in a Wireless LAN
Perform this task to identify the RADIUS server host in a wireless LAN.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the AP and the key string to be shared by both the server and the AP. For more information, refer to your RADIUS server documentation.
RADIUS Security Server Identification and Encryption
You identify RADIUS security servers by their hostname or IP address, hostname and specific User Datagram Protocol (UDP) port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—such as accounting—the second host entry configured acts as a failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the AP tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the AP use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the AP.
The timeout, retransmission, and encryption key values can be configured globally per server for all RADIUS servers or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the AP, use the radius-server timeout, radius-server retransmit, and radius-server key commands, respectively. To apply these values on a specific RADIUS server, use the radius-server host command.
Note
RADIUS and AAA are disabled by default.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
What to Do Next
After you identify the RADIUS host, configure RADIUS login authentication. See the "Configuring RADIUS Login Authentication for a Wireless LAN" section.
You can configure the AP to use AAA server groups to group existing server hosts for authentication by completing the optional task in the "Defining and Associating a AAA Server Group to a RADIUS Server" section.
Configuring RADIUS Login Authentication for a Wireless LAN
Perform this task to configure RADIUS login authentication for a wireless LAN.
Authentication Method List Overview
To configure RADIUS authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
aaa new-model
Example:Router(config)# aaa new-model
Enables AAA.
Step 4
aaa authentication login {default | list-name} method1 [method2...]
Example:Router(config)# aaa authentication login default local
Creates a login authentication method list.
•
•
Select one of these methods:
•
•
•
Step 5
line [console | tty | vty] line-number [ending-line-number]
Example:Router(config)# line 10
Configures the lines to which you want to apply the authentication list, and enters line configuration mode.
Step 6
login authentication {default | list-name}
Example:Router(config-line)# login authentication default
Applies the authentication list to a line or set of lines.
•
•
Step 7
radius-server attribute 32 include-in-access-req format %h
Example:Router(config-line)# radius-server attribute 32 include-in-access-req format %h
Configures the AP to send its system name in the NAS_ID attribute for authentication.
Step 8
end
Example:Router(config-line)# end
Returns to privileged EXEC mode.
Step 9
copy running-config startup-config
Example:Router# copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Defining and Associating a AAA Server Group to a RADIUS Server
Perform this task to define a AAA server group and associate a particular RADIUS server with that server group.
Benefits of AAA Server Groups
You can configure the AP to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a failover backup to the first one.
You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Enabling RADIUS Accounting for a Wireless LAN
Perform this task to enable RADIUS accounting for each Cisco IOS privilege level and for network services.
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the AP reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuring Global Communication Settings Between an Access Point and a RADIUS Server
Perform this task to configure global communication settings between an AP and a RADIUS server.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuring the Access Point to Recognize and Use Vendor-Specific Attributes
Perform this task to configure the AP to recognize and use vendor-specific attributes (VSAs).
Vendor-Specific Attributes Use on Access Points
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the AP and the RADIUS server by using the vendor-specific attribute (attribute 26). A VSA allows a vendor to support its own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco's vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features to be used for RADIUS.
For example, the following AV pair activates Cisco's Multiple Named IP Address Pools feature during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"The following example shows how to provide a user logging in from an AP with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, refer to RFC 2138, Remote Authentication Dial-In User Service (RADIUS).
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring a Vendor-Proprietary RADIUS Server Host
Perform this task to configure a vendor-proprietary RADIUS server host and a shared secret text string.
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the AP and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
To configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the AP. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
How to Configure a Local Authenticator in a Wireless LAN
This section describes how to configure an access point in a wireless LAN as a local authenticator.
This section contains the following task:
•
Configuring Local or Backup Authentication Service
Perform this task to configure local or backup authentication service.
You can configure your APs to use a local authenticator when they cannot reach the main servers, or you can configure your APs to use the local authenticator or as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the APs periodically check the link to the main servers and stop using the local authenticator automatically when the link to the main servers is restored.
When you configure an AP as a local authenticator, use an AP that does not serve a large number of client devices. When the AP acts as an authenticator, performance might degrade for associated client devices. Also, the AP you use as an authenticator contains detailed authentication information for your wireless LAN. Physically secure it to protect its configuration.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPS
Configuration Examples for a RADIUS Server or a Local Authenticator in a Wireless LAN
This section contains the following example:
•
Configuring a Local Authenticator in a Wireless LAN: Example
The following example shows how to:
•
•
•
configure terminalradius-server localnas 10.91.6.159 key 110337nas 10.91.6.162 key 110337nas 10.91.6.181 key 110337group salesvlan 87ssid name1ssid name2reauthentication time 1800block count 2 time 600group marketingvlan 97ssid name3ssid name4ssid name5reauthentication time 1800block count 2 time 600group managersvlan 77ssid name6ssid name7reauthentication time 1800block count 2 time 600exit! The following three users will authenticate using their own passwords.user username1 password pwd1 group salesuser username2 password pwd2 group salesuser username3 password pwd3 group sales! These three users will authenticate using their MAC addresses.user 00095125d02b password 00095125d02b group marketing mac-auth-onlyuser 00095125d02b password 00095125d02b group sales mac-auth-onlyuser 00079431f04a password 00079431f04a group sales mac-auth-onlyuser username4 password 272165 group managersuser username5 password 383981 group managersendcopy running-config startup-configAdditional References
The following sections provide references related to configuring a RADIUS server or a local authenticator.
Related Documents
Standards
No new or modified standards are supported, and support for existing standards has not been modified.
—
MIBs
RFCs
No new or modified RFCs are supported, and support for existing RFCs has not been modified.
—
Technical Assistance
Feature Information for Configuring RADIUS or a Local Authenticator in a Wireless LAN
Table 5 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.4T or later appear in the table.
For information on a feature in this technology that is not documented here, see the "Cisco IOS Wireless LAN Features Roadmap" module.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 5 Feature Information for Configuring RADIUS or a Local Authenticator in a Wireless LAN
RADIUS Server per SSID
12.4T
This feature allows RADIUS servers to be specified on a per-SSID basis.
The following sections provide information about this feature:
•
•
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
© 2005-2007 Cisco Systems, Inc. All rights reserved.