- Securing User Services Overview
- Autosecure
-
-
-
- Configuring RADIUS
- AAA Dead-Server Detection
- ACL Default Direction
- Attribute Screening for Access Requests
- Enable Multilink PPP via RADIUS for Preauthentication User
- Enhanced Test Command
- Framed-Route in RADIUS Accounting
- Offload Server Accounting Enhancement
- Per VRF AAA
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Attribute Screening
- RADIUS Centralized Filter Management
- RADIUS Debug Enhancements
- RADIUS Logical Line ID
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Route Download
- RADIUS Support of 56-Bit Acct Session-Id
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Server Reorder on Failure
- Tunnel Authentication via RADIUS on Tunnel Terminator
-
-
-
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor Specific Attributes
- Local AAA Server
- Per-User QoS via AAA Policy Name
- RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
- RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
- RADIUS Attribute 82: Tunnel Assignment ID
- RADIUS Attribute 104
- RADIUS Progress Codes
- RADIUS Timeout Set During Pre-Authentication
- RADIUS Tunnel Attribute Extensions
- V.92 Reporting Using RADIUS Attribute v.92-info
-
- Cisco IOS Login Enhancements (Login Block)
- Cisco IOS Resilient Configuration
- Image Verification
- IP Source Tracker
- Role-Based CLI Access
- Finding Feature Information
- Contents
- Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
- Information About Configuring Remote Site IEEE 802.1x Local Authentication Service
- How to Configure Remote Site IEEE 802.1X Local Authentication Service
- Configuring the Local Authentication Server
- Configuring User Groups on the Local Authentication Server
- Creating the User List on the Local Authentication Server
- Saving the Configuration on the Local Authentication Server
- Configuring Access Points or Routers to Use the Local Authentication Server
- Verifying the Configuration for Local Authentication Service
- Monitoring and Maintaining 802.1X Local Authentication Service
- Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
- Additional References
- Feature Information for Remote Site IEEE 802.1X Local Authentication Service
Remote Site IEEE 802.1X Local Authentication Service
The Remote Site IEEE 802.1X Local Authentication Service feature provides the ability to configure an access point or wireless-aware router to act as a local RADIUS server. Configuring local authentication service provides a backup authentication service in the event of a WAN link or server failure.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Remote Site IEEE 802.1X Local Authentication Service" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
•Information About Configuring Remote Site IEEE 802.1x Local Authentication Service
•How to Configure Remote Site IEEE 802.1X Local Authentication Service
•Monitoring and Maintaining 802.1X Local Authentication Service
•Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
•Feature Information for Remote Site IEEE 802.1X Local Authentication Service
Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
The following are restrictions of the local authentication service feature:
•The local authentication server does not synchronize its database with the main RADIUS servers. It is necessary to manually configure the local authentication server with client usernames and passwords.
•LEAP is the only supported authentication protocol.
•Although multiple local authentication servers can exist on one network, only one authentication server can be configured on any single device.
Information About Configuring Remote Site IEEE 802.1x Local Authentication Service
On typical wireless LANs that use 802.1X authentication, access points and wireless-aware routers rely on remote site RADIUS servers to authenticate client devices. This authentication traffic must cross a WAN link. If the WAN link fails, or if the access points and routers cannot reach the RADIUS servers, then the client devices cannot access the wireless network even if their requirements for access are strictly local.
To provide for local authentication service or backup authentication service in the event of a WAN link or server failure, you can configure an access point or wireless-aware router to act as a local RADIUS server. The access point or wireless-aware router can authenticate Light Extensible Authentication Protocol (LEAP)-enabled wireless client devices and allow them to join your network.
Because the local authentication device does not synchronize its database with the main RADIUS servers. You must configure the local authentication server with client usernames and passwords. The local authentication server also permits you to specify a VLAN and a list of service set identifiers (SSIDs) that a client is allowed to use.
Follow these guidelines when you configure an access point or wireless-aware router as a local authentication server:
•To prevent performance degradation, configure local authentication service on an access point or a wireless-aware router that does not have a high CPU load.
•Physically secure the access point or router to protect its configuration.
Table 1 shows the maximum number of clients that can be configured on a local authentication server.
Note Users that are associated to the local authentication server might notice a drop in performance during authentication of client devices. However, if your wireless LAN contains only one access point, you can configure that device as both the 802.1X authenticator and the local authentication server.
You configure access points and routers to use the local authentication server when they cannot reach the main servers or when a RADIUS server is not available.
The access points and wireless-aware routers stop using the local authentication server automatically when the link to the main servers is restored.
If your local authentication server also serves client devices, you must enter the local authentication server access point or router as a network access server (NAS). When a LEAP client associates to the local authentication server access point, the access point uses itself to authenticate the client.
The access point or wireless-aware router that you use as an authentication server contains detailed authentication information about your wireless LAN, so you should secure it physically to protect its configuration.
How to Configure Remote Site IEEE 802.1X Local Authentication Service
This section contains the following procedures:
•Configuring the Local Authentication Server (required)
•Configuring User Groups on the Local Authentication Server (optional)
•Creating the User List on the Local Authentication Server (required)
•Saving the Configuration on the Local Authentication Server (optional)
•Configuring Access Points or Routers to Use the Local Authentication Server (required)
Configuring the Local Authentication Server
Perform this task to configure the access point as a local authentication server.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. radius-server local
5. nas ip-address key shared-key
DETAILED STEPS
Configuring User Groups on the Local Authentication Server
Perform this optional task (beginning in local RADIUS server configuration mode) to configure user groups on the local authentication server.
Note If you do not wish to configure user groups on the local authentication server, skip this task and go to the "Creating the User List on the Local Authentication Server" section.
SUMMARY STEPS
1. group group-name
2. vlan vlan
3. ssid ssid
4. reauthentication time seconds
5. block count count time {seconds | infinite}
6. exit
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Router(config-radsrv)# group group-name |
Enters user group configuration mode and configures a user group to which you can assign shared settings. |
Step 2 |
Router(config-radsrv-group)# vlan vlan |
(Optional) Specifies a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group. |
Step 3 |
Router(config-radsrv-group)# ssid ssid |
(Optional) Enters up to 20 service set identifiers (SSIDs) to limit members of the user group to those SSIDs. The access point checks whether the client's SSID matches an SSID in the list. If the SSID does not match, the client is disassociated. |
Step 4 |
Router(config-radsrv-group)# reauthentication time seconds |
(Optional) Configures the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate. |
Step 5 |
Router(config-radsrv-group)# block |
(Optional) To help protect against password-guessing attacks, you can lock out group members for a length of time after a set number of incorrect passwords. • • |
Step 6 |
Router(config-radsrv-group)# exit |
Returns to authenticator configuration mode. |
Unblocking Usernames
You can unblock usernames before the lockout time expires or when the lockout time is set to infinite. To unblock a locked username, enter the following command in privileged EXEC mode on the local authentication server.
Router# clear radius local-server user username
Creating the User List on the Local Authentication Server
Perform the required task described in the following paragraphs to create a user list on the local authentication server and to configure the users that are allowed to authenticate using the local authentication server.
Note If you do not wish to configure users on the local authentication server, skip this task and go to the "Saving the Configuration on the Local Authentication Server" section.
You must enter a username and password for each user. If you know only the NT hash value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.
To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.
Beginning in local RADIUS server configuration mode, enter the user command for each username:
Router(config-radsrv)# user username {password | nthash} password [group group-name]
Saving the Configuration on the Local Authentication Server
Perform this optional task to save the current configuration.
SUMMARY STEPS
1. end
2. copy running-config startup-config
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Router(config-radsrv)# end |
Returns to privileged EXEC mode. |
Step 2 |
Router# copy running-config startup-config |
Saves your entries in the configuration file. |
Configuring Access Points or Routers to Use the Local Authentication Server
Perform this required task to add the local authentication server to the list of servers on the client access point or wireless-aware router.
Note If your local authentication server access point also serves client devices, you must configure the local authentication server to use itself to authenticate client devices.
On the wireless devices that use the local authentication server, use the radius-server host command in privileged EXEC mode to enter the local authentication server as a RADIUS server. The order in which the devices attempt to use the servers matches the order in which you enter the servers in the device configuration. If you are configuring the device to use a RADIUS server for the first time, enter the main RADIUS servers first, and enter the local authentication server last.
Note You must enter 1812 as the authentication port and 1813 as the accounting port. The local authentication server listens on User Datagram Protocol (UDP) port 1813 for RADIUS accounting packets. It discards the accounting packets but sends acknowledge packets back to the RADIUS clients to prevent the clients from reacting as though the server is down.
Use the radius-server deadtime command in global configuration mode to set an interval during which the access point or router does not attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying the next configured server. A server marked as dead is skipped by additional requests for the duration of minutes that you specify, up to 1440 (24 hours).
To remove the local authentication server from the access point or router configuration, use the no radius-server host command in global configuration mode.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
5. aaa group server {radius | tacacs+} group-name
6. server ip-address auth-port 1812 acct-port 1813
7. aaa authentication login named-authentication-list
8. end
9. show running-config
10. copy running-config startup-config
DETAILED STEPS
Verifying the Configuration for Local Authentication Service
Use the show running-config command in global configuration mode to verify the current configuration for local authentication service.
SUMMARY STEPS
1. enable
2. show running-config
|
|
|
|
|---|---|---|
Step 1 |
Router> enable |
Enables privileged EXEC mode. |
Step 2 |
Router# show running-config |
Displays the current access point operating configuration |
DETAILED STEPS
Monitoring and Maintaining 802.1X Local Authentication Service
To view statistics collected by the local authentication server, enter the following command in privileged EXEC mode:
Router# show radius local-server statistics
To reset local authentication server statistics to zero, enter the following command in privileged EXEC mode:
Router# clear radius local-server statistics
Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
This section provides the following configuration examples:
•Setting Up a Local Authentication Server: Example
•Setting Up Two Main Servers and a Local Authentication Server: Example
•Displaying Local Authentication Server Configuration: Example
•Displaying Local Authentication Server Statistics: Example
Setting Up a Local Authentication Server: Example
This example shows how to set up a local authentication server used by three access points with three user groups and several users:
AP# configure terminal
AP(config)# aaa new-model
AP(config)# aaa group server radius RADIUS_SERVER_GROUP
AP(config-sg-radius)# server 10.0.0.1 auth-port 1812 acct-port 1813
AP(config)# aaa authentication login RADIUS_METHOD_LIST
AP(config)# radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 110337
AP(config)# radius-server local
AP(config-radsrv)# nas 10.91.6.159 key 110337
AP(config-radsrv)# nas 10.91.6.162 key 110337
AP(config-radsrv)# nas 10.91.6.181 key 110337
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 87
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# ssid robin
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# block count 2 time 600
AP(config-radsrv-group)# group cashiers
AP(config-radsrv-group)# vlan 97
AP(config-radsrv-group)# ssid deer
AP(config-radsrv-group)# ssid antelope
AP(config-radsrv-group)# ssid elk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# block count 2 time 600
AP(config-radsrv-group)# group managers
AP(config-radsrv-group)# vlan 77
AP(config-radsrv-group)# ssid mouse
AP(config-radsrv-group)# ssid chipmunk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# block count 2 time 600
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# user stpatrick password snake100 group clerks
AP(config-radsrv)# user nick password uptown group clerks
AP(config-radsrv)# user sam password rover32 group cashiers
AP(config-radsrv)# user patsy password crowder group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end
Setting Up Two Main Servers and a Local Authentication Server: Example
This example shows how to set up two main servers and a local authentication server with a server deadtime of 10 minutes:
Router(config)# aaa new-model
Router(config)# aaa group server radius RADIUS_SERVER_GROUP
Router(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
Router(config-sg-radius)# server 172.10.0.1 auth-port 1645 acct-port 1646
Router(config-sg-radius)# server 10.91.6.151 auth-port 1812 acct-port 1813
Router(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
Router(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
Router(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
Router(config)# radius-server deadtime 10
In this example, if the WAN link to the main servers fails, the access point or wireless-aware router completes these steps when a LEAP-enabled client device associates:
1. It tries the first server, times out multiple times, and marks the first server as dead.
2. It tries the second server, times out multiple times, and marks the second server as dead.
3. It tries and succeeds using the local authentication server.
If another client device needs to authenticate during the 10-minute deadtime interval, the access point skips the first two servers and tries the local authentication server first. After the deadtime interval, the access point tries to use the main servers for authentication. When setting a deadtime, you must balance the need to skip dead servers with the need to check the WAN link and begin using the main servers again as soon as possible.
Each time an access point or wireless-aware router tries to use the main servers while they are down, the client device that is trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point or wireless-aware router tries the local authentication server. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.
Displaying Local Authentication Server Configuration: Example
The following is sample output for configuration of a local authentication server on the Cisco 2621 router.
2621-1# show run
Building configuration...
Current configuration : 2954 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2621-1
!
!
aaa new-model
!
!
aaa group server radius RADIUS_LEAP_GROUP
server 10.0.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login AUTH_LEAP group RADIUS_LEAP_GROUP
aaa session-id common
ip subnet-zero
!
!
ip dhcp pool 2621-dhcp-pool
network 10.0.0.0 255.0.0.0
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/1
switchport mode trunk
no ip address
!
interface FastEthernet1/2
no ip address
shutdown
!
interface FastEthernet1/3
no ip address
shutdown
!
interface FastEthernet1/4
no ip address
shutdown
!
interface FastEthernet1/5
no ip address
!
!
interface GigabitEthernet1/0
no ip address
shutdown
!
interface Vlan1
ip address 10.0.0.1 255.0.0.0
!
ip classless
!
ip http server
no ip http secure-server
!
!
!
radius-server local
nas 10.0.0.1 key 0 cisco
user ap-1 nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
user ap-5 nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
user user1 nthash 7 1350344A5B5C227B78057B10107A452232515402097C77002B544B45087D0E7200
!
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813
radius-server key cisco
!
wlccp authentication-server infrastructure AUTH_LEAP
wlccp authentication-server client leap AUTH_LEAP
wlccp wds priority 255 interface Vlan1
!
line con 0
line aux 0
line vty 0 4
!
!
!
end
Displaying Local Authentication Server Statistics: Example
The following is sample output for configuration for the show radius local-server statistics command:
router-2621-1# show radius local-server statistics
Successes : 11262 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 8
Unknown NAS : 0 Invalid packet from NAS: 0
NAS : 10.0.0.1
Successes : 11262 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 8
Corrupted packet : 0 Unknown RADIUS message : 0
No username attribute : 0 Missing auth attribute : 0
Shared key mismatch : 0 Invalid state attribute: 0
Unknown EAP message : 0 Unknown EAP auth type : 0
Maximum number of configurable users: 50, current user count: 11
Username Successes Failures Blocks
vayu-ap-1 2235 0 0
vayu-ap-2 2235 0 0
vayu-ap-3 2246 0 0
vayu-ap-4 2247 0 0
vayu-ap-5 2247 0 0
vayu-11 3 0 0
vayu-12 5 0 0
vayu-13 5 0 0
vayu-14 30 0 0
vayu-15 3 0 0
scm-test 1 8 0
router-2621-1#
The first section shows cumulative statistics from the local authentication server. The second section shows statistics for each access point (NAS) that is authorized to use the local authentication server. The third section shows statistics for individual users. If a user is blocked and the lockout time is set to infinite, Blocked appears at the end of the line of statistics for that user. If the lockout time is not set to infinite, Unblocked in x seconds appears at the end of the statistics line for that user.
Additional References
Related Documents
|
|
|
|---|---|
Comprehensive set of software configuration commands |
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points |
Configuration commands for wireless roaming |
MIBs
|
|
|
|---|---|
Non. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Feature Information for Remote Site IEEE 802.1X Local Authentication Service
Table 2 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 2 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2003-2011 Cisco Systems, Inc. All rights reserved.
Feedback