Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.4(3g)JA & 12.3(8)JEB
Chapter 9 - Configuring an Access Point as a Local Authenticator
Downloads: This chapterpdf (PDF - 390.0KB) The complete bookPDF (PDF - 8.74MB) | Feedback

Configuring an Access Point as a Local Authenticator

Table Of Contents

Configuring an Access Point as a Local Authenticator

Understanding Local Authentication

Configuring a Local Authenticator

Guidelines for Local Authenticators

Configuration Overview

Configuring the Local Authenticator Access Point

Configuring Other Access Points to Use the Local Authenticator

Limiting the Local Authenticator to One Authentication Type

Unblocking Locked Usernames

Viewing Local Authenticator Statistics

Using Debug Messages


Configuring an Access Point as a Local Authenticator


This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs LEAP and MAC-based authentication for up to 50 client devices. This chapter contains these sections:

Understanding Local Authentication

Configuring a Local Authenticator

Understanding Local Authentication

Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link. If the WAN link fails, or if the access points cannot access the RADIUS servers for any reason, client devices cannot access the wireless network even if the work they wish to do is entirely local.

To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an access point to act as a local authentication server. The access point can authenticate up to 50 wireless client devices using LEAP or MAC-based authentication. The access point performs up to 5 authentications per second.

You configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with the main RADIUS servers. You can also specify a VLAN and a list of SSIDs that a client is allowed to use.


Note If your wireless LAN contains only one access point, you can configure the access point as both the 802.1x authenticator and the local authenticator. However, users associated to the local authenticator access point might notice a drop in performance when the access point authenticates client devices.


You can configure your access points to use the local authenticator when they cannot reach the main servers, or you can configure your access points to use the local authenticator or as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the access points periodically check the link to the main servers and stop using the local authenticator automatically when the link to the main servers is restored.


Caution The access point you use as an authenticator contains detailed authentication information for your wireless LAN, so you should secure it physically to protect its configuration.

Configuring a Local Authenticator

This section provides instructions for setting up an access point as a local authenticator and includes these sections:

Guidelines for Local Authenticators

Configuration Overview

Configuring the Local Authenticator Access Point

Configuring Other Access Points to Use the Local Authenticator

Unblocking Locked Usernames

Viewing Local Authenticator Statistics

Using Debug Messages

Guidelines for Local Authenticators

Follow these guidelines when configuring an access point as a local authenticator:

Use an access point that does not serve a large number of client devices. When the access point acts as an authenticator, performance might degrade for associated client devices.

Secure the access point physically to protect its configuration.

Configuration Overview

You complete four major steps when you set up a local authenticator:

1. On the local authenticator, create a list of access points authorized to use the authenticator to authenticate client devices. Each access point that uses the local authenticator is a network access server (NAS).


Note If your local authenticator access point also serves client devices, you must enter the local authenticator access point as a NAS. When a client associates to the local authenticator access point, the access point uses itself to authenticate the client.


2. On the local authenticator, create user groups and configure parameters to be applied to each group (optional).

3. On the local authenticator, create a list of up to 50 LEAP users or MAC addresses that the local authenticator is authorized to authenticate.


Note You do not have to specify which type of authentication that you want the local authenticator to perform. It automatically performs LEAP or MAC-address authentication for the users in its user database.


4. On the access points that use the local authenticator, enter the local authenticator as a RADIUS server.


Note If your local authenticator access point also serves client devices, you must enter the local authenticator as a RADIUS server in the local authenticator's configuration. When a client associates to the local authenticator access point, the access point uses itself to authenticate the client.


Configuring the Local Authenticator Access Point

Beginning in Privileged Exec mode, follow these steps to configure the access point as a local authenticator:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa new-model

Enable AAA.

Step 3 

radius-server local

Enable the access point as a local authenticator and enter configuration mode for the authenticator.

Step 4 

nas ip-address key shared-key

Add an access point to the list of units that use the local authenticator. Enter the access point's IP address and the shared key used to authenticate communication between the local authenticator and other access points. You must enter this shared key on the access points that use the local authenticator. If your local authenticator also serves client devices, you must enter the local authenticator access point as a NAS.

Note Leading spaces in the key string are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

Repeat this step to add each access point that uses the local authenticator.

Step 5 

group group-name

(Optional) Enter user group configuration mode and configure a user group to which you can assign shared settings.

Step 6 

vlan vlan

(Optional) Specify a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group.

Step 7 

ssid ssid

(Optional) Enter up to 20 SSIDs to limit members of the user group to those SSIDs. The access point checks that the SSID that the client used to associate matches one of the SSIDs in the list. If the SSID does not match, the client is disassociated.

Step 8 

reauthentication time seconds

(Optional) Enter the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate.

Step 9 

block count count
time { seconds | infinite }

(Optional) To help protect against password guessing attacks, you can lock out members of a user group for a length of time after a set number of incorrect passwords.

count—The number of failed passwords that triggers a lockout of the username.

time—The number of seconds the lockout should last. If you enter infinite, an administrator must manually unblock the locked username. See the "Unblocking Locked Usernames" section for instructions on unblocking client devices.

Step 10 

exit

Exit group configuration mode and return to authenticator configuration mode.

Step 11 

user username
{
password | nthash } password
[ group group-name ]
[
mac-auth-only]

Enter the LEAP users allowed to authenticate using the local authenticator. You must enter a username and password for each user. If you only know the NT value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.

To add a client device for MAC-based authentication, enter the client MAC address as both the username and password. Enter 12 hexadecimal digits without a dot or dash between the numbers as the username and the password. For example, for the MAC address 0009.5125.d02b, enter 00095125d02b as both the username and the password.

To limit the user to MAC authentication only, enter mac-auth-only.

To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.

Step 12 

end

Return to privileged EXEC mode.

Step 13 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to set up a local authenticator used by three access points with three user groups and several users:

AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 10.91.6.159 key 110337
AP(config-radsrv)# nas 10.91.6.162 key 110337
AP(config-radsrv)# nas 10.91.6.181 key 110337
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 87
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# ssid robin
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# block count 2 time 600
AP(config-radsrv-group)# group cashiers
AP(config-radsrv-group)# vlan 97
AP(config-radsrv-group)# ssid deer
AP(config-radsrv-group)# ssid antelope
AP(config-radsrv-group)# ssid elk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# block count 2 time 600
AP(config-radsrv-group)# group managers
AP(config-radsrv-group)# vlan 77
AP(config-radsrv-group)# ssid mouse
AP(config-radsrv-group)# ssid chipmunk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# block count 2 time 600
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# user stpatrick password snake100 group clerks
AP(config-radsrv)# user nick password uptown group clerks
AP(config-radsrv)# user 00095125d02b password 00095125d02b group clerks mac-auth-only
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end
 
   

Configuring Other Access Points to Use the Local Authenticator

You add the local authenticator to the list of servers on the access point the same way that you add other servers. For detailed instructions on setting up RADIUS servers on your access points, see Chapter 13 "Configuring RADIUS and TACACS+ Servers."


Note If your local authenticator access point also serves client devices, you must configure the local authenticator to use itself to authenticate client devices.


On the access points that use the local authenticator, use the radius-server host command to enter the local authenticator as a RADIUS server. The order in which the access point attempts to use the servers matches the order in which you enter the servers in the access point configuration. If you are configuring the access point to use RADIUS for the first time, enter the main RADIUS servers first, and enter the local authenticator last.


Note You must enter 1812 as the authentication port and 1813 as the accounting port. The local authenticator listens on UDP port 1813 for RADIUS accounting packets. It discards the accounting packets but sends acknowledge packets back to RADIUS clients to prevent clients from assuming that the server is down.


Use the radius-server deadtime command to set an interval during which the access point does not attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying the next configured server. A server marked as dead is skipped by additional requests for the duration of minutes that you specify, up to 1440 (24 hours).

This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes:

AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
AP(config)# radius-server deadtime 10
 
   

In this example, if the WAN link to the main servers fails, the access point completes these steps when a LEAP-enabled client device associates:

1. It tries the first server, times out multiple times, and marks the first server as dead.

2. It tries the second server, times out multiple times, and marks the second server as dead.

3. It tries and succeeds using the local authenticator.

If another client device needs to authenticate during the 10-minute dead-time interval, the access point skips the first two servers and tries the local authenticator first. After the dead-time interval, the access point tries to use the main servers for authentication. When setting a dead time, you must balance the need to skip dead servers with the need to check the WAN link and begin using the main servers again as soon as possible.

Each time the access point tries to use the main servers while they are down, the client device trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point tries the local authenticator. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.

To remove the local authenticator from the access point configuration, use the no radius-server host hostname | ip-address global configuration command.

Limiting the Local Authenticator to One Authentication Type

By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types. Use the no form of the authentication command to restrict the authenticator to an authentication type:

AP(config-radsrv)# [no] authentication [eapfast] [leap] [mac] 
 
   

Because all authentication types are enabled by default, you enter the no form of the command to disable authentication types. For example, if you want the authenticator to perform only LEAP authentication, you enter these commands:

AP(config-radsrv)# no authentication eapfast 
AP(config-radsrv)# no authentication mac 
 
   

Unblocking Locked Usernames

You can unblock usernames before the lockout time expires, or when the lockout time is set to infinite. In Privileged Exec mode on the local authenticator, enter this command to unblock a locked username:

AP# clear radius local-server user username 

Viewing Local Authenticator Statistics

In privileged exec mode, enter this command to view statistics collected by the local authenticator:

AP# show radius local-server statistics 

This example shows local authenticator statistics:

Successes              : 0           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 0
 
   

The statistics list cumulative statistics from the local authenticator.

The section lists stats for individual users. If a user is blocked and the lockout time is set to infinite, blocked appears at the end of the stat line for that user. If the lockout time is not infinite, Unblocked in x seconds appears at the end of the stat line for that user.

Use this privileged exec mode command to reset local authenticator statistics to zero:

AP# clear radius local-server statistics 

Using Debug Messages

In privileged exec mode, enter this command to control the display of debug messages for the local authenticator:

AP# debug radius local-server { client | error | packets}
 
   

Use the command options to display this debug information:

Use the client option to display error messages related to failed client authentications.

Use the error option to display error messages related to the local authenticator.

Use the packets option to turn on display of the content of RADIUS packets sent and received.