Table Of Contents
Remote Site IEEE 802.1X Local Authentication Service
Prerequisites for Configuring Remote Site IEEE 802.1X Local Authentication Service
Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
Information About Configuring Remote Site IEEE 802.1x Local Authentication Service
How to Configure Remote Site IEEE 802.1X Local Authentication Service
Configuring the Local Authentication Server
Configuring User Groups on the Local Authentication Server
Creating the User List on the Local Authentication Server
Saving the Configuration on the Local Authentication Server
Configuring Access Points or Routers to Use the Local Authentication Server
Verifying the Configuration for Local Authentication Service
Monitoring and Maintaining 802.1X Local Authentication Service
Configuration Examples for Remote Site IEEE 802.1X Local Authentication Service
Setting Up a Local Authentication Server: Example
Setting Up Two Main Servers and a Local Authentication Server: Example
Displaying Local Authentication Server Configuration: Example
Displaying Local Authentication Server Statistics: Example
show radius local-server statistics
Remote Site IEEE 802.1X Local Authentication Service
The Remote Site IEEE 802.1X Local Authentication Service feature provides the ability to configure an access point or wireless-aware router to act as a local RADIUS server. Configuring local authentication service provides a backup authentication service in the event of a WAN link or server failure.
Feature History for the Remote Site IEEE 802.1X Local Authentication Service
Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Configuring Remote Site IEEE 802.1X Local Authentication Service
•
•
•
•
•
Prerequisites for Configuring Remote Site IEEE 802.1X Local Authentication Service
Follow these guidelines when you configure an access point or wireless-aware router as a local authentication server:
•
•
Restrictions for Configuring Remote Site IEEE 802.1X Local Authentication Service
The following are restrictions of the local authentication service feature:
•
•
•
Information About Configuring Remote Site IEEE 802.1x Local Authentication Service
On typical wireless LANs that use 802.1X authentication, access points and wireless-aware routers rely on remote site RADIUS servers to authenticate client devices. This authentication traffic must cross a WAN link. If the WAN link fails, or if the access points and routers cannot reach the RADIUS servers, then the client devices cannot access the wireless network even if their requirements for access are strictly local.
To provide for local authentication service or backup authentication service in the event of a WAN link or server failure, you can configure an access point or wireless-aware router to act as a local RADIUS server. The access point or wireless-aware router can authenticate Light Extensible Authentication Protocol (LEAP)-enabled wireless client devices and allow them to join your network.
Because the local authentication device does not synchronize its database with the main RADIUS servers. You must configure the local authentication server with client usernames and passwords. The local authentication server also permits you to specify a VLAN and a list of service set identifiers (SSIDs) that a client is allowed to use.
Table 1 shows the maximum number of clients that can be configured on a local authentication server.
Note
You configure access points and routers to use the local authentication server when they cannot reach the main servers or when a RADIUS server is not available.
The access points and wireless-aware routers stop using the local authentication server automatically when the link to the main servers is restored.
If your local authentication server also serves client devices, you must enter the local authentication server access point or router as a network access server (NAS). When a LEAP client associates to the local authentication server access point, the access point uses itself to authenticate the client.
Caution
How to Configure Remote Site IEEE 802.1X Local Authentication Service
This section contains the following procedures:
•
•
•
•
•
Configuring the Local Authentication Server
Perform this task to configure the access point as a local authentication server.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring User Groups on the Local Authentication Server
Perform this optional task (beginning in local RADIUS server configuration mode) to configure user groups on the local authentication server.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
Router(config-radsrv)# group group-name
Enters user group configuration mode and configures a user group to which you can assign shared settings.
Step 2
Router(config-radsrv-group)# vlan vlan
(Optional) Specifies a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group.
Step 3
Router(config-radsrv-group)# ssid ssid
(Optional) Enters up to 20 service set identifiers (SSIDs) to limit members of the user group to those SSIDs. The access point checks whether the client's SSID matches an SSID in the list. If the SSID does not match, the client is disassociated.
Step 4
Router(config-radsrv-group)# reauthentication time seconds
(Optional) Configures the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate.
Step 5
Router(config-radsrv-group)# block
count count time {seconds | infinite}(Optional) To help protect against password-guessing attacks, you can lock out group members for a length of time after a set number of incorrect passwords.
•
•
Step 6
Router(config-radsrv-group)# exit
Returns to authenticator configuration mode.
Unblocking Usernames
You can unblock usernames before the lockout time expires or when the lockout time is set to infinite. To unblock a locked username, enter the following command in privileged EXEC mode on the local authentication server.
Router# clear radius local-server user usernameCreating the User List on the Local Authentication Server
Perform the required task described in the following paragraphs to create a user list on the local authentication server and to configure the users that are allowed to authenticate using the local authentication server.
Note
You must enter a username and password for each user. If you know only the NT hash value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.
To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.
Beginning in local RADIUS server configuration mode, enter the user command for each username:
Router(config-radsrv)# user username {password | nthash} password [group group-name]Saving the Configuration on the Local Authentication Server
Perform this optional task to save the current configuration.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Step 1
Router(config-radsrv)# end
Returns to privileged EXEC mode.
Step 2
Router# copy running-config startup-config
Saves your entries in the configuration file.
Configuring Access Points or Routers to Use the Local Authentication Server
Perform this required task to add the local authentication server to the list of servers on the client access point or wireless-aware router.
Note
On the wireless devices that use the local authentication server, use the radius-server host command in privileged EXEC mode to enter the local authentication server as a RADIUS server. The order in which the devices attempt to use the servers matches the order in which you enter the servers in the device configuration. If you are configuring the device to use a RADIUS server for the first time, enter the main RADIUS servers first, and enter the local authentication server last.
Note
Use the radius-server deadtime command in global configuration mode to set an interval during which the access point or router does not attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying the next configured server. A server marked as dead is skipped by additional requests for the duration of minutes that you specify, up to 1440 (24 hours).
To remove the local authentication server from the access point or router configuration, use the no radius-server host command in global configuration mode.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Verifying the Configuration for Local Authentication Service
Use the show running-config command in global configuration mode to verify the current configuration for local authentication service.
SUMMARY STEPS
1.
2.
Step 1
Router> enable
Enables privileged EXEC mode.
Step 2
Router# show running-config
Displays the current access point operating configuration
DETAILED STEPS
Monitoring and Maintaining 802.1X Local Authentication Service
To view statistics collected by the local authentication server, enter the following command in privileged EXEC mode:
Router# show radius local-server statisticsTo reset local authentication server statistics to zero, enter the following command in privileged EXEC mode:
Router# clear radius local-server statisticsConfiguration Examples for Remote Site IEEE 802.1X Local Authentication Service
This section provides the following configuration examples:
•
•
•
•
Setting Up a Local Authentication Server: Example
This example shows how to set up a local authentication server used by three access points with three user groups and several users:
AP# configure terminalAP(config)# aaa new-modelAP(config)# aaa group server radius RADIUS_SERVER_GROUPAP(config-sg-radius)# server 10.0.0.1 auth-port 1812 acct-port 1813AP(config)# aaa authentication login RADIUS_METHOD_LISTAP(config)# radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 110337AP(config)# radius-server localAP(config-radsrv)# nas 10.91.6.159 key 110337AP(config-radsrv)# nas 10.91.6.162 key 110337AP(config-radsrv)# nas 10.91.6.181 key 110337AP(config-radsrv)# group clerksAP(config-radsrv-group)# vlan 87AP(config-radsrv-group)# ssid batmanAP(config-radsrv-group)# ssid robinAP(config-radsrv-group)# reauthentication time 1800AP(config-radsrv-group)# block count 2 time 600AP(config-radsrv-group)# group cashiersAP(config-radsrv-group)# vlan 97AP(config-radsrv-group)# ssid deerAP(config-radsrv-group)# ssid antelopeAP(config-radsrv-group)# ssid elkAP(config-radsrv-group)# reauthentication time 1800AP(config-radsrv-group)# block count 2 time 600AP(config-radsrv-group)# group managersAP(config-radsrv-group)# vlan 77AP(config-radsrv-group)# ssid mouseAP(config-radsrv-group)# ssid chipmunkAP(config-radsrv-group)# reauthentication time 1800AP(config-radsrv-group)# block count 2 time 600AP(config-radsrv-group)# exitAP(config-radsrv)# user jsmith password twain74 group clerksAP(config-radsrv)# user stpatrick password snake100 group clerksAP(config-radsrv)# user nick password uptown group clerksAP(config-radsrv)# user sam password rover32 group cashiersAP(config-radsrv)# user patsy password crowder group cashiersAP(config-radsrv)# user carl password 272165 group managersAP(config-radsrv)# user vic password lid178 group managersAP(config-radsrv)# endSetting Up Two Main Servers and a Local Authentication Server: Example
This example shows how to set up two main servers and a local authentication server with a server deadtime of 10 minutes:
Router(config)# aaa new-modelRouter(config)# aaa group server radius RADIUS_SERVER_GROUPRouter(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001Router(config-sg-radius)# server 172.10.0.1 auth-port 1645 acct-port 1646Router(config-sg-radius)# server 10.91.6.151 auth-port 1812 acct-port 1813Router(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654Router(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654Router(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337Router(config)# radius-server deadtime 10In this example, if the WAN link to the main servers fails, the access point or wireless-aware router completes these steps when a LEAP-enabled client device associates:
1.
2.
3.
If another client device needs to authenticate during the 10-minute deadtime interval, the access point skips the first two servers and tries the local authentication server first. After the deadtime interval, the access point tries to use the main servers for authentication. When setting a deadtime, you must balance the need to skip dead servers with the need to check the WAN link and begin using the main servers again as soon as possible.
Each time an access point or wireless-aware router tries to use the main servers while they are down, the client device that is trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point or wireless-aware router tries the local authentication server. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.
Displaying Local Authentication Server Configuration: Example
The following is sample output for configuration of a local authentication server on the Cisco 2621 router.
2621-1# show runBuilding configuration...Current configuration : 2954 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname 2621-1!!aaa new-model!!aaa group server radius RADIUS_LEAP_GROUPserver 10.0.0.1 auth-port 1812 acct-port 1813!aaa authentication login AUTH_LEAP group RADIUS_LEAP_GROUPaaa session-id commonip subnet-zero!!ip dhcp pool 2621-dhcp-poolnetwork 10.0.0.0 255.0.0.0!!!interface FastEthernet0/0no ip addressshutdownduplex autospeed auto!interface FastEthernet0/1no ip addressshutdownduplex autospeed auto!interface FastEthernet1/0no ip address!interface FastEthernet1/1switchport mode trunkno ip address!interface FastEthernet1/2no ip addressshutdown!interface FastEthernet1/3no ip addressshutdown!interface FastEthernet1/4no ip addressshutdown!interface FastEthernet1/5no ip address!!interface GigabitEthernet1/0no ip addressshutdown!interface Vlan1ip address 10.0.0.1 255.0.0.0!ip classless!ip http serverno ip http secure-server!!!radius-server localnas 10.0.0.1 key 0 ciscouser ap-1 nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780Auser ap-5 nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307user user1 nthash 7 1350344A5B5C227B78057B10107A452232515402097C77002B544B45087D0E7200!radius-server host 10.0.0.1 auth-port 1812 acct-port 1813radius-server key cisco!wlccp authentication-server infrastructure AUTH_LEAPwlccp authentication-server client leap AUTH_LEAPwlccp wds priority 255 interface Vlan1!line con 0line aux 0line vty 0 4!!!endDisplaying Local Authentication Server Statistics: Example
The following is sample output for configuration for the show radius local-server statistics command:
router-2621-1# show radius local-server statisticsSuccesses : 11262 Unknown usernames : 0Client blocks : 0 Invalid passwords : 8Unknown NAS : 0 Invalid packet from NAS: 0NAS : 10.0.0.1Successes : 11262 Unknown usernames : 0Client blocks : 0 Invalid passwords : 8Corrupted packet : 0 Unknown RADIUS message : 0No username attribute : 0 Missing auth attribute : 0Shared key mismatch : 0 Invalid state attribute: 0Unknown EAP message : 0 Unknown EAP auth type : 0Maximum number of configurable users: 50, current user count: 11Username Successes Failures Blocksvayu-ap-1 2235 0 0vayu-ap-2 2235 0 0vayu-ap-3 2246 0 0vayu-ap-4 2247 0 0vayu-ap-5 2247 0 0vayu-11 3 0 0vayu-12 5 0 0vayu-13 5 0 0vayu-14 30 0 0vayu-15 3 0 0scm-test 1 8 0router-2621-1#The first section shows cumulative statistics from the local authentication server. The second section shows statistics for each access point (NAS) that is authorized to use the local authentication server. The third section shows statistics for individual users. If a user is blocked and the lockout time is set to infinite, Blocked appears at the end of the line of statistics for that user. If the lockout time is not set to infinite, Unblocked in x seconds appears at the end of the statistics line for that user.
Additional References
The following sections provide references related to Remote Site IEEE 802.1X Local Authentication Service.
Related Documents
MIBs
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3T command reference publications.
•
•
•
•
•
block count
To lock out group members for a length of time after a set number of incorrect passwords, use the block count command in local RADIUS server group configuration mode. Use the no form of this command remove the user block after invalid login attempts.
block count count time {seconds | infinite}
no block count count time {seconds | infinite}
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server group configuration
Command History
Usage Guidelines
If a setting of infinite is entered, an administrator must manually unblock the locked username.
Examples
The following command locks out group members for 120 seconds after 3 incorrect passwords are entered:
block count 3 time 120Related Commands
clear radius local-server
To clear the display on the local server or to unblock a locked username, use the clear radius local-server command in privileged EXEC mode. This command does not have a no form.
clear radius local-server {statistics | user username}
Syntax Description
statistics
Clears the display of statistical information.
user
Unblocks the locked username specified.
username
Locked username.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example unblocks the locked username smith:
Router# clear radius local-server user smithRelated Commands
debug radius local-server
To control the display of debug messages for the local authentication server, use the debug radius local-server command in privileged EXEC mode. Use the no form of this command to stop the debug printing.
debug radius local-server {packets | error | client}
no debug radius local-server {packets | error | client}
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following command displays messages regarding failed client authentication:
Router# debug radius local-server clientRelated Commands
group
To enter user group configuration mode and to configure shared settings for a user group, use the group command in local RADIUS server configuration mode. Use the no form of the command to remove the group configuration from the local RADIUS server.
group group-name
no group group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server configuration
Command History
Examples
The following example is used to enter group configuration mode for the team1 group:
group team1Related Commands
nas
To add an access point or router to the list of devices that use the local authentication server, use the nas ip-address key command in local RADIUS server configuration mode. Use the no form of this command to remove the identity of the network access server (NAS) that is configured on the local RADIUS server.
nas ip-address key shared-key
no nas ip-address
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server configuration
Command History
Examples
The following command adds the access point with IP address 192.168.12.17 to the list of devices that use the local authentication server, using the shared key shared256.
nas 192.168.12.17 key shared256Related Commands
radius-server local
To enable the access point or wireless-aware router as a local authentication server and to enter into configuration mode for the authenticator, use the radius-server local command in global configuration mode. Use the no form of this command to remove the local RADIUS server configuration from the router or access point.
radius-server local
no radius-server local
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Examples
The following example enables the access point on which the command is issued to serve as a local authentication server and to enter into configuration mode for the authenticator:
AP# radius-server localRelated Commands
reauthentication time
To enter the time limit after which the users should reauthenticate, use the reauthentication time command in local RADIUS server group configuration mode. Use the no form of this command to remove the requirement that users reauthenticate after the specified duration.
reauthentication time seconds
no reauthentication time seconds
Syntax Description
Defaults
The default setting is 0 seconds, which means that group members are not required to reauthenticate.
Command Modes
Local RADIUS server group configuration
Command History
Examples
The following command sets the time limit after which the authenticator should reauthenticate to 30 seconds:
reauthentication time 30Related Commands
show radius local-server statistics
To display the statistics for the local authentication server, use the show radius local-server statistics command in privileged EXEC mode.
show radius local-server statistics
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows statistics displayed for the local authentication server:
Router# show radius local-server statisticsSuccesses : 11262 Unknown usernames : 0Client blocks : 0 Invalid passwords : 8Unknown NAS : 0 Invalid packet from NAS: 0NAS : 10.0.0.1Successes : 11262 Unknown usernames : 0Client blocks : 0 Invalid passwords : 8Corrupted packet : 0 Unknown RADIUS message : 0No username attribute : 0 Missing auth attribute : 0Shared key mismatch : 0 Invalid state attribute: 0Unknown EAP message : 0 Unknown EAP auth type : 0Maximum number of configurable users: 50, current user count: 11Username Successes Failures Blocksvayu-ap-1 2235 0 0vayu-ap-2 2235 0 0vayu-ap-3 2246 0 0vayu-ap-4 2247 0 0vayu-ap-5 2247 0 0vayu-11 3 0 0vayu-12 5 0 0vayu-13 5 0 0vayu-14 30 0 0vayu-15 3 0 0scm-test 1 8 0Related Commands
ssid
To enter up to 20 SSIDs to a user group, use the ssid command in local RADIUS server group configuration mode. Use the no form of this command to instruct the access point not to check whether a client SSID is on the list of specified SSIDs.
ssid ssid-number
no ssid ssid-number
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server group configuration
Command History
Usage Guidelines
You can enter up to 20 SSIDs to limit users to those SSIDs.
Examples
The following command adds the SSID batman to the local user group:
ssid batmanRelated Commands
user
To enter the names of users that are allowed to authenticate using the local authentication server, use the user command in local RADIUS server configuration mode. Use the no form of this command to remove the username and password from local RADIUS server.
user username {password | nthash} password [group group-name]
no user username
Syntax Description
Defaults
If no group name is entered, the user is not assigned to a VLAN and is never required to reauthenticate.
Command Modes
Local RADIUS server configuration
Command History
Usage Guidelines
If you do not know the user password, look up the NT value of the password in the authentication server database, and enter the NT hash as a hexadecimal string.
Examples
The following command designates that user ssmith is allowed to authenticate using the local authentication server with the password smithisok; the command further adds the user to the group team1:
user ssmith password smithisok group team1Related Commands
vlan
To specify a VLAN to be used by members of the user group, use the vlan command in local RADIUS server group configuration mode. Use the no form of the command to reset the parameter to the default value.
vlan vlan
no vlan vlan
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server group configuration
Command History
Usage Guidelines
The access point or router moves group members into the VLAN that you specify, overriding any other VLAN assignments. You can assign only one VLAN to a user group.
Examples
When issued in local RADIUS server group configuration mode, the following command designates the VLAN with ID 225 to be used by members of the group:
vlan 225Related Commands
