Configuring Authentication for Access Points
Download this chapter
Configuring Authentication for Access PointsConfiguring Authentication for Access Points
 Feedback

Configuring Authentication for Access Points

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Configuring Authentication for Access Points

  • You can set a global username, password, and enable password for all access points that are currently joined to the switch and any that join in the future inherit as they join the switch. If desired, you can override the global credentials and assign a unique username, password, and enable password for a specific access point.
  • After an access point joins the switch, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point’s console port. When you log in, you are in nonprivileged mode, and you must enter the enable password in order to use the privileged mode.
  • The global credentials that you configure on the switch are retained across switch and access point reboots. They are overwritten only if the access point joins a new switch that is configured with a global username and password. If the new switch is not configured with global credentials, the access point retains the global username and password configured for the first switch.
  • You must track the credentials used by the access points. Otherwise, you might not be able to log into an access point’s console port. If you need to return the access points to the default Cisco/Cisco username and password, you must clear the switch’s configuration and the access point’s configuration to return them to factory-default settings. To reset the default access point configuration, enter the ap name Cisco_AP mgmtuser username Cisco password Cisco command. Entering the command does not clear the static IP address of the access point. Once the access point rejoins a switch, it adopts the default Cisco/Cisco username and password.
  • You can configure global authentication settings for all access points that are currently joined to the switch and any that join in the future. If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.
  • This feature is supported on the following hardware:
    • All Cisco switches that support authentication.
    • Cisco Aironet 1260, 3500, 3600, 1140, 1310, and 1520 access points

Restrictions for Configuring Authentication for Access Points

  • The switch name in the AP configuration is case sensitive. Therefore, make sure to configure the exact system name on the AP configuration. Failure to do this results in the AP fallback not working.
  • The following access points are not supported by the Cisco switch:
    • All non 802.11 access points (also AP 1120) and AP 1250.

Information about Configuring Authentication for Access Points

Cisco IOS access points are shipped from the factory with Cisco as the default enable password. This password allows users to log into the nonprivileged mode and enter the show and debug commands that pose a security threat to your network. You must change the default enable password to prevent unauthorized access and to enable users to enter configuration commands from the access point’s console port.

You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access point acts as an 802.1X supplicant and is authenticated by the switch where it uses EAP-FAST with anonymous PAC provisioning.

How to Configure Authentication for Access Points

Configuring Global Credentials for Access Points (CLI)


Note

The procedure to perform this task using the switch GUI is not currently available.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ap mgmtuser username user_name password 0 passsword secret 0 secret_value

    4.    end

    5.    ap name Cisco_AP mgmtuser username user_name password password secret secret

    6.    show ap summary

    7.    show ap name Cisco_AP config dot11 24ghz general


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example: 
    Switch# enable
     

    Enters privileged EXEC mode.

     
    Step 2 configure terminal


    Example: 
    Switch# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ap mgmtuser username user_name password 0 passsword secret 0 secret_value


    Example: 
    Switch(config)# ap mgmtuser apusr1
 password appass 0 secret 0 appass1
     

    Configures the global username and password and enables the password for all access points that are currently joined to the switch and any access points that join the switch in the future. In the command, the parameter 0 specifies that an unencrypted password will follow and 8 specifies that an AES encrypted password will follow.

     
    Step 4end


    Example:
    Switch(config)# end
     

    Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.

     
    Step 5ap name Cisco_AP mgmtuser username user_name password password secret secret


    Example:
    Switch(config)# ap name TSIM_AP-2
 mgmtuser apusr1 password appass secret secret
     

    Overrides the global credentials for a specific access point and assigns a unique username and password and enables password to this access point.

    The credentials that you enter in this command are retained across switch and access point reboots and if the access point joins a new switch.
    Note   

    If you want to force this access point to use the switch’s global credentials, enter the ap name Cisco_AP no mgmtuser command. The following message appears after you execute this command: “AP reverted to global username configuration.”

     
    Step 6show ap summary


    Example:
    Switch# show ap summary
     

    Displays the global credentials configuration information that corresponds to all access points that join the switch.

    Note   

    If global credentials are not configured, the Global AP User Name text box shows “Not Configured.”

     
    Step 7show ap name Cisco_AP config dot11 24ghz general


    Example:
    Switch# show ap name AP02 config dot11 24ghz
 general
     

    Displays the global credentials configuration for a specific access point.

    Note   

    If this access point is configured for global credentials, the AP User Mode text boxes shows “Automatic.” If the global credentials have been overwritten for this access point, the AP User Mode text box shows “Customized.”

     

    Configuring Authentication for Access Points (CLI)


    Note

    The procedure to perform this task using the switch GUI is not currently available.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ap dot1x username user_name_value password 0 password_value

      4.    end

      5.    ap name Cisco_AP dot1x-user username username_value password password_value

      6.    configure terminal

      7.    no ap dot1x username user_name_value password 0 password_value

      8.    end

      9.    show ap summary

      10.    show ap name Cisco_AP config general


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example: 
      Switch# enable
       

      Enters privileged EXEC mode.

       
      Step 2 configure terminal


      Example: 
      Switch# configure terminal
       

      Enters global configuration mode.

       
      Step 3ap dot1x username user_name_value password 0 password_value


      Example: 
      Switch(config)# ap dot1x username AP3 password 0
 password
       

      Configures the global authentication username and password for all access points that are currently joined to the switch and any access points that join the switch in the future. This command contains the following keywords and arguments:

      • username—Specifies an 802.1X username for all access points.
      • user-id—Username.
      • password—Specifies an 802.1X password for all access points.
      • 0—Specifies an unencrypted password.
      • 8—Specifies an AES encrypted password.
      • passwd—Password.
      Note   

      You must enter a strong password for the password parameter. Strong passwords are at least eight characters long, contain a combination of uppercase and lowercase letters, numbers, and symbols, and are not a word in any language.

       
      Step 4end


      Example:
      Switch(config)# end
       

      Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.

       
      Step 5ap name Cisco_AP dot1x-user username username_value password password_value


      Example:
      Switch# ap name AP03 dot1x-user
 username apuser1 password appass
       

      Overrides the global authentication settings and assigns a unique username and password to a specific access point. This command contains the following keywords and arguments:

      • username—Specifies to add a username.
      • user-id—Username.
      • password—Specifies to add a password.
      • 0—Specifies an unencrypted password.
      • 8—Specifies an AES encrypted password.
      • passwd—Password.
      Note   

      You must enter a strong password for the password parameter. See the note in Step 2 for the characteristics of strong passwords.

      The authentication settings that you enter in this command are retained across switch and access point reboots and whenever the access point joins a new switch.

       
      Step 6 configure terminal


      Example: 
      Switch# configure terminal
       

      Enters global configuration mode.

       
      Step 7no ap dot1x username user_name_value password 0 password_value


      Example:
      Switch(config)# no ap dot1x username
 dot1xusr password 0 dot1xpass
       

      Disables 802.1X authentication for all access points or for a specific access point.

      The following message appears after you execute this command: “AP reverted to global username configuration.”
      Note   

      You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.

       
      Step 8end


      Example:
      Switch(config)# end
       

      Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.

       
      Step 9show ap summary


      Example:
      Switch# show ap summary
       

      Displays the authentication settings for all access points that join the switch.

      Note   

      If global authentication settings are not configured, the Global AP Dot1x User Name text box shows “Not Configured.”

       
      Step 10show ap name Cisco_AP config general


      Example:
      Switch# show ap name AP02 config general
       

      Displays the authentication settings for a specific access point.

      Note   

      If this access point is configured for global authentication, the AP Dot1x User Mode text boxes shows “Automatic.” If the global authentication settings have been overwritten for this access point, the AP Dot1x User Mode text box shows “Customized.”

       

      Configuring the Switch for Authentication (CLI)


      Note

      The procedure to perform this task using the switch GUI is not currently available.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    dot1x system-auth-control

        4.    aaa new-model

        5.    aaa authentication dot1x default group radius

        6.    radius-server host host_ip_adress acct-port port_number auth-port port_number key 0 unencryptied_server_key

        7.    interface TenGigabitEthernet1/0/1

        8.    switch mode access

        9.    dot1x pae authenticator

        10.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example: 
        Switch# enable
         

        Enters privileged EXEC mode.

         
        Step 2 configure terminal


        Example: 
        Switch# configure terminal
         

        Enters global configuration mode.

         
        Step 3 dot1x system-auth-control


        Example: 
        Switch(config)# dot1x system-auth-control
         

        Enables system authentication control.

         
        Step 4aaa new-model


        Example:
        Switch(config)# aaa new-model
         

        Enables new access control commands and functions.

         
        Step 5aaa authentication dot1x default group radius


        Example:
        Switch(config)# aaa authentication
 dot1x default group radius
         

        Sets the default authentications lists for IEEE 802.1X by using all the radius hosts in a server group.

         
        Step 6radius-server host host_ip_adress acct-port port_number auth-port port_number key 0 unencryptied_server_key


        Example:
        Switch(config)# radius-server host
 10.1.1.1 acct-port 1813 auth-port 6225 key 0 encryptkey
         

        Sets a clear text encryption key for the RADIUS authentication server.

         
        Step 7interface TenGigabitEthernet1/0/1


        Example:
        Switch(config)# interface
 TenGigabitEthernet1/0/1
         

        Sets the 10-Gigbit Ethernet interface.

        The command prompt changes from Controller(config)# to Controller(config-if)#.

         
        Step 8switch mode access


        Example:
        Switch(config-if)# switch mode access
         

        Sets the unconditional truncking mode access to the interface.

         
        Step 9dot1x pae authenticator


        Example:
        Switch(config-if)# dot1x pae
 authenticator
         

        Sets the 802.1X interface PAE type as the authenticator.

         
        Step 10end


        Example:
        Switch(config)# end
         

        Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.

         

        Configuration Examples for Configuring Authentication for Access Points

        Displaying the Authentication Settings for Access Points: Examples

        This example shows how to display the authentication settings for all access points that join the switch:

        Switch# show ap summary
Number of APs.................................... 1
Global AP User Name.............................. globalap
Global AP Dot1x User Name........................ globalDot1x

        This example shows how to display the authentication settings for a specific access point:

        Switch# show ap name AP02 config dot11 24ghz general
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... TSIM_AP2
...
AP Dot1x User Mode............................... AUTOMATIC
AP Dot1x User Name............................... globalDot1x