-
User Guide for the CiscoWorks WLSE and WLSE Express, 2.15
-
Preface
-
Getting Started
-
Using the Deployment Wizard
-
Fault Monitoring
-
Device Discovery and Management
-
Using IOS Templates
-
Using WLSM Templates
-
Using Wizard Templates
-
Managing Device Configurations
-
Upgrading Device Firmware
-
Using Reports
-
Configuring Your WLAN Radio Environment
-
Managing Your WLAN Radio Environment
-
Managing Your WLAN Radio Environment by Sites
-
Using the Intrusion Detection System
-
Managing Your Voice Network
-
Managing the WLSE System
-
Managing the WLSE System via the CLI
-
Using the Internal AAA Server (WLSE Express Only)
-
Command Line Interface (CLI) Commands
-
Naming Guidelines
-
Ports and Protocols
-
Glossary
-
Index
-
Table Of Contents
Using the Internal AAA Server (WLSE Express Only)
Basic Authentication and Authorization
RADIUS Attributes of the AAA Server
Methods of Storing User Information
Lightweight Directory Access Protocol (LDAP)
Extensible Authentication Services
Methods of Configuring the AAA Server
Backup/Restore and Software Upgrades
Fault Monitoring and Trend Reports
Configuring the AAA Server—Overview
AAA Server Administration Subtab Functions
Setting AAA Server Trace Level and Viewing Trace Logs
Trace Levels and Information Logged
Managing the LDAP Central Server
Managing the LDAP Local Server
Configuring Windows Domain Authentication
Configuring Cisco-PEAP Settings
Viewing and Releasing Sessions
RADIUS Attributes for the AAA Server
Using the Internal AAA Server (WLSE Express Only)
WLSE 2.15 includes an integrated authentication and authorization server that provides LEAP, Cisco-PEAP, MS-PEAP, EAP-FAST, and EAP-TLS authentication for access points.
The internal AAA server is available on the Wireless LAN Solution Engine Express (WLSE 1030) only.
The AAA server Web interface is accessible by selecting Admin > AAA Administration.
This chapter provides overview information and procedures for using the internal AAA server:
•
Configuring the AAA Server—Overview
•
•
About the AAA Server
The AAA server is a RADIUS (Remote Authentication Dial-In User Service) server that allows multiple devices to use a common authentication and authorization database.
The server receives requests from users attempting to access clients and authenticates and/or authorizes users.
This section includes the following descriptions of AAA server features:
•
•
•
•
•
•
•
Basic Authentication and Authorization
The WLSE AAA server allows you to better manage access to your network, as it allows you to store all security information in centralized databases instead of distributing the information around the network.
The AAA server is based on a client/server model. The client passes information to the AAA server and acts on the response from the server. The server receives user access requests, authenticating the user and returning any available configuration information for the client to pass on to the user.
The AAA server handles the following tasks:
•
•
•
The protocol is a simple packet exchange in which the client sends a request packet to the AAA server with a name and password. The AAA server looks up the name and password to verify that it is correct and returns an accept packet. The AAA server can also reject the request packet. To ensure network security, the client and server use a shared secret, which is known to both. Also, user passwords are encrypted between the client and the server.
Three participants (user, client, and AAA server) are involved in this interaction as follows:
1.
2.
a.
b.
c.
3.
4.
5.
6.
7.
RADIUS Attributes of the AAA Server
The AAA server comes with the standard RADIUS attributes (as defined by RFC 2865). For more information about AAA server attributes, see RADIUS Attributes for the AAA Server.
Supported Services
The AAA server supports the following services:
•
•
•
Methods of Storing User Information
When configuring an authentication service, you need to specify the user service; that is, where the user profile information is stored. This information can be stored locally on the AAA server or on an LDAP server. When the AAA server receives a request, it directs the request to the specified service. Then the service looks up the user and authenticates or authorizes the user.
As an alternative to LDAP or the local service, you can use the Domain Authentication method and store user information in Windows Active Directory.
This section briefly describes these services:
•
Local User Database
When using this service, you must enter each user and password on the AAA server. You can assign RADIUS attributes to each user. With the local service, you can have the AAA server perform authentication and/or authorization using a specific user list. For more information, see Managing AAA Users.
Lightweight Directory Access Protocol (LDAP)
LDAP servers store directory information about users in order to authenticate them.
You can designate both a central LDAP server and local LDAP servers. The local LDAP server is primary, and the centralized server is secondary.
For more information about LDAP, see Managing the LDAP Central Server and Managing the LDAP Local Server.
Domain Authentication
The AAA server can authenticate against the user database in Windows Active Directory on a Windows domain controller (WDC). Using this service requires that you download and configure a remote agent from Cisco.com and install the remote agent on the domain controller system.
To use domain authentication, you must install a remote agent on the WDC. You can download the remote agent from Cisco.com.
For information on downloading the remote agent and using domain authentication, see Configuring Windows Domain Authentication.
Extensible Authentication Services
You can configure and use more than one of the following authentication services at the same time. If more than one service is configured, the WLSE negotiates which one to use.
The AAA server supports Extensible Authentication Protocol (EAP) to provide a common protocol for differing authentication mechanisms. EAP enables the dynamic selection of the authentication mechanism at authentication time based on information transmitted in the Access-Request. The AAA server supports the following EAP authentication methods.
The supported EAP methods are described in Table 18-1. You enable each EAP method by configuring it, using the WLSE UI or WLSE CLI commands.
Table 18-1 Supported EAP Methods
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary protocol that was defined and implemented for Cisco's Aironet product family.
PEAP
Protected EAP (PEAP) is an authentication method that was designed to mitigate several weaknesses of EAP. PEAP leverages TLS to achieve certificate-based authentication of the server (and optionally the client) and creation of a secure session that can then be used to authenticate the client.The AAA server supports the following versions of PEAP:
•
•
PEAP can be used for authentication between wireless clients, such as inventory devices, and access points (either WDS access points or infrastructure access points).
EAP-FAST
•
•
The PAC is a security credential that is used to establish a shared secret between clients and the server. For EAP-FAST on the WLSE's AAA server, the PAC is created automatically.
EAP-TLS
EAP Transport Level Security (EAP-TLS) is an authentication method that was designed to mitigate several weaknesses of EAP. EAP-TLS leverages TLS, described in RFC 2246, to achieve certificate-based authentication of the server and (optionally) the client. EAP-TLS provides many of the same benefits as PEAP but differs from it in the lack of support for legacy authentication methods.
Methods of Configuring the AAA Server
For this release, the AAA server is pre-configured with appropriate parameters, so initial configuration is minimal. A WLSE user with system administration privileges can configure the AAA server. The configuration methods for the AAA server are WLSE CLI commands and the WLSE web interface. For information on the AAA Web interface, see Using AAA Server Screens.
Most of the functions of the AAA server's Web interface can be performed by using command-line interface (CLI) commands. Additional functions that are not in the Web interface are provided through CLI commands: generating certificates, configuring logging method, reinitializing the database, and starting or stopping daemons. For details on CLI commands, see Using AAA Server CLI Commands.
Backup/Restore and Software Upgrades
Backup and restore of the AAA server database is handled by the normal WLSE backup and restore functions—See Backing Up and Restoring Data. Upgrade of the AAA server is performed during a normal WLSE software upgrade—See Managing WLSE System Software.
Ports Used by the AAA Server
The AAA server requires sole use of the following ports on the WLSE:
•
•
Fault Monitoring and Trend Reports
The RADIUS, LEAP, and Cisco-PEAP protocols are monitored by the WLSE's fault mechanism. MS-PEAP and EAP-FAST are not monitored.
After configuring the AAA server and setting up AAA server monitoring, you can view faults, configure fault monitoring, and run reports for the authentication protocol that you select. A given WLSE can only monitor one protocol per AAA server. For information on configuring the WLSE to monitor the AAA server, see Monitoring the AAA Server.
Related Topics
•
Certificates and RSA Keys
A self-signed certificate is automatically generated by the WLSE during initial startup and is placed in a location where it can be used by the AAA server. A self-signed certificate is required; the AAA server will not operate without a self-signed certificate.
If you need to obtain a more secure certificate from a certificate authority, obtain an RSA key, or regenerate the self-signed certificate in order to make changes in it, you will need to enter the pathnames of the certificates and the key in the relevant AAA server screens.
When you request a certificate from the certificate authority you receive an RSA key and two certificates: your certificate for your site and a certificate that certifies the issuing authority.
The self-signed certificate is not as secure as a certificate issued by a certificate authority, but may be adequate if your network is not accessible from the outside. Also, you may wish to generate your own self-signed certificate that contains the name of your organization and other identifying information.
Note
Configuring the AAA Server—Overview
This section contains the following topics:
Naming Guidelines
For AAA server usernames, group names, and client names, you can use up to 255 characters and any character except for the forward slash (/).
Configuration Methods
You can configure the AAA server by using the screens in the Web interface (Using AAA Server Screens) or the CLI commands (Using AAA Server CLI Commands).
Configuration Tasks
To configure the AAA server, perform the tasks in Table 18-2.
Table 18-2 Tasks for Configuring the AAA Server
Configure the authentication services you are going to use.
Configuring Cisco-PEAP Settings
If you are using the local user database, add users.
If you are using LDAP as the user database, configure LDAP parameters on the WLSE. 1 2
Managing the LDAP Central Server
If you are using domain authentication (Windows Active Directory) for the user database, configure domain authentication parameters on the WLSE.
If you are using domain authentication groups, you can create local groups and map them to groups on the WDC.
Add clients. 3
(Optional) Configure the WLSE to monitor the internal AAA server.
(Optional) Configure logging (syslog or local)
1 You can use LDAP or domain authentication for one service and use the local database for another.
2 If you are using LDAP, you need to add a WLSE user on the LDAP server.
3 The WLSE appliance must be added as a client of the AAA server.
Reconfiguration Tasks
If you change any of the information listed in Table 18-3 after initial configuration, you will need to make corresponding changes on the WLSE.
Table 18-3 Reconfiguring the AAA Server
LDAP server characteristics
Managing the LDAP Central Server
IP address of a client device
RADIUS shared secret of a client device
Addition of devices or users
Using AAA Server Screens
Note
This section contains procedures for configuring the AAA server and includes the following topics:
•
•
•
•
•
•
•
•
AAA Server Administration Subtab Functions
Note
The options under the AAA Administration subtab are:
Table 18-4 AAA Server Subtab Functions
AAA Server Status
Display status of server processes—Displaying AAA Server Status
AAA Server Trace Level
Set level of trace logging—Setting AAA Server Trace Level and Viewing Trace Logs
LDAP Central Server
LDAP Local Server
Configure LDAP if using LDAP for user database:
Managing the LDAP Central Server
Windows Domain Auth Server
Configure domain authentication—Configuring Windows Domain Authentication
LEAP Settings
Cisco-PEAP Settings
MS-PEAP Settings
EAP-TLS Settings
EAP-FAST Settings
Configure the AAA protocols you are using:
Configuring Cisco-PEAP Settings
Clients
Add, modify, and delete clients—Managing AAA Clients
Users
Add modify and delete users if you are using the local user database—Managing AAA Users
Groups
Manage groups for domain authentication—Managing Groups
Sessions
Display and release sessions—Viewing and Releasing Sessions
Displaying AAA Server Status
To display information on AAA server processes, select Admin > AAA Admin > AAA Server Status. The status of the following processes (running or not) and the PID of each process is displayed.
In addition, the health of the AAA server is displayed. The message Server is Running, its health is 10 out of 10 means that the AAA server is running optimally. If this health indicator decreases, you should inspect the AAA server logs for any anomalous behavior. For example, if the percent of rejected requests grows significantly over time, the health indicator will decrease. For information on these logs, see Using AAA Server Log Files.
For information on any outstanding AAA server faults, select Faults > Display Faults. Faults and reports on the AAA server are only displayed after the WLSE has been configured to monitor the AAA server. For more information, see Monitoring the AAA Server.
Table 18-5 AAA Server Processes
AAA server
Processes AAA packets, listening for RADIUS requests, deciding what to do with them (may include making an LDAP query), and then sending RADIUS responses.
AAA daemon manager
Similar to the WLSE daemon manager. Restarts any of the other processes when necessary and coordinates orderly startup and shutdown of the other processes.
AAA database lock manager
Controls access to the database process by multiple clients. In particular, the server, CLI, and Web interface all need to access the database and must be coordinated.
AAA database
Maintains AAA configuration data, including any internal users that have been defined.
Related Topics
Setting AAA Server Trace Level and Viewing Trace Logs
The AAA Server Trace Level page displays the current trace level for the AAA server. Trace information can be used for debugging or validating the behavior of the AAA server. The trace level governs how much information is logged about the contents of a packet. The higher the trace level, the more information is logged. Trace levels are inclusive, so if you set trace level to 3, you log all of the information for trace levels 1 and 2.
Tracing is meant to be temporary, and you should not leave tracing turned on for more than a brief period of time. If tracing is left on, it will quickly fill up available disk space. The rate of consumption of disk space depends on the trace level selected and the current traffic rate (that is, the number of access points authenticating per second).
For information on the trace levels and the information logged at each level, see Trace Levels and Information Logged.
Note
The AAA-server-trace.log file contains the results of tracing; the file contains data only when tracing is turned on. To use this file, select Admin > Appliance > Status > View Log File.
Procedure
Step 1
Step 2
Step 3
Related Topics
Trace Levels and Information Logged
lists the trace levels and the information logged at each level. This information is logged in the AAA-server-trace.log, accessible by Admin > AAA Administration > View Log File. Trace levels are inclusive; for example, if trace level is set at 3, the information from trace levels 2 and 3 are also logged.
Managing the LDAP Central Server
Note
The Lightweight Directory Access Protocol (LDAP) screens allow you to enter information about local and central LDAP servers. LDAP servers store directory information about users in order to authenticate them.
The WLSE must also be added to the LDAP server.
Procedure
To modify the properties of the LDAP central server:
Step 1
The Configure LDAP Central Server screen has two parts: the top part is for setting general parameters, and the bottom part is for creating LDAP-to-RADIUS attribute mappings.
Step 2
Step 3
Note
To add a mapping:
a.
Result: The LDAP Attribute and Maps to RADIUS Attribute text boxes appear, along with an Apply button.
b.
c.
To delete a mapping:
a.
b.
Step 4
Step 5
Related Topics
•
•
Managing the LDAP Local Server
Note
Use the Lightweight Directory Access Protocol (LDAP) screens to enter information about local and central LDAP servers. LDAP servers store authentication and authorization information.
The WLSE must also be added to the LDAP server.
Procedure
To modify the attributes of a LDAP local server:
Step 1
The Configure LDAP Local Server screen has two parts: the top part is for setting general parameters, and the bottom part is for creating LDAP-to-RADIUS attribute mappings.
Step 2
Step 3
Note
To add a mapping:
a.
Result: The LDAP Attribute and RADIUS Attribute text boxes appear, along with an Apply button.
b.
c.
To delete a mapping:
a.
b.
Step 4
Step 5
Related Topics
•
•
About LDAP Parameters
This section contains:
•
•
LDAP Parameter Details
The LDAP parameters you can set in the AAA server LDAP server screens are described in Table 18-7. All parameters are required, except as indicated. The values you enter are used as described in How LDAP Settings are Used.
Table 18-7 LDAP Parameters
Host Name
Host name or IP address of the LDAP server.
Port
Port on the LDAP server for the bind (usually, port 389). The port number must be an integer between 1 and 65536.
Bind Name (optional)
The distinguished name (DN) (administrator name) to use when establishing a connection between the LDAP and AAA servers.
Bind Password (optional)
Password associated with the Bind Name.
Search Path
Path that indicates where in the LDAP database to start the search for user information. The path is specified is a distinguished name (DN). LDAP references an LDAP object by its distinguished name.
Specifying a DN (such as ou=Engineering, o=cisco.com) as the Search Path restricts user queries to objects that match those property values.
Search Filter
Search filter used by the AAA server when querying the LDAP server for user information. Use the notation %s to indicate where the user ID should be inserted. For example, a typical value for this property is (uid=%s), which means that when querying for information about user joe, use the filter uid=joe. uid is the name of the LDAP property that contains the same values as the RADIUS User Name attributes that are being authenticated.
User Password
LDAP property that contains the passwords to use for authentication. This property must be a property of all objects that match the Search Path.
Password Encryption
Select an encryption method for the user password:
•
•
•
•
Timeout
Timeout for bind attempts. How long (in seconds) the AAA server will wait for a response from the LDAP server. The default is 15 seconds.
LDAP to RADIUS mappings (optional)
List of name/value pairs. The name is an LDAP attribute to retrieve from the user record, and the value is the RADIUS attribute to set to the value of the LDAP attribute.
An error message is displayed:
•
•
See the relevant vendor documentation for information about which attributes you may need to enter. The AAA server will operate properly with no authorization attributes; however, the client device may not provide the appropriate service because of the lack of certain authorization attributes. For a list of the RADIUS attributes native to the AAA server, see RADIUS Attributes for the AAA Server.
How LDAP Settings are Used
The LDAP settings that you configure in the LDAP screens are used as follows.
The AAA server connects as an LDAPv3 client to the LDAP server on the named Port. The AAA server uses the Bind Name and Bind Password to connect. If the LDAP server does not respond within the number of seconds specified as the Timeout, the server times out. This connection is made once at startup and again if the connection is dropped.
Each time an Access-Request is received, the AAA server queries the subtree rooted at the Search Path, using the Search Filter (substituting the RADIUS User-Name for %s) to specify an object in the subtree. If such an object is found, the User Password Attribute and specified LDAP Attribute values are returned.
On the AAA server, the RADIUS User-Password attribute value is encrypted, using the Password Encryption technique, and is then compared to the returned User Password Attribute value (which must be encrypted using the same technique). If these values match, the other LDAP Attribute values that are returned are mapped as specified to RADIUS attributes. These composed attribute-value pairs are added to the Access-Accept packet.
Related Topics
•
•
Configuring Windows Domain Authentication
Use this option to configure the AAA server to use Windows domain authentication service as the user database. This service uses a user database stored in Windows Active Directory on a Windows Domain Controller. Use of this service requires that you download and configure a remote agent and install it on the Windows Domain Controller.
Note
A user can optionally specify the domain name along with a user ID while logging on. The domain name is used for authentication:
•
•
If you want to map RADIUS attributes to values in Active Directory, you can create AAA server groups and map them to Active Directory groups.
Optionally, users can be authorized using WDC/AD. The list of groups to which the user belongs in the WDC/AD is used.You map this list of groups to an internal group in the AAA server by means of a group map. The group map is a map between a list of external groups in WDC/AD and an internal AAA user group. You can configure an optional default group, which is used when there is no mapping found or when there is no hit in the maps. When a hit is encountered, the corresponding group is used. For example, if the user is in groups A, B, C, and D and a map for ABC is found before the map for ABCD, the ABC map is used.
Procedure
Step 1
Step 2
Host Name
Set the hostname for the local WDC/AD.
Default is localhost.
Port
Set the port number.
Default is 2004.
Default Domain
(Optional) Sets the default domain name.
The default domain is used to locate the user if the user does not specify a domain when logging in.
Group mapping:
Default AAA Server Group
Select an AAA server group to be mapped to WDC/AD groups. A default AAA server group is provided (domain-auth-usergroup), or you can create your own default group to be mapped to all WDC/AD groups.
If you are not mapping groups, select None.
Note
AAA User Group to Windows Group Mappings
(Optional) If you are using group maps, map the AAA groups to WDC/AD groups as needed:
1.
2.
3.
Note
Step 3
Installing the Remote Server for Domain Authentication
Use the following instructions to download and install the mandatory remote server on a Windows Domain Controller (WDC). The remote server should be installed on a WDC that has access to your Active Directory server.
Procedure
Step 1
http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des
Step 2
Step 3
•
•
Step 4
Related Topics
•
•
Configuring LEAP Settings
The AAA server uses LEAP to authenticate repeater access points via a WDS access point. By default, user information is stored locally in the AAA server.
Procedure
Step 1
Step 2
•
•
•
Step 3
Related Topics
•
•
•
•
Configuring Cisco-PEAP Settings
The AAA server uses PEAPV1 tunneling EAP-GTC for authentication and authorization of wireless supplicants via access points. User profile information is stored in LDAP by default.
Procedure
Step 1
Step 2
Private Key Password
The server's private key password for PEAPV1.
Confirm Private Key Password
Certificate Upload
Enter the absolute pathname of the file that contains your enterprise's certificate or browse for the file.
You will need to upload these certificates and the RSA key if you obtain an official certificate from a certificate authority. For information on obtaining an official certificate, see Managing SSL (HTTPS).
RSA Key Upload
Enter or browse for the absolute pathname of the file that contains the RSA private key.
CA Certificate Upload
Enter or browse for the absolute pathname of the file that contains the certificate authority's certificate.
Inner Service
Select the source of user information for authentication and authorization.
•
•
•
Step 3
Related Topics
•
•
•
•
Configuring MS-PEAP Settings
This option allows you to set PEAP V0 parameters for AAA. User profile information is stored in LDAP by default.
Note
Procedure
Step 1
Step 2
Private Key Password
The server's private key password for PEAPv0. The password must match the ServerRSAKeyFile certificate file.
Confirm Private Key Password
Certificate Upload
Enter absolute pathname of file that contains your enterprise's certificate or browse for the file.
You will need to upload these certificates and the RSA key if you obtain an official certificate from a certificate authority. For information on obtaining an official certificate, see Managing SSL (HTTPS).
RSA Key Upload
Enter or browse for absolute pathname of file that contains the RSA private key.
CA Certificate Path
Enter or browse for absolute pathname of file that contains the certificate authority's certificate.
Inner Service
Select the source of user information for authentication and authorization. When the AAA server receives a request, it directs the request to the specified service. Then the service looks up the user and authenticates or authorizes the user.
•
•
•
Step 3
Related Topics
•
•
•
•
Configuring EAP-TLS Settings
This option allows you to set PEAP V0 parameters for AAA. User profile information is stored in LDAP.
Procedure
Step 1
Step 2
Step 3
Configuring EAP-FAST Settings
Use this option to configure EAP-FAST settings for the AAA server.
Note
Procedure
Step 1
Step 2
Note
Table 18-8 EAP-FAST Parameters
Always Authenticate
If selected, provisioning always rolls over into authentication without relying on a separate setting. Wireless performs better when this is selected.
Authority Identifier
Set the authority identifier. Must be a single string that uniquely identifies this server; spaces and quotation marks are not allowed.
Authority Information
Enter the authority information, which provides human-readable descriptive text for the credential issuer; for example the enterprise and/or server name. The value might be displayed to the client for identification purposes. Uniquely identifies the PAC issuer. Can contain spaces.
Credential Lifetime
Set the lifetime of the credential:
•
•
–
–
–
–
Provisioning Mode
Set the provisioning mode. Only Anonymous is supported.
Inner Service
Select the service to use after LEAP negotiation. This specifies the location of user information for authentication and authorization. When the AAA server receives a request, it directs the request to the specified service. Then the service looks up the user and authenticates or authorizes the user.
•
•
•
Step 3
Related Topics
•
•
•
•
Managing AAA Clients
In the context of the AAA server, a client is a device that submits a request for authorization on behalf of infrastructure access points. Clients that should be added under this option are:
•
•
•
To set up the WLSE to monitor the internal AAA server, see Monitoring the AAA Server.
•
By using address ranges or wildcards (*), you can add multiple clients at the same time.
Procedure
Step 1
Step 2
Writer question: For the redundant pair, do you use the VIPs?
a.
b.
c.
Note
Step 3
a.
b.
c.
d.
Step 4
a.
b.
c.
d.
Step 5
a.
b.
Related Topics
Managing AAA Users
In the context of the AAA server, a user is any entity that is being authenticated by a client; for example, a person, an infrastructure access point, or a MAC address.
Enter all users in this screen unless you are using LDAP or Windows domain authentication as the source of user information.
If you have chosen "local" as the Inner Service for a protocol, enter all users to be authenticated in this screen.
Possible users include:
•
•
•
You can Add a User, Modify a User, and Delete a User.
Add a User
Step 1
Step 2
Step 3
These are the values that will be assigned to the RADIUS User-Name and User-Password attributes when the access point authenticates with WDS.
A user name can have up to 255 characters. You can use any character except the forward slash (/).
Step 4
Note
a.
Result: The RADIUS Attribute and Attribute Value text boxes appear.
b.
c.
Note
Step 5
Note
Modify a User
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Step 7
Delete a User
Step 1
Step 2
Step 3
Related Topics
•
Managing Groups
When you select Admin > AAA Administration > Groups, the Groups List screen displays.
In this screen, you define the user groups to be mapped to WDC/AD groups in the Windows Domain Auth screen. You can define a default group to be mapped to all WDC/AD groups.
You must define AAA server groups in this screen before you can map AAA server groups to WDC/AD groups (unless you are using the default AAA server group). The group mapping feature is used to assign RADIUS attributes to groups of users stored in an Active Directory database on a Windows Domain Controller. For more information on mapping groups, see Configuring Windows Domain Authentication.
You can add groups, edit existing groups, or delete existing groups.
Procedure
Step 1
Step 2
A group name can have up to 255 characters. You can use any character except the forward slash (/).
Step 3
Note
a.
Result: The RADIUS Attribute and Value text boxes appear.
b.
c.
d.
Step 4
Note
Step 5
a.
b.
c.
d.
e.
Step 6
a.
b.
Step 7
Related Topics
Configuring Windows Domain Authentication
Viewing and Releasing Sessions
The Sessions screen allows you to:
•
•
Procedure
Step 1
Result: A list of all the currently active sessions is displayed.
Step 2
•
•
•
Step 3
Related Topics
•
Using AAA Server Log Files
The AAA server log files, and log files for other WLSE functions can be accessed through Admin > Appliance > Status > View Log File. For detailed information on how to download, search, and email log files (and information about other WLSE log files), see Using WLSE Log Files.
Monitoring the AAA Server
You can use the WLSE's fault-monitoring feature to monitor a single protocol on the AAA server (either RADIUS, Cisco-PEAP, or LEAP).
The WLSE does not monitor MS-PEAP or EAP-FAST on the WLSE's built-in AAA server.
A given WLSE can only monitor one protocol per AAA server.
The WLSE monitors the following for the selected protocol:
•
•
•
After configuring the AAA server and the WLSE as described in the following procedure, you can monitor the performance of the internal AAA server by selecting Faults > Display Faults and view reports about the AAA server by selecting Reports > Trends. For more information on faults and reports, see "Fault Monitoring" and "Using Reports."
Note
Procedure
Step 1
Step 2
Add the WLSE as a client.
Step 3
•
•
Step 4
a.
b.
c.
d.
e.
This is the shared secret that you entered when adding the WLSE as a client of the AAA server.
f.
Step 5
Step 6
a.
b.
c.
d.
e.
Note
f.
Related Topics
•
Using AAA Server CLI Commands
This section provides details on the AAA server CLI commands. Table 18-10 lists all of the commands. Most of the features provided in the Web interface are also available via CLI commands. Some functions that are not provided in the Web interface are provided through CLI commands; such as generating self-signed certificates, configuring logging method, reinitializing the database, and starting or stopping daemons.
For general information about using WLSE CLI commands, see "Command Line Interface (CLI) Commands."
When AAA server CLI are executed, these events are logged in the AAA-cli.log. You can access this log from Admin > Appliance > Status > View Log File.
Table 18-10 AAA Server CLI Commands
aaa-server cisco-peap
15
Configures PEAP server on the AAA server.
aaa-server client
15
Manages AAA server clients.
aaa-server domain-auth
15
Configures WDC domain authentication.
aaa-server eap-fast
15
Configures EAP-FAST.
aaa-server eap-tls
15
Configures EAP-TLS.
aaa-server ldap
15
Configures LDAP server parameters on the AAA server.
aaa-server leap
15
Specifies AAA service to use after LEAP negotiation.
aaa-server logging
15
Configures AAA server logging (local or syslog).
aaa-server ms-peap
15
Configures MS-PEAP.
aaa-server reinit
15
Reinitializes AAA server database.
aaa-server session
15
Deletes or displays current AAA server sessions.
aaa-server start
15
Starts or stops AAA server daemons.
aaa-server status
15
Displays status of AAA server.
aaa-server trace
15
Sets or displays the AAA server trace level.
aaa-server user
15
Manages AAA server users (access points).
aaa-server usergroup
15
Manages user groups for Windows domain authentication.
aaa-server cisco-peap
This command displays and configures Cisco PEAP parameters: the server's password, certificates and RSA private key, and AAA service to use after PEAP negotiation.
Syntax Description
aaa-server cisco-peap private-key-password password
aaa-server cisco-peap private-key-password
Sets or displays server's private key password for PEAPv1.
aaa-server cisco-peap inner-service
aaa-server cisco-peap inner-service { ldap | local | domain-auth }
Displays or specifies the service to use after LEAP negotiation. This command specifies the location of user information for authentication and authorization. When the AAA server receives a request, it directs the request to the specified service. Then the service looks up the user and authenticates or authorizes the user.
•
•
•
aaa-server cisco-peap mkcert
Generates a self-signed certificate. A self-signed certificate is automatically generated by the WLSE, but you can use this command to generate another one if you need to make changes. This command is interactive, and requests the following optional information: country, organization and organizational unit, and server or installation name.
Related Commands
aaa-server client
This command adds, deletes, and displays clients or resets a client's parameters. The clients of the AAA server might be infrastructure access points (if not using WDS) or WDS devices. The WLSE itself should be added as a client of the AAA server if you will use the WLSE to monitor the AAA server.
Syntax Description
Examples
This command adds a client. All arguments are required.
aaa-server client ap001 ip-address 10.10.10.1 secret booaaa-server client ap001 ip-address 10.10.10.1 secret booThis command displays information about a client:aaa-server clientaaa-server client ap001 ip-address 10.10.10.1 secret booaaa-server domain-auth
This command configures the domain authentication/authorization service. Configure this service if you are using Windows Domain Controller/Active Directory (WDC/AD) as your user database for the AAA server.
Syntax Description
aaa-server domain-auth host-name ad-host-name
aaa-server domain-auth host-name
Sets or displays the hostname of the WDC/AD server. ad-host-name must be a single string, without spaces or surrounding quotation marks.
aaa-server domain-auth port portnumber
Sets the port number. Must be a valid number between 1 and 65535.
aaa-server domain-auth port
Displays the port number.
aaa-server domain-auth defaultusergroup group-name
aaa-server domain-auth defaultusergroup
no aaa-server domain-auth defaultusergroup
Sets the default user group name (must be the name of an existing group), displays the default user group name, or clears the default user group.
To create a default AAA user group, use the aaa-server usergroup command.
aaa-server domain-auth groupmap group-name=windows-group-names
Maps a single AAA group to one or more WDC/AD groups. The group name must be an existing group. If you are listing more than one WDC/AD group, separate the group names by commas.
The group mapping feature is used to assign RADIUS attributes to groups of users stored in an Active Directory database on a Windows Domain Controller.
To create AAA groups, use the aaa-server usergroup command.
no aaa-server domain-auth groupmap groupnum
Removes a group mapping. groupnum must be valid group number. To obtain group numbers, use the following command to display all of the group mappings.
aaa-server domain-auth groupmap
Displays group mappings.
Usage Guidelines
Use the aaa-server usergroup command to define AAA user groups.
Examples
To display the hostname of the active directory server:
aaa-server domain-auth host-nameaaa-server domain-auth host-name adhostTo add group mappings:
aaa-server domain-auth groupmap aaagroup1=wingroup2,wingroup3To display group mappings:
aaa-server domain-auth groupmap1. aaagroup1=wingroup2,wingroup32. aaagroup2-wingroup3,wingroup4To remove a group mapping:
no aaa-server domain-auth groupmap 1Related Commands
aaa-server eap-fast
This command configures EAP-FAST parameters.
Syntax Description
aaa-server eap-fast always-authenticate { true | false }
aaa-server eap-fast always-authenticate
Sets or displays the flag indicating whether provisioning should always roll over into authentication without relying on a separate session. Most environments (including wireless) perform better when this parameter is set to true.
aaa-server eap-fast authority-identifier name
aaa-server eap-fast authority-identifier
Sets or displays the authority identifier. name must be a single string, without spaces or quotation marks.
aaa-server eap-fast authority information description
aaa-server eap-fast authority information
Sets or displays the authority information. description is human-readable descriptive text for this credential issuer and may be displayed to the client for identification purposes. If the description contains spaces, it must be surrounded by double-quotes.
aaa-server eap-fast credential lifetime lifetime
aaa-server eap-fast credential lifetime
Sets or displays the credential lifetime. lifetime is specified as a string consisting of pairs of numbers and units. Units may be one of the following:
•
•
•
•
If the credential never expires, specify lifetime as forever. If lifetime contains spaces, it must be surrounded by double-quotes.
aaa-server eap-fast inner service [ ldap | local | domain-auth ]
aaa-server eap-fast inner service
Sets or displays the service to use after LEAP negotiation. This determines the location of user information for authentication and authorization. When the AAA server receives a request, it directs the request to the specified service. Then the service looks up the user and authenticates or authorizes the user.
•
•
•
aaa-server eap-fast adhp-mode [ anonymous | signed ]
Sets or displays the ADHP (provisioning) mode. Only anonymous is supported.
Examples
To set the authority information:
aaa-server eap-fast authority-information "some descriptive text"aaa-server eap-fast authority-information "some descriptive text"To set the credential lifetime:
aaa-server eap-fast credential-lifetime "8 days 4 hours"aaa-server eap-fast credential-lifetime "8 days 4 hours"aa-server eap-fast credential-lifetime foreveraaa-server eap-fast credential-lifetime foreverRelated Commands
aaa-server eap-tls
This command sets EAP-TLS parameters.
Syntax Description
.
aaa-server ldap
This command configures LDAP server parameters.
Syntax Description
In the following commands, specify local for the LDAP local server or central for the LDAP central server.
aaa-server ldap
Displays LDAP settings for both the central and local LDAP servers.
aaa-server ldap { local | central }
Displays LDAP settings for either the local or central server.
aaa-server ldap { local | central } timeout timeout
aaa-server ldap { local | central } timeout
Sets or displays the timeout (in seconds) for bind attempts or displays current timeout setting, how long the AAA server waits for a response from the LDAP server.
aaa-server ldap { local | central } host-name [ ipaddr | hostname ]
aaa-server ldap { local | central } host-name
Sets or displays hostname or IP address of the LDAP server. The hostname must be all lower-case. The hostname is not checked to make sure it is a valid hostname.
aaa-server ldap { local | central } port portnumber
aaa-server ldap { local | central } port
Sets or displays port of the LDAP server. The port number must be an integer between 1 and 65536. The validity of the number is not checked.
aaa-server ldap { local | central } bind-name bindname
aaa-server ldap { local | central } bind-name
Sets or displays administrator name with which to bind. The bindname must be a single string, without spaces or surrounding quotation marks.
aaa-server ldap { local | central } bind-password password
aaa-server ldap { local | central } bind-password
Sets or displays (in clear text) administrator password with which to bind. The password must be a single string, without spaces or surrounding quotation marks.
aaa-server ldap { local | central } search-path path
aaa-server ldap { local | central } search-path
Sets or displays root of the search tree in LDAP. The path must be a single string, without spaces or surrounding quotation marks.
aaa-server ldap { local | central } search-filter [ filter ]
aaa-server ldap { local | central } search-filter
Sets or displays the search filter (uid=%s), where uid is the name of the LDAP property that contains the same values as the RADIUS User Name attributes that are being authenticated.
The search filter must be in the form "(somename=%s)". The value must be surrounded by double quotes, and spaces are not allowed. The LHS (somename) is not validated.
aaa-server ldap { local | central } user-password [ property-name ]
aaa-server ldap { local | central } user-password
Sets or displays LDAP property name that contains user passwords. The property name must be a single string, without spaces or surrounding quotation marks. Must be a property of all objects that match the search path.
aaa-server ldap { local | central } use-ssl [ true | false ]
aaa-server ldap { local | central } use-ssl
This option has not been implemented and will be removed in a future release.
aaa-server ldap { local | central } user-password-encryption { dynamic | none | crypt | sha-1 | ssha-1}
aaa-server ldap { local | central } user-password-encryption
Sets or displays the encryption style for the user password property:
dynamic—instructs the AAA server to choose the encryption mechanism on a case-by-case basis after the server determines the presence of a known prefix, which the server prepends to the password attribute.
none—no encryption (the default).
crypt—AAA server encryption using the Unix crypt algorithm.
sha-1 or ssha-1—Secure Hash Algorithm; a hashing algorithm that produces a 160-bit digest based upon the input. The algorithm produces SHA passwords that are irreversible or prohibitively expensive to reverse. Enables the AAA server to authorize users whose passwords are stored in an LDAP server and hashed by using the SHA-1 encoding scheme. SSHA-1 is Netscape's (iPlanet) enhancement of the SHA-1 algorithm which includes salted password data.
aaa-server ldap { local | central } attribute-mapping
aaa-server ldap { local | central } attribute-mapping ldap-property [ radius-attribute ]
no aaa-server ldap { local | central } attribute-mapping ldap-property
Adds, resets, or displays mapping between an LDAP property and a RADIUS authorization attribute.
The no form deletes the mapping.
For information on AAA server attributes, see RADIUS Attributes for the AAA Server
Examples
To display all of the properties of the local LDAP server:
aaa-server ldap localhost-name = 127.0.0.1port = 389bind-name =bind-password =search-path = o=cisco.comsearch-filter = (uid=%s)user-password = userpassworduser-password-encryption = Dynamictimeout = 15use-ssl = FALSEattribute-mapping =To set the timeout for bind attempts (in seconds) on the central LDAP server:
aaa-server ldap central timeout 15aaa-server ldap central timeout 15To display the root of the search tree in LDAP:
aaa-server ldap local search-pathaaa-server ldap local search-path o-cisco.comTo set the search filter:
aaa-server ldap local search-filter "(top=%s)"aaa-server ldap local search-filter (top=%s)aaa-server leap
To specify or display the AAA service to use after LEAP negotiation, use the following command:
aaa-server leap inner-service
aaa-server leap inner-service { ldap | local | domain-auth}
Syntax Description
Specify the service to use after LEAP negotiation. This specifies the location of user information for authentication and authorization. When the AAA server receives a request, it directs the request to the specified service. Then the service looks up the user and authenticates or authorizes the user.
•
•
•
Example
To display information about the currently configured AAA service to use after LEAP negotiation, use the following command:
aaa-server leap inner-serviceaaa-server leap inner-service localRelated Commands
aaa-server logging
The following commands configure syslog and local logging for the AAA server. Syslog logging is disabled by default. Local logging is enabled by default.
Syslog logging requires a UNIX host running a syslog daemon as a receiver for the AAA messages.
Syntax Description
Usage Guidelines
Note
Multiple settings cannot be combined into one command.
Syslog logging will not work unless you provide both the server IP address and facility local number.
Syslog logging and local logging are independent of each other.
Example
The following command shows that syslog logging is disabled and local logging is enabled:
aaa-server loggingno aaa-server logging syslogaaa-server logging localThe following command stops local logging and restarts the AAA server:
no aaa-server logging localno aaa-server logging localrestarting the AAA server...The following command changes the syslog facility local number and restarts the AAA server:
aaa-server logging syslog facility-local-number 10aaa-server logging syslog facility-local-number 10restarting the AAA server...aaa-server ms-peap
The following commands configure MS-PEAP.
Syntax Description
aaa-server ms-peap private-key-password password
aaa-server ms-peap private-key-password
Sets or displays the server's private key password for PEAPv0. The password must be a single string without spaces or quotation marks. The password must match the ServerRSAKeyFile certificate file.
aaa-server ms-peap inner service [ ldap | local | domain-auth ]
Specifies the service to use after LEAP negotiation. This determines the location of user information for authentication and authorization. When the AAA server receives a request, it directs the request to the specified service. Then the service looks up the user and authenticates or authorizes the user.
•
•
•
aaa-server ms-peap mkcert
Generates a self-signed certificate. A self-signed certificate is automatically generated by the WLSE, but you can use this command to generate another certificate if you need to make changes. This command is interactive, and requests the following optional information: country, organization and organizational unit, and server or installation name.
Related Commands
aaa-server reinit
The following command reinitializes the AAA server database to its starting configuration:
aaa-server reinit
Example
To reinitialize the AAA server database:
aaa-server reinitRollforward recovery using "/opt/CSCOar/data/db/vista.tjf" started Thu Dec 30 02:00:21 2004Rollforward recovery using "/opt/CSCOar/data/db/vista.tjf" finished Thu Dec 30 02:00:21 2004Waiting for these processes to die (this may take some time):AAA server running (pid: 1374)AAA daemon manager running (pid: 1309)AAA database lock running (pid: 1316)AAA database running (pid: 1315)4 processes left...............k2 processes left.0 processes leftAAA Daemon Manager shutdown complete.# execute /opt/CSCOar/conf/add-on/pre-fixup-symlinkStarting AAA Daemon Manager..completed.Usage Guidelines
This command causes AAA server processes to stop and then restart.
aaa-server session
The following commands delete or display current sessions. If no name or session ID is specified, all sessions are listed.
Syntax Description
Example
To display all current sessions:
aaa-server sessionaaa-server session ap008 id 1 start-time 02/14/1990 15:38.54aaa-server session ap005 id 2 start-time 02/15/1990 05:10:40aaa-server session ap005 id 3 start-time 02/15/1990 05:11:14aaa-server start
The following command starts or stops the AAA server daemons:
aaa-server { start | stop }
Usage Guidelines
If the AAA server is already up and you attempt to start it, the following messages are displayed:
aaa-server startWARNING: Some AAA Server components are already running.AAA server running (pid: 1374)AAA daemon manager running (pid: 1309)AAA database lock running (pid: 1316)AAA database running (pid: 1315)Use "aaa-server stop" to terminate these processes.Nothing started.If you attempt to stop the AAA server and another user is active and running a CLI command, for example, the following is displayed:
aaa-server stopWARNING: You can not shut down AAA server while theCLI is being used. Current list of running CLI with process id is:26342 aregcmdShutdown failed.Related Commands
aaa-server status
The following command displays the status of the AAA server:
aaa-server status
Example
Example output:
aaa-server statusAAA server running (pid: 1127)AAA daemon manager running (pid: 1111)AAA database running (pid: 1117)AAA database lock running (pid: 1118)Related Commands
aaa-server trace
The following command sets or displays the trace level:
aaa-server trace [ 0 | 1 | 2 | 3 | 4 | 5 ]
There are 6 levels of tracing; 0 means no tracing; 5 is complete tracing (most verbose).
For more information about trace levels, see Trace Levels and Information Logged.
Usage Guidelines
Trace output can only be viewed in the Web interface. Select Administration > Appliance > View Log Files and view AAA-server-trace.log.
aaa-server user
The following commands configure, delete, or modify AAA server users in the local user database. AAA server users are the infrastructure access points (the access points that register with the WDS access point).
Syntax Description
aaa-server user name password password
Adds user or resets name or password of user. The name and password must be a single string, without spaces or surrounding quotation marks.
User names can be up to 255 characters in length and any character is allowed, except for the forward slash (/).
no aaa-server user name
Deletes a user.
aaa-server user
Displays all properties of all users.
aaa-server user name
Displays properties of named user.
aaa-server user name attribute radius-attr value
Adds or resets a RADIUS authorization attribute of the user. All arguments are required.
•
•
•
no aaa-server user name attribute radius-attr
Deletes RADIUS attribute from an existing user.
Examples
The following command displays all users:
aaa-server useraaa-server user ap008 password <encrypted>aaa-server user ap005 password <encrypted>attributes =Framed-Ip-Address = 1.1.11.1The following example command displays a single user:
aaa-server user ap008aaa-server user ap008 password <encrypted>aaa-server usergroup
The following commands display, add, modify or delete AAA server user groups. These groups are mapped to WDC/AD groups for authorizing users. To map AAA groups to WDC/AD groups, use the aaa-server domain-auth command.
aaa-server usergroup
Displays all properties of all user groups.
aaa-server usergroup name
Creates a user group.
Group names can be up to 255 characters in length and any character is allowed, except for the forward slash (/).
no aaa-server usergroup name
Deletes a user group.
aaa-server usergroup name attribute radius-attr value
Adds a RADIUS authorization attribute to an existing user group.
•
•
•
no aaa-server usergroup name attribute radius-attr value
Deletes RADIUS authorization attribute from a user group.
Examples
To display user groups:
aaa-server usergroupaaa-server usergroup aaagroup1attributes =user-name = bustercalled-station-id = 77aaa-server usergroup aaagroup2To add an attribute to an existing user group:
aaa-server usergroup aaagroup1 attribute called-station-id 77Related Commands
RADIUS Attributes for the AAA Server
This section lists the RADIUS attributes supported by the internal AAA server. RADIUS attributes carry the specific authentication and authorization information, and configuration details for requests and replies.
All RADIUS requests and responses consist of one or more attributes, such as the user's name, user's password, and type of service the client should provide to the user.
The attribute dictionary contains prefigured authentication, authorization, and accounting attributes that can be part of a client's or user's configuration. The dictionary entries translate an attribute into a value the AAA server uses to parse incoming requests and generate responses.
Each vendor has its own list of supported attributes. See the vendor's documentation for information about these attributes.
For more detailed information about specific attributes, refer to the appropriate RFC as listed in Table 18-11. You can find RFCs on the world wide web at www.ietf.org.
This section contains the following information:
•
•
The standard, non vendor-specific RADIUS attributes supported by the AAA server are listed in Table 18-12.
Table 18-12 RADIUS Attributes Supported by the AAA Server
Acct-Authentic
45
Acct-Delay-Time
41
Acct-Input-Gigawords
52
Acct-Input-Octets
42
Acct-Input-Packets
47
Acct-Interim-Interval
85
Acct-Link-Count
51
Acct-Multi-Session-Id
50
Acct-Output-Gigawords
53
Acct-Output-Octets
43
Acct-Output-Packets
48
Acct-Session-Id
44
Acct-Session-Time
46
Acct-Status-Type
40
Acct-Terminate-Cause
49
Acct-Tunnel-Connection
68
Acct-Tunnel-Packets-Lost
86
Acquire-group-session-limit
280
ARAP-Challenge-Response
84
ARAP-Features
71
ARAP-Password
70
ARAP-Security
73
ARAP-Security-Data
74
ARAP-Zone-Access
72
Callback-Id
20
Callback-Number
19
Called-Station-Id
30
Calling-Station-Id
31
Change-Password
17
CHAP-Challenge
60
CHAP-Password
3
Class
25
Configuration-Token
78
Connect-Info
77
Digest-Attributes
207
Digest-Response
206
EAP-Message
79
Error-Cause
101
Event-Timestamp
55
Filter-Id
11
Framed-AppleTalk-Link
37
Framed-AppleTalk-Network
38
Framed-AppleTalk-Zone
39
Framed-Compression
13
Framed-Interface-Id
96
Framed-IP-Address
8
Framed-IP-Netmask
9
Framed-IPv6-Pool
100
Framed-IPv6-Prefix
97
Framed-IPv6-Route
99
Framed-IPX-Network
23
Framed-MTU
12
Framed-Pool
88
Framed-Protocol
7
Framed-Route
22
Framed-Routing
10
Idle-Timeout
28
Login-IP-Host
14
Login-IPv6-Host
98
Login-LAT-Group
36
Login-LAT-Node
35
Login-LAT-Port
63
Login-LAT-Service
34
Login-Service
15
Login-TCP-Port
16
Message-Authenticator
80
NAS-Identifier
32
NAS-IP-Address
4
NAS-IPv6-Address
95
NAS-Port
5
NAS-Port-ID
87
NAS-Port-Type
61
Originating-Line-Info
94
Password-Expiration
21
Password-Retry
75
Port-Limit
62
Prompt
76
Proxy-State
33
Reply-Message
18
Service-Type
6
Session-Timeout
27
State
24
Termination-Action
29
Text-Ascend-Data-Filter
225
For special instructions on setting the following tunnel attributes, see Setting Tunnel Attributes.
Tunnel-Assignment-ID
Tunnel-Client-Auth-ID
Tunnel-Client-Endpoint
Tunnel-Medium-Type
Tunnel-Password
Tunnel-Preference
Tunnel-Private-Group-ID
Tunnel-Server-Auth-ID
Tunnel-Server-Endpoint
Tunnel-Type
82
90
66
65
69
83
81
91
67
64
User-Name
1
User-Password
2
Vendor-Specific Attributes
26
Setting Tunnel Attributes
When using the tunnel attributes listed in Table 18-13, attach a tag consisting of _tag followed by a value from 1 to 31. For example, Tunnel-Client-Endpoint_tag3.
