Step 1
Choose .

Step 2
Perform one of the following:

Note: The pages used to configure authentication and accounting contain mostly the same text boxes. Therefore, these instructions walk through the configuration only once, using the Authentication pages as examples. You would follow the same steps to configure multiple services and/or multiple servers.

The RADIUS Authentication (or Accounting) Servers page appears. This page lists any RADIUS servers that have already been configured.
- If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that server and choose Remove.
- If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down arrow for that server and choose Ping.
Step 3
From the Call Station ID Type drop-down list, choose the option that is sent to the RADIUS server in the Access-Request message. The following options are available:
- IP Address
- System MAC Address
- AP MAC Address
- AP MAC Address:SSID
- AP Name:SSID
- AP Name
- AP Group
- Flex Group
- AP Location
- VLAN ID

Note: The AP Name:SSID, AP Name, AP Group, Flex Group, AP Location, and VLAN ID options are added in the 7.4 release.
Step 4
Enable RADIUS-to-controller key transport using AES key wrap protection by checking the Use AES Key Wrap check box. The default value is unchecked. This feature is required for FIPS customers.

Step 5
From the MAC Delimiter drop-down list, choose the option that is sent to the RADIUS server in the Access-Request message. The following options are available:
- Colon
- Hyphen
- Single-hyphen
- None
Step 6
Click Apply. Perform one of the following:
- To edit an existing RADIUS server, click the server index number for that server. The RADIUS Authentication (or Accounting) Servers > Edit page appears.
- To add a RADIUS server, click New. The RADIUS Authentication (or Accounting) Servers > New page appears.

Step 7
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured RADIUS servers providing the same service.
Step 8
If you are adding a new server, enter the IP address of the RADIUS server in the Server IP Address text box.

Note: Auto IPv6 is not supported on the RADIUS server. The RADIUS server must not be configured with an Auto IPv6 address. Use a fixed IPv6 address instead.

Step 9
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key to be used between the controller and the RADIUS server. The default value is ASCII.

Step 10
In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for authentication between the controller and the server.

Note: The shared secret key must be the same on both the server and the controller.
Step 11
If you are configuring a new RADIUS authentication server and want to enable AES key wrap, which makes the shared secret between the controller and the RADIUS server more secure, follow these steps:

Note: AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server.

a. Check the Key Wrap check box.
b. From the Key Wrap Format drop-down list, choose ASCII or HEX to specify the format of the AES key wrap keys: Key Encryption Key (KEK) and Message Authentication Code Key (MACK).
c. In the Key Encryption Key (KEK) text box, enter the 16-byte KEK.
d. In the Message Authentication Code Key (MACK) text box, enter the 20-byte MACK.
Step 12
If you are adding a new server, enter the RADIUS server's UDP port number for the interface protocols in the Port Number text box. The valid range is 1 to 65535, and the default value is 1812 for authentication and 1813 for accounting.

Step 13
From the Server Status text box, choose Enabled to enable this RADIUS server or choose Disabled to disable it. The default value is Enabled.

Step 14
If you are configuring a new RADIUS authentication server, choose Enabled from the Support for RFC 3576 drop-down list to enable RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session, or choose Disabled to disable this feature. The default value is Enabled. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
Step 15
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Note: We recommend that you increase the timeout value if you experience repeated reauthentication attempts or the controller falls back to the backup server when the primary server is active and reachable.
Step 16
Check the Network User check box to enable network user authentication (or accounting), or uncheck it to disable this feature. The default value is unchecked. If you enable this feature, this entry is considered the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users.

Step 17
If you are configuring a RADIUS authentication server, check the Management check box to enable management authentication, or uncheck the check box to disable this feature. The default value is checked. If you enable this feature, this entry is considered the RADIUS authentication server for management users, and authentication requests go to the RADIUS server.

Step 18
Enter the Management Retransmit Timeout value, which denotes the network login retransmission timeout for the server.

Step 19
Check the IPSec check box to enable the IP security mechanism, or uncheck the check box to disable this feature. The default value is unchecked.

Note: IPSec is not supported for IPv6. Use this only if you have used IPv4 for the Server IP Address.
Step 20
If you enabled IPsec in Step 19, follow these steps to configure additional IPsec parameters:

a. From the IPSec drop-down list, choose one of the following options as the authentication protocol to be used for IP security: HMAC MD5 or HMAC SHA1. The default value is HMAC SHA1.
   A message authentication code (MAC) is used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is based on cryptographic hash functions. It can be used in combination with any iterated cryptographic hash function. HMAC MD5 and HMAC SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.
b. From the IPSec Encryption drop-down list, choose one of the following options to specify the IP security encryption mechanism:
   - DES—Data Encryption Standard that is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
   - 3DES—Data Encryption Standard that applies three keys in succession. This is the default value.
   - AES CBC—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt data blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block Chaining (CBC) mode.
   - 256-AES—Advanced Encryption Standard that uses keys with a length of 256 bits.
c. From the IKE Phase 1 drop-down list, choose one of the following options to specify the Internet Key Exchange (IKE) protocol: Aggressive or Main. The default value is Aggressive.
   IKE Phase 1 is used to negotiate how IKE should be protected. Aggressive mode passes more information in fewer packets with the benefit of slightly faster connection establishment at the cost of transmitting the identities of the security gateways in the clear.
d. In the Lifetime text box, enter a value (in seconds) to specify the timeout interval for the session. The valid range is 1800 to 57600 seconds, and the default value is 1800 seconds.
e. From the IKE Diffie Hellman Group drop-down list, choose one of the following options to specify the IKE Diffie Hellman group: Group 1 (768 bits), Group 2 (1024 bits), or Group 5 (1536 bits). The default value is Group 1 (768 bits).
   Diffie-Hellman techniques are used by two devices to generate a symmetric key: they publicly exchange values and each derives the same symmetric key. Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.

Note: If the shared secret for IPSec is not configured, the default RADIUS shared secret is used. If the authentication method is PSK, WLANCC should be enabled to use the IPSec shared secret; the default value is used otherwise. You can view the status for the WLANCC and UCAPL prerequisite modes in Controller > Inventory.
Step 21
Click Apply.

Step 22
Click Save Configuration.

Step 23
Repeat the previous steps if you want to configure any additional services on the same server or any additional RADIUS servers.
Step 24
Specify the RADIUS server fallback behavior, as follows:

a. Choose Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters page.
b. From the Fallback Mode drop-down list, choose one of the following options:
   - Off—Disables RADIUS server fallback. This is the default value.
   - Passive—Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
   - Active—Causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.
c. If you enabled Active fallback mode in Step b, enter the name to be sent in the inactive server probes in the Username text box. You can enter up to 16 alphanumeric characters. The default value is "cisco-probe."
d. If you enabled Active fallback mode in Step b, enter the probe interval value (in seconds) in the Interval in Sec text box. The interval serves as inactive time in passive mode and probe interval in active mode. The valid range is 180 to 3600 seconds, and the default value is 300 seconds.
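The following is an added example, not code from this guide or the controller: a deliberately small model of the Off, Passive and Active fallback modes described in Step 24, written so the difference between them can be exercised against a constructed two-server setup. The class name, the method names and the exact state machine are this example's own simplification (in particular, treating Off as "a failed server is not returned to automatically"); the value ranges for the interval and user name come from the step.

```python
"""Added example: simplified model of RADIUS server fallback modes (Step 24)."""


class FallbackModel:
    """servers: {name: priority} where priority is the Server Index (Priority) of Step 7,
    lowest number tried first. Times are plain seconds supplied by the caller."""

    def __init__(self, servers, mode="Off", interval=300, username="cisco-probe"):
        if mode not in ("Off", "Passive", "Active"):
            raise ValueError(f"unknown fallback mode {mode!r}")
        if not 180 <= interval <= 3600:            # valid range from Step 24 d
            raise ValueError("interval must be 180..3600 seconds")
        if len(username) > 16:                     # limit from Step 24 c
            raise ValueError("probe username is limited to 16 characters")
        self.mode, self.interval, self.username = mode, interval, username
        self.order = sorted(servers, key=servers.get)
        self.inactive_since = {}                   # name -> time it was marked inactive
        self.last_probe = {}                       # name -> time of the last Active-mode probe
        self.probe_log = []                        # (time, server, username) for inspection

    def mark_inactive(self, name, now):
        """Called when a server exhausted its retransmissions without answering."""
        self.inactive_since.setdefault(name, now)

    def select(self, now):
        """Server a new RADIUS request goes to: highest priority server not inactive."""
        for name in self.order:
            down_at = self.inactive_since.get(name)
            if down_at is None:
                return name
            if self.mode == "Passive" and now - down_at >= self.interval:
                # Passive: after the inactive period the server gets a real request again
                del self.inactive_since[name]
                return name
            # Off: stays on the backup; Active: stays inactive until a probe succeeds
        return None

    def run_probes(self, now, reachable):
        """Active mode only: probe each inactive server once per interval and return the
        names that answered. `reachable` is the constructed set of servers that would reply."""
        if self.mode != "Active":
            return []
        recovered = []
        for name, down_at in list(self.inactive_since.items()):
            if now - self.last_probe.get(name, down_at) < self.interval:
                continue
            self.last_probe[name] = now
            self.probe_log.append((now, name, self.username))
            if name in reachable:
                del self.inactive_since[name]      # back online: normal requests resume
                del self.last_probe[name]
                recovered.append(name)
        return recovered


if __name__ == "__main__":
    model = FallbackModel({"primary": 1, "backup": 2}, mode="Active", interval=180)
    model.mark_inactive("primary", 0)
    print(model.select(10), model.run_probes(180, reachable={"primary"}), model.select(181))
```

In Passive mode the cost of an outage is paid by real user requests (one of them is sent to the recovered server after the interval), while Active mode spends one probe per interval per inactive server instead; the probe user name is what you will see in the RADIUS server's logs during recovery.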
Step 25
Specify the order of authentication when multiple databases are configured by choosing Security > Priority Order > Management User. The Priority Order > Management User page appears.

Step 26
In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to authenticate management users. Use the > and < buttons to move servers between the Not Used and Order Used for Authentication text boxes. After the desired servers appear in the Order Used for Authentication text box, use the Up and Down buttons to move the priority server to the top of the list.
By default, the local database is always queried first. If the username is not found, the controller switches to the RADIUS server if configured for RADIUS or to the TACACS+ server if configured for TACACS+. The default setting is local and then RADIUS.

Step 27
Click Apply.

Step 28
Click Save Configuration.