||Choose . |
||Perform one of the following:
If you want to configure a RADIUS server for authentication, choose Authentication.
If you want to configure a RADIUS server for accounting, choose Accounting.
The RADIUS Authentication (or Accounting) Servers page appears.
The pages used to configure authentication and accounting contain mostly the same text boxes. Therefore, these instructions walk through the configuration only once, using the Authentication pages as examples. You would follow the same steps to configure multiple services and/or multiple servers.
This page lists any RADIUS servers that have already been configured.
If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that server and choose Remove.
If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down arrow for that server and choose Ping.
||From the Call Station ID Type drop-down list, choose the option that is sent to the RADIUS server in the Access-Request message. The following options are available: |
- IP Address
- System MAC Address
- AP MAC Address
- AP MAC Address:SSID
- AP Name:SSID
- AP Name
- AP Group
- Flex Group
- AP Location
- VLAN ID
The AP Name:SSID, AP Name, AP Group, Flex Group, AP Location, and VLAN ID options are added in the 7.4 release.
||Enable RADIUS-to-controller key transport using AES key wrap protection by checking the Use AES Key Wrap check box. The default value is unchecked. This feature is required for FIPS customers. |
||From the MAC Delimiter drop-down list, choose the option that is sent to the RADIUS server in the Access-Request message. The following options are available: |
||Click Apply. Perform one of the following:
To edit an existing RADIUS server, click the server index number for that server. The RADIUS Authentication (or Accounting) Servers > Edit page appears.
To add a RADIUS server, click New. The RADIUS Authentication (or Accounting) Servers > New page appears.
||If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured RADIUS servers providing the same service. |
||If you are adding a new server, enter the IP address of the RADIUS server in the Server IP Address text box.
||Auto IPv6 is not supported on RADIUS server. The RADIUS server must not be configured with Auto IPv6 address. Use fixed IPv6 address instead. |
||From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key to be used between the controller and the RADIUS server. The default value is ASCII. |
||In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for authentication between the controller and the server.
||The shared secret key must be the same on both the server and the controller. |
||If you are configuring a new RADIUS authentication server and want to enable AES key wrap, which makes the shared secret between the controller and the RADIUS server more secure, follow these steps:
||AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server. |
- Check the Key Wrap check box.
- From the Key Wrap Format drop-down list, choose ASCII or HEX to specify the format of the AES key wrap keys: Key Encryption Key (KEK) and Message Authentication Code Key (MACK).
- In the Key Encryption Key (KEK) text box, enter the 16-byte KEK.
- In the Message Authentication Code Key (MACK) text box, enter the 20-byte KEK.
||If you are adding a new server, enter the RADIUS server’s UDP port number for the interface protocols in the Port Number text box. The valid range is 1 to 65535, and the default value is 1812 for authentication and 1813 for accounting. |
||From the Server Status text box, choose Enabled to enable this RADIUS server or choose Disabled to disable it. The default value is enabled. |
||If you are configuring a new RADIUS authentication server, from the Support for RFC 3576 drop-down list, choose Enabled to enable change of authorization, which is an extension to the RADIUS protocol that allows dynamic changes to a user session, or choose Disabled to disable this feature. By default, this is set to Disabled state. Support for RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change of authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately where CoA messages modify session authorization attributes such as data filters. |
||In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Check the Key Wrap check box.
|| We recommend that you increase the timeout value if you experience repeated reauthentication attempts or the controller falls back to the backup server when the primary server is active and reachable. |
||Check the Network User check box to enable network user authentication (or accounting), or uncheck it to disable this feature. The default value is unchecked. If you enable this feature, this entry is considered the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users. |
||If you are configuring a RADIUS authentication server, check the Management check box to enable management authentication, or uncheck the check box to disable this feature. The default value is checked. If you enable this feature, this entry is considered the RADIUS authentication server for management users, and authentication requests go to the RADIUS server. |
||Enter the Management Retransmit Timeout value, which denotes the network login retransmission timeout for the server. |
||Check the IPSec check box to enable the IP security mechanism, or uncheck the check box to disable this feature. The default value is unchecked.
IPSec is not supported for IPv6. Use this only if you have used IPv4 for Server IP Address.
||If you enabled IPsec in Step 17, follow these steps to configure additional IPsec parameters: |
- From the IPSec drop-down list, choose one of the following options as the authentication protocol to be used for IP security: HMAC MD5 or HMAC SHA1. The default value is HMAC SHA1.
A message authentication code (MAC) is used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is based on cryptographic hash functions. It can be used in combination with any iterated cryptographic hash function. HMAC MD5 and HMAC SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.
- From the IPSec Encryption drop-down list, choose one of the following options to specify the IP security encryption mechanism:
DES—Data Encryption Standard that is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
3DES—Data Encryption Standard that applies three keys in succession. This is the default value.
AES CBC—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt data blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block Chaining (CBC) mode.
256-AES—Advanced Encryption Standard that uses keys with a length of 256 bits.
- From the IKE Phase 1 drop-down list, choose one of the following options to specify the Internet Key Exchange (IKE) protocol: Aggressive or Main. The default value is Aggressive.
IKE Phase 1 is used to negotiate how IKE should be protected. Aggressive mode passes more information in fewer packets with the benefit of slightly faster connection establishment at the cost of transmitting the identities of the security gateways in the clear.
- In the Lifetime text box, enter a value (in seconds) to specify the timeout interval for the session. The valid range is 1800 to 57600 seconds, and the default value is 1800 seconds.
- From the IKE Diffie Hellman Group drop-down list, choose one of the following options to specify the IKE Diffie Hellman group: Group 1 (768 bits), Group 2 (1024 bits), or Group 5 (1536 bits). The default value is Group 1 (768 bits).
Diffie-Hellman techniques are used by two devices to generate a symmetric key through which they can publicly exchange values and generate the same symmetric key. Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.
||If the shared secret for IPSec is not configured, the default radius shared secret is used. If the authentication method is PSK, WLANCC should be enabled to use the IPSec shared secret, default value is used otherwise. You can view the status for the WLANCC and UCAPL prerequisite modes in Controller > Inventory. |
||Click Apply. |
||Click Save Configuration. |
||Repeat the previous steps if you want to configure any additional services on the same server or any additional RADIUS servers. |
||Specify the RADIUS server fallback behavior, as follows: |
- Choose Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters to open the fallback parameters page.
- From the Fallback Mode drop-down list, choose one of the following options:
Off—Disables RADIUS server fallback. This is the default value.
Passive—Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
Active—Causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.
- If you enabled Active fallback mode in Step b, enter the name to be sent in the inactive server probes in the Username text box. You can enter up to 16 alphanumeric characters. The default value is “cisco-probe.”
- If you enabled Active fallback mode in Step b, enter the probe interval value (in seconds) in the Interval in Sec text box. The interval serves as inactive time in passive mode and probe interval in active mode. The valid range is 180 to 3600 seconds, and the default value is 300 seconds.
||Specify the order of authentication when multiple databases are configured by choosing Security > Priority Order > Management User. The Priority Order > Management User page appears. |
||In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to authenticate management users. Use the > and < buttons to move servers between the Not Used and Order Used for Authentication text boxes. After the desired servers appear in the Order Used for Authentication text box, use the Up and Down buttons to move the priority server to the top of the list.
By default, the local database is always queried first. If the username is not found, the controller switches to the RADIUS server if configured for RADIUS or to the TACACS+ server if configured for TACACS+. The default setting is local and then RADIUS.
||Click Apply. |
||Click Save Configuration. |