Wireless AAA Authentication Survivability Cache

Feature history for wireless AAA authentication survivability cache

This table provides release and related information about the feature explained in this section.

This feature is also available in all releases subsequent to the one in which it was introduced, unless noted otherwise.

Table 1. Feature history for wireless AAA authentication survivability cache

Release: Cisco IOS XE 17.18.1

Feature Information: The Wireless AAA authentication survivability cache feature enhances the reliability of wireless client authentication by storing successful authentication results locally on the controller.

  The cache can be used:

  • When the controller loses connectivity with the AAA server, which may disconnect authenticated clients.

  • As the primary source of authentication, with fallback to AAA, to avoid slow authentication caused by WAN latency.

  This feature is supported in both local mode and FlexConnect central authentication mode.

Wireless AAA authentication survivability cache

The Wireless AAA authentication survivability cache feature enhances the reliability of wireless client authentication by storing successful authentication results locally on the controller. This cache includes details such as the client's MAC address, user name, hashed password, and Attribute-Value Pairs (AVPs) received from the RADIUS server.

Wireless AAA authentication survivability cache is a mechanism implemented in the controller that:

  • provides a fallback method for AAA authentication servers in wireless systems,

  • implements an authentication and policy caching mechanism, and

  • leverages the caching capability of the AAA module of the System Management Daemon (SMD) in the WNCD.

This feature is supported in both local mode and FlexConnect central authentication mode.

Wireless AAA authentication survivability cache as failover mechanism

If the AAA server becomes unreachable, for example, due to a network outage or server failure, the controller uses the cached credentials to authenticate clients. This ensures that the previously authenticated clients are allowed network access, even if the primary authentication source is unavailable.

Use case for wireless AAA authentication survivability cache

Some use cases for the wireless AAA authentication survivability cache feature are:

  • The cache can be used when the controller loses connectivity with the AAA server, which may disconnect authenticated clients.

  • The cache can be used as the primary source of authentication, with fallback to AAA, to avoid slow authentication caused by WAN latency.

Benefits of using AAA cache for failover

The benefits of using AAA cache for failover are:

  • Seamless client access: If the AAA server fails, previously authenticated clients can still access the network without delays or disruptions.

  • Reduced dependency on AAA server availability: This mechanism reduces the dependency on the availability of the AAA server for re-authentication, providing business continuity even if there is an issue with the server.

  • Improved user experience: Clients do not experience interruptions when reconnecting, as the controller uses the cached authentication information to grant them access immediately.

  • Load reduction on AAA server: During network failures or outages, the controller does not need to query the AAA server repeatedly for authentication. This helps reduce the load on the AAA server.

  • Failover for high availability: If the primary AAA server temporarily fails, such as during maintenance, the AAA cache maintains client access automatically.

Configure wireless AAA authentication survivability cache

Before you begin

Ensure that the following prerequisites are met:

  • An SSID is already configured.

  • A RADIUS server, such as Cisco ISE, is available, with its authentication and authorization policies and profiles already created.

Configure a cache profile and apply the cache profile to the AAA server group used for authentication and authorization.

Procedure


Step 1

Enter configuration mode.

Example:

Device# configure terminal

Step 2

Configure a profile for the local RADIUS server.

Example:

Device(config)# aaa server radius dynamic-author

This command creates the profile for the local RADIUS server and enters local server dynamic author RADIUS configuration mode (config-locsvr-da-radius).

Step 3

Configure a RADIUS client.

Example:

Device(config-locsvr-da-radius)# client {A.B.C.D | X:X:X:X::X} server-key {{0 | 6 | 7} server-key | server-key2}

This command specifies the IPv4 or the IPv6 address of the RADIUS client and the RADIUS client server key.

Step 4

Specify the server authorization type.

Example:

Device(config-locsvr-da-radius)# auth-type {all | any | sessionkey}

Step 5

Exit the local server dynamic author configuration mode.

Example:

Device(config-locsvr-da-radius)# exit

AAA dead-server detection

AAA dead-server detection allows you to configure the criteria used to mark a RADIUS server as dead. If you have more than one RADIUS server, the following concepts come into play:

  • Deadtime: Defines the time in minutes that a server marked as DEAD is held in that state. When the deadtime expires, the controller marks the server as UP (ALIVE) and notifies the registered clients about the state change. If the server is still unreachable after it is marked as UP and the dead criteria are met again, the server is marked as DEAD again for the deadtime interval.

    For example: Device(config)# radius-server deadtime 5

    Note

    You can configure deadtime for each server group or at the global level.

  • Dead-criteria: To declare a server as DEAD, you configure dead-criteria, that is, the conditions that determine when a RADIUS server is considered unavailable or dead.

    For example: Device(config)# radius-server dead-criteria time 5 tries 5

Using AAA dead-server detection will result in less deadtime and quicker packet processing.

For more information, see the chapter AAA Dead-Server Detection.

RADIUS configuration for MSCHAPv2

Configure AV-pair attribute on RADIUS

On the ISE server, associate the following Cisco AV-pairs with the authorization profile that is assigned to the client:

  • cisco-av-pair = AS-Username=Cisco

  • cisco-av-pair = AS-Credential-Hash=F2E787D376CBF6D6DD3600132E9C215D

Note

The AV-pair attributes must be configured on the RADIUS server for every user.

The password carried in AS-Credential-Hash should be in NT-hash format (https://codebeautify.org/ntlm-hash-generator).

Configure EAP-TLS on ISE

  1. Generate a CSR and import the certificate into the controller (a PKCS #12 or .pkg bundle is convenient because it imports as a single file).

  2. Configure a PKI trustpoint in the EAP profile as described in .

Verify wireless AAA authentication survivability cache

Verify configured cache entries

To verify the configured cache entries, run the show aaa cache group command.

Note

This command is extended to show cache entries for the Wireless Network Controller Daemon (WNCD) process.

Device# show aaa cache group aaa-cache-grp all
----------------------------------------------------------
IOSD AAA Auth Cache entries:
Entries in Profile dB aaa-cache-grp for exact match:
No entries found in Profile dB
----------------------------------------------------------
SMD AAA Auth Cache entries:
Total number of Cache entries is 0
WNCD AAA Auth Cache entries:
MAC ADDR: 0000.AAAA.BBBB
Profile Name: NEWCACHE
User Name: user1
Timeout: 3600
Created Timestamp: 03/12/25 17:11:23 UTC
Server IP Address: 1.1.1.1
MAC ADDR: AAAA.BBBB.CCCC
Profile Name: NEWCACHE
User Name: user2
Timeout: 3600
Created Timestamp: 03/12/25 17:04:59 UTC
Server IP Address: 1.1.1.1
Total number of Cache entries is 2
----------------------------------------------------------
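When the cache is relied on as a failover path, the entries above are worth checking periodically rather than only once: each WNCD entry carries a Timeout in seconds and a Created Timestamp, so an entry whose age exceeds its Timeout will no longer cover the client if the AAA server is unreachable. The following Python is an added example, not part of the Cisco documentation or of any Cisco tool, that parses the WNCD section of the show output exactly as printed above and reports which cached identities are still valid at a given point in time. It assumes the Created Timestamp is month/day/two-digit-year in UTC, as the sample suggests; the "current time" used in the usage call is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Output of "show aaa cache group aaa-cache-grp all" as printed in the documentation above.
SAMPLE_OUTPUT = """\
----------------------------------------------------------
IOSD AAA Auth Cache entries:
Entries in Profile dB aaa-cache-grp for exact match:
No entries found in Profile dB
----------------------------------------------------------
SMD AAA Auth Cache entries:
Total number of Cache entries is 0
WNCD AAA Auth Cache entries:
MAC ADDR: 0000.AAAA.BBBB
Profile Name: NEWCACHE
User Name: user1
Timeout: 3600
Created Timestamp: 03/12/25 17:11:23 UTC
Server IP Address: 1.1.1.1
MAC ADDR: AAAA.BBBB.CCCC
Profile Name: NEWCACHE
User Name: user2
Timeout: 3600
Created Timestamp: 03/12/25 17:04:59 UTC
Server IP Address: 1.1.1.1
Total number of Cache entries is 2
----------------------------------------------------------
"""

# Constructed "current time" for the usage call and the checks below.
SAMPLE_NOW = datetime(2025, 3, 12, 18, 10, 0, tzinfo=timezone.utc)

# Field labels as printed in the WNCD section; a "MAC ADDR:" line starts a new entry.
_FIELDS = {
    "MAC ADDR": "mac",
    "Profile Name": "profile",
    "User Name": "user",
    "Timeout": "timeout",
    "Created Timestamp": "created",
    "Server IP Address": "server",
}
# Assumption: timestamps are month/day/two-digit-year in UTC, e.g. "03/12/25 17:11:23 UTC".
_TS_FORMAT = "%m/%d/%y %H:%M:%S"


def parse_wncd_cache(text: str) -> list:
    """Return the WNCD cache entries as dicts; the IOSD and SMD sections are skipped."""
    entries = []
    in_wncd = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "WNCD AAA Auth Cache entries:":
            in_wncd = True
            continue
        if not in_wncd:
            continue
        m = re.match(r"Total number of Cache entries is (\d+)$", line)
        if m:
            # The controller's own count catches truncated or mis-parsed output.
            if int(m.group(1)) != len(entries):
                raise ValueError(f"controller reports {m.group(1)} entries, parsed {len(entries)}")
            break
        label, sep, value = line.partition(": ")
        if not sep or label not in _FIELDS:
            continue
        key = _FIELDS[label]
        if key == "mac":
            entries.append({})
        if key == "timeout":
            value = int(value)
        elif key == "created":
            value = datetime.strptime(value.removesuffix(" UTC"), _TS_FORMAT).replace(tzinfo=timezone.utc)
        entries[-1][key] = value
    return entries


def cache_report(text: str, now: datetime) -> list:
    """One (mac, user, expiry ISO timestamp, 'valid'|'expired') tuple per WNCD entry at time 'now'."""
    rows = []
    for e in parse_wncd_cache(text):
        expires = e["created"] + timedelta(seconds=e["timeout"])
        rows.append((e["mac"], e["user"], expires.isoformat(), "expired" if expires <= now else "valid"))
    return rows


if __name__ == "__main__":
    for mac, user, expires, state in cache_report(SAMPLE_OUTPUT, SAMPLE_NOW):
        print(f"{mac}  {user:<8} expires {expires}  [{state}]")
```

Feeding the live output of the show command into cache_report from a monitoring job gives an early warning that a client's fallback credential is about to lapse, which matters most when the AAA server is already marked DEAD and no refresh of the entry can happen.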