Authentication and Authorization Between Multiple RADIUS Servers

A RADIUS authentication and authorization role is a function within a RADIUS-based wireless controller configuration that:

  • allows authentication and authorization duties to be carried out by a single RADIUS server or split between different servers

  • enables the controller to relay authentication attributes to a separate authorization server, and

  • in a split configuration, requires both servers to return ACCESS-ACCEPT for a client session to be established.

By default, the Cisco Catalyst 9800 Series Wireless Controller uses a request-and-response transaction with a single RADIUS server that performs both authentication and authorization.

A RADIUS server can take the role of authentication server, authorization server, or both. When separate RADIUS servers handle authentication and authorization, the Session Aware Networking (SANet) component on the controller authenticates a joining client on one server and authorizes it on the other.

Authentication can be performed by Cisco ISE, Cisco Catalyst Center, FreeRADIUS, or any third-party RADIUS server. After the authentication server successfully authenticates a user, the controller relays the attributes received from the authentication server to a second RADIUS server designated as the authorization server.

The authorization server then does the following:

  • Processes the received attributes against the other policies or rules defined on the server.

  • Derives attributes as part of the authorization response and returns them to the controller.


Note

The Authentication/Authorization list created through Cisco Catalyst Center provisioning supports a maximum of 100 entries. Entries beyond 100 can be created, but they do not function.


Configuring 802.1X security for WLAN with split authentication and authorization servers

Configure explicit authentication and authorization server list (GUI)

Set up and customize authentication and authorization server lists to control network access and user verification methods using the GUI.
Designate specific authentication and authorization servers, such as RADIUS, TACACS+, or LDAP, to handle AAA (Authentication, Authorization, and Accounting) operations on your device.

Procedure


Step 1

Choose Configuration > Security > AAA. On the Authentication Authorization and Accounting page, click the Servers/Groups tab. Click the type of AAA server you want to configure from these options:

  • RADIUS
  • TACACS+
  • LDAP

In this procedure, the RADIUS server configuration is described.

Step 2

With the RADIUS option selected, click Add and enter a name for the RADIUS server and the IPv4 or IPv6 address of the server.

Step 3

Enter the key string, that is, the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server. You can choose to use either a PAC key or a non-PAC key.

Step 4

Enter the server timeout value; the valid range is 1 to 1000 seconds. Enter a retry count; the valid range is 0 to 100.

Step 5

Leave the Support for CoA field in Enabled state and click Save & Apply to Device.

Step 6

On the Authentication Authorization and Accounting page, with RADIUS option selected, click the Server Groups tab. In the Create AAA RADIUS Server Group window that is displayed, enter a name for the RADIUS server group.

Step 7

From the MAC-Delimiter drop-down list, select the delimiter to be used in the MAC addresses that are sent to the RADIUS servers. From the MAC Filtering drop-down list, select a value based on which to filter MAC addresses.

Step 8

To configure dead time for the server group and direct AAA traffic to alternative groups of servers that have different operational characteristics, in the Dead-Time field, enter the amount of time, in minutes, after which a server is assumed to be dead.

Step 9

Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list. Click Save & Apply to Device.


Configure explicit authentication server list (GUI)

Set up and manage RADIUS authentication servers and server groups to control authentication and accounting within your network environment using the GUI.
Use this task when you need to explicitly designate which RADIUS servers and groups are available for authentication in your AAA configuration, using the device's graphical interface.

Procedure


Step 1

Choose Configuration > Security > AAA > Servers/Groups.

Step 2

Choose RADIUS > Servers tab.

Step 3

Click Add to add a new server or click an existing server.

Step 4

Enter the Name, the Server Address, Key, Confirm Key, Auth Port and Acct Port. Check the PAC Key checkbox and enter the PAC key and Confirm PAC Key.

Step 5

Click Apply to Device.

Step 6

Choose RADIUS > Server Groups and click Add to add a new server group or click an existing server group.

Step 7

Enter the Name of the server group and choose the servers that you want to include in the server group, from the Available Servers list and move them to the Assigned Servers list.

Step 8

Click Apply to Device.


Configure explicit authentication server list (CLI)

Set up an authentication server list by explicitly defining RADIUS server parameters using commands.
Use this procedure on Cisco devices when you require explicit configuration of authentication server parameters for AAA.

Procedure


Step 1

Enable the privileged EXEC mode.

Example:

Device# enable

Enter your password if prompted.

Step 2

Enter the global configuration mode.

Example:

Device# configure terminal

Step 3

Specify the RADIUS server name.

Example:

Device(config)# radius server server-name

Step 4

Specify the RADIUS server parameters.

Example:

Device(config-radius-server)# address ipv4 192.0.2.56 auth-port 1812 acct-port 1813

Step 5

Specify the key string, that is, the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.

Example:

Device(config-radius-server)# pac key key

Step 6

Return to the configuration mode.

Example:

Device(config-radius-server)# exit

Step 7

Create a radius server-group identification.

Example:

Device(config)# aaa group server radius server-group

server-group refers to the server group name. The valid range is from 1 to 32 alphanumeric characters.

If the IP address of the RADIUS server is not added to the routes defined for the controller, the default route is used. We recommend that you define a specific route to source the traffic from the defined SVI in the AAA server group.

Step 8

Configure the server name.

Example:

Device(config-sg-radius)# server name server-name

Step 9

Return to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Example:

Device(config)# end

For more information, see Configuring AAA for External Authentication.


Configure explicit authorization server list (GUI)

Set up and organize RADIUS authorization servers and groups for secure network authentication and accounting using the GUI.
Configuring an explicit authorization server list ensures that devices can authenticate users and account activity through specified RADIUS servers. This centralized management helps enforce access policies and simplifies administration.

Procedure


Step 1

Choose Configuration > Security > AAA > Servers/Groups.

Step 2

Choose RADIUS > Servers tab.

Step 3

Click Add to add a new server or click an existing server.

Step 4

Enter the Name, the Server Address, Key, Confirm Key, Auth Port and Acct Port. Check the PAC Key checkbox and enter the PAC key and Confirm PAC Key.

Step 5

Click Apply to Device.

Step 6

Choose RADIUS > Server Groups and click Add to add a new server group or click an existing server group.

Step 7

Enter the Name of the server group and choose the servers that you want to include in the server group, from the Available Servers list and move them to the Assigned Servers list.

Step 8

Click Apply to Device.


Configure explicit authorization server list (CLI)

You must direct AAA validation access requests to a specific server. Otherwise, the wireless controller selects any available AAA server from the configured pool to validate access requests. Because the controller cannot target a specific server for validation, you may face inefficiencies and potential security vulnerabilities.

To address this, an authorization method list is created to allow administrators to explicitly direct the controller to use a specific AAA server or the local database for validation. This configuration ensures a streamlined and secure validation process by eliminating randomness in server selection.

Benefits of this approach are:

  • Improved Control: You can explicitly define which AAA server handles validation requests and ensure precise control over server selection.

  • Flexibility: You can configure either an external AAA server or a local database based on the network's requirements.

  • Enhanced Security: By specifying the AAA server, you can ensure that only trusted servers are used for validation, reducing the risk of unauthorized access.

Follow these steps to configure an explicit authorization server list using commands:

Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device# enable

Enter your password if prompted.

Step 2

Enter the global configuration mode.

Example:

Device# configure terminal

Step 3

Set up the security framework by enabling AAA features for authentication, authorization, and accounting.

Example:

Device(config)# aaa new-model

Step 4

Configure a RADIUS server to enable centralized authentication, authorization, and accounting for secure and scalable network access control.

  1. Specify the RADIUS server name.

  2. Specify the RADIUS server parameters.

  3. Specify the key string, that is, the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.

Example:

Device(config)# radius server server-name
Device(config-radius-server)# address ipv4 address auth-port auth_port_number acct-port acct_port_number
Device(config-radius-server)# pac key key
Device(config-radius-server)# exit

Step 5

Configure the RADIUS group.

  1. Create a radius server-group identification.

    Note

    server-group refers to the server group name. The valid range is from 1 to 32 alphanumeric characters.

Example:

Device(config)# aaa group server radius server-group
Device(config-sg-radius)# server name server-name
Device(config-sg-radius)# exit

Step 6

Define a network-level authorization policy for access control using the previously specified server group.

Example:

Device(config)# aaa authorization network rogued group group-name

Step 7

Create an attribute list to apply custom authentication or authorization attributes.

  1. Create an attribute list to specify policies for rogue AP detection and control and enter the attribute list configuration mode.

  2. Identify the device with a specific rogue state for network policies.

  3. Identify the device with a specific rogue class for network policies.

Example:

Device(config)# aaa attribute list aaa-attribute-list-name
Device(config-attr-list)# attribute type rogue-ap-state {alert | contain | threat}
Device(config-attr-list)# attribute type rogue-ap-class {unclassified | malicious | friendly}
Device(config-attr-list)# exit

Step 8

Define a client with a specific MAC address as a username and associate it with the previously defined AAA attribute list. This allows for controlled access or applies policy decisions for that specific client.

Important

For rogue validation, the username must be a MAC address in colon-separated format, as in the example that follows.

Example:

This example defines a client with the MAC address 00:00:00:00:00:00 as a username and associates it with the AAA attribute list created in the previous step, so that the AAA (authentication, authorization, and accounting) attributes in that list are applied to this client, typically to control its access or to apply policy decisions for it.

Device(config)# username 00:00:00:00:00:00 mac aaa attribute list aaa-attribute-list-name

Step 9

Display the AAA running configuration for review.

Example:

Device(config)# show running-config | include aaa

Setting up these configurations ensures that only authorized clients can access the network, and that any suspicious activity is flagged and handled appropriately.

Configure authentication and authorization list for 802.1X security (GUI)

Set up 802.1X security by specifying authentication and authorization lists through the GUI.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID, and the WLAN ID.

Step 4

In the Security > AAA tab, select an authentication list from the Authentication List drop-down list.

Step 5

Click Apply to Device.


Configure authentication and authorization list for 802.1X security (CLI)

Configure 802.1X authentication and authorization on a WLAN using commands.
Use this procedure when you need to enforce 802.1X security for a specific wireless network on your device.

Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device# enable

Enter your password if prompted.

Step 2

Enter the global configuration mode.

Example:

Device# configure terminal

Step 3

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-name wlan-id ssid-name

  • wlan-name: the name of the configured WLAN.

  • wlan-id: the wireless LAN identifier. The valid range is from 1 to 512.

  • ssid-name: the SSID name, which can contain 32 alphanumeric characters.

Note

If you have already configured this command, enter the wlan wlan-name command.

Step 4

Enable authentication list for 802.1x security.

Example:

Device(config-wlan)# security dot1x authentication-list authenticate-list-name

Step 5

Specify authorization list for 802.1x security.

Example:

Device(config-wlan)# security dot1x authorization-list authorize-list-name

For more information on the Cisco Catalyst Center, see the Cisco Catalyst Center documentation.

Step 6

Return to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Example:

Device(config-wlan)# end

Configure web authentication for WLAN with split authentication and authorization servers

Configure authentication and authorization list for web authentication (GUI)

Configure authentication and authorization lists to secure web authentication on WLANs using the GUI.
This task ensures only authorized users can access the WLAN, and that access policies are applied during web authentication by assigning the correct authentication and authorization lists.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID, and the WLAN ID.

Step 4

In the Security > Layer2 tab, uncheck the WPAPolicy, AES and 802.1x check boxes.

Step 5

Check the MAC Filtering check box to enable the feature. With MAC Filtering enabled, select the authorization list from the Authorization List drop-down list.

Step 6

In the Security > AAA tab, select the authentication list from the Authentication List drop-down list.

Step 7

Click Apply to Device.


Configure authentication and authorization list for web authentication (CLI)

Enable web-based authentication and authorization for users connecting to a specified WLAN using commands.
Web authentication allows users to be authenticated through a web browser before gaining access to network resources.

Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device# enable

Enter your password if prompted.

Step 2

Enter the global configuration mode.

Example:

Device# configure terminal

Step 3

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-name wlan-id ssid-name

  • wlan-name: the name of the configured WLAN.

  • wlan-id: the wireless LAN identifier.

  • ssid-name: the SSID name, which can contain 32 alphanumeric characters.

Note

If you have already configured this command, enter the wlan wlan-name command.

Step 4

Disable WPA security.

Example:

Device(config-wlan)# no security wpa

Step 5

Disable security AKM for 802.1x.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 6

Disable WPA2 security.

Example:

Device(config-wlan)# no security wpa wpa2

Step 7

Enable the authentication list or the authorization list for web authentication.

Example:

Device(config-wlan)# security web-auth { authentication-list authenticate-list-name | authorization-list authorize-list-name }

Note

If the WPA security, AKM for 802.1x, and WPA2 security settings are not disabled, the system displays this error:

% switch-1:dbm:wireless:web-auth cannot be enabled. Invalid WPA/WPA2 settings.

Step 8

Return to the privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Example:

Device(config-wlan)# end

Verify split authentication and authorization configuration

To view the WLAN details, use this command:

Device# show run wlan

wlan wlan-foo 2 foo-ssid
security dot1x authentication-list authc-server-group
security dot1x authorization-list authz-server-group
wlan wlan-bar 3 bar-ssid
security web-auth authentication-list authc-server-group
security web-auth authorization-list authz-server-group

To view the AAA authentication and server details, use this command:

Device# show run aaa

!
aaa authentication dot1x default group radius
username cisco privilege 15 password 0 cisco
!
!
radius server free-radius-authc-server
 address ipv4 9.2.62.56 auth-port 1812 acct-port 1813
 key cisco
!
radius server cisco-catalyst-center-authz-server
 address ipv4 9.4.62.32 auth-port 1812 acct-port 1813
 pac key cisco
!
!
aaa new-model
aaa session-id common
!

To view the authentication and authorization list for 802.1X security, use this command:

Device# show wlan name wlan-foo | sec 802.1x

802.1x authentication list name                : authc-server-group
802.1x authorization list name                 : authz-server-group
            802.1x                             : Enabled

To view the authentication and authorization list for web authentication, use this command:

Device# show wlan name wlan-bar | sec Webauth

Webauth On-mac-filter Failure              : Disabled
Webauth Authentication List Name           : authc-server-group
Webauth Authorization List Name            : authz-server-group
Webauth Parameter Map                      : Disabled

Configuration examples

Configure Cisco Catalyst 9800 Series Wireless Controller for authentication with a third-party RADIUS server: example

This example shows how to configure Cisco Catalyst 9800 Series Wireless Controller for authentication with a third-party RADIUS server:

Device(config)# radius server free-radius-authc-server
Device(config-radius-server)# address ipv4 9.2.62.56 auth-port 1812 acct-port 1813
Device(config-radius-server)# key cisco
Device(config-radius-server)# exit
Device(config)# aaa group server radius authc-server-group
Device(config-sg-radius)# server name free-radius-authc-server
Device(config)# end

Configure Cisco Catalyst 9800 Series Wireless Controller for authorization with Cisco ISE or Cisco Catalyst Center: example

This example shows how to configure Cisco Catalyst 9800 Series Wireless Controller for authorization with Cisco ISE or Cisco Catalyst Center:

Device(config)# radius server cisco-catalyst-center-authz-server
Device(config-radius-server)# address ipv4 9.4.62.32 auth-port 1812 acct-port 1813
Device(config-radius-server)# pac key cisco
Device(config-radius-server)# exit
Device(config)# aaa group server radius authz-server-group
Device(config-sg-radius)# server name cisco-catalyst-center-authz-server
Device(config)# end