Local authentication using Lightweight Directory Access Protocol (LDAP) allows an endpoint to be authenticated using 802.1X, MAC authentication bypass (MAB), or web authentication with LDAP as a backend. Local authentication in Identity-Based Networking Services also supports associating an authentication, authorization, and accounting (AAA) attribute list with the local username. This module provides information about configuring local authentication for Identity-Based Networking Services.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Local Authentication Using LDAP
Local Authentication Using LDAP
Local authentication using LDAP allows an endpoint to be authenticated using 802.1X, MAB, or web authentication with LDAP as a backend.
Local authentication also supports additional AAA attributes by associating an attribute list with a local username for wireless sessions.
AES Key Wrap
The Advanced Encryption Standard (AES) key wrap feature makes the shared secret between the controller and the RADIUS server more secure. AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server.
How to Configure Local Authentication Using LDAP
Configuring Local Authentication Using LDAP
Perform this task to specify the AAA method list for local authentication and to associate an attribute list with a local username.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa local authentication {method-list-name | default} authorization {method-list-name | default}
Device(config)# username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
Allows a MAC address to be used as the username for MAC filtering done locally.
Step 8
exit
Example:
Device(config)# exit
Exits global configuration mode and returns to privileged EXEC mode.
Enabling AES Key Wrap
Advanced Encryption Standard (AES) key wrap makes the shared secret between the controller and the RADIUS server more secure. AES key wrap requires a key-wrap compliant RADIUS authentication server.
The following example shows a configuration for MAC filtering:
username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
!
aaa group server radius RAD_GROUP1
 subscriber mac-filtering security-mode mac
 mac-delimiter hyphen
Example: Configuring AES Key Wrap
The following example shows a configuration with key wrap enabled for a RADIUS server:
aaa group server radius RAD_GROUP1
 server 10.10.1.2
 key-wrap enable
!
radius-server host 10.10.1.2
!
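As an added check that is not part of this Cisco guide, the following Python script audits a saved IOS-style configuration for the two points the examples above illustrate: every RADIUS server group should carry key-wrap enable, and when mac-delimiter hyphen is set every MAC username should be in hyphen-delimited form. The configuration text embedded in the script is constructed for the example; the function names are the author's own.

```python
import re

# Constructed sample config (not from the page): one RADIUS group with key
# wrap enabled, one without, and two MAC-address usernames in different forms.
SAMPLE_CONFIG = """\
username 00-22-AB-EC-23-3C mac aaa attribute list AAA_list1
username 0022.abec.233d mac aaa attribute list AAA_list1
aaa group server radius RAD_GROUP1
 server 10.10.1.2
 key-wrap enable
aaa group server radius RAD_GROUP2
 server 10.10.1.3
subscriber mac-filtering security-mode mac
mac-delimiter hyphen
"""

# Username shape implied by "mac-delimiter hyphen": six hex octets joined by "-".
HYPHEN_MAC = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def parse_blocks(config):
    """Group an IOS-style config into top-level commands with their indented children."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and blocks:      # indented line belongs to previous command
            blocks[-1]["children"].append(line)
        else:
            blocks.append({"cmd": line, "children": []})
    return blocks


def audit_config(config):
    """Return findings for RADIUS groups lacking 'key-wrap enable' and, when
    'mac-delimiter hyphen' is set, MAC usernames not in hyphen form."""
    delim = re.search(r"^mac-delimiter (\S+)$", config, re.M)
    check_hyphen = bool(delim and delim.group(1) == "hyphen")
    findings = []
    for b in parse_blocks(config):
        grp = re.match(r"aaa group server radius (\S+)$", b["cmd"])
        if grp and "key-wrap enable" not in b["children"]:
            findings.append(f"RADIUS group {grp.group(1)}: key-wrap not enabled")
        user = re.match(r"username (\S+) mac aaa attribute list \S+$", b["cmd"])
        if user and check_hyphen and not HYPHEN_MAC.match(user.group(1)):
            findings.append(f"username {user.group(1)}: not a hyphen-delimited MAC")
    return findings
```

Running audit_config(SAMPLE_CONFIG) reports the dotted-format username and RAD_GROUP2, which lacks key wrap; feed it the output of show running-config to check a live device's configuration.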
Authentication, authorization, and accounting (AAA) configuration tasks | Authentication Authorization and Accounting Configuration Guide
AAA commands | Cisco IOS Security Command Reference

Standards and RFCs
Standard/RFC | Title
RFC 5176 | Dynamic Authorization Extensions to RADIUS

Technical Assistance
Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for Local Authentication Using LDAP
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Local Authentication Using LDAP
Feature Name | Releases | Feature Information
Local Authentication Using LDAP | Cisco IOS XE Release 3.2SE | Introduces support for local authentication using Lightweight Directory Access Protocol (LDAP). The following commands were introduced or modified: aaa local authentication, key-wrap enable, mac-delimiter, radius-server host, subscriber mac-filtering security-mode, username.