User Guide
Table Of Contents
- Cisco Wireless ISR and HWIC Access Point Configuration Guide
- Contents
- Preface
- Overview
- Configuring Radio Settings
- Enabling the Radio Interface
- Roles in Radio Network
- Configuring Network or Fallback Role
- Universal Client Mode
- Configuring Universal Client Mode
- Configuring Radio Data Rates
- Configuring Radio Transmit Power
- Configuring Radio Channel Settings
- Enabling and Disabling World Mode
- Enabling and Disabling Short Radio Preambles
- Configuring Transmit and Receive Antennas
- Disabling and Enabling Access Point Extensions
- Configuring the Ethernet Encapsulation Transformation Method
- Enabling and Disabling Reliable Multicast to Workgroup Bridges
- Enabling and Disabling Public Secure Packet Forwarding
- Configuring Beacon Period and DTIM
- Configuring RTS Threshold and Retries
- Configuring Maximum Data Retries
- Configuring Fragmentation Threshold
- Enabling Short Slot Time for 802.11g Radios
- Performing a Carrier Busy Test
- Configuring Multiple SSIDs
- Configuring an Access Point as a Local Authenticator
- Understand Local Authentication
- Configure a Local Authenticator
- Guidelines for Local Authenticators
- Configuration Overview
- Configuring the Local Authenticator Access Point
- Configuring Other Access Points to Use the Local Authenticator
- Configuring EAP-FAST Settings
- Limiting the Local Authenticator to One Authentication Type
- Unblocking Locked Usernames
- Viewing Local Authenticator Statistics
- Using Debug Messages
- Configuring Encryption Types
- Configuring Authentication Types
- Configuring RADIUS Servers
- Configuring and Enabling RADIUS
- Understanding RADIUS
- RADIUS Operation
- Configuring RADIUS
- Default RADIUS Configuration
- Identifying the RADIUS Server Host
- Configuring RADIUS Login Authentication
- Defining AAA Server Groups
- Configuring RADIUS Authorization for User Privileged Access and Network Services
- Starting RADIUS Accounting
- Selecting the CSID Format
- Configuring Settings for All RADIUS Servers
- Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
- Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication
- Configuring WISPr RADIUS Attributes
- Displaying the RADIUS Configuration
- RADIUS Attributes Sent by the Access Point
- Configuring and Enabling RADIUS
- Configuring VLANs
- Configuring QoS
- Channel Settings
- Protocol Filters
- Supported MIBs
- Error and Event Messages
- Glossary
- Index
4-2
Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
Chapter 4 Configuring an Access Point as a Local Authenticator
Understand Local Authentication
Understand Local Authentication
Many small wireless LANs that could be made more secure with 802.1x authentication do not have
access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely
on RADIUS servers housed in a distant location to authenticate client devices, and the authentication
traffic must cross a WAN link. If the WAN link fails, or if the access points cannot access the RADIUS
servers for any reason, client devices cannot access the wireless network even if the work they wish to
do is entirely local.
To provide local authentication service or backup authentication service in case of a WAN link or a
server failure, you can configure an access point to act as a local authentication server. The access point
can authenticate up to 50 wireless client devices using LEAP, EAP-FAST, or MAC-based authentication.
The access point performs up to 5 authentications per second.
You c on fi gu re t he l o cal a uth en ti ca to r a cc es s po in t m anu all y wi th c li en t u se rn am es a nd pa sswo rd s
because it does not synchronize its database with the main RADIUS servers. You can also specify a
VLAN and a list of SSIDs that a client is allowed to use.
Note If your wireless LAN contains only one access point, you can configure the access point as both
the 802.1x authenticator and the local authenticator. However, users associated to the local
authenticator access point might notice a drop in performance when the access point
authenticates client devices.
You c an c on fig u re y our ac ces s po in ts to u se t he l oca l authenticator when they cannot reach the main
servers, or you can configure your access points to use the local authenticator or as the main
authenticator if you do not have a RADIUS server. When you configure the local authenticator as a
backup to your main servers, the access points periodically check the link to the main servers and stop
using the local authenticator automatically when the link to the main servers is restored.
Caution The access point you use as an authenticator contains detailed authentication information for your
wireless LAN, so you should secure it physically to protect its configuration.
Configure a Local Authenticator
This section provides instructions for setting up an access point as a local authenticator and includes
these sections:
• Guidelines for Local Authenticators, page 4-3
• Configuration Overview, page 4-3
• Configuring the Local Authenticator Access Point, page 4-3
• Configuring Other Access Points to Use the Local Authenticator, page 4-8
• Configuring EAP-FAST Settings, page 4-9
• Unblocking Locked Usernames, page 4-11
• Viewing Local Authenticator Statistics, page 4-11
• Using Debug Messages, page 4-12