User Guide
Table Of Contents
- Cisco Wireless ISR and HWIC Access Point Configuration Guide
- Contents
- Preface
- Overview
- Configuring Radio Settings
- Enabling the Radio Interface
- Roles in Radio Network
- Configuring Network or Fallback Role
- Universal Client Mode
- Configuring Universal Client Mode
- Configuring Radio Data Rates
- Configuring Radio Transmit Power
- Configuring Radio Channel Settings
- Enabling and Disabling World Mode
- Enabling and Disabling Short Radio Preambles
- Configuring Transmit and Receive Antennas
- Disabling and Enabling Access Point Extensions
- Configuring the Ethernet Encapsulation Transformation Method
- Enabling and Disabling Reliable Multicast to Workgroup Bridges
- Enabling and Disabling Public Secure Packet Forwarding
- Configuring Beacon Period and DTIM
- Configuring RTS Threshold and Retries
- Configuring Maximum Data Retries
- Configuring Fragmentation Threshold
- Enabling Short Slot Time for 802.11g Radios
- Performing a Carrier Busy Test
- Configuring Multiple SSIDs
- Configuring an Access Point as a Local Authenticator
- Understand Local Authentication
- Configure a Local Authenticator
- Guidelines for Local Authenticators
- Configuration Overview
- Configuring the Local Authenticator Access Point
- Configuring Other Access Points to Use the Local Authenticator
- Configuring EAP-FAST Settings
- Limiting the Local Authenticator to One Authentication Type
- Unblocking Locked Usernames
- Viewing Local Authenticator Statistics
- Using Debug Messages
- Configuring Encryption Types
- Configuring Authentication Types
- Configuring RADIUS Servers
- Configuring and Enabling RADIUS
- Understanding RADIUS
- RADIUS Operation
- Configuring RADIUS
- Default RADIUS Configuration
- Identifying the RADIUS Server Host
- Configuring RADIUS Login Authentication
- Defining AAA Server Groups
- Configuring RADIUS Authorization for User Privileged Access and Network Services
- Starting RADIUS Accounting
- Selecting the CSID Format
- Configuring Settings for All RADIUS Servers
- Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
- Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication
- Configuring WISPr RADIUS Attributes
- Displaying the RADIUS Configuration
- RADIUS Attributes Sent by the Access Point
- Configuring and Enabling RADIUS
- Configuring VLANs
- Configuring QoS
- Channel Settings
- Protocol Filters
- Supported MIBs
- Error and Event Messages
- Glossary
- Index
4-5
Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
Chapter 4 Configuring an Access Point as a Local Authenticator
Configure a Local Authenticator
This example shows how to set up a local authenticator used by three access points with three user groups
and several users:
router# configure terminal
router(config)# radius-server local
router(config-radsrv)# nas 10.91.6.159 key 110337
router(config-radsrv)# nas 10.91.6.162 key 110337
router(config-radsrv)# nas 10.91.6.181 key 110337
router(config-radsrv)# group clerks
router(config-radsrv-group)# vlan 87
router(config-radsrv-group)# ssid batman
router(config-radsrv-group)# ssid robin
router(config-radsrv-group)# reauthentication time 1800
router(config-radsrv-group)# block count 2 time 600
router(config-radsrv-group)# group cashiers
router(config-radsrv-group)# vlan 97
router(config-radsrv-group)# ssid deer
router(config-radsrv-group)# ssid antelope
router(config-radsrv-group)# ssid elk
router(config-radsrv-group)# reauthentication time 1800
router(config-radsrv-group)# block count 2 time 600
router(config-radsrv-group)# group managers
router(config-radsrv-group)# vlan 77
router(config-radsrv-group)# ssid mouse
router(config-radsrv-group)# ssid chipmunk
router(config-radsrv-group)# reauthentication time 1800
router(config-radsrv-group)# block count 2 time 600
router(config-radsrv-group)# exit
router(config-radsrv)# user jsmith password twain74 group clerks
router(config-radsrv)# user stpatrick password snake100 group clerks
router(config-radsrv)# user nick password uptown group clerks
router(config-radsrv)# user 00095125d02b password 00095125d02b group clerks mac-auth-only
Step 11
user username
{ password | nthash } password
[ group group-name ]
[mac-auth-only]
Enter the LEAP and EAP-FAST users allowed to authenticate
using the local authenticator. You must enter a username and
password for each user. If you only know the NT value of the
password, which you can often find in the authentication server
database, you can enter the NT hash as a string of hexadecimal
digits.
To add a client device for MAC-based authentication, enter the
client’s MAC address as both the username and password. Enter
12 hexadecimal digits without a dot or dash between the numbers
as the username and the password. For example, for the MAC
address 0009.5125.d02b, enter 00095125d02b as both the
username and the password.
To limit the user to MAC authentication only, enter
mac-auth-only.
To add the user to a user group, enter the group name. If you do
not specify a group, the user is not assigned to a specific VLAN
and is never forced to reauthenticate.
Step 12
end Return to privileged EXEC mode.
Step 13
copy running-config
startup-config
(Optional) Save your entries in the configuration file.
Command Purpose