User Guide
Table Of Contents
- Cisco Wireless ISR and HWIC Access Point Configuration Guide
- Contents
- Preface
- Overview
- Configuring Radio Settings
- Enabling the Radio Interface
- Roles in Radio Network
- Configuring Network or Fallback Role
- Universal Client Mode
- Configuring Universal Client Mode
- Configuring Radio Data Rates
- Configuring Radio Transmit Power
- Configuring Radio Channel Settings
- Enabling and Disabling World Mode
- Enabling and Disabling Short Radio Preambles
- Configuring Transmit and Receive Antennas
- Disabling and Enabling Access Point Extensions
- Configuring the Ethernet Encapsulation Transformation Method
- Enabling and Disabling Reliable Multicast to Workgroup Bridges
- Enabling and Disabling Public Secure Packet Forwarding
- Configuring Beacon Period and DTIM
- Configuring RTS Threshold and Retries
- Configuring Maximum Data Retries
- Configuring Fragmentation Threshold
- Enabling Short Slot Time for 802.11g Radios
- Performing a Carrier Busy Test
- Configuring Multiple SSIDs
- Configuring an Access Point as a Local Authenticator
- Understand Local Authentication
- Configure a Local Authenticator
- Guidelines for Local Authenticators
- Configuration Overview
- Configuring the Local Authenticator Access Point
- Configuring Other Access Points to Use the Local Authenticator
- Configuring EAP-FAST Settings
- Limiting the Local Authenticator to One Authentication Type
- Unblocking Locked Usernames
- Viewing Local Authenticator Statistics
- Using Debug Messages
- Configuring Encryption Types
- Configuring Authentication Types
- Configuring RADIUS Servers
- Configuring and Enabling RADIUS
- Understanding RADIUS
- RADIUS Operation
- Configuring RADIUS
- Default RADIUS Configuration
- Identifying the RADIUS Server Host
- Configuring RADIUS Login Authentication
- Defining AAA Server Groups
- Configuring RADIUS Authorization for User Privileged Access and Network Services
- Starting RADIUS Accounting
- Selecting the CSID Format
- Configuring Settings for All RADIUS Servers
- Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
- Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication
- Configuring WISPr RADIUS Attributes
- Displaying the RADIUS Configuration
- RADIUS Attributes Sent by the Access Point
- Configuring and Enabling RADIUS
- Configuring VLANs
- Configuring QoS
- Channel Settings
- Protocol Filters
- Supported MIBs
- Error and Event Messages
- Glossary
- Index
6-5
Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
Chapter 6 Configuring Authentication Types
Understand Authentication Types
There is more than one type of EAP authentication, but the access point behaves the same way for each
type: it relays authentication messages from the wireless client device to the RADIUS server and from
the RADIUS server to the wireless client device. See the
“Assigning Authentication Types to an SSID”
section on page 6-9 for instructions on setting up EAP on the access point.
Note If you use EAP authentication, you can select open or shared key authentication, but you don’t have to.
EAP authentication controls authentication both to your access point and to your network.
MAC Address Authentication to the Network
The access point relays the MAC address of the wireless client device to a RADIUS server on your
network, and the server checks the address against a list of allowed MAC addresses. Intruders can create
counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication.
However, MAC-based authentication provides an alternate authentication method for client devices that
do not have EAP capability. See the
“Assigning Authentication Types to an SSID” section on page 6-9
for instructions on enabling MAC-based authentication.
Tip If you don’t have a RADIUS server on your network, you can create a list of allowed MAC addresses on
the access point’s Advanced Security: MAC Address Authentication page. Devices with MAC addresses
not on the list are not allowed to authenticate.
Tip If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC
authentication cache on your access points. MAC authentication caching reduces overhead because the
access point authenticates devices in its MAC-address cache without sending the request to your
authentication server. See the
“Configuring MAC Authentication Caching” section on page 6-14 for
instructions on enabling this feature.
Figure 6-4 shows the authentication sequence for MAC-based authentication.