Cisco Router 860, 880 Series User Manual
Page 211
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2008 Cisco Systems, Inc. All rights reserved.
Using an Access Point as a Local Authenticator
This document describes how to use a wireless device in the role of an access point as a local authenticator, serving as a standalone authenticator for a small wireless LAN, or providing backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication...
Page 212
Using an Access Point as a Local Authenticator Configuring a Local Authenticator 2 Using an Access Point as a Local Authenticator OL-15915-01
You can configure your access points to use the local authenticator as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your RADIUS servers, the access points periodically check the link to the authentication servers and stop local authentication automatically when the link to the main...
Page 213
2. On the local authenticator, create user groups and configure parameters to be applied to each group (optional).
3. On the local authenticator, create a list of up to 50 LEAP users, EAP-FAST users, or MAC addresses that the local authenticator is authorized to authenticate.
Note: You do not have to specify which type of authentication that you want the local...
Page 214
Step 6: vlan vlan
(Optional) Specifies a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group.
Step 7: ssid ssid
(Optional) Enters up to 20 SSIDs to limit members of the user group to those SSIDs. The access point checks that the SSID that...
Page 215
This example shows how to set up a local authenticator used by three access points with three user groups and several users:
AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 10.91.6.159 key 110337
AP(config-radsrv)# nas 10.91.6.162 key 110337
AP(config-radsrv)# nas 10.91.6.181 key 110337
AP(config-radsrv)# group clerks...
Page 216
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# user stpatrick password snake100 group clerks
AP(config-radsrv)# user nick password uptown group clerks
AP(config-radsrv)# user 00095125d02b password 00095125d02b group clerks mac-auth-only
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user...
Page 217
During the 10-minute dead-time interval, when the next client device attempts to authenticate to the access point, the access point skips the first two servers and attempts to authenticate the client by using the local authenticator. After the dead-time interval elapses, the access point tries to use the first two servers for authentication. When setting a...
Page 218
Generating PACs Manually
The local authenticator automatically generates PACs for EAP-FAST clients that request them. However, you might need to generate a PAC manually for some client devices. When you enter the command, the local authenticator generates a PAC file and writes it to the network location that you specify. The user imports the PAC file into the...
Page 219
Possible PAC Failures Caused by Access Point Clock
The local authenticator uses the access point clock both to generate PACs and to determine whether PACs are valid. However, relying on the access point clock can lead to PAC failures. If your local authenticator access point receives its time setting from an NTP server, there is an interval between boot up and...
Page 220
Viewing Local Authenticator Statistics
To view statistics collected by the local authenticator, enter this command in privileged EXEC mode:
AP# show radius local-server statistics
This example shows local authenticator statistics:
Successes : 0        Unknown usernames : 0
Client blocks : 0    Invalid passwords :...