Cisco Router 860, 880 Series User Manual
Page 241
17-3 Book Title OL-xxxxx-xx Chapter 17 Administering the Wireless Device
Preventing Unauthorized Access to Your Access Point
You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network. To prevent...
Page 242
Protecting Access to Privileged EXEC Commands
Default Password and Privilege Level Configuration
Table 17-1 shows the default password and privilege level configuration.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode.
Note: The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If...
Page 243
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
AP(config)# enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are...
Page 244
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level command in global configuration mode to specify commands...
Page 245
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the wireless device. These pairs are assigned to lines or interfaces, and they authenticate each user before that user can access the wireless device. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and...
Page 246
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users. This section includes this configuration...
Page 247
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
AP(config)# privilege exec level 14 configure
AP(config)# enable password level 14 SecretPswd14
Logging Into and Exiting a Privilege Level
To log in to a specified privilege level or to exit to a specified privilege level,...
Page 248
Controlling Access Point Access with RADIUS
Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any defined authentication methods are...
Page 249
To disable AAA, use the no aaa new-model command in global command mode. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] command in global command mode. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} command in line...
Page 250
Step 3: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Specifies the IP address or hostname of the remote RADIUS server host. (Optional) For auth-port port-number, specify the UDP destination port for authentication requests. (Optional) For acct-port port-number, specify the UDP...