Cisco Systems 0L-11350-01

9-4

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter9 Configuring an Access Point as a Local Authenticator

Configuring a Local Authenticator

Step3 radius-server local Enable the access point as a local authenticator and enter

configuration mode for the authenticator.

Step4 nas ip-address key shared-key Add an access point to the list of units that use the local

authenticator. Enter the access point’s IP address and the shared

key used to authenticate communication between the local

authenticator and other access points. You must enter this shared

key on the access points that use the local authenticator. If your

local authenticator also serves client devices, you must enter the

local authenticator access point as a NAS.

Note Leading spaces in the key string are ignored, but spaces

within and at the end of the key are used. If you use spaces

in your key, do not enclose the key in quotation marks

unless the quotation marks are part of the key.

Repeat this step to add each access point that uses the local

authenticator.

Step5 group group-name (Optional) Enter user group configuration mode and configure a

user group to which you can assign shared settings.

Step6 vlan vlan (Optional) Specify a VLAN to be used by members of the user

group. The access point moves group members into that VLAN,

overriding other VLAN assignments. You can assign only one

VLAN to the group.

Step7 ssid ssid (Optional) Enter up to 20 SSIDs to limit members of the user

group to those SSIDs. The access point checks that the SSID that

the client used to associate matches one of the SSIDs in the list.

If the SSID does not match, the client is disassociated.

Step8 reauthentication time seconds (Optional) Enter the number of seconds after which access points

should reauthenticate members of the group. The

reauthentication provides users with a new encryption key. The

default setting is 0, which means that group members are never

required to reauthenticate.

Step9 block count count

time { seconds | infinite }

(Optional) To help protect against password guessing attacks,

you can lock out members of a user group for a length of time

after a set number of incorrect passwords.

•count—The number of failed passwords that triggers a

lockout of the username.

•time—The number of seconds the lockout should last. If you

enter infinite, an administrator must manually unblock the

locked username. See the “Unblocking Locked Usernames”

section on page 9-9 for instructions on unblocking client

devices.

Step10 exit Exit group configuration mode and return to authenticator

configuration mode.

Command Purpose