Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 9 Configuring an Access Point as a Local Authenticator
Configuring a Local Authenticator
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end
Configuring Other Access Points to Use the Local Authenticator
You add the local authenticator to the list of servers on the access point the same way that you add other
servers. For detailed instructions on setting up RADIUS servers on your access points, see Chapter 13,
“Configuring RADIUS and TACACS+ Servers.”
Note: If your local authenticator access point also serves client devices, you must configure the local
authenticator to use itself to authenticate client devices.
On the access points that use the local authenticator, use the radius-server host command to enter the
local authenticator as a RADIUS server. The order in which the access point attempts to use the servers
matches the order in which you enter the servers in the access point configuration. If you are configuring
the access point to use RADIUS for the first time, enter the main RADIUS servers first, and enter the
local authenticator last.
Note: You must enter 1812 as the authentication port and 1813 as the accounting port. The local
authenticator listens on UDP port 1813 for RADIUS accounting packets. It discards the
accounting packets but sends acknowledge packets back to RADIUS clients to prevent clients
from assuming that the server is down.
Use the radius-server deadtime command to set an interval during which the access point does not
attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying
the next configured server. A server marked as dead is skipped by additional requests for the number
of minutes that you specify, up to 1440 (24 hours).
This example shows how to set up two main servers and a local authenticator with a server deadtime of
10 minutes:
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
AP(config)# radius-server deadtime 10
In this example, if the WAN link to the main servers fails, the access point completes these steps when
a LEAP-enabled client device associates:
1. It tries the first server, times out multiple times, and marks the first server as dead.
2. It tries the second server, times out multiple times, and marks the second server as dead.
3. It tries and succeeds using the local authenticator.
If another client device needs to authenticate during the 10-minute dead-time interval, the access point
skips the first two servers and tries the local authenticator first. After the dead-time interval, the access
point tries to use the main servers for authentication. When setting a dead time, you must balance the
need to skip dead servers with the need to check the WAN link and begin using the main servers again
as soon as possible.
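One way to check an access point configuration against the rules in this section (local authenticator entered last, ports 1812 and 1813, dead time no greater than 1440 minutes), as an added Python example that is not part of the Cisco guide. The function name audit_radius_config, the treatment of 10.91.6.151 as the local authenticator's address, and the assumption that the configuration lines appear in the form shown above are for illustration.

```python
import re

# Constructed sample: the configuration lines from the example above.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
radius-server deadtime 10
"""

HOST_RE = re.compile(
    r"^\s*radius-server host (\S+) auth-port (\d+) acct-port (\d+)", re.M)
DEADTIME_RE = re.compile(r"^\s*radius-server deadtime (\d+)", re.M)


def audit_radius_config(config, local_auth_ip):
    """Return a list of findings; an empty list means every check passed."""
    hosts = [(ip, int(a), int(c)) for ip, a, c in HOST_RE.findall(config)]
    ips = [ip for ip, _, _ in hosts]
    if local_auth_ip not in ips:
        return [f"local authenticator {local_auth_ip} is not configured"]
    findings = []
    # Servers are tried in the order entered, so the fallback must come last.
    if ips[-1] != local_auth_ip:
        findings.append("local authenticator is not the last server entered")
    # The local authenticator only listens on 1812 (auth) and 1813 (acct).
    for ip, auth, acct in hosts:
        if ip == local_auth_ip and (auth, acct) != (1812, 1813):
            findings.append(
                f"local authenticator uses ports {auth}/{acct}, expected 1812/1813")
    # Without a dead time, every request waits for the unreachable servers.
    match = DEADTIME_RE.search(config)
    if match is None:
        findings.append("no radius-server deadtime configured")
    elif int(match.group(1)) > 1440:
        findings.append(f"deadtime {match.group(1)} exceeds 1440 minutes")
    return findings


if __name__ == "__main__":
    for finding in audit_radius_config(SAMPLE_CONFIG, "10.91.6.151") or ["OK"]:
        print(finding)
```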