9-9
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter9 Configuring an Access Point as a Local Authenticator
Configuring a Local Authenticator
Limiting the Local Authenticator to One Authentication Type
By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based
authentication for client devices. However, you can limit the local authenticator to perform only one or
two authentication types. Use the no form of the authentication command to restrict the authenticator to
an authentication type:
AP(config-radsrv)# [no] authentication [eapfast] [leap] [mac]
Because all authentication types are enabled by default, you enter the no form of the command to disable
authentication types. For example, if you want the authenticator to perform only LEAP authentication,
you enter these commands:
AP(config-radsrv)# no authentication eapfast
AP(config-radsrv)# no authentication mac
Unblocking Locked Usernames
You can unblock usernames before the lockout time expires, or when the lockout time is set to infinite.
In Privileged Exec mode on the local authenticator, enter this command to unblock a locked username:
AP# clear radius local-server user username
Viewing Local Authenticator Statistics
In privileged exec mode, enter this command to view statistics collected by the local authenticator:
AP# show radius local-server statistics
This example shows local authenticator statistics:
Successes : 0 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Unknown NAS : 0 Invalid packet from NAS: 0
NAS : 10.91.6.158
Successes : 0 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Corrupted packet : 0 Unknown RADIUS message : 0
No username attribute : 0 Missing auth attribute : 0
Shared key mismatch : 0 Invalid state attribute: 0
Unknown EAP message : 0 Unknown EAP auth type : 0
Auto provision success : 0 Auto provision failure : 0
PAC refresh : 0 Invalid PAC received : 0