Cisco Systems 0L-11350-01 Configuring and Enabling RADIUS

13-2

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter13 Configuring RADIUS and TACACS+ Servers

Configuring and Enabling RADIUS

Configuring and Enabling RADIUS

This section describes how to configure and enable RADIUS. These sections describe RADIUS

configuration:

•Understanding RADIUS, page 13-2

•RADIUS Operation, page 13-3

•Configuring RADIUS, page13-4

•Displaying the RADIUS Configuration, page13-19

•RADIUS Attributes Sent by the Access Point, page13-20

RADIUS is a distributed client/server system that secures networks against unauthorized access.

RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS

server, which contains all user authentication and network service access information. The RADIUS

host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access

Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more

information, refer to the RADIUS server documentation.

Use RADIUS in these network environments, which require access security:

•Networks with multiple-vendor access servers, each supporting RADIUS. For example, access

servers from several vendors use a single RADIUS server-based security database. In an IP-based

network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS

server that is customized to work with the Kerberos security system.

•Turnkey network security environments in which applications support the RADIUS protocol, such

as an access environment that uses a smart card access control system. In one case, RADIUS has

been used with Enigma’s security cards to validate users and to grant access to network resources.

•Networks already using RADIUS. You can add a Cisco access point containing a RADIUS client to

the network.

•Networks that require resource accounting. You can use RADIUS accounting independently of

RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent

at the start and end of services, showing the amount of resources (such as time, packets, bytes, and

so forth) used during the session. An Internet service provider might use a freeware-based version

of RADIUS access control and accounting software to meet special security and billing needs.

RADIUS is not suitable in these network security situations:

•Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA),

NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or

X.25 PAD connections.

•Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.

RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device

requires authentication.

•Networks using a variety of services. RADIUS generally binds a user to one service model.