Cisco Systems 0L-11350-01 Identifying the RADIUS Server Host

13-5

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter13 Configuring RADIUS and TACACS+ Servers

Configuring and Enabling RADIUS

Identifying the RADIUS Server Host

Access point-to-RADIUS-server communication involves several components:

•Host name or IP address

•Authentication destination port

•Accounting destination port

•Key string

•Timeout period

•Retransmission value

You identify RADIUS security servers by their host name or IP address, host name and specific UDP

port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and

the UDP port number creates a unique identifier allowing different ports to be individually defined as

RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be

sent to multiple UDP ports on a server at the same IP address.

Note For Cisco IOS Releases 12.2(8)JA and later, the access point uses a randomly chosen UDP

source port number in the range of 21645 to 21844 for communication with RADIUS servers.

If two different host entries on the same RADIUS server are configured for the same service—such as

accounting—the second host entry configured acts as a fail-over backup to the first one. Using this

example, if the first host entry fails to provide accounting services, the access point tries the second host

entry configured on the same device for accounting services. (The RADIUS host entries are tried in the

order that they are configured.)

A RADIUS server and the access point use a shared secret text string to encrypt passwords and exchange

responses. To configure RADIUS to use the AAA security commands, you must specify the host running

the RADIUS server daemon and a secret text (key) string that it shares with the access point.

The timeout, retransmission, and encryption key values can be configured globally per server for all

RADIUS servers or in some combination of global and per-server settings. To apply these settings

globally to all RADIUS servers communicating with the access point, use the three unique global

configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To

apply these values on a specific RADIUS server, use the radius-server host global configuration

command.

Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on

the access point, the per-server timer, retransmission, and key value commands override global timer,

retransmission, and key value commands. For information on configuring these setting on all RADIUS

servers, see the “Configuring Settings for All RADIUS Servers” section on page13-15.

You can configure the access point to use AAA server groups to group existing server hosts for

authentication. For more information, see the “Defining AAA Server Groups” section on page13-9.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server

communication. This procedure is required.