13-13
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
Note: When WDS is configured, PoD requests should be directed to the WDS. The WDS forwards the
disassociation request to the parent access point and then purges the session from its own internal tables.

Note: PoD is supported on the Cisco CNS Access Registrar (CAR) RADIUS server, but not on the Cisco
Secure ACS Server, v4.0 and earlier.
Beginning in privileged EXEC mode, follow these steps to configure a PoD:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: aaa pod server [port port number] [auth-type {any | all | session-key}] [clients client 1...] [ignore {server-key string...| session-key }] | server-key string...]}
  Purpose: Enables user sessions to be disconnected by requests from a RADIUS
  server when specific session attributes are presented.
    port port number—(Optional) The UDP port on which the access point
    listens for PoD requests. The default value is 1700.
    auth-type—This parameter is not supported for 802.11 sessions.
    clients (Optional)—Up to four RADIUS servers may be nominated as
    clients. If this configuration is present and a PoD request originates from
    a device that is not on the list, it is rejected.
    ignore (Optional)—When set to server-key, the shared secret is not
    validated when a PoD request is received.
    session-key—Not supported for 802.11 sessions.
    server-key—Configures the shared-secret text string.
    string—The shared-secret text string that is shared between the network
    access server and the client workstation. This shared-secret must be the
    same on both systems.
    Note: Any data entered after this parameter is treated as the shared
    secret string.

Step 3
  Command: end
  Purpose: Return to privileged EXEC mode.

Step 4
  Command: show running-config
  Purpose: Verify your entries.

Step 5
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

Starting RADIUS Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network
resources that they are consuming. When AAA accounting is enabled, the access point reports user
activity to the RADIUS security server in the form of accounting records. Each accounting record
contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then
be analyzed for network management, client billing, or auditing. See the “RADIUS Attributes Sent by
the Access Point” section on page 13-20 for a complete list of attributes sent and honored by the access
point.

Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco
IOS privilege level and for network services:
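
For the PoD configuration above: the clients, server-key and ignore options of aaa pod server amount to two checks on each incoming PoD request. The Python below is an added example, not code from this guide or from Cisco IOS. It assumes PoD requests use the RFC 5176 Disconnect-Request format; the function names, the order of the checks, the addresses and the secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RADIUS code of a Disconnect-Request (RFC 5176)

def request_authenticator(code, ident, attrs, secret):
    """MD5 over Code, ID, Length, 16 zero octets, attributes, shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_pod(ident, attrs, secret):
    """Build a Disconnect-Request the way a RADIUS server would sign it."""
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def check_pod(packet, source_ip, secret, clients=(), ignore_server_key=False):
    """Return (accepted, reason) for a received PoD request."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False, "malformed Disconnect-Request"
    # clients: with a list configured, a request from any other device is rejected.
    if clients and source_ip not in clients:
        return False, "source not in clients list"
    # ignore server-key: the shared secret is not validated (modelled as a skip).
    if ignore_server_key:
        return True, "accepted, shared secret not validated"
    expected = request_authenticator(code, ident, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "shared secret mismatch"
    return True, "accepted"

# Constructed sample values (documentation addresses, made-up secret).
SECRET = b"example-shared-secret"
CLIENTS = ("192.0.2.10",)
ATTRS = bytes([1, 7]) + b"alice"  # User-Name attribute: type 1, length 7
GOOD = build_pod(1, ATTRS, SECRET)
WRONG_KEY = build_pod(2, ATTRS, b"some-other-secret")

if __name__ == "__main__":
    cases = [("listed client, right key", GOOD, "192.0.2.10", False),
             ("unlisted client, right key", GOOD, "198.51.100.7", False),
             ("listed client, wrong key", WRONG_KEY, "192.0.2.10", False),
             ("listed client, wrong key, ignore set", WRONG_KEY, "192.0.2.10", True)]
    for label, pkt, src, ignore in cases:
        print(label, "->", check_pod(pkt, src, SECRET, CLIENTS, ignore))
```

With ignore server-key set, the clients list is the only remaining check on a PoD request, so that option is best reserved for troubleshooting and the clients list kept populated.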