Cisco Systems DL-2159-05 manual System Flow Notes

Chapter 8 Security Setup

Setting up Centralized Administrator Authentication

System Flow Notes

The following notes help to identify and describe the flow between the access point and its authentication server.

The authentication server is initialized to listen for socket requests on the pre-determined UDP or TCP ports specified on the Authenticator Configuration page (UDP 1812 for RADIUS servers or TCP 49 for TACACS+ servers).

The authentication server must be pre-configured with valid user names and passwords, along with the shared secret key the server uses for secure authentication between it and the access point.

No remote server authentication is possible with a new access point unless it has been configured by the user.

The access point requires the following parameters to access the remote authentication servers, which were described in the procedure above:

Remote server authentication—enabled or disabled by configuring (or not configuring) an authentication server to which the access point sends requests

IP address of the authentication server(s)

Secret key to be shared with the authentication server(s)

Selection of RADIUS or TACACS+ server indication

Default UDP or TCP port ID used for authentication

Timeout value while waiting for a server response

The administrator attempts to log in to the access point using any HTML-capable browser on a wireless or wired network. The access point receives the authentication request and checks the local database of users to verify that the request is accompanied by a valid user name and password.

If the user is not found on the local list, or if local authentication fails (user found, but incorrect password), the access point determines whether a remote authentication server has been configured to handle authentication requests. If it has, the access point sends an authentication request to the first remote authentication server and waits for the server to reply or for the request to time out. This asynchronous request is sent to either a TACACS+ or a RADIUS server using a client interface and protocol appropriate for the target server. The password for the administrator requesting authentication is encrypted using an MD5 hash function and sent to the server. The password is never sent to the server in clear text.

If the server does not respond, a timeout occurs, prompting the access point to check for an additional configured authentication server. If it finds one, the access point sends an authentication request to that server. Additional servers are attempted until one of the following events occurs:

A configured server responds accepting or rejecting the request.

A final timeout occurs on the last configured server.

When the authentication server responds to a successful request, the authorization parameters (described in the Authorization Parameters section below) are extracted and processed into a local database cache entry. This entry is kept in the cache for five minutes and is used to authenticate the user for subsequent authentication requests.

The cache speeds up the administrative configuration process: subsequent requests within the five-minute period do not require a transaction with an authentication server. The following applies:

If the user's cache entry is accessed by an authentication request within the 5-minute period, the cache timer resets to 5 minutes.
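As an added illustration of the flow described above (example code, not from the Cisco guide), the following Python models the access point's decision sequence: local database first, then the five-minute cache, then each configured remote server in order with timeouts, refreshing the cache entry on every successful access within the window. The position of the cache lookup relative to the local check, the server addresses and the user names are assumptions made for the example; the RADIUS/TACACS+ exchange itself is stubbed as a callable.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

CACHE_TTL = 300.0  # five minutes, as described on this page
# Constructed sample data: the access point's local user database. Each
# remote server is modelled as (host, check), where check(user, password)
# returns "ACCEPT", "REJECT" or None (no reply before the configured timeout).
LOCAL_USERS = {"admin": "local-pass"}
RemoteCheck = Callable[[str, str], Optional[str]]


class AccessPoint:
    def __init__(self, servers: List[Tuple[str, RemoteCheck]],
                 clock: Callable[[], float] = time.time):
        self.servers = servers
        self.clock = clock
        # user -> (password, expiry). Assumption: the cached credential is
        # what later requests are compared against.
        self.cache: Dict[str, Tuple[str, float]] = {}

    def _cache_hit(self, user: str, password: str) -> bool:
        entry = self.cache.get(user)
        if entry is None:
            return False
        cached_pw, expiry = entry
        now = self.clock()
        if now >= expiry:
            del self.cache[user]          # entry aged out after five minutes
            return False
        if cached_pw != password:
            return False
        self.cache[user] = (password, now + CACHE_TTL)  # access resets timer
        return True

    def authenticate(self, user: str, password: str) -> str:
        if LOCAL_USERS.get(user) == password:        # 1. local database
            return "local-accept"
        if self._cache_hit(user, password):          # 2. cached remote result
            return "cache-accept"
        if not self.servers:                         # no remote server configured
            return "reject-no-remote"
        for host, check in self.servers:             # 3. servers in configured order
            result = check(user, password)
            if result is None:                       # timeout: try the next server
                continue
            if result == "ACCEPT":
                self.cache[user] = (password, self.clock() + CACHE_TTL)
                return f"remote-accept:{host}"
            return f"remote-reject:{host}"
        return "reject-all-timeouts"                 # final timeout on last server
```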

Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
8-37