9-2
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 9 Configuring an Access Point as a Local Authenticator
Understanding Local Authentication
Many small wireless LANs that could be made more secure with 802.1x authentication do not have
access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely
on RADIUS servers housed in a distant location to authenticate client devices, and the authentication
traffic must cross a WAN link. If the WAN link fails, or if the access points cannot access the RADIUS
servers for any reason, client devices cannot access the wireless network even if the work they wish to
do is entirely local.
To provide local authentication service or backup authentication service in case of a WAN link or a
server failure, you can configure an access point to act as a local authentication server. The access point
can authenticate up to 50 wireless client devices using LEAP, EAP-FAST, or MAC-based authentication.
The access point performs up to 5 authentications per second.
You configure the local authenticator access point manually with client usernames and passwords
because it does not synchronize its database with the main RADIUS servers. You can also specify a
VLAN and a list of SSIDs that a client is allowed to use.
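The following configuration sketch is an added example, not taken from this guide's text. It shows how the manually maintained database described above (usernames and passwords, plus an optional VLAN and SSID list) is expressed with the Cisco IOS local RADIUS server commands `radius-server local`, `nas`, `group`, and `user`, none of which appear in this section. All addresses, names, the VLAN ID, and the bracketed secrets are constructed placeholders.

```cisco
! Added example. Every value below is a constructed placeholder.
! Enter these lines in global configuration mode on the access point
! that will act as the local authenticator.
!
aaa new-model
!
radius-server local
 !
 ! One "nas" entry per access point that is allowed to send
 ! authentication requests to this local authenticator. The key is the
 ! RADIUS shared secret and must match the key set on that access point.
 nas 192.0.2.10 key <shared-secret-placeholder>
 nas 192.0.2.11 key <shared-secret-placeholder>
 !
 ! Optional group: restricts its members to one VLAN and to a list of
 ! SSIDs, as described in the paragraph above.
 group warehouse
  vlan 20
  ssid wh-scanners
  ssid wh-office
  exit
 !
 ! Client credentials are typed in by hand. This database is not
 ! synchronized with the main RADIUS servers, so an account added or
 ! disabled there must also be changed here.
 user scanner01 password <password-placeholder> group warehouse
 user scanner02 password <password-placeholder> group warehouse
 !
 ! Keep the total number of user entries within the 50-client limit
 ! stated above.
 end
```

Because the `nas` keys and user credentials are stored in this access point's configuration, review the saved configuration for stale accounts whenever the main RADIUS database changes.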
Note: If your wireless LAN contains only one access point, you can configure the access point as both
the 802.1x authenticator and the local authenticator. However, users associated to the local
authenticator access point might notice a drop in performance when the access point
authenticates client devices.
You can configure your access points to use the local authenticator when they cannot reach the main
servers, or you can configure your access points to use the local authenticator as the main
authenticator if you do not have a RADIUS server. When you configure the local authenticator as a
backup to your main servers, the access points periodically check the link to the main servers and stop
using the local authenticator automatically when the link to the main servers is restored.
Caution: The access point you use as an authenticator contains detailed authentication information for your
wireless LAN, so you should secure it physically to protect its configuration.
Configuring a Local Authenticator
This section provides instructions for setting up an access point as a local authenticator and includes
these sections:
Guidelines for Local Authenticators, page 9-3
Configuration Overview, page 9-3
Configuring the Local Authenticator Access Point, page 9-3
Configuring Other Access Points to Use the Local Authenticator, page 9-6
Configuring EAP-FAST Settings, page 9-7
Unblocking Locked Usernames, page 9-9
Viewing Local Authenticator Statistics, page 9-9
Using Debug Messages, page 9-10