13-12
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged
EXEC access and network services:
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.
Configuring Packet of Disconnect
Packet of Disconnect (PoD) is also known as Disconnect Message. Additional information on PoD can
be found in the Internet Engineering Task Force (IETF) Internet Standard RFC 3576
Packet of Disconnect consists of a method of terminating a session that has already been connected. The
PoD is a RADIUS Disconnect_Request packet and is intended to be used in situations where the
authenticating agent server wants to disconnect the user after the session has been accepted by the
RADIUS access_accept packet. This may be needed in at least two situations:
Detection of fraudulent use, which cannot be performed before accepting the call.
Disconnecting hot spot users when their prepaid access time has expired.
When a session is terminated, the RADIUS server sends a disconnect message to the Network Access
Server (NAS); an access point or WDS. For 802.11 sessions, the Calling-Station-ID [31] RADIUS
attribute (the MAC address of the client) must be supplied in the Pod request. The access point or WDS
attempts to disassociate the relevant session and then sends a disconnect response message back to the
RADIUS server. The message types are as follows:
40—Disconnect-Request
41—Disconnect—ACK
42—Disconnect—NAK
Note Refer to your RADIUS server application documentation for instructions on how to configure PoD
requests.
Note The access point does not block subsequent attempts by the client to reassociate. It is the responsibility
of the security administrator to disable the client account before issuing a PoD request.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 aaa authorization network radius Configure the access point for user RADIUS authorization for all
network-related service requests.
Step3 aaa authorization exec radius Configure the access point for user RADIUS authorization to determine if
the user has privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
Step4 end Return to privileged EXEC mode.
Step5 show running-config Verify your entries.
Step6 copy running-config startup-config (Optional) Save your entries in the configuration file.