9-6
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter9 Configuring an Access Point as a Local Authenticator
Configuring a Local Authenticator
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end
Configuring Other Access Points to Use the Local AuthenticatorYou add the local authenticator to the list of servers on the access point the same way that you add other
servers. For detailed instructions on setting up RADIUS servers on your access points, see Chapter13,
“Configuring RADIUS and TACACS+ Servers.”
Note If your local authenticator access point also serves client devices, you must configure the local
authenticator to use itself to authenticate client devices.
On the access points that use the local authenticator, use the radius-server host command to enter the
local authenticator as a RADIUS server. The order in which the access point attempts to use the servers
matches the order in which you enter the servers in the access point configuration. If you are configuring
the access point to use RADIUS for the first time, enter the main RADIUS servers first, and enter the
local authenticator last.
Note You m us t e nt er 1812 or 1645 as the authentication port and 1813 or 1646 as the accounting port.
The local authenticator listens on UDP port 1813 for RADIUS accounting packets. It discards
the accounting packets but sends acknowledge packets back to RADIUS clients to prevent
clients from assuming that the server is down.
Use the radius-server deadtime command to set an interval during which the access point does not
attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying
the next configured server. A server marked as dead is skipped by additional requests for the duration of
minutes that you specify, up to 1440 (24 hours).
This example shows how to set up two main servers and a local authenticator with a server deadtime of
10 minutes:
AP(config)# aaa new-model
AP(config)# radius server radserv
AP(config-radius-server)# address ipv4 172.10.0.1 auth-port 1000 acct-port 1001
AP(config-radius-server)# key 77654
AP(config)# radius-server deadtime 10
In this example, if the WAN link to the main servers fails, the access point completes these steps when
a LEAP-enabled client device associates:
1. It tries the first server, times out multiple times, and marks the first server as dead.
2. It tries the second server, times out multiple times, and marks the second server as dead.
3. It tries and succeeds using the local authenticator.
If another client device needs to authenticate during the 10-minute dead-time interval, the access point
skips the first two servers and tries the local authenticator first. After the dead-time interval, the access
point tries to use the main servers for authentication. When setting a dead time, you must balance the
need to skip dead servers with the need to check the WAN link and begin using the main servers again
as soon as possible.