Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access.
RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS
server, which contains all user authentication and network service access information. The RADIUS host
is normally a multiuser system running RADIUS server software from Cisco (Cisco Identity Services
Engine), FreeRADIUS, Microsoft, or another software provider. For more information, refer to the
RADIUS server documentation.
Use RADIUS in these network environments, which require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
  servers from several vendors use a single RADIUS server-based security database. In an IP-based
  network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS
  server that is customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such
  as an access environment that uses a smart card access control system.
• Networks already using RADIUS. You can add a Cisco access point containing a RADIUS client to
  the network.
• Networks that require resource accounting. You can use RADIUS accounting independently of
  RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
  at the start and end of services, showing the amount of resources (such as time, packets, bytes, and
  so forth) used during the session. An Internet service provider might use a freeware-based version
  of RADIUS access control and accounting software to meet special security and billing needs.
RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support, for example, AppleTalk Remote
  Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services
  Interface (NASI), or X.25 PAD connections.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
RADIUS Operation
When a wireless user attempts to log in and authenticate to an access point whose access is controlled
by a RADIUS server, authentication to the network occurs in the steps shown in Figure 13-1: