Chapter 4 Configuring an Access Point as a Local Authenticator

Understand Local Authentication

Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link. If the WAN link fails, or if the access points cannot access the RADIUS servers for any reason, client devices cannot access the wireless network even if the work they wish to do is entirely local.

To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an access point to act as a local authentication server. The access point can authenticate up to 50 wireless client devices using LEAP, EAP-FAST, or MAC-based authentication. The access point performs up to 5 authentications per second.

You configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with the main RADIUS servers. You can also specify a VLAN and a list of SSIDs that a client is allowed to use.

Note: If your wireless LAN contains only one access point, you can configure the access point as both the 802.1x authenticator and the local authenticator. However, users associated to the local authenticator access point might notice a drop in performance when the access point authenticates client devices.

You can configure your access points to use the local authenticator when they cannot reach the main servers, or you can configure your access points to use the local authenticator as the main authenticator if you do not have a RADIUS server. When you configure the local authenticator as a backup to your main servers, the access points periodically check the link to the main servers and stop using the local authenticator automatically when the link to the main servers is restored.

Caution: The access point you use as an authenticator contains detailed authentication information for your wireless LAN, so you should secure it physically to protect its configuration.

Configure a Local Authenticator

This section provides instructions for setting up an access point as a local authenticator and includes these sections:

Guidelines for Local Authenticators

Configuration Overview

Configuring the Local Authenticator Access Point

Configuring Other Access Points to Use the Local Authenticator

Configuring EAP-FAST Settings

Unblocking Locked Usernames

Viewing Local Authenticator Statistics

Using Debug Messages

Cisco Wireless ISR and HWIC Access Point Configuration Guide

OL-6415-04