Chapter 4 Configuring an Access Point as a Local Authenticator

Configure a Local Authenticator

 

Step      Command and Purpose

Step 3    Command: radius-server local
          Purpose: Enable the access point as a local authenticator and enter configuration mode for the authenticator.

Step 4    Command: nas ip-address key shared-key
          Purpose: Add an access point to the list of units that use the local authenticator. Enter the access point’s IP address and the shared key used to authenticate communication between the local authenticator and other access points. You must enter this shared key on the access points that use the local authenticator. If your local authenticator also serves client devices, you must enter the local authenticator access point as a NAS.

          Note: Leading spaces in the key string are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

          Repeat this step to add each access point that uses the local authenticator.

Step 5    Command: group group-name
          Purpose: (Optional) Enter user group configuration mode and configure a user group to which you can assign shared settings.

Step 6    Command: vlan vlan
          Purpose: (Optional) Specify a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group.

Step 7    Command: ssid ssid
          Purpose: (Optional) Enter up to 20 SSIDs to limit members of the user group to those SSIDs. The access point checks that the SSID that the client used to associate matches one of the SSIDs in the list. If the SSID does not match, the client is disassociated.

Step 8    Command: reauthentication time seconds
          Purpose: (Optional) Enter the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate.

Step 9    Command: block count count time { seconds | infinite }
          Purpose: (Optional) To help protect against password guessing attacks, you can lock out members of a user group for a length of time after a set number of incorrect passwords.

          count—The number of failed passwords that triggers a lockout of the username.

          time—The number of seconds the lockout should last. If you enter infinite, an administrator must manually unblock the locked username. See the “Unblocking Locked Usernames” section on page 4-11 for instructions on unblocking client devices.

Step 10   Command: exit
          Purpose: Exit group configuration mode and return to authenticator configuration mode.
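The group settings from Steps 5 through 10 can be reviewed once they are entered. The following Python code is an added example, not part of the Cisco guide: it reads the commands in the form this procedure gives them and reports user groups that keep the default reauthentication time of 0, have no block count, or use an infinite block time. The sample configuration, its addresses, key and group names, and the function name audit_groups are constructed for illustration.

```python
import re

# Constructed sample: the Step 3-10 commands with made-up values.
SAMPLE_CONFIG = """\
radius-server local
 nas 192.0.2.10 key example-shared-key
 group clerks
  vlan 87
  ssid floor1
  reauthentication time 1800
  block count 3 time 600
  exit
 group cashiers
  vlan 97
  exit
 group managers
  reauthentication time 0
  block count 5 time infinite
  exit
"""

def audit_groups(config):
    """Return {group: [findings]} for groups under 'radius-server local'."""
    groups, current = {}, None
    # Only lines after the Step 3 command belong to the authenticator.
    for raw in config.partition("radius-server local")[2].splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"group (\S+)", line):
            current = groups.setdefault(m.group(1), {})
        elif line == "exit":
            current = None          # Step 10: leave group configuration mode
        elif current is not None:
            if m := re.fullmatch(r"reauthentication time (\d+)", line):
                current["reauth"] = int(m.group(1))
            elif m := re.fullmatch(r"block count (\d+) time (\d+|infinite)", line):
                current["block"] = (int(m.group(1)), m.group(2))
    report = {}
    for name, cfg in groups.items():
        findings = []
        if cfg.get("reauth", 0) == 0:   # 0 is the default: never reauthenticate
            findings.append("reauthentication time 0: members never reauthenticate")
        if "block" not in cfg:
            findings.append("no block count: no lockout configured for this group")
        elif cfg["block"][1] == "infinite":
            findings.append("block time infinite: locked usernames need a manual unblock")
        report[name] = findings
    return report

if __name__ == "__main__":
    for group, findings in audit_groups(SAMPLE_CONFIG).items():
        print(group, findings or "ok")
```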

 

 

 

Cisco Wireless ISR and HWIC Access Point Configuration Guide

4-4

OL-6415-04

 

 
