Chapter 4 Configuring an Access Point as a Local Authenticator

Configure a Local Authenticator

Step 11
Command: user username { password | nthash } password [ group group-name ] [ mac-auth-only ]
Purpose: Enter the LEAP and EAP-FAST users allowed to authenticate using the local authenticator. You must enter a username and password for each user. If you only know the NT value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.

To add a client device for MAC-based authentication, enter the client's MAC address as both the username and password. Enter 12 hexadecimal digits without a dot or dash between the numbers as the username and the password. For example, for the MAC address 0009.5125.d02b, enter 00095125d02b as both the username and the password.

To limit the user to MAC authentication only, enter mac-auth-only.

To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.

Step 12
Command: end
Purpose: Return to privileged EXEC mode.

Step 13
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

This example shows how to set up a local authenticator used by three access points with three user groups and several users:

router# configure terminal
router(config)# radius-server local
router(config-radsrv)# nas 10.91.6.159 key 110337
router(config-radsrv)# nas 10.91.6.162 key 110337
router(config-radsrv)# nas 10.91.6.181 key 110337
router(config-radsrv)# group clerks
router(config-radsrv-group)# vlan 87
router(config-radsrv-group)# ssid batman
router(config-radsrv-group)# ssid robin
router(config-radsrv-group)# reauthentication time 1800
router(config-radsrv-group)# block count 2 time 600
router(config-radsrv-group)# group cashiers
router(config-radsrv-group)# vlan 97
router(config-radsrv-group)# ssid deer
router(config-radsrv-group)# ssid antelope
router(config-radsrv-group)# ssid elk
router(config-radsrv-group)# reauthentication time 1800
router(config-radsrv-group)# block count 2 time 600
router(config-radsrv-group)# group managers
router(config-radsrv-group)# vlan 77
router(config-radsrv-group)# ssid mouse
router(config-radsrv-group)# ssid chipmunk
router(config-radsrv-group)# reauthentication time 1800
router(config-radsrv-group)# block count 2 time 600
router(config-radsrv-group)# exit
router(config-radsrv)# user jsmith password twain74 group clerks
router(config-radsrv)# user stpatrick password snake100 group clerks
router(config-radsrv)# user nick password uptown group clerks
router(config-radsrv)# user 00095125d02b password 00095125d02b group clerks mac-auth-only
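
The following checker is an added example, not part of the Cisco guide: it reads user lines in the syntax shown above and reports entries that break the Step 11 rules (a MAC entry needs the same 12 hexadecimal digits as username and password; a user with no group gets no VLAN and is never forced to reauthenticate). The sample transcript, its flawed entries, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the page's syntax; the last three users are deliberately flawed.
SAMPLE = """\
router(config)# radius-server local
router(config-radsrv)# group clerks
router(config-radsrv-group)# reauthentication time 1800
router(config-radsrv)#user jsmith password twain74 group clerks
router(config-radsrv)#user 00095125d02b password 00095125d02b group clerks mac-auth-only
router(config-radsrv)#user 0009.5125.d02c password 00095125d02c group clerks mac-auth-only
router(config-radsrv)#user guest password guest123
router(config-radsrv)#user temp password temp456 group clarks
"""

PROMPT_RE = re.compile(r"^\S+#\s*")  # strips "router(config-radsrv)#" style prompts
USER_RE = re.compile(r"user (\S+) (password|nthash) (\S+)(?: group (\S+))?( mac-auth-only)?$")
MAC_RE = re.compile(r"[0-9a-fA-F]{12}")

def normalize_mac(mac):
    """Strip dots, dashes and colons: 0009.5125.d02b -> 00095125d02b."""
    return re.sub(r"[.\-:]", "", mac).lower()

def audit(config):
    """Return (username, finding) pairs for user lines that break the Step 11 rules."""
    lines = [PROMPT_RE.sub("", ln.strip()) for ln in config.splitlines()]
    groups = {ln.split()[1] for ln in lines if ln.startswith("group ")}
    findings = []
    for ln in lines:
        m = USER_RE.match(ln)
        if not m:
            continue
        name, kind, secret, group, mac_only = m.groups()
        if group is None:
            findings.append((name, "no group: no VLAN assigned, never forced to reauthenticate"))
        elif group not in groups:
            findings.append((name, f"group {group} is not defined"))
        if kind == "nthash" and not re.fullmatch(r"[0-9a-fA-F]+", secret):
            findings.append((name, "nthash value is not hexadecimal"))
        if mac_only:
            if not MAC_RE.fullmatch(name):
                findings.append((name, f"username must be 12 hex digits, e.g. {normalize_mac(name)}"))
            if secret != name:
                findings.append((name, "password must equal the MAC username"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```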

 

 

 

Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
4-5