Chapter 4 Configuring an Access Point as a Local Authenticator

Configure a Local Authenticator

Configuring Other Access Points to Use the Local Authenticator

You add the local authenticator to the list of servers on the access point the same way that you add other servers. For detailed instructions on setting up RADIUS servers on your access points, see Chapter 7, “Configuring RADIUS Servers.”

Note If your local authenticator access point also serves client devices, you must configure the local authenticator to use itself to authenticate client devices.

On the access points that use the local authenticator, use the radius-server host command to enter the local authenticator as a RADIUS server. The order in which the access point attempts to use the servers matches the order in which you enter the servers in the access point configuration. If you are configuring the access point to use RADIUS for the first time, enter the main RADIUS servers first, and enter the local authenticator last.

Note You must enter 1812 as the authentication port and 1813 as the accounting port. The local authenticator listens on UDP port 1813 for RADIUS accounting packets. It discards the accounting packets but sends acknowledge packets back to RADIUS clients to prevent clients from assuming that the server is down.

Use the radius-server deadtime command to set an interval during which the access point does not attempt to use servers that do not respond, so that it does not wait for a request to time out before trying the next configured server. A server marked as dead is skipped by subsequent requests for the number of minutes that you specify, up to 1440 (24 hours).

This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes:

router(config)# aaa new-model
router(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
router(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
router(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
router(config)# radius-server deadtime 10

In this example, if the WAN link to the main servers fails, the access point completes these steps when a LEAP-enabled client device associates:

1. It tries the first server, times out multiple times, and marks the first server as dead.

2. It tries the second server, times out multiple times, and marks the second server as dead.

3. It tries and succeeds using the local authenticator.

If another client device needs to authenticate during the 10-minute dead-time interval, the access point skips the first two servers and tries the local authenticator first. After the dead-time interval, the access point tries to use the main servers for authentication. When setting a dead time, you must balance the need to skip dead servers with the need to check the WAN link and begin using the main servers again as soon as possible.

Each time the access point tries to use the main servers while they are down, the client device trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point tries the local authenticator. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.
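The failover sequence described above, as an added example that is not part of the original guide or Cisco's code: a small Python model of how an access point walks its radius-server list with a dead time, fed with the page's three-server configuration. It also checks the two rules the page states for the local authenticator entry (entered last, auth-port 1812 and acct-port 1813). The simplification that a single unanswered request marks a server dead is an assumption; a real access point times out several times first.

```python
# Added example, not Cisco's code: a model of radius-server selection with deadtime,
# using the configuration shown on this page. Assumption: one unanswered request
# marks a server dead (a real access point times out multiple times first).
import re
from dataclasses import dataclass, field

# Constructed input: the page's example configuration as it would appear in a
# running-config listing (prompts removed).
EXAMPLE_CONFIG = """\
aaa new-model
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
radius-server deadtime 10
"""

HOST_RE = re.compile(
    r"^radius-server host (?P<ip>\S+) auth-port (?P<auth>\d+) acct-port (?P<acct>\d+)"
)
DEADTIME_RE = re.compile(r"^radius-server deadtime (?P<minutes>\d+)")


@dataclass
class RadiusServer:
    ip: str
    auth_port: int
    acct_port: int
    dead_until: int = 0  # simulation minute at which the server may be tried again


@dataclass
class AccessPoint:
    servers: list = field(default_factory=list)  # in configuration order
    deadtime: int = 0  # minutes; 0 means dead servers are never skipped


def parse_config(text: str) -> AccessPoint:
    """Build the server list in the order the commands were entered."""
    ap = AccessPoint()
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            ap.servers.append(RadiusServer(m["ip"], int(m["auth"]), int(m["acct"])))
            continue
        m = DEADTIME_RE.match(line.strip())
        if m:
            ap.deadtime = int(m["minutes"])
    if not 0 <= ap.deadtime <= 1440:
        raise ValueError("radius-server deadtime must be 0..1440 minutes")
    return ap


def check_local_authenticator(ap: AccessPoint, local_ip: str) -> list:
    """Report violations of the page's rules for the local authenticator entry:
    it must be entered last and use auth-port 1812 / acct-port 1813."""
    problems = []
    match = [s for s in ap.servers if s.ip == local_ip]
    if not match:
        return [f"{local_ip} is not configured as a radius-server host"]
    local = match[0]
    if ap.servers[-1] is not local:
        problems.append("local authenticator should be entered last")
    if local.auth_port != 1812:
        problems.append(f"auth-port is {local.auth_port}, must be 1812")
    if local.acct_port != 1813:
        problems.append(f"acct-port is {local.acct_port}, must be 1813")
    return problems


def authenticate(ap: AccessPoint, reachable: set, now: int):
    """Walk the server list for one client authentication at minute `now`.
    Returns (ip of the server that answered or None, list of (ip, outcome))."""
    log = []
    for s in ap.servers:
        if s.dead_until > now:
            log.append((s.ip, "skipped-dead"))
            continue
        if s.ip in reachable:
            log.append((s.ip, "ok"))
            return s.ip, log
        s.dead_until = now + ap.deadtime  # timed out: skip it for the dead time
        log.append((s.ip, "timeout-marked-dead"))
    return None, log


if __name__ == "__main__":
    ap = parse_config(EXAMPLE_CONFIG)
    print(check_local_authenticator(ap, "10.91.6.151"))
    only_local = {"10.91.6.151"}  # WAN link to the main servers is down
    for minute in (0, 5, 10):
        print(minute, authenticate(ap, only_local, minute))
```

Running the block with only the local authenticator reachable shows the three behaviours the text describes: at minute 0 both main servers time out and are marked dead, at minute 5 they are skipped and the local authenticator is tried first, and at minute 10 the dead time has expired so the main servers are tried again (and time out again) before the local authenticator answers.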

To remove the local authenticator from the access point configuration, use the no radius-server host {hostname | ip-address} global configuration command.

Cisco Wireless ISR and HWIC Access Point Configuration Guide
4-8
OL-6415-04
