Chapter 4 Configuring an Access Point as a Local Authenticator

Configure a Local Authenticator

Limiting the Local Authenticator to One Authentication Type

By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types. Use the no form of the authentication command to restrict the authenticator to an authentication type:

router(config-radsrv)# [no] authentication [eapfast] [leap] [mac]

Because all authentication types are enabled by default, you enter the no form of the command to disable authentication types. For example, if you want the authenticator to perform only LEAP authentication, you enter these commands:

router(config-radsrv)# no authentication eapfast

router(config-radsrv)# no authentication mac

Unblocking Locked Usernames

You can unblock usernames before the lockout time expires, or when the lockout time is set to infinite. In privileged EXEC mode on the local authenticator, enter this command to unblock a locked username:

router# clear radius local-server user username

Viewing Local Authenticator Statistics

In privileged EXEC mode, enter this command to view statistics collected by the local authenticator:

router# show radius local-server statistics

This example shows local authenticator statistics:

Successes              : 0           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 10.91.6.158
Successes              : 0           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute  : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0
Auto provision success : 0           Auto provision failure : 0
PAC refresh            : 0           Invalid PAC received   : 0

Username                  Successes  Failures  Blocks
nicky                             0         0       0
jones                             0         0       0
jsmith                            0         0       0

Router#sh radius local-server statistics
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 0

The first section of statistics lists cumulative statistics from the local authenticator.
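The following Python script is an added example, not part of the Cisco guide: it parses saved output of show radius local-server statistics into the cumulative section, the per-NAS sections, and the per-user table, then lists non-zero failure counters. The sample values are constructed, and the function names and the set of counters to watch are assumptions of this example.

```python
import re
# Constructed sample in the command's output layout; values are invented.
SAMPLE = """\
Successes              : 12          Unknown usernames      : 3
Client blocks          : 1           Invalid passwords      : 7
Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 10.91.6.158
Successes              : 12          Unknown usernames      : 3
Shared key mismatch    : 2           Invalid state attribute: 0

Username                  Successes  Failures  Blocks
nicky                            10         0       0
jsmith                            2         7       1
"""
NAS_LINE = re.compile(r"^NAS\s*:\s*(\S+)$")
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")   # "name : count"
USER = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# Counters treated as worth a look when non-zero (an assumption, tune locally).
WATCH = ("Invalid passwords", "Client blocks", "Unknown NAS",
         "Shared key mismatch", "Invalid PAC received")

def parse_stats(text):
    """Return (cumulative, {nas_ip: counters}, {user: (ok, fail, blocks)})."""
    totals, per_nas, users = {}, {}, {}
    target, in_users = totals, False
    for line in map(str.strip, text.splitlines()):
        nas = NAS_LINE.match(line)
        if nas:                                  # start of a per-NAS section
            target = per_nas.setdefault(nas.group(1), {})
        elif line.startswith("Username"):        # header of the user table
            in_users = True
        elif in_users:
            row = USER.match(line)
            if row:
                users[row.group(1)] = tuple(map(int, row.group(2, 3, 4)))
        else:                                    # two counters per line
            target.update((k, int(v)) for k, v in PAIR.findall(line))
    return totals, per_nas, users

def findings(text):
    totals, per_nas, users = parse_stats(text)
    out = [f"cumulative: {k} = {totals[k]}" for k in WATCH if totals.get(k)]
    for ip, c in per_nas.items():
        out += [f"NAS {ip}: {k} = {c[k]}" for k in WATCH if c.get(k)]
    out += [f"user {u}: {f} failures, {b} blocks"
            for u, (_, f, b) in users.items() if f or b]
    return out

print("\n".join(findings(SAMPLE)))
```

The parser expects the output of a single command run; lines after the user table that are not user rows are ignored.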

Cisco Wireless ISR and HWIC Access Point Configuration Guide

 

OL-6415-04
