305
Cisco 3900 Series, Cisco 2900 Series, and Cisco 1900 Series Integrated Services Routers Generation 2 Software Configuration Guide
Chapter Administering the Wireless Device
Controlling Access Point Access with RADIUS
Controlling Access Point Access with RADIUS
This section describes how to control administrator access to the wireless device by using Remote
Authentication Dial-In User Service (RADIUS). For complete instructions on configuring the wireless
device to support RADIUS, see the “Configuring Radius and TACACS+ Servers” chapter in Cisco IOS
Software Configuration Guide for Cisco Aironet Access Points.
RADIUS provides detailed accounting information and flexible administrative control over
authentication and authorization processes. RADIUS is facilitated through authentication, authorization,
and accounting (AAA) and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see Cisco IOS
Security Command Reference.
These sections describe RADIUS configuration:
• Default RADIUS Configuration, page 305
• Configuring RADIUS Login Authentication, page 305 (required)
• Defining AAA Server Groups, page 307 (optional)
• Configuring RADIUS Authorization for User Privileged Access and Network Services, page 309
(optional)
• Displaying the RADIUS Configuration, page 310
Default RADIUS Configuration
RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management
application. When enabled, RADIUS can authenticate users who are accessing the wireless device
through the command-line interface (CLI).
Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply the
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any defined
authentication methods are performed. The only exception is the default method list (which is named
default). The default method list is automatically applied to all interfaces except those that have a named
method list explicitly defined.
A method list describes the sequence and authentication methods to be used to authenticate a user. You
can designate one or more security protocols for authentication, thus ensuring a backup system for
authentication in case the initial method fails. The software uses the first method listed to authenticate
users. If that method fails to respond, the software selects the next authentication method in the method
list. This process continues until there is successful communication with a listed authentication method
or until all defined methods are exhausted. If authentication fails at any point in this cycle—that is, the
security server or local username database responds by denying the user access—the authentication
process stops, and no other authentication methods are attempted.
To Next Page
Loading...
