Cisco Aironet 1100 Series - Configuring RADIUS Authorization for User Privileged Access and Network Services

To Next Page

To Previous Page

11-11

Cisco Aironet 1100 Series Access Point Installation and Configuration Guide

OL-2851-01

Chapter 11 Configuring RADIUS Servers

Configuring RADIUS

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global

configuration command. To remove a server group from the configuration list, use the no aaa group

server radius group-name global configuration command. To remove the IP address of a RADIUS

server, use the no server ip-address server group configuration command.

In this example, the access point is configured to recognize two different RADIUS group servers (group1

and group2). Group1 has two different host entries on the same RADIUS server configured for the same

services. The second host entry acts as a fail-over backup to the first entry.

AP(config)# aaa new-model

AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001

AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

AP(config)# aaa group server radius group1

AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001

AP(config-sg-radius)# exit

AP(config)# aaa group server radius group2

AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001

AP(config-sg-radius)# exit

Configuring RADIUS Authorization for User Privileged Access and Network

Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the

access point uses information retrieved from the user’s profile, which is in the local user database or on

the security server, to configure the user’s session. The user is granted access to a requested service only

if the information in the user profile allows it.

Note This section describes setting up authorization for access point adminsitrators, not for wireless client

devices.

You can use the aaa authorization global configuration command with the radius keyword to set

parameters that restrict a user’s network access to privileged EXEC mode.

The aaa authorization exec radius local command sets these authorization parameters:

• Use RADIUS for privileged EXEC access authorization if authentication was performed by using

RADIUS.

• Use the local database if authentication was not performed by using RADIUS.

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has

been configured.

Related product manuals