Home » Cisco Manuals » Network Security & Firewall Devices » Cisco C3201FESMIC-TP= » Manual Viewer

Cisco C3201FESMIC-TP= Software Guide - Page 93

Configuring the Bridge to Use Vendor-Specific RADIUS Attributes, radius-server deadtime

UPC - 882658032479

View all Cisco C3201FESMIC-TP= manuals

Add to My Manuals
Save this manual to your list of manuals

Page 93 highlights

Administering the WMIC Configuring and Enabling RADIUS Step 5 Step 6 Step 7 Step 8 Step 9 Command radius-server deadtime minutes radius-server attribute 32 include-in-access-req format %h end show running-config copy running-config startup-config Purpose Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as dead is skipped by additional requests for the duration of minutes that you specify. Note If you set up more than one RADIUS server, you must configure the RADIUS server deadtime for optimal performance. Configures the bridge to send its system name in the NAS_ID attribute for authentication. Returns to privileged EXEC mode. Verifies your settings. (Optional) Saves your entries in the configuration file. To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands. Configuring the Bridge to Use Vendor-Specific RADIUS Attributes The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the bridge and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco's vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during Point-to-Point Protocol IP Control Protocol (PPP IPCP) address assignment): cisco-avpair= "ip:addr-pool=first" The following example shows how to provide a user logging in from a bridge with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15" Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, see RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)." Cisco 3200 Series Wireless MIC Software Configuration Guide 29

Section	Page
Cisco 3200 Series Wireless MIC Software Configuration Guide	1
Contents	3
Preface	15
Audience	15
Purpose	15
Organization	15
Conventions	17
Related Documentation	19
Obtaining Documentation	20
Cisco.com	20
Product Documentation DVD	20
Ordering Documentation	20
Documentation Feedback	20
Cisco Product Security Overview	21
Reporting Security Problems in Cisco Products	21
Obtaining Technical Assistance	22
Cisco Technical Support & Documentation Website	22
Submitting a Service Request	23
Definitions of Service Request Severity	23
Obtaining Additional Publications and Information	23
Overview of the Cisco WMIC	25
Understanding the Cisco Mobile Wireless Network	25
Public Safety Wireless Network Example	25
Intersection Example	27
Vehicle Network Example	28
Data Path Example	29
Call Setup Process	29
Data Flow to and from the Home Network	30
Features	31
Management Options	34
Configuring the WMIC for the First Time	35
Before You Start	35
Connecting to the WMIC	35
Using the Console Port to Access the Privileged Exec Mode	36
Using a Telnet Session to Access the Privileged Exec Mode	36
Opening the CLI with Secure Shell	36
Obtaining and Assigning an IP Address	37
Assigning an IP Address By Using the Exec	37
Protecting Your Wireless LAN	38
Configuring Basic Security Settings	38
Using VLANs	38
Express Security Types	39
CLI Security Configuration Examples	40
Example: No Security	40
Example: Static WEP	40
Example: EAP Authentication	41
Example: WPA	42
Roles and the Associations of Wireless Devices	45
Understanding Wireless Device Network Roles	45
Access Point Role	46
Bridge Role	46
Point-to-Point Bridging	47
Point-to-Multipoint Bridging	48
Redundant Bridging	49
Workgroup Bridge Role	50
Universal Workgroup Bridge (2.4-GHz Radios Only)	52
Configuring Universal Workgroup Bridge on a Cisco 3200	55
Assigning Dynamic MAC address for Universal Workgroup Bridge	56
World Mode (2.4 GHz Radio Only)	56
Supported Country Codes	57
Additional Information	62
Administering the WMIC	65
Configuring a System Name and Prompt	65
Configuring a System Name	65
Managing DNS	66
Default DNS Configuration	66
Setting Up DNS	66
Displaying the DNS Configuration	67
Creating a Banner	67
Default Banner Configuration	68
Configuring a Message-of-the-Day Login Banner	68
Configuring a Login Banner	69
Protecting Access to Privileged EXEC Commands	69
Default Password and Privilege Level Configuration	70
Setting or Changing a Static Enable Password	70
Protecting Enable and Enable Secret Passwords with Encryption	71
Configuring Username and Password Pairs	73
Configuring Multiple Privilege Levels	74
Setting the Privilege Level for a Command	74
Logging Into and Exiting a Privilege Level	75
Protecting the Wireless LAN	75
Using VLANs	75
Express Security Types	76
Security Configuration Examples	78
Configuring and Enabling RADIUS	83
Understanding RADIUS	83
RADIUS Operation	84
Controlling WMIC Access with RADIUS	85
Identifying the RADIUS Server Host	85
Configuring RADIUS Login Authentication	88
Defining AAA Server Groups	89
Configuring RADIUS Authorization for User Privileged Access and Network Services	91
Starting RADIUS Accounting	92
Configuring Settings for All RADIUS Servers	92
Configuring the Bridge to Use Vendor-Specific RADIUS Attributes	93
Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication	94
Displaying the RADIUS Configuration	95
Controlling WMIC Access with TACACS+	96
Understanding TACACS+	96
TACACS+ Operation	97
Default TACACS+ Configuration	97
Configuring TACACS+ Login Authentication	98
Identifying the TACACS+ Server Host and Setting the Authentication Key	98
Configuring TACACS+ Login Authentication	99
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	100
Starting TACACS+ Accounting	101
Displaying the TACACS+ Configuration	102
Configuring the WMIC for Local Authentication and Authorization	102
Configuring the WMIC for Secure Shell	103
Understanding SSH	103
Configuring SSH	104
Managing Aironet Extensions	104
Managing the System Time and Date	105
Understanding the System Clock	105
Understanding Network Time Protocol	105
Configuring Time and Date Manually	108
Setting the System Clock	108
Displaying the Time and Date Configuration	108
Configuring the Time Zone	109
Configuring Summer Time (Daylight Saving Time)	110
Configuring NTP	111
Default NTP Configuration	111
Configuring NTP Authentication	111
Configuring NTP Associations	113
Configuring NTP Broadcast Service	114
Configuring NTP Access Restrictions	116
Disabling NTP Services on a Specific Interface	117
Configuring the Source IP Address for NTP Packets	118
Displaying the NTP Configuration	118
Radio Channel and Transmit Frequency Configuration	121
Understanding Radio Channels and Frequencies	121
Determining the Radio Type	122
Configuring a Channel or Frequency	122
Configuring the Radio Channel or Frequency	122
Configuring the Radio Channel Spacing	123
Additional Information	123
Radio Channel Frequencies	125
IEEE 802.11n (2.4-GHz Band)	125
IEEE 802.11n (5-GHz Band)	126
IEEE 802.11b (2.4-GHz Band)	127
IEEE 802.11g (2.4-GHz Band)	128
IEEE 802.11a (5-GHz Band)	129
4.9 GHz (public safety) Channels and Frequencies	130
Dynamic Frequency Selection	131
Understanding Dynamic Frequency Selection	131
DFS Actions	132
Dynamic Frequency Selection Channels	132
Configuring a Preferred Channel	133
Configuring Radar Detection By Clients	134
Configuring an SNMP Trap for Radar Detection	134
Additional Information	135
Radio Transmit Power	137
Understanding Radio Transmit Power	137
Determine the Radio Type	138
Configuring Radio Transmit Power	138
Configuring Client Radio Transmit Power	139
Maximum Power Levels and Antenna Gains	140
IEEE 802.11g (2.4 GHz Band)	140
Configuring Radio Data Rates	141
speed Command	142
speed Command Examples	143
Verify Settings	144
Multiple Client Profiles	145
MCP Support in the 12.3(8)JK Release	145
MCP Support in 12.4(3)JK and Later Releases	145
Setting Priority in 12.4(3)JK and Later Releases	146
Dynamic Channel Width (4.9GHz WMIC only)	146
Configuring a WMIC for MCP (12.4(3)JK or Later Releases)	147
Configuration Examples	148
Configuring a WMIC for MCP (12.3(8)JK Only)	149
Configuration Examples	150
Service Set Identifiers	153
Understanding SSIDs	153
Configuring the SSID	154
Creating an SSID	154
Configuring Any SSID	155
Configuring Multiple Basic SSIDs	155
Requirements for Configuring Multiple BSSIDs	155
Guidelines for Using Multiple BSSIDs	156
CLI Configuration Example	156
Displaying Configured BSSIDs	156
Cipher Suites and WEP	157
Understanding Cipher Suites and WEP	157
Configuring Cipher Suites	158
Configuring WEP	158
Configuring WEP with 12.4(3)JK or Later Releases	158
Configuring WEP with 12.3(8)JK or Earlier Releases	159
WEP Key Restrictions	160
Example WEP Key Setup	160
Enabling Cipher Suite	161
Enabling Cipher Suite with 12.4(3)JK or Later Releases	161
Enabling Cipher Suite with 12.3(8)JK or Earlier Releases	163
Matching Cipher Suites with WPA	164
Spanning Tree Protocol in a Wireless Environment	165
Understanding Spanning Tree Protocol	165
STP Overview	166
STP Support	166
Bridge Protocol Data Units	167
Election of the Spanning-Tree Root	168
Spanning-Tree Timers	168
Creating the Spanning-Tree Topology	168
Spanning-Tree Interface States	169
Blocking State	170
Listening State	171
Learning State	171
Forwarding State	171
Disabled State	171
Configuring STP Features	172
Default STP Configuration	172
Configuring STP Settings	172
STP Configuration Examples	173
Root Bridge Without VLANs	173
Non-Root Bridge Without VLANs	174
Root Bridge with VLANs	175
Non-Root Bridge with VLANs	176
Displaying Spanning-Tree Status	178
Cisco Discovery Protocol	179
Understanding CDP	179
Configuring CDP	179
Default CDP Configuration	180
Configuring the CDP Characteristics	180
Disabling and Enabling CDP	180
Disabling and Enabling CDP on an Interface	181
Monitoring and Maintaining CDP	182
Authentication Types	185
Understanding Authentication Types	185
Open Authentication to the WMIC	186
Shared Key Authentication to the WMIC	186
EAP Authentication to the Network	187
EAP-TLS	189
EAP-FAST	189
EAP-TTLS	189
MAC Address Authentication to the Network	190
Using CCKM Key Management	190
Using WPA Key Management	190
Configuring Certificates Using the crypto pki CLI	191
Configuration Using the Cut and Paste Method	191
Configuration Using the TFTP Method	195
Configuration Using SCEP	196
Adding the Trustpoint to the dot1x Credentials	198
Configuring Authentication Types	199
Default Authentication Settings	199
Assigning Authentication Types to an SSID	200
Configuring Up 2.4 the WMIC Radio as an EAP Client	203
Setting Up a Non-Root Bridge as a LEAP Client for 4.9 WMIC Radios	205
Configuring the Root Device to Interact with the WDS Device	207
Configuring Additional WPA Settings	207
Configuring Authentication Holdoffs, Timeouts, and Intervals	208
Matching Authentication Types on Root Devices and Non-Root Bridges	209
QoS in a Wireless Environment	211
Understanding QoS for Wireless LANs	211
QoS for Wireless LANs Versus QoS on Wired LANs	212
Impact of QoS on a Wireless LAN	212
Precedence of QoS Settings	213
Using Wi-Fi Multimedia Mode	213
Configuring QoS	214
QoS Configuration Examples	214
QoS Example Configuration for VLAN	214
QoS Example of IP DSCP and IP Precedence	215
Configuring VLANs	217
Understanding VLANs	217
Related Documents	218
Incorporating Wireless Bridges into VLANs	219
Configuring VLANs	219
Configuring a VLAN	219
Viewing VLANs Configured on the WMIC	222
System Message Logging	223
Understanding System Message Logging	223
Configuring System Message Logging	224
System Log Message Format	224
Default System Message Logging Configuration	225
Disabling and Enabling Message Logging	226
Setting the Message Display Destination Device	227
Enabling and Disabling Timestamps on Log Messages	228
Enabling and Disabling Sequence Numbers in Log Messages	228
Defining the Message Severity Level	229
Limiting Syslog Messages Sent to the History Table and to SNMP	230
Setting a Logging Rate Limit	231
Configuring UNIX Syslog Servers	231
Logging Messages to a UNIX Syslog Daemon	232
Configuring the UNIX System Logging Facility	232
Displaying the Logging Configuration	233
Tunnel Templates	235
Applying the Tunnel Template on the Home Agent	235
Applying the Tunnel Template on the Mobile Router	236
Example Configuration	237
Applying Tunnel Templates to the IPSec Two-box Solution	238
Related Documents	241
WIMIC Troubleshooting	243
Checking the LED Indicators	243
Checking Basic Settings	245
SSID	245
WEP Keys	245
Security Settings	245
Resetting to the Default Configuration	245
Using the CLI	246
Reloading the Image	247
Obtaining the Image Files	249
Obtaining TFTP Server Software	249
Reloading the Bootloader Image	249
Error and Event Messages	250
Filters	255
Understanding Filters	255
Configuring Filters	256
Simple Network Management Protocol	257
Understanding SNMP	257
SNMP Versions	258
SNMP Manager Functions	258
SNMP Agent Functions	259
SNMP Community Strings	259
Using SNMP to Access MIB Variables	259
Configuring SNMP	260
Default SNMP Configuration	260
Enabling the SNMP Agent	260
Configuring Community Strings	260
Configuring Trap Managers and Enabling Traps	262
Setting the Agent Contact and Location Information	265
Using the snmp-server view Command	265
SNMP Examples	265
Displaying SNMP Status	266
Maximum Power Levels	267
IEEE 802.11g (2.4-GHz Band)	267
Supported MIBs	269
MIB List	269
Using FTP to Access the MIB Files	270
Protocol Filters	273
WDS, Fast Secure Roaming, and Radio Management	279
Understanding WDS	279
Role of the WDS Access Point	280
Role of Access Points Using the WDS Access Point	280
Understanding Fast Secure Roaming	280
Understanding Radio Management	282
Configuring WDS and Fast Secure Roaming	282
Guidelines for WDS	282
Requirements for WDS and Fast Secure Roaming	283
Configuring the WMIC to use the WDS Access Point	283
Configuring the Authentication Server to Support Fast Secure Roaming	283
Using CLI Commands to Enable the WDS Server	287
Using CLI Commands to Enable the Root Device	288
Viewing WDS Information	289
Using Debug Messages	289
Using CLI Commands to Enable Roaming	290
Management Frame Protection	291
Understanding Management Frame Protection	291
Protection of Unicast Management Frames	292
Protection of Broadcast Management Frames	292
Client MFP For Access Points in Root mode	292
Configuring Client MFP	292
Configuring Infrastructure MFP	293
Glossary	295

Match case Limit results 1 per page

Administering the WMIC

Configuring and Enabling RADIUS

Cisco 3200 Series Wireless MIC Software Configuration Guide

To return to the default setting for the retransmit, timeout, and deadtime, use the

forms of these

commands.

Configuring the Bridge to Use Vendor-Specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating

vendor-specific information between the bridge and the RADIUS server by using the vendor-specific

attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended

attributes that are not suitable for general use. The Cisco RADIUS implementation supports one

vendor-specific option by using the format recommended in the specification. Cisco’s vendor ID is 9,

and the supported option has vendor type 1, which is named

cisco-avpair

. The value is a string with this

format:

protocol : attribute sep value *

Protocol

is a value of the Cisco protocol attribute for a particular type of authorization.

Attribute

and

value

are an appropriate AV pair defined in the Cisco TACACS+ specification, and

sep

for

mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features

available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair activates Cisco’s

multiple named ip address pools

feature during IP

authorization (during Point-to-Point Protocol IP Control Protocol (PPP IPCP) address assignment):

cisco-avpair= ”ip:addr-pool=first“

The following example shows how to provide a user logging in from a bridge with immediate access to

privileged EXEC commands:

cisco-avpair= ”shell:priv-lvl=15“

Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information

about vendor IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”

Step 5

radius-server deadtime

minutes

Use this command to cause the Cisco IOS software to mark as “dead” any

RADIUS servers that fail to respond to authentication requests, thus

avoiding the wait for the request to time out before trying the next

configured server. A RADIUS server marked as dead is skipped by

additional requests for the duration of minutes that you specify.

Note

If you set up more than one RADIUS server, you must configure the

RADIUS server deadtime for optimal performance.

Step 6

radius-server attribute 32

include-in-access-req format %h

Configures the bridge to send its system name in the NAS_ID attribute for

authentication.

Step 7

end

Returns to privileged EXEC mode.

Step 8

show running-config

Verifies your settings.

Step 9

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Command

Purpose