Home » Cisco Manuals » Bridges & Routers » Cisco CISCO1401 » Manual Viewer

Cisco CISCO1401 Software Guide - Page 133

RADIUS Operation

UPC - 746320202785

Add to My Manuals
Save this manual to your list of manuals

Page 133 highlights

Chapter 11 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS RADIUS Operation When a non-root bridge attempts to authenticate to a bridge whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 11-1: Figure 11-1 Sequence for EAP Authentication OL-4059-01 Switch on LAN 1 Non-Root Bridge Root Bridge Authentication server 1. Authentication request 2. Identity request 3. Username (Relay to server) (Relay to non-root bridge) 4. Authentication challenge 5. Authentication response (Relay to server) (Relay to non-root bridge) 6. Authentication success 7. Authentication challenge (Relay to server) (Relay to non-root bridge) 8. Authentication response 9. Authentication success (Relay to server) 88901 In Steps 1 through 9 in Figure 11-1, a non-root bridge and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the root bridge. The RADIUS server sends an authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the non-root bridge. When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS server. When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP key that is unique to the non-root bridge and provides the non-root bridge with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The non-root bridge loads this key and prepares to use it for the logon session. During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the root bridge. The root bridge encrypts its broadcast key with the session key and sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The non-root bridge and the root bridge activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session. There is more than one type of EAP authentication, but the root bridge behaves the same way for each type: it relays authentication messages from the non-root bridge to the RADIUS server and from the RADIUS server to the non-root bridge. See the "Assigning Authentication Types to an SSID" section on page 10-5 for instructions on setting up authentication using a RADIUS server. Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide 11-3

Section	Page
Cisco Aironet 1400 Series Wireless Bridge Software Configuration Guide	1
Contents	3
Preface	13
Audience	13
Purpose	13
Organization	13
Conventions	15
Related Publications	17
Overview	19
Features	20
Management Options	20
Network Configuration Examples	21
Point-to-Point Bridging	21
Point-to-Multipoint Bridging	22
Redundant Bridging	22
Configuring the Bridge for the First Time	25
Before You Start	26
Resetting the Bridge to Default Settings	26
Obtaining and Assigning an IP Address	27
Connecting to the Bridge Locally	27
Assigning Basic Settings	28
Default Settings on the Express Setup Page	32
Protecting Your Wireless LAN	32
Using the IP Setup Utility	32
Obtaining and Installing IPSU	33
Using IPSU to Find the Bridge’s IP Address	33
Using IPSU to Set the Bridge’s IP Address and SSID	34
Assigning an IP Address Using the CLI	35
Using a Telnet Session to Access the CLI	36
Using the Web-Browser Interface	37
Using the Web-Browser Interface for the First Time	38
Using the Management Pages in the Web-Browser Interface	38
Using Action Buttons	39
Character Restrictions in Entry Fields	40
Using Online Help	41
Using the Command-Line Interface	43
IOS Command Modes	44
Getting Help	45
Abbreviating Commands	45
Using no and default Forms of Commands	45
Understanding CLI Messages	46
Using Command History	46
Changing the Command History Buffer Size	46
Recalling Commands	47
Disabling the Command History Feature	47
Using Editing Features	47
Enabling and Disabling Editing Features	48
Editing Commands Through Keystrokes	48
Editing Command Lines that Wrap	49
Searching and Filtering Output of show and more Commands	50
Accessing the CLI	50
Opening the CLI with Telnet	50
Opening the CLI with Secure Shell	51
Administering the Bridge	53
Preventing Unauthorized Access to Your Bridge	54
Protecting Access to Privileged EXEC Commands	54
Default Password and Privilege Level Configuration	54
Setting or Changing a Static Enable Password	55
Protecting Enable and Enable Secret Passwords with Encryption	56
Configuring Username and Password Pairs	57
Configuring Multiple Privilege Levels	58
Setting the Privilege Level for a Command	58
Logging Into and Exiting a Privilege Level	59
Controlling Bridge Access with RADIUS	59
Default RADIUS Configuration	60
Configuring RADIUS Login Authentication	60
Defining AAA Server Groups	61
Configuring RADIUS Authorization for User Privileged Access and Network Services	63
Displaying the RADIUS Configuration	64
Controlling Bridge Access with TACACS+	64
Default TACACS+ Configuration	65
Configuring TACACS+ Login Authentication	65
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	66
Displaying the TACACS+ Configuration	67
Configuring the Bridge for Local Authentication and Authorization	67
Configuring the Bridge for Secure Shell	68
Understanding SSH	68
Configuring SSH	69
Managing the System Time and Date	69
Understanding the System Clock	69
Understanding Network Time Protocol	70
Configuring NTP	71
Default NTP Configuration	72
Configuring NTP Authentication	72
Configuring NTP Associations	73
Configuring NTP Broadcast Service	74
Configuring NTP Access Restrictions	75
Creating an Access Group and Assigning a Basic IP Access List	76
Disabling NTP Services on a Specific Interface	77
Configuring the Source IP Address for NTP Packets	77
Displaying the NTP Configuration	78
Configuring Time and Date Manually	78
Setting the System Clock	79
Displaying the Time and Date Configuration	79
Configuring the Time Zone	80
Configuring Summer Time (Daylight Saving Time)	81
Configuring a System Name and Prompt	83
Default System Name and Prompt Configuration	83
Configuring a System Name	83
Understanding DNS	84
Default DNS Configuration	84
Setting Up DNS	84
Displaying the DNS Configuration	85
Creating a Banner	85
Default Banner Configuration	86
Configuring a Message-of-the-Day Login Banner	86
Configuring a Login Banner	87
Configuring Radio Settings	89
Disabling and Enabling the Radio Interface	90
Configuring the Role in Radio Network	90
Configuring the Radio Distance Setting	91
Configuring Radio Data Rates	91
Configuring Radio Transmit Power	92
Configuring Radio Channel Settings	93
Disabling and Enabling Aironet Extensions	94
Configuring the Ethernet Encapsulation Transformation Method	94
Configuring the Beacon Period	94
Configuring RTS Threshold and Retries	95
Configuring the Maximum Data Retries	95
Configuring the Fragmentation Threshold	96
Configuring Packet Concatenation	96
Performing a Carrier Busy Test	97
Configuring SSIDs	99
Understanding SSIDs	100
Configuring the SSID	100
Default SSID Configuration	100
Creating an SSID	101
Configuring Spanning Tree Protocol	103
Understanding Spanning Tree Protocol	104
STP Overview	104
Bridge Protocol Data Units	105
Election of the Spanning-Tree Root	106
Spanning-Tree Timers	106
Creating the Spanning-Tree Topology	106
Spanning-Tree Interface States	107
Blocking State	108
Listening State	109
Learning State	109
Forwarding State	109
Disabled State	109
Configuring STP Features	110
Default STP Configuration	110
Configuring STP Settings	110
STP Configuration Examples	111
Root Bridge Without VLANs	111
Non-Root Bridge Without VLANs	112
Root Bridge with VLANs	113
Non-Root Bridge with VLANs	114
Displaying Spanning-Tree Status	116
Configuring WEP and WEP Features	117
Understanding WEP	118
Configuring WEP and WEP Features	118
Creating WEP Keys	118
Enabling and Disabling WEP and Enabling TKIP and MIC	119
Configuring Authentication Types	121
Understanding Authentication Types	122
Open Authentication to the Bridge	122
Shared Key Authentication to the Bridge	122
EAP Authentication to the Network	123
Configuring Authentication Types	125
Default Authentication Settings	125
Assigning Authentication Types to an SSID	125
Configuring Authentication Holdoffs, Timeouts, and Intervals	127
Setting Up a Non-Root Bridge as a LEAP Client	128
Matching Authentication Types on Root and Non-Root Bridges	129
Configuring RADIUS and TACACS+ Servers	131
Configuring and Enabling RADIUS	132
Understanding RADIUS	132
RADIUS Operation	133
Configuring RADIUS	134
Default RADIUS Configuration	134
Identifying the RADIUS Server Host	134
Configuring RADIUS Login Authentication	137
Defining AAA Server Groups	139
Configuring RADIUS Authorization for User Privileged Access and Network Services	141
Starting RADIUS Accounting	142
Configuring Settings for All RADIUS Servers	143
Configuring the Bridge to Use Vendor-Specific RADIUS Attributes	143
Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication	144
Displaying the RADIUS Configuration	145
Configuring and Enabling TACACS+	146
Understanding TACACS+	146
TACACS+ Operation	147
Configuring TACACS+	147
Default TACACS+ Configuration	148
Identifying the TACACS+ Server Host and Setting the Authentication Key	148
Configuring TACACS+ Login Authentication	149
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	150
Starting TACACS+ Accounting	151
Displaying the TACACS+ Configuration	152
Configuring VLANs	153
Understanding VLANs	154
Related Documents	155
Incorporating Wireless Bridges into VLANs	156
Configuring VLANs	156
Configuring a VLAN	156
Viewing VLANs Configured on the Bridge	159
Configuring QoS	161
Understanding QoS for Wireless LANs	162
QoS for Wireless LANs Versus QoS on Wired LANs	162
Impact of QoS on a Wireless LAN	162
Precedence of QoS Settings	163
Configuring QoS	163
Configuration Guidelines	163
Configuring QoS Using the Web-Browser Interface	164
Adjusting Radio Traffic Class Definitions	168
CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links	169
QoS Configuration Examples	170
Giving Priority to Voice Traffic	170
Giving Priority to Video Traffic	172
Configuring Filters	173
Understanding Filters	174
Configuring Filters Using the CLI	174
Configuring Filters Using the Web-Browser Interface	174
Configuring and Enabling MAC Address Filters	175
Creating a MAC Address Filter	176
Configuring and Enabling IP Filters	177
Creating an IP Filter	179
Configuring and Enabling Ethertype Filters	180
Creating an Ethertype Filter	181
Configuring CDP	183
Understanding CDP	184
Configuring CDP	184
Default CDP Configuration	184
Configuring the CDP Characteristics	185
Disabling and Enabling CDP	185
Disabling and Enabling CDP on an Interface	186
Monitoring and Maintaining CDP	187
Configuring SNMP	191
Understanding SNMP	192
SNMP Versions	192
SNMP Manager Functions	193
SNMP Agent Functions	193
SNMP Community Strings	193
Using SNMP to Access MIB Variables	194
Configuring SNMP	194
Default SNMP Configuration	195
Enabling the SNMP Agent	195
Configuring Community Strings	195
Configuring Trap Managers and Enabling Traps	197
Setting the Agent Contact and Location Information	199
Using the snmp-server view Command	199
SNMP Examples	199
Displaying SNMP Status	200
Managing Firmware and Configurations	201
Working with the Flash File System	202
Displaying Available File Systems	202
Setting the Default File System	203
Displaying Information About Files on a File System	203
Changing Directories and Displaying the Working Directory	204
Creating and Removing Directories	204
Copying Files	205
Deleting Files	205
Creating, Displaying, and Extracting tar Files	206
Creating a tar File	206
Displaying the Contents of a tar File	207
Extracting a tar File	207
Displaying the Contents of a File	208
Working with Configuration Files	208
Guidelines for Creating and Using Configuration Files	209
Configuration File Types and Location	209
Creating a Configuration File by Using a Text Editor	210
Copying Configuration Files by Using TFTP	210
Preparing to Download or Upload a Configuration File by Using TFTP	210
Downloading the Configuration File by Using TFTP	211
Uploading the Configuration File by Using TFTP	211
Copying Configuration Files by Using FTP	212
Preparing to Download or Upload a Configuration File by Using FTP	213
Downloading a Configuration File by Using FTP	213
Uploading a Configuration File by Using FTP	214
Copying Configuration Files by Using RCP	215
Preparing to Download or Upload a Configuration File by Using RCP	216
Downloading a Configuration File by Using RCP	216
Uploading a Configuration File by Using RCP	217
Clearing Configuration Information	218
Deleting a Stored Configuration File	218
Working with Software Images	219
Image Location on the Bridge	219
tar File Format of Images on a Server or Cisco.com	219
Copying Image Files by Using TFTP	220
Preparing to Download or Upload an Image File by Using TFTP	220
Downloading an Image File by Using TFTP	221
Uploading an Image File by Using TFTP	222
Copying Image Files by Using FTP	223
Preparing to Download or Upload an Image File by Using FTP	223
Downloading an Image File by Using FTP	224
Uploading an Image File by Using FTP	226
Copying Image Files by Using RCP	227
Preparing to Download or Upload an Image File by Using RCP	227
Downloading an Image File by Using RCP	229
Uploading an Image File by Using RCP	231
Reloading the Image Using the Web Browser Interface	232
Browser HTTP Interface	232
Browser TFTP Interface	232
Reloading the Image Using the Power Injector MODE button	233
Configuring System Message Logging	235
Understanding System Message Logging	236
Configuring System Message Logging	236
System Log Message Format	236
Default System Message Logging Configuration	237
Disabling and Enabling Message Logging	238
Setting the Message Display Destination Device	239
Enabling and Disabling Timestamps on Log Messages	240
Enabling and Disabling Sequence Numbers in Log Messages	240
Defining the Message Severity Level	241
Limiting Syslog Messages Sent to the History Table and to SNMP	242
Setting a Logging Rate Limit	243
Configuring UNIX Syslog Servers	244
Logging Messages to a UNIX Syslog Daemon	244
Configuring the UNIX System Logging Facility	244
Displaying the Logging Configuration	246
Troubleshooting	247
Checking the Bridge LEDs	248
Bridge Normal Mode LED Indications	249
Power Injector LEDs	250
Checking Power	252
Checking Basic Configuration Settings	253
SSID	253
Security Settings	253
Antenna Alignment	254
Resetting to the Default Configuration	254
Using the MODE Button	254
Using the Web Browser Interface	255
Reloading the Bridge Image	255
Using the MODE button	255
Web Browser Interface	256
Browser HTTP Interface	256
Browser TFTP Interface	257
Obtaining the Bridge Image File	257
Obtaining the TFTP Server Software	258
Channels and Antenna Settings	259
Channels	260
IEEE 802.11a (5-GHz Band)	260
Maximum Power Levels	260
5.8-GHz Band	260
Protocol Filters	261
Supported MIBs	267
MIB List	267
Using FTP to Access the MIB Files	268
Error and Event Messages	269
Glossary	273

Match case Limit results 1 per page

11-3

Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide

OL-4059-01

Chapter 11

Configuring RADIUS and TACACS+ Servers

Configuring and Enabling RADIUS

RADIUS Operation

When a non-root bridge attempts to authenticate to a bridge whose access is controlled by a RADIUS

server, authentication to the network occurs in the steps shown in

Figure 11-1

Sequence for EAP Authentication

In Steps 1 through 9 in

Figure 11-1

, a non-root bridge and a RADIUS server on the wired LAN use

802.1x and EAP to perform a mutual authentication through the root bridge. The RADIUS server sends

an authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of

the user-supplied password to generate a response to the challenge and sends that response to the

RADIUS server. Using information from its user database, the RADIUS server creates its own response

and compares that to the response from the non-root bridge. When the RADIUS server authenticates the

non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS

server.

When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP

key that is unique to the non-root bridge and provides the non-root bridge with the appropriate level of

network access, thereby approximating the level of security in a wired switched segment to an individual

desktop. The non-root bridge loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a

session key

, over

the wired LAN to the root bridge. The root bridge encrypts its broadcast key with the session key and

sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The

non-root bridge and the root bridge activate WEP and use the session and broadcast WEP keys for all

communications during the remainder of the session.

There is more than one type of EAP authentication, but the root bridge behaves the same way for each

type: it relays authentication messages from the non-root bridge to the RADIUS server and from the

RADIUS server to the non-root bridge. See the

“Assigning Authentication Types to an SSID” section on

page 10-5

for instructions on setting up authentication using a RADIUS server.

88901

Switch on

LAN 1

1. Authentication request

Authentication

server

Non-Root

Bridge

Root Bridge

2. Identity request

3. Username

(Relay to non-root bridge)

5. Authentication response

(Relay to non-root bridge)

7. Authentication challenge

(Relay to non-root bridge)

9. Authentication success

(Relay to server)

4. Authentication challenge

(Relay to server)

6. Authentication success

(Relay to server)

8. Authentication response

(Relay to server)