Home » Cisco Manuals » Bridges & Routers » Cisco CISCO1401 » Manual Viewer

Cisco CISCO1401 Software Guide - Page 63

Configuring RADIUS Authorization for User Privileged Access and Network, Services

UPC - 746320202785

Add to My Manuals
Save this manual to your list of manuals

Page 63 highlights

Chapter 5 Administering the Bridge Controlling Bridge Access with RADIUS Step 6 Step 7 Step 8 Step 9 Command end show running-config copy running-config startup-config Purpose Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. Enable RADIUS login authentication. See the "Configuring RADIUS Login Authentication" section on page 5-8. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command. In this example, the bridge is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry. bridge(config)# aaa new-model bridge(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 bridge(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 bridge(config)# aaa group server radius group1 bridge(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001 bridge(config-sg-radius)# exit bridge(config)# aaa group server radius group2 bridge(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001 bridge(config-sg-radius)# exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user. When AAA authorization is enabled, the bridge uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec radius local command sets these authorization parameters: • Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS. • Use the local database if authentication was not performed by using RADIUS. Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured. OL-4059-01 Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide 5-11

Section	Page
Cisco Aironet 1400 Series Wireless Bridge Software Configuration Guide	1
Contents	3
Preface	13
Audience	13
Purpose	13
Organization	13
Conventions	15
Related Publications	17
Overview	19
Features	20
Management Options	20
Network Configuration Examples	21
Point-to-Point Bridging	21
Point-to-Multipoint Bridging	22
Redundant Bridging	22
Configuring the Bridge for the First Time	25
Before You Start	26
Resetting the Bridge to Default Settings	26
Obtaining and Assigning an IP Address	27
Connecting to the Bridge Locally	27
Assigning Basic Settings	28
Default Settings on the Express Setup Page	32
Protecting Your Wireless LAN	32
Using the IP Setup Utility	32
Obtaining and Installing IPSU	33
Using IPSU to Find the Bridge’s IP Address	33
Using IPSU to Set the Bridge’s IP Address and SSID	34
Assigning an IP Address Using the CLI	35
Using a Telnet Session to Access the CLI	36
Using the Web-Browser Interface	37
Using the Web-Browser Interface for the First Time	38
Using the Management Pages in the Web-Browser Interface	38
Using Action Buttons	39
Character Restrictions in Entry Fields	40
Using Online Help	41
Using the Command-Line Interface	43
IOS Command Modes	44
Getting Help	45
Abbreviating Commands	45
Using no and default Forms of Commands	45
Understanding CLI Messages	46
Using Command History	46
Changing the Command History Buffer Size	46
Recalling Commands	47
Disabling the Command History Feature	47
Using Editing Features	47
Enabling and Disabling Editing Features	48
Editing Commands Through Keystrokes	48
Editing Command Lines that Wrap	49
Searching and Filtering Output of show and more Commands	50
Accessing the CLI	50
Opening the CLI with Telnet	50
Opening the CLI with Secure Shell	51
Administering the Bridge	53
Preventing Unauthorized Access to Your Bridge	54
Protecting Access to Privileged EXEC Commands	54
Default Password and Privilege Level Configuration	54
Setting or Changing a Static Enable Password	55
Protecting Enable and Enable Secret Passwords with Encryption	56
Configuring Username and Password Pairs	57
Configuring Multiple Privilege Levels	58
Setting the Privilege Level for a Command	58
Logging Into and Exiting a Privilege Level	59
Controlling Bridge Access with RADIUS	59
Default RADIUS Configuration	60
Configuring RADIUS Login Authentication	60
Defining AAA Server Groups	61
Configuring RADIUS Authorization for User Privileged Access and Network Services	63
Displaying the RADIUS Configuration	64
Controlling Bridge Access with TACACS+	64
Default TACACS+ Configuration	65
Configuring TACACS+ Login Authentication	65
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	66
Displaying the TACACS+ Configuration	67
Configuring the Bridge for Local Authentication and Authorization	67
Configuring the Bridge for Secure Shell	68
Understanding SSH	68
Configuring SSH	69
Managing the System Time and Date	69
Understanding the System Clock	69
Understanding Network Time Protocol	70
Configuring NTP	71
Default NTP Configuration	72
Configuring NTP Authentication	72
Configuring NTP Associations	73
Configuring NTP Broadcast Service	74
Configuring NTP Access Restrictions	75
Creating an Access Group and Assigning a Basic IP Access List	76
Disabling NTP Services on a Specific Interface	77
Configuring the Source IP Address for NTP Packets	77
Displaying the NTP Configuration	78
Configuring Time and Date Manually	78
Setting the System Clock	79
Displaying the Time and Date Configuration	79
Configuring the Time Zone	80
Configuring Summer Time (Daylight Saving Time)	81
Configuring a System Name and Prompt	83
Default System Name and Prompt Configuration	83
Configuring a System Name	83
Understanding DNS	84
Default DNS Configuration	84
Setting Up DNS	84
Displaying the DNS Configuration	85
Creating a Banner	85
Default Banner Configuration	86
Configuring a Message-of-the-Day Login Banner	86
Configuring a Login Banner	87
Configuring Radio Settings	89
Disabling and Enabling the Radio Interface	90
Configuring the Role in Radio Network	90
Configuring the Radio Distance Setting	91
Configuring Radio Data Rates	91
Configuring Radio Transmit Power	92
Configuring Radio Channel Settings	93
Disabling and Enabling Aironet Extensions	94
Configuring the Ethernet Encapsulation Transformation Method	94
Configuring the Beacon Period	94
Configuring RTS Threshold and Retries	95
Configuring the Maximum Data Retries	95
Configuring the Fragmentation Threshold	96
Configuring Packet Concatenation	96
Performing a Carrier Busy Test	97
Configuring SSIDs	99
Understanding SSIDs	100
Configuring the SSID	100
Default SSID Configuration	100
Creating an SSID	101
Configuring Spanning Tree Protocol	103
Understanding Spanning Tree Protocol	104
STP Overview	104
Bridge Protocol Data Units	105
Election of the Spanning-Tree Root	106
Spanning-Tree Timers	106
Creating the Spanning-Tree Topology	106
Spanning-Tree Interface States	107
Blocking State	108
Listening State	109
Learning State	109
Forwarding State	109
Disabled State	109
Configuring STP Features	110
Default STP Configuration	110
Configuring STP Settings	110
STP Configuration Examples	111
Root Bridge Without VLANs	111
Non-Root Bridge Without VLANs	112
Root Bridge with VLANs	113
Non-Root Bridge with VLANs	114
Displaying Spanning-Tree Status	116
Configuring WEP and WEP Features	117
Understanding WEP	118
Configuring WEP and WEP Features	118
Creating WEP Keys	118
Enabling and Disabling WEP and Enabling TKIP and MIC	119
Configuring Authentication Types	121
Understanding Authentication Types	122
Open Authentication to the Bridge	122
Shared Key Authentication to the Bridge	122
EAP Authentication to the Network	123
Configuring Authentication Types	125
Default Authentication Settings	125
Assigning Authentication Types to an SSID	125
Configuring Authentication Holdoffs, Timeouts, and Intervals	127
Setting Up a Non-Root Bridge as a LEAP Client	128
Matching Authentication Types on Root and Non-Root Bridges	129
Configuring RADIUS and TACACS+ Servers	131
Configuring and Enabling RADIUS	132
Understanding RADIUS	132
RADIUS Operation	133
Configuring RADIUS	134
Default RADIUS Configuration	134
Identifying the RADIUS Server Host	134
Configuring RADIUS Login Authentication	137
Defining AAA Server Groups	139
Configuring RADIUS Authorization for User Privileged Access and Network Services	141
Starting RADIUS Accounting	142
Configuring Settings for All RADIUS Servers	143
Configuring the Bridge to Use Vendor-Specific RADIUS Attributes	143
Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication	144
Displaying the RADIUS Configuration	145
Configuring and Enabling TACACS+	146
Understanding TACACS+	146
TACACS+ Operation	147
Configuring TACACS+	147
Default TACACS+ Configuration	148
Identifying the TACACS+ Server Host and Setting the Authentication Key	148
Configuring TACACS+ Login Authentication	149
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	150
Starting TACACS+ Accounting	151
Displaying the TACACS+ Configuration	152
Configuring VLANs	153
Understanding VLANs	154
Related Documents	155
Incorporating Wireless Bridges into VLANs	156
Configuring VLANs	156
Configuring a VLAN	156
Viewing VLANs Configured on the Bridge	159
Configuring QoS	161
Understanding QoS for Wireless LANs	162
QoS for Wireless LANs Versus QoS on Wired LANs	162
Impact of QoS on a Wireless LAN	162
Precedence of QoS Settings	163
Configuring QoS	163
Configuration Guidelines	163
Configuring QoS Using the Web-Browser Interface	164
Adjusting Radio Traffic Class Definitions	168
CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links	169
QoS Configuration Examples	170
Giving Priority to Voice Traffic	170
Giving Priority to Video Traffic	172
Configuring Filters	173
Understanding Filters	174
Configuring Filters Using the CLI	174
Configuring Filters Using the Web-Browser Interface	174
Configuring and Enabling MAC Address Filters	175
Creating a MAC Address Filter	176
Configuring and Enabling IP Filters	177
Creating an IP Filter	179
Configuring and Enabling Ethertype Filters	180
Creating an Ethertype Filter	181
Configuring CDP	183
Understanding CDP	184
Configuring CDP	184
Default CDP Configuration	184
Configuring the CDP Characteristics	185
Disabling and Enabling CDP	185
Disabling and Enabling CDP on an Interface	186
Monitoring and Maintaining CDP	187
Configuring SNMP	191
Understanding SNMP	192
SNMP Versions	192
SNMP Manager Functions	193
SNMP Agent Functions	193
SNMP Community Strings	193
Using SNMP to Access MIB Variables	194
Configuring SNMP	194
Default SNMP Configuration	195
Enabling the SNMP Agent	195
Configuring Community Strings	195
Configuring Trap Managers and Enabling Traps	197
Setting the Agent Contact and Location Information	199
Using the snmp-server view Command	199
SNMP Examples	199
Displaying SNMP Status	200
Managing Firmware and Configurations	201
Working with the Flash File System	202
Displaying Available File Systems	202
Setting the Default File System	203
Displaying Information About Files on a File System	203
Changing Directories and Displaying the Working Directory	204
Creating and Removing Directories	204
Copying Files	205
Deleting Files	205
Creating, Displaying, and Extracting tar Files	206
Creating a tar File	206
Displaying the Contents of a tar File	207
Extracting a tar File	207
Displaying the Contents of a File	208
Working with Configuration Files	208
Guidelines for Creating and Using Configuration Files	209
Configuration File Types and Location	209
Creating a Configuration File by Using a Text Editor	210
Copying Configuration Files by Using TFTP	210
Preparing to Download or Upload a Configuration File by Using TFTP	210
Downloading the Configuration File by Using TFTP	211
Uploading the Configuration File by Using TFTP	211
Copying Configuration Files by Using FTP	212
Preparing to Download or Upload a Configuration File by Using FTP	213
Downloading a Configuration File by Using FTP	213
Uploading a Configuration File by Using FTP	214
Copying Configuration Files by Using RCP	215
Preparing to Download or Upload a Configuration File by Using RCP	216
Downloading a Configuration File by Using RCP	216
Uploading a Configuration File by Using RCP	217
Clearing Configuration Information	218
Deleting a Stored Configuration File	218
Working with Software Images	219
Image Location on the Bridge	219
tar File Format of Images on a Server or Cisco.com	219
Copying Image Files by Using TFTP	220
Preparing to Download or Upload an Image File by Using TFTP	220
Downloading an Image File by Using TFTP	221
Uploading an Image File by Using TFTP	222
Copying Image Files by Using FTP	223
Preparing to Download or Upload an Image File by Using FTP	223
Downloading an Image File by Using FTP	224
Uploading an Image File by Using FTP	226
Copying Image Files by Using RCP	227
Preparing to Download or Upload an Image File by Using RCP	227
Downloading an Image File by Using RCP	229
Uploading an Image File by Using RCP	231
Reloading the Image Using the Web Browser Interface	232
Browser HTTP Interface	232
Browser TFTP Interface	232
Reloading the Image Using the Power Injector MODE button	233
Configuring System Message Logging	235
Understanding System Message Logging	236
Configuring System Message Logging	236
System Log Message Format	236
Default System Message Logging Configuration	237
Disabling and Enabling Message Logging	238
Setting the Message Display Destination Device	239
Enabling and Disabling Timestamps on Log Messages	240
Enabling and Disabling Sequence Numbers in Log Messages	240
Defining the Message Severity Level	241
Limiting Syslog Messages Sent to the History Table and to SNMP	242
Setting a Logging Rate Limit	243
Configuring UNIX Syslog Servers	244
Logging Messages to a UNIX Syslog Daemon	244
Configuring the UNIX System Logging Facility	244
Displaying the Logging Configuration	246
Troubleshooting	247
Checking the Bridge LEDs	248
Bridge Normal Mode LED Indications	249
Power Injector LEDs	250
Checking Power	252
Checking Basic Configuration Settings	253
SSID	253
Security Settings	253
Antenna Alignment	254
Resetting to the Default Configuration	254
Using the MODE Button	254
Using the Web Browser Interface	255
Reloading the Bridge Image	255
Using the MODE button	255
Web Browser Interface	256
Browser HTTP Interface	256
Browser TFTP Interface	257
Obtaining the Bridge Image File	257
Obtaining the TFTP Server Software	258
Channels and Antenna Settings	259
Channels	260
IEEE 802.11a (5-GHz Band)	260
Maximum Power Levels	260
5.8-GHz Band	260
Protocol Filters	261
Supported MIBs	267
MIB List	267
Using FTP to Access the MIB Files	268
Error and Event Messages	269
Glossary	273

Match case Limit results 1 per page

5-11

Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide

OL-4059-01

Chapter 5

Administering the Bridge

Controlling Bridge Access with RADIUS

To remove the specified RADIUS server, use the

no radius-server host

hostname

ip-address

global

configuration command. To remove a server group from the configuration list, use the

no aaa group

server radius

group-name

global configuration command. To remove the IP address of a RADIUS

server, use the

no server

ip-address

server group configuration command.

In this example, the bridge is configured to recognize two different RADIUS group servers (

group1

and

group2

). Group1 has two different host entries on the same RADIUS server configured for the same

services. The second host entry acts as a fail-over backup to the first entry.

bridge(config)#

aaa new-model

bridge(config)#

radius-server host 172.20.0.1 auth-port 1000 acct-port 1001

bridge(config)#

radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

bridge(config)#

aaa group server radius group1

bridge(config-sg-radius)#

server 172.20.0.1 auth-port 1000 acct-port 1001

bridge(config-sg-radius)#

exit

bridge(config)#

aaa group server radius group2

bridge(config-sg-radius)#

server 172.20.0.1 auth-port 2000 acct-port 2001

bridge(config-sg-radius)#

exit

Configuring RADIUS Authorization for User Privileged Access and Network

Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the

bridge uses information retrieved from the user’s profile, which is in the local user database or on the

security server, to configure the user’s session. The user is granted access to a requested service only if

the information in the user profile allows it.

You can use the

aaa authorization

global configuration command with the

radius

keyword to set

parameters that restrict a user’s network access to privileged EXEC mode.

The

aaa authorization exec radius local

command sets these authorization parameters:

•

Use RADIUS for privileged EXEC access authorization if authentication was performed by using

RADIUS.

•

Use the local database if authentication was not performed by using RADIUS.

Note

Authorization is bypassed for authenticated users who log in through the CLI even if authorization has

been configured.

Step 6

end

Return to privileged EXEC mode.

Step 7

show running-config

Verify your entries.

Step 8

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Step 9

Enable RADIUS login authentication. See the

“Configuring RADIUS

Command

Purpose