Cisco Systems OL-6415-04 Network Router User Manual
Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
Chapter 7 Configuring RADIUS Servers
Configuring and Enabling RADIUS
To return to the default setting for retransmit, timeout, and deadtime, use the no forms of these
commands.
Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the access point and the RADIUS server by using the
vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their
own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one
vendor-specific option by using the format recommended in the specification. Cisco’s vendor ID is 9,
and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this
format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and
value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for
mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features
available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP
authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from an access point with immediate
access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information
about vendor IDs and VSAs, refer to RFC 2138, “Remote Authentication Dial-In User Service
(RADIUS).”
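As an added illustration (not code from the Cisco guide), the following Python builds and validates a RADIUS attribute 26 carrying a cisco-avpair (vendor ID 9, vendor type 1, using the type/length/vendor-ID/vendor-type/vendor-length layout RFC 2138 recommends) and splits the AV pair into protocol, attribute, separator and value as described above. Function names and the strict length checks in the decoder are this example's own choices.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute (RFC 2138)
CISCO_VENDOR_ID = 9         # Cisco's vendor ID, as stated in the guide
CISCO_AVPAIR_TYPE = 1       # vendor type 1 = cisco-avpair


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in an attribute 26: type, length,
    vendor-ID, then vendor-type, vendor-length and the string value."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attr: bytes) -> list:
    """Return the cisco-avpair strings inside one attribute 26, rejecting
    anything whose lengths or vendor ID do not match a Cisco VSA."""
    if len(attr) < 8 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != CISCO_VENDOR_ID:
        raise ValueError("not a Cisco VSA")
    out, pos = [], 6
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 3 or pos + vlen > len(attr):
            raise ValueError("bad sub-attribute length")
        if vtype == CISCO_AVPAIR_TYPE:
            out.append(attr[pos + 2:pos + vlen].decode("ascii"))
        pos += vlen
    return out


def parse_avpair(avpair: str) -> dict:
    """Split 'protocol:attribute<sep>value'; sep '=' marks a mandatory
    attribute and '*' an optional one, as the guide describes."""
    protocol, _, rest = avpair.partition(":")
    if not protocol or not rest:
        raise ValueError("missing protocol prefix: %r" % avpair)
    for i, ch in enumerate(rest):
        if ch in "=*":
            return {"protocol": protocol, "attribute": rest[:i],
                    "mandatory": ch == "=", "value": rest[i + 1:]}
    raise ValueError("no separator in: %r" % avpair)
```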
Beginning in privileged EXEC mode, follow these steps to configure the access point to recognize and
use VSAs:

        Command                                              Purpose
Step 6  radius-server attribute 32 include-in-access-req     Configure the access point to send its system name in the
        format %h                                            NAS_ID attribute for authentication.
Step 7  end                                                  Return to privileged EXEC mode.
Step 8  show running-config                                  Verify your settings.
Step 9  copy running-config startup-config                   (Optional) Save your entries in the configuration file.