Filter
Top Products
4-8
Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
Chapter 4 Configuring an Access Point as a Local Authenticator
Configure a Local Authenticator
Configuring Other Access Points to Use the Local Authenticator
You add the local authenticator to the list of servers on the access point the same way that you add other
servers. For detailed instructions on setting up RADIUS servers on your access points, see
Chapter 7,
“Configuring RADIUS Servers.”
Note If your local authenticator access point also serves client devices, you must configure the local
authenticator to use itself to authenticate client devices.
On the access points that use the local authenticator, use the radius-server host command to enter the
local authenticator as a RADIUS server. The order in which the access point attempts to use the servers
matches the order in which you enter the servers in the access point configuration. If you are configuring
the access point to use RADIUS for the first time, enter the main RADIUS servers first, and enter the
local authenticator last.
Note You mus t en ter 1812 as the authentication port and 1813 as the accounting port. The local
authenticator listens on UDP port 1813 for RADIUS accounting packets. It discards the
accounting packets but sends acknowledge packets back to RADIUS clients to prevent clients
from assuming that the server is down.
Use the radius-server deadtime command to set an interval during which the access point does not
attempt to use servers that do not respond, thus avoiding the wait for a request to time out before trying
the next configured server. A server marked as dead is skipped by additional requests for the duration of
minutes that you specify, up to 1440 (24 hours).
This example shows how to set up two main servers and a local authenticator with a server deadtime of
10 minutes:
router(config)# aaa new-model
router(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
router(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
router(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
router(config)# radius-server deadtime 10
In this example, if the WAN link to the main servers fails, the access point completes these steps when
a LEAP-enabled client device associates:
1. It tries the first server, times out multiple times, and marks the first server as dead.
2. It tries the second server, times out multiple times, and marks the second server as dead.
3. It tries and succeeds using the local authenticator.
If another client device needs to authenticate during the 10-minute dead-time interval, the access point
skips the first two servers and tries the local authenticator first. After the dead-time interval, the access
point tries to use the main servers for authentication. When setting a dead time, you must balance the
need to skip dead servers with the need to check the WAN link and begin using the main servers again
as soon as possible.
Each time the access point tries to use the main servers while they are down, the client device trying to
authenticate might report an authentication timeout. The client device retries and succeeds when the
main servers time out and the access point tries the local authenticator. You can extend the timeout value
on Cisco client devices to accommodate expected server timeouts.
To remove the local authenticator from the access point configuration, use the no radius-server host
hostname | ip-address global configuration command.