User's Manual
13-16
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 13 Configuring RADIUS and TACACS+ Servers
 Configuring and Enabling RADIUS
This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes:
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
AP(config)# radius-server deadtime 10
To return to the default setting for retransmit, timeout, and deadtime, use the no forms of these commands.
Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco's vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from an access point with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
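The following Python is an added example, not part of the Cisco guide: it packs a cisco-avpair string into a RADIUS Vendor-Specific attribute (type 26, vendor ID 9, vendor type 1) and walks a run of attributes back out, skipping other attribute types and other vendors' VSAs and splitting each pair into protocol, attribute, mandatory/optional separator and value as the text above describes. It assumes the standard RADIUS attribute layout (type, length, vendor ID, then vendor type, vendor length, string); the function names are the example's own.

```python
import re
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for vendor-specific data
CISCO_VENDOR_ID = 9    # Cisco's vendor ID, as stated in the guide
CISCO_AVPAIR = 1       # vendor type 1 is named cisco-avpair

# protocol : attribute sep value, where sep is "=" (mandatory) or "*" (optional)
AVPAIR_RE = re.compile(r"^(?P<protocol>[^:]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in a RADIUS attribute 26 (type, length, vendor ID, sub-attribute)."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value   # vendor type, vendor length, string
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("cisco-avpair too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_avpair(avpair: str) -> dict:
    """Split 'protocol:attribute=value' / 'protocol:attribute*value' into its parts."""
    m = AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError(f"not a cisco-avpair: {avpair!r}")
    parts = m.groupdict()
    parts["mandatory"] = parts["sep"] == "="
    return parts


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a sequence of RADIUS attributes and return every well-formed cisco-avpair found."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        data = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue                                   # not a VSA (or too short to hold one)
        if struct.unpack("!I", data[:4])[0] != CISCO_VENDOR_ID:
            continue                                   # another vendor's VSA; not interpreted here
        vtype, vlen = data[4], data[5]
        if vtype != CISCO_AVPAIR or vlen != len(data) - 4:
            continue                                   # unknown vendor type or inconsistent length
        found.append(parse_avpair(data[6:4 + vlen].decode("ascii")))
    return found
```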
Beginning in privileged EXEC mode, follow these steps to configure the access point to recognize and use VSAs: