user manual
8-37
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 8 Security Setup
Setting up Centralized Administrator Authentication
System Flow Notes
The following notes help to identify and describe the flow between the access point and its authentication
server.
• The authentication server is initialized to listen for socket requests on the pre-determined UDP or
TCP ports specified on the Authenticator Configuration page (UDP 1812 for RADIUS servers or
TCP 49 for TACACS+ servers).
• The authentication server must be pre-configured with valid user names and passwords along and
the shared secret key the server uses for secure authentication between it and the access point.
• No remote server authentication is possible with a new access point unless it has been configured
by the user.
• The access point requires the following parameters to access the remote authentication servers,
which were described in the procedure above:
–
Remote server authentication—accomplished by configuring or not configuring the
authentication server to send requests
–
IP address of the authentication server(s)
–
Secret key to be shared with the authentication server(s)
–
Selection of RADIUS or TACACS+ server indication
–
Default UDP or TCP port ID used for authentication
–
Timeout value while waiting for a server response
The administrator attempts to log in to the access point using any HTML capable browser on a wireless
or wired network. The access point receives the authentication request and checks the local database of
users to verify that the request is accompanied by a valid user name and password.
If the user is not found on the local list, or if local authentication fails (User found, but incorrect
password), the access point determines if a remote authentication server has been configured to handle
authentication requests. If it has, the access point sends an authentication request to the the first remote
authentication server and waits for the server to reply or timeout. This asynchronous request is sent to
either a TACACS+ or RADIUS server using a client interface and protocol appropriate for the target
server. The password for the administrator requesting authentication is encrypted using an MD5 hash
function and sent to the server. The password is never sent to the server in clear text.
If the server does not respond, a timeout occurs, prompting the access point to check for the an additional
configured authentication server. If it finds a server, the access point sends an authentication request to
that server. Additional servers are attempted until one of the following events occur:
• A configured server responds accepting or rejecting the request.
• A final timeout occurs on the last configured server.
When the authentication server responds to a successful request, the authorization parameters (described
in the Authorization Parameters section below) are extracted and processed to a local database cache
entry. This entry is kept in the cache for five minutes and is used to authenticate the user for subsequent
authentication requests.
The cache speeds up the administrative configuration process by not forcing the subsequent requests to
require a transaction with an authentication server within the five minute time period. The following
applies:
• If the user is accessed using an authentication request within the 5 minute period, the cache timer
resets to 5 minutes.