Cisco Cisco Aironet 1600i Access Point
5-16
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 5 Administering the Access Point
Controlling Access Point Access with RADIUS
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global
configuration command. To remove a server group from the configuration list, use the no aaa group
server radius group-name global configuration command. To remove the IP address of a RADIUS
server, use the no server ip-address server group configuration command.
configuration command. To remove a server group from the configuration list, use the no aaa group
server radius group-name global configuration command. To remove the IP address of a RADIUS
server, use the no server ip-address server group configuration command.
In this example, the wireless device is configured to recognize two different RADIUS group servers
(group1 and group2). Group1 has two different host entries on the same RADIUS server configured for
the same services. The second host entry acts as a fail-over backup to the first entry.
(group1 and group2). Group1 has two different host entries on the same RADIUS server configured for
the same services. The second host entry acts as a fail-over backup to the first entry.
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
AP(config)# aaa group server radius group1
AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
AP(config-sg-radius)# exit
AP(config)# aaa group server radius group2
AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
AP(config-sg-radius)# exit
Configuring RADIUS Authorization for User Privileged Access and
Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the
wireless device uses information retrieved from the user profile, which is in the local user database or
on the security server, to configure the user session. The user is granted access to a requested service
only if the information in the user profile allows it.
wireless device uses information retrieved from the user profile, which is in the local user database or
on the security server, to configure the user session. The user is granted access to a requested service
only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the radius keyword to set
parameters that restrict a user network access to privileged EXEC mode.
parameters that restrict a user network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
•
Use RADIUS for privileged EXEC access authorization if authentication was performed by using
RADIUS.
RADIUS.
•
Use the local database if authentication was not performed by using RADIUS.
Note
Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.
been configured.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged
EXEC access and network services:
EXEC access and network services:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa authorization network radius
Configure the wireless device for user RADIUS authorization for all
network-related service requests.
network-related service requests.
Step 3
aaa authorization exec radius
Configure the wireless device for user RADIUS authorization to
determine if the user has privileged EXEC access.
determine if the user has privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
autocommand information).
Step 4
end
Return to privileged EXEC mode.