Cisco Aironet 350 Access Points
8
Release Notes for Cisco Aironet 340 and 350 Series Access Points and 350 Series Bridges Running Firmware Version 12.02T1
OL-3868-01
Important Notes
– Default UDP or TCP port ID used for authentication
– Timeout value while waiting for a server response
The administrator attempts to log in to the access point using any HTML-capable browser on a wireless
or wired network. The access point receives the authentication request and checks the local database of
users to verify that the request is accompanied by a valid username and password.
If the user is not found on the local list, or if local authentication fails (user found, but incorrect
password), the access point determines whether a remote authentication server is configured to handle
authentication requests. If it is, the access point sends an authentication request to the first remote
authentication server and waits for the server to reply or time out. This asynchronous request is sent to
either a TACACS+ or RADIUS server using a client interface and protocol appropriate for the target
server. The password for the administrator requesting authentication is encrypted using an MD5 hash
function and sent to the server. The password is never sent to the server in clear text.
If the server does not respond, a timeout occurs, prompting the access point to check for an additional
configured authentication server. If it finds a server, the access point sends an authentication request to
that server. Additional servers are contacted until one of the following events occurs:
• A configured server responds accepting or rejecting the request.
• A final timeout occurs on the last configured server.
When the authentication server responds to a successful request, the authorization parameters (described
in the Authorization Parameters section below) are extracted and processed into a local database cache
entry. This entry is kept in the cache for five minutes and is used to authenticate the user for subsequent
authentication requests.
The cache speeds up the administrative configuration process: subsequent requests within the five-minute
period do not require a transaction with an authentication server. The following applies:
• If the user entry is accessed by an authentication request within the 5-minute period, the cache timer
resets to 5 minutes.
• If the user entry is not accessed within 5 minutes, the next access causes a new server request to be
sent to the authentication server so the user and new privileges are cached again.
If the authentication response is a rejection, the server issues a reject response just as if the local database
entry was not found. The administrator is also rejected if they exist on the authentication server but do
not have administrative capabilities configured.
Authorization Parameters
The following authentication server attribute value (AV) pair is returned to the access point for an
administrator login request:
This is RADIUS attribute #26, Cisco Vendor ID #9, type #1 --- string.
Cisco:Avpair = aironet:admin-capability=write+snmp+ident+firmware+admin
Any combination of capabilities are returned with this attribute; for example:
Cisco:Avpair = aironet:admin-capability=ident+admin
Cisco:Avpair = aironet:admin-capability=admin
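The login sequence described above (local database first, then the configured servers in order with timeout failover, a five-minute sliding cache, and rejection of users that carry no admin-capability AV pair) and the Cisco:Avpair string format can both be modelled in a short simulation. The following is an added example written for these notes, not Cisco firmware code or a real RADIUS/TACACS+ client: the AuthServer class, the run_scenario walk-through, the user names and passwords are constructed stand-ins, and the cache is modelled as storing a password digest rather than the clear-text password, which is an assumption, not something the notes specify.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

CACHE_TTL_SECONDS = 5 * 60                    # five-minute cache entry, as the release notes state
AVPAIR_PREFIX = "aironet:admin-capability="   # taken from the Cisco:Avpair examples on this page


def parse_admin_capability(avpair: str) -> frozenset:
    """Turn 'Cisco:Avpair = aironet:admin-capability=write+snmp+admin' into
    frozenset({'write', 'snmp', 'admin'}); anything else yields an empty set."""
    text = avpair.strip()
    if text.startswith("Cisco:Avpair"):
        text = text.partition("=")[2].strip()    # drop the "Cisco:Avpair =" label
    if not text.startswith(AVPAIR_PREFIX):
        return frozenset()
    return frozenset(c for c in text[len(AVPAIR_PREFIX):].split("+") if c)


def _digest(password: str) -> bytes:
    # Assumption for this model: the cache holds only a digest, never the clear-text password.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class AuthServer:
    """Constructed stand-in for a remote RADIUS or TACACS+ server.
    users maps username -> (password, Cisco:Avpair string); reachable=False
    models a server that never answers, which the access point sees as a timeout."""
    name: str
    users: dict
    reachable: bool = True

    def authenticate(self, username, password):
        if not self.reachable:
            return None                           # no reply: timeout
        entry = self.users.get(username)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return ("reject", frozenset())
        return ("accept", parse_admin_capability(entry[1]))


class AccessPointAdminAuth:
    """Model of the administrator-login decision described in the release notes."""

    def __init__(self, local_users, servers, clock=time.monotonic):
        self.local_users = local_users    # username -> (password, capability set)
        self.servers = list(servers)      # tried in configured order
        self.clock = clock                # injectable so the cache timer can be tested
        self.cache = {}                   # username -> (digest, caps, expiry)

    def login(self, username, password):
        now = self.clock()
        # 1. Local database first.
        local = self.local_users.get(username)
        if local is not None and hmac.compare_digest(local[0], password):
            return ("accept", "local", local[1])
        # 2. Cached server decision: sliding five-minute window, reset on every hit.
        cached = self.cache.get(username)
        if cached is not None:
            digest, caps, expiry = cached
            if now < expiry and hmac.compare_digest(digest, _digest(password)):
                self.cache[username] = (digest, caps, now + CACHE_TTL_SECONDS)
                return ("accept", "cache", caps)
            if now >= expiry:
                del self.cache[username]  # expired: a fresh server request follows
        # 3. Remote servers in order; a timeout moves on to the next configured server.
        for server in self.servers:
            result = server.authenticate(username, password)
            if result is None:
                continue                  # timeout, try the next one
            verdict, caps = result
            if verdict != "accept":
                return ("reject", f"rejected by {server.name}", frozenset())
            if not caps:                  # known to the server but no admin capability
                return ("reject", f"no admin capability at {server.name}", frozenset())
            self.cache[username] = (_digest(password), caps, now + CACHE_TTL_SECONDS)
            return ("accept", server.name, caps)
        return ("reject", "all servers timed out", frozenset())


def run_scenario():
    """Constructed walk-through: the first server never answers, the second does."""
    clock = {"t": 0.0}
    servers = [
        AuthServer("radius-1", {}, reachable=False),
        AuthServer("radius-2", {
            "alice": ("alice-pw", "Cisco:Avpair = aironet:admin-capability=ident+admin"),
            "bob":   ("bob-pw", ""),      # known user, no admin-capability AV pair
        }),
    ]
    ap = AccessPointAdminAuth({"local": ("local-pw", frozenset({"admin"}))},
                              servers, clock=lambda: clock["t"])
    trace = [ap.login("alice", "alice-pw")[1]]       # radius-2 (radius-1 timed out)
    clock["t"] = 200
    trace.append(ap.login("alice", "alice-pw")[1])   # cache, timer reset to expire at 500
    clock["t"] = 499
    trace.append(ap.login("alice", "alice-pw")[1])   # cache, timer reset to expire at 799
    clock["t"] = 800
    trace.append(ap.login("alice", "alice-pw")[1])   # radius-2 again: entry had expired
    trace.append(ap.login("bob", "bob-pw")[0])       # reject: no admin capability
    trace.append(ap.login("alice", "wrong")[0])      # reject: bad password at radius-2
    return trace


if __name__ == "__main__":
    print(run_scenario())
```

The trace makes the two timing rules visible: a hit at t=499 falls inside the window opened at t=200, so it is served from the cache and pushes expiry out to t=799, while the request at t=800 goes back to the server list and repopulates the entry. The clock is injected so the five-minute behaviour can be checked without waiting.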