Configuring and Enabling RADIUS
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and
value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for
mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features
available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP
authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from an bridge with immediate access to
privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information
about vendor IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service
(RADIUS)."
Beginning in privileged EXEC mode, follow these steps to configure the bridge to recognize and use
VSAs:
Command
Step 1
configure terminal
Step 2
radius-server vsa send [accounting |
authentication]
Step 3
end
Step 4
show running-config
Step 5
copy running-config startup-config
For a complete list of RADIUS attributes or more information about VSA 26, refer to the "RADIUS
Attributes" appendix in the Cisco IOS Security Configuration Guide for Release 12.2.
Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the bridge and the RADIUS server, some vendors have extended the RADIUS
attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS
attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you
must specify the host running the RADIUS server daemon and the secret text string it shares with the
bridge. You specify the RADIUS host and secret text string by using the radius-server global
configuration commands.
Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide
11-14
Purpose
Enter global configuration mode.
Enable the bridge to recognize and use VSAs as defined by RADIUS IETF
attribute 26.
(Optional) Use the accounting keyword to limit the set of recognized
•
vendor-specific attributes to only accounting attributes.
(Optional) Use the authentication keyword to limit the set of
•
recognized vendor-specific attributes to only authentication attributes.
If you enter this command without keywords, both accounting and
authentication vendor-specific attributes are used.
Return to privileged EXEC mode.
Verify your settings.
(Optional) Save your entries in the configuration file.
Chapter 11
Configuring RADIUS and TACACS+ Servers
OL-4059-01