Configuring Authentication for Access Points
Finding Feature Information
Prerequisites for Configuring Authentication for Access Points
You can set a global username, password, and enable password that all access points currently joined to the switch, and any that join in the future, inherit as they join the switch. If desired, you can override the global credentials and assign a unique username, password, and enable password for a specific access point.
After an access point joins the switch, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point’s console port. When you log in, you are in nonprivileged mode, and you must enter the enable password in order to use the privileged mode.
The global credentials that you configure on the switch are retained across switch and access point reboots. They are overwritten only if the access point joins a new switch that is configured with a global username and password. If the new switch is not configured with global credentials, the access point retains the global username and password configured for the first switch.
You must track the credentials used by the access points. Otherwise, you might not be able to log into an access point’s console port. If you need to return the access points to the default Cisco/Cisco username and password, you must clear the switch’s configuration and the access point’s configuration to return them to factory-default settings. To reset the default access point configuration, enter the ap name Cisco_AP mgmtuser username Cisco password Cisco command. Entering the command does not clear the static IP address of the access point. Once the access point rejoins a switch, it adopts the default Cisco/Cisco username and password.
You can configure global authentication settings for all access points that are currently joined to the switch and any that join in the future. If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.
Restrictions for Configuring Authentication for Access Points
Information about Configuring Authentication for Access Points
Cisco IOS access points are shipped from the factory with Cisco as the default enable password. This password allows users to log into the nonprivileged mode and enter the show and debug commands that pose a security threat to your network. You must change the default enable password to prevent unauthorized access and to enable users to enter configuration commands from the access point’s console port.
You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning.
How to Configure Authentication for Access Points
Configuring Global Credentials for Access Points (CLI)
1. enable
2. configure terminal
3. ap mgmtuser username user_name password 0 password secret 0 secret_value
4. end
5. ap name Cisco_AP mgmtuser username user_name password password secret secret
6. show ap summary
7. show ap name Cisco_AP config general
DETAILED STEPS
Configuring Global Credentials for Access Points (GUI)
Step 1 | Choose . The Global Configuration page is displayed. |
Step 2 | In the Login Credentials area, enter the following parameters:
The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters. No character in the password can be repeated more than three times consecutively. The password should not contain the management username or the reverse of the username. The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the capitalization of letters, by substituting 1, |, or !, by substituting 0 for o, or by substituting $ for s. |
Step 3 | Click Apply. The global username and password are applied to all the access points that are associated with the switches. |
Step 4 | Click Save Configuration. |
Step 5 | (Optional) You can override the global credentials for a specific access point and assign a unique username and password by following these steps: |
Configuring Authentication for Access Points (CLI)
1. enable
2. configure terminal
3. ap dot1x username user_name_value password 0 password_value
4. end
5. ap name Cisco_AP dot1x-user username username_value password password_value
6. configure terminal
7. no ap dot1x username user_name_value password 0 password_value
8. end
9. show ap summary
10. show ap name Cisco_AP config general
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable Example: Switch# enable | Enters privileged EXEC mode. |
Step 2 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 3 | ap dot1x username user_name_value password 0 password_value Example: Switch(config)# ap dot1x username AP3 password 0 password | Configures the global authentication username and password for all access points that are currently joined to the switch and any access points that join the switch in the future. This command contains the following keywords and arguments: |
Step 4 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Step 5 | ap name Cisco_AP dot1x-user username username_value password password_value Example: Switch# ap name AP03 dot1x-user username apuser1 password appass | Overrides the global authentication settings and assigns a unique username and password to a specific access point. This command contains the following keywords and arguments: The authentication settings that you enter in this command are retained across switch and access point reboots and whenever the access point joins a new switch. |
Step 6 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 7 | no ap dot1x username user_name_value password 0 password_value Example: Switch(config)# no ap dot1x username dot1xusr password 0 dot1xpass | Disables 802.1X authentication for all access points or for a specific access point. |
Step 8 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Step 9 | show ap summary Example: Switch# show ap summary | Displays the authentication settings for all access points that join the switch. |
Step 10 | show ap name Cisco_AP config general Example: Switch# show ap name AP02 config general | Displays the authentication settings for a specific access point. |
Configuring Authentication for Access Points (GUI)
Step 1 | Choose . The Global Configuration page is displayed. |
Step 2 | In the 802.1x Supplicant Credentials area, select the Credentials Required check box. |
Step 3 | Enter the username and password details. |
Step 4 | Click Apply. |
Step 5 | Click Save Configuration. |
Step 6 | (Optional) You can override the global configuration and assign a unique username and password to a specific access point by following these steps: |
Step 7 | Click the name of an access point. The AP > Edit page is displayed. |
Step 8 | Click the Credentials tab. |
Step 9 | In the 802.1x Supplicant Credentials area, select the Over-ride Global Credentials check box. |
Step 10 | Enter the username and password details. |
Step 11 | Click Apply. |
Step 12 | Click Save Configuration. |
Configuring the Switch for Authentication (CLI)
Note | The procedure to perform this task using the switch GUI is not currently available. |
1. enable
2. configure terminal
3. dot1x system-auth-control
4. aaa new-model
5. aaa authentication dot1x default group radius
6. radius-server host host_ip_address acct-port port_number auth-port port_number key 0 unencrypted_server_key
7. interface TenGigabitEthernet1/0/1
8. switch mode access
9. dot1x pae authenticator
10. end
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable Example: Switch# enable | Enters privileged EXEC mode. |
Step 2 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 3 | dot1x system-auth-control Example: Switch(config)# dot1x system-auth-control | Enables system authentication control. |
Step 4 | aaa new-model Example: Switch(config)# aaa new-model | Enables new access control commands and functions. |
Step 5 | aaa authentication dot1x default group radius Example: Switch(config)# aaa authentication dot1x default group radius | Sets the default authentication list for IEEE 802.1X by using all the RADIUS hosts in a server group. |
Step 6 | radius-server host host_ip_address acct-port port_number auth-port port_number key 0 unencrypted_server_key Example: Switch(config)# radius-server host 10.1.1.1 acct-port 1813 auth-port 6225 key 0 encryptkey | Sets a clear text encryption key for the RADIUS authentication server. |
Step 7 | interface TenGigabitEthernet1/0/1 Example: Switch(config)# interface TenGigabitEthernet1/0/1 | Sets the 10-Gigabit Ethernet interface. The command prompt changes from Switch(config)# to Switch(config-if)#. |
Step 8 | switch mode access Example: Switch(config-if)# switch mode access | Sets the unconditional trunking mode access to the interface. |
Step 9 | dot1x pae authenticator Example: Switch(config-if)# dot1x pae authenticator | Sets the 802.1X interface PAE type as the authenticator. |
Step 10 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
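An added example (not Cisco tooling) that checks a saved configuration against the procedure above: the three global commands, a RADIUS server entry, the authenticator role on each AP-facing port, and any secret entered with the 0 clear-text type. The sample configuration is constructed from this page's own example commands; audit_dot1x_config and its ap_ports parameter are hypothetical names, and the indented sub-command layout is assumed.

```python
import re

# Global commands from the CLI procedure above that must all be present.
REQUIRED_GLOBAL = (
    "dot1x system-auth-control",
    "aaa new-model",
    "aaa authentication dot1x default group radius",
)

# Constructed sample configuration, using the commands as this page writes them.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.1 acct-port 1813 auth-port 6225 key 0 encryptkey
ap dot1x username AP3 password 0 password
interface TenGigabitEthernet1/0/1
 switch mode access
 dot1x pae authenticator
interface TenGigabitEthernet1/0/2
 switch mode access
"""


def audit_dot1x_config(config_text, ap_ports):
    """Return findings for a switch config that should authenticate APs via 802.1X."""
    findings = []
    lines = [ln.rstrip() for ln in config_text.splitlines() if ln.strip()]
    top_level = {ln for ln in lines if not ln.startswith(" ")}
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top_level:
            findings.append(f"missing global command: {cmd}")
    if not any(ln.startswith("radius-server host ") for ln in top_level):
        findings.append("no RADIUS server defined")
    # "key 0", "password 0" and "secret 0" mark a value entered in clear text.
    for ln in lines:
        m = re.search(r"\b(key|password|secret) 0 \S+", ln)
        if m:
            findings.append(f"secret given in clear text: {ln[:m.end(1)]} 0 <redacted>")
    # Group indented sub-commands under the top-level line that opens them.
    blocks, current = {}, None
    for ln in lines:
        if ln.startswith(" "):
            blocks.setdefault(current, []).append(ln.strip())
        else:
            current = ln
    for port in ap_ports:
        if "dot1x pae authenticator" not in blocks.get(f"interface {port}", []):
            findings.append(f"{port}: not set as 802.1X authenticator")
    return findings
```

Findings redact the secret itself, so the report can be shared without exposing the RADIUS key or access point passwords.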
Configuration Examples for Configuring Authentication for Access Points
Displaying the Authentication Settings for Access Points: Examples
This example shows how to display the authentication settings for all access points that join the switch:
Switch# show ap summary
Number of APs.................................... 1
Global AP User Name.............................. globalap
Global AP Dot1x User Name........................ globalDot1x
This example shows how to display the authentication settings for a specific access point:
Switch# show ap name AP02 config dot11 24ghz general
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... TSIM_AP2
...
AP Dot1x User Mode............................... AUTOMATIC
AP Dot1x User Name............................... globalDot1x