Utilities for Configuring Security
This chapter describes how to apply the complete RADIUS server-side configuration on the wireless controller with a single command:
wireless-default radius server ip key secret
This simplified configuration option does the following:
- Configures AAA authorization for network services and AAA authentication for web authentication and 802.1X (Dot1x).
- Enables local authentication with default authorization.
- Configures the default redirect ACL for Central Web Authentication (CWA). In a redirect ACL, the deny entries exempt traffic from redirection (DNS, DHCP and traffic to the RADIUS server), and the permit entry for TCP port 80 selects the HTTP traffic that is redirected to the portal.
- Creates the global webauth parameter map with the virtual IP addresses and enables the captive bypass portal.
- Configures all the AAA settings for the default case at the same time as the RADIUS server.
- Uses the default method lists on the WLAN, so no method-list configuration is needed there.
- Enables RADIUS accounting by default.
- Disables RADIUS aggressive failover by default.
- Sets the RADIUS request timeout to 5 seconds by default.
This command configures the following in the background:
aaa new-model
aaa authentication webauth default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting identity default start-stop group radius
!
aaa server radius dynamic-author
client <IP> server-key <key>
!
radius server RAD_SRV_DEF_<IP>
description Configured by wireless-default
address ipv4 <IP> auth-port 1812 acct-port 1813
key <key>
!
aaa local authentication default authorization default
aaa session-id common
!
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL-DEFAULT
remark "CWA ACL to be referenced from ISE"
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
deny ip any host <IP>
permit tcp any any eq www
!
parameter-map type webauth global
captive-bypass-portal
virtual-ip ipv4 192.0.2.1
virtual-ip ipv6 1001::1
!
wireless profile policy default-policy-profile
aaa-override
local-http-profiling
local-dhcp-profiling
accounting
Thus, you need not go through the entire Configuration Guide to configure the wireless controller for a simple requirement. Note that the key you supply becomes both the RADIUS shared secret and the server key for the dynamic-author (CoA) client, so choose a strong value; cisco123 in this chapter is a sample only.
Configuring Multiple Radius Servers
Use the following procedure to configure a RADIUS server.
Procedure

| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal (Example: Device# configure terminal) | Enters global configuration mode. |
| 2 | wireless-default radius server ip key secret (Example: Device(config)# wireless-default radius server 9.2.58.90 key cisco123) | Configures a RADIUS server together with the default AAA, redirect ACL, parameter-map and policy-profile settings described above. |
| 3 | end (Example: Device(config)# end) | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Verifying AAA and Radius Server Configurations
To view the AAA and RADIUS server configuration applied by the utility, use the following command:
Device# show run aaa
!
aaa new-model
aaa authentication webauth default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting identity default start-stop group radius
!
aaa server radius dynamic-author
client 9.2.58.90 server-key cisco123
!
radius server RAD_SRV_DEF_9.2.58.90
description Configured by wireless-default
address ipv4 9.2.58.90 auth-port 1812 acct-port 1813
key cisco123
!
aaa local authentication default authorization default
aaa session-id common
!
!
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL-DEFAULT
remark "CWA ACL to be referenced from ISE"
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
deny ip any host 9.2.58.90
permit tcp any any eq www
!
parameter-map type webauth global
captive-bypass-portal
virtual-ip ipv4 192.0.2.1
virtual-ip ipv6 1001::1
!
wireless profile policy default-policy-profile
aaa-override
local-http-profiling
local-dhcp-profiling
accounting
Note: The show run aaa output may change when new commands are added to this utility.
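The following Python script is an added example, not part of this guide or of the controller software. It renders the background configuration listed earlier in this chapter for a given server IP and key, compares it against a `show run aaa` capture such as the one above, checks that the redirect ACL exempts the RADIUS server host from redirection, and flags a weak shared secret. The sample capture is the one shown above with the `!` separators, the description line and the remark line omitted; the weak-secret list and the 16-character minimum are assumptions made for the example, not IOS-XE rules.

```python
# Assumption: demo list of sample/default secrets and a local minimum length; neither is an IOS-XE rule.
WEAK_SECRETS = {"cisco", "cisco123", "secret", "radius", "password"}
MIN_SECRET_LEN = 16
# Lines the utility generates, as listed on this page; {ip} and {key} are filled in.
EXPECTED_TEMPLATE = """\
aaa new-model
aaa authentication webauth default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting identity default start-stop group radius
aaa server radius dynamic-author
client {ip} server-key {key}
radius server RAD_SRV_DEF_{ip}
address ipv4 {ip} auth-port 1812 acct-port 1813
key {key}
aaa local authentication default authorization default
aaa session-id common
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL-DEFAULT
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
deny ip any host {ip}
permit tcp any any eq www
parameter-map type webauth global
captive-bypass-portal
virtual-ip ipv4 192.0.2.1
virtual-ip ipv6 1001::1
wireless profile policy default-policy-profile
aaa-override
local-http-profiling
local-dhcp-profiling
accounting
"""

def _norm(line):
    """Drop indentation and casefold (IOS keywords are case-insensitive; note the secret is casefolded too)."""
    return " ".join(line.split()).casefold()

def present_lines(show_run_aaa):
    """Normalized lines of the capture, minus blank lines and '!' separators."""
    return {_norm(l) for l in show_run_aaa.splitlines() if l.strip() not in ("", "!")}

def missing_lines(show_run_aaa, ip, key):
    """Expected lines absent from the capture; an empty list means the utility applied everything."""
    have = present_lines(show_run_aaa)
    expected = EXPECTED_TEMPLATE.format(ip=ip, key=key).splitlines()
    return [l for l in expected if _norm(l) not in have]

def acl_exempts_server(show_run_aaa, ip):
    """Redirect-ACL 'deny' means do not redirect; traffic to the RADIUS/ISE host must be exempt."""
    return _norm(f"deny ip any host {ip}") in present_lines(show_run_aaa)

def audit_shared_secret(key):
    """Findings a reviewer would raise on the shared secret (the page's cisco123 is a lab value)."""
    findings = []
    if key.casefold() in WEAK_SECRETS:
        findings.append("shared secret is a well-known sample/default value")
    if len(key) < MIN_SECRET_LEN:
        findings.append(f"shared secret is shorter than {MIN_SECRET_LEN} characters")
    return findings

# The page's own `show run aaa` sample, indented as the device prints it ('!', description and remark omitted).
SAMPLE_SHOW_RUN_AAA = """\
aaa new-model
aaa authentication webauth default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting Identity default start-stop group radius
aaa server radius dynamic-author
 client 9.2.58.90 server-key cisco123
radius server RAD_SRV_DEF_9.2.58.90
 address ipv4 9.2.58.90 auth-port 1812 acct-port 1813
 key cisco123
aaa local authentication default authorization default
aaa session-id common
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL-DEFAULT
 deny udp any any eq domain
 deny tcp any any eq domain
 deny udp any eq bootps any
 deny udp any any eq bootpc
 deny udp any eq bootpc any
 deny ip any host 9.2.58.90
 permit tcp any any eq www
parameter-map type webauth global
 captive-bypass-portal
 virtual-ip ipv4 192.0.2.1
 virtual-ip ipv6 1001::1
wireless profile policy default-policy-profile
 aaa-override
 local-http-profiling
 local-dhcp-profiling
 accounting
"""

if __name__ == "__main__":
    print(missing_lines(SAMPLE_SHOW_RUN_AAA, "9.2.58.90", "cisco123"), audit_shared_secret("cisco123"))
```

Run as-is to audit the page's sample; for a real controller, paste the output of `show run aaa` into SAMPLE_SHOW_RUN_AAA and pass the IP and key you configured. The comparison is a presence test on normalized lines, so additional configuration on the device (other RADIUS servers, extra ACL entries) does not cause a false failure, while any line the utility should have produced but did not is reported.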