
Configuring Local Authentication Using LDAP

Local authentication using Lightweight Directory Access Protocol (LDAP) allows an endpoint to be
authenticated using 802.1X, MAC authentication bypass (MAB), or web authentication with LDAP as a
backend. Local authentication in Identity-Based Networking Services also supports associating an
authentication, authorization, and accounting (AAA) attribute list with the local username. This module
provides information about configuring local authentication for Identity-Based Networking Services.

• Finding Feature Information
• Information About Local Authentication Using LDAP
• How to Configure Local Authentication Using LDAP
• Configuration Examples for Local Authentication Using LDAP
• Additional References
• Feature Information for Local Authentication Using LDAP

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Local Authentication Using LDAP


Local Authentication Using LDAP
Local authentication using LDAP allows an endpoint to be authenticated using 802.1X, MAB, or web
authentication with LDAP as a backend. Local authentication also supports additional AAA attributes by
associating an attribute list with a local username for wireless sessions.

Identity-Based Networking Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)


AES Key Wrap


The Advanced Encryption Standard (AES) key wrap feature makes the shared secret between the controller
and the RADIUS server more secure. AES key wrap is designed for Federal Information Processing Standards
(FIPS) customers and requires a key-wrap compliant RADIUS authentication server.

How to Configure Local Authentication Using LDAP


Configuring Local Authentication Using LDAP
Perform this task to specify the AAA method list for local authentication and to associate an attribute list with
a local username.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa local authentication {method-list-name | default} authorization {method-list-name | default}
5. username name aaa attribute list aaa-attribute-list [password password]
6. exit

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: aaa new-model
Purpose: Enables the authentication, authorization, and accounting (AAA) access control model.
Example:
Device(config)# aaa new-model


Step 4: aaa local authentication {method-list-name | default} authorization {method-list-name | default}
Purpose: Specifies the method lists to use for local authentication and authorization from an LDAP server.
Example:
Device(config)# aaa local authentication default authorization default

Step 5: username name aaa attribute list aaa-attribute-list [password password]
Purpose: Associates an AAA attribute list with a local username.
Example:
Device(config)# username USER_1 aaa attribute list LOCAL_LIST password CISCO

Step 6: exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# exit

Configuring MAC Filtering Support


Perform this task to set the RADIUS compatibility mode, the MAC delimiter, and the MAC address as the
username to support MAC filtering.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa group server radius group-name
5. subscriber mac-filtering security-mode {mac | none | shared-secret}
6. mac-delimiter {colon | hyphen | none | single-hyphen}
7. exit
8. username mac-address mac [aaa attribute list aaa-attribute-list]
9. exit

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: aaa new-model
Purpose: Enables the authentication, authorization, and accounting (AAA) access control model.
Example:
Device(config)# aaa new-model

Step 4: aaa group server radius group-name
Purpose: Groups different RADIUS server hosts into distinct lists.
Example:
Device(config)# aaa group server radius RAD_GROUP1

Step 5: subscriber mac-filtering security-mode {mac | none | shared-secret}
Purpose: Specifies the RADIUS compatibility mode for MAC filtering.
• The default value is none.
Example:
Device(config-sg-radius)# subscriber mac-filtering security-mode mac

Step 6: mac-delimiter {colon | hyphen | none | single-hyphen}
Purpose: Specifies the MAC delimiter for RADIUS compatibility mode.
• The default value is none.
Example:
Device(config-sg-radius)# mac-delimiter hyphen

Step 7: exit
Purpose: Exits server group configuration mode and returns to global configuration mode.
Example:
Device(config-sg-radius)# exit

Step 8: username mac-address mac [aaa attribute list aaa-attribute-list]
Purpose: Allows a MAC address to be used as the username for MAC filtering done locally.
Example:
Device(config)# username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1

Step 9: exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# exit


Enabling AES Key Wrap


Advanced Encryption Standard (AES) key wrap makes the shared secret between the controller and the
RADIUS server more secure. AES key wrap requires a key-wrap compliant RADIUS authentication server.

SUMMARY STEPS

1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}]
4. aaa new-model
5. aaa group server radius group-name
6. server ip-address [auth-port port-number] [acct-port port-number]
7. key-wrap enable
8. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: radius-server host {hostname | ip-address} key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}]
Purpose: Defines a RADIUS server host.
Example:
Device(config)# radius-server host 10.10.1.2 key-wrap encryption-key testkey99 message-auth-code-key testkey123

Step 4: aaa new-model
Purpose: Enables the authentication, authorization, and accounting (AAA) access control model.
Example:
Device(config)# aaa new-model

Step 5: aaa group server radius group-name
Purpose: Groups different RADIUS server hosts into distinct lists.
Example:
Device(config)# aaa group server radius RAD_GROUP1


Step 6: server ip-address [auth-port port-number] [acct-port port-number]
Purpose: Specifies the IP address of the RADIUS server in the server group.
Example:
Device(config-sg-radius)# server 10.10.1.2

Step 7: key-wrap enable
Purpose: Enables AES key wrap for this RADIUS server.
Example:
Device(config-sg-radius)# key-wrap enable

Step 8: end
Purpose: Exits server group configuration mode and returns to privileged EXEC mode.
Example:
Device(config-sg-radius)# end

Configuration Examples for Local Authentication Using LDAP


Example: Configuring Local Authentication Using LDAP
The following example shows a configuration for local authentication:
!
username USER_1 password 0 CISCO
username USER_1 aaa attribute list LOCAL_LIST
aaa new-model
aaa local authentication EAP_LIST authorization EAP_LIST
!

Example: Configuring MAC Filtering Support


The following example shows a configuration for MAC filtering:
username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
!
aaa new-model
aaa group server radius RAD_GROUP1
subscriber mac-filtering security-mode mac
mac-delimiter hyphen
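Step 6 of the MAC filtering task selects a mac-delimiter keyword, and the example above pairs the hyphen form of the username with mac-delimiter hyphen. The Python below is an added example, not Cisco's code and not part of this guide: it renders the MAC username for each of the four keywords and audits a constructed config fragment for username ... mac entries that are not valid hex (the guide's own 00-22-WP-EC-23-3C contains the non-hex pair WP) or that are not written in the form the server group's mac-delimiter selects. The output format assumed for each keyword, and the rule that the username form should agree with mac-delimiter, are assumptions made for this example; the guide names the keywords but does not spell out the formats.

```python
"""Added example (not Cisco's code): render the MAC-address username for each
`mac-delimiter` keyword and audit a config fragment for MAC usernames that are
malformed or that do not match the delimiter chosen in the RADIUS server group.

Assumed output forms for the four keywords (an assumption; the guide names the
keywords but does not spell out the formats):
  colon          00:22:ab:ec:23:3c
  hyphen         00-22-ab-ec-23-3c
  none           0022abec233c
  single-hyphen  0022ab-ec233c
"""
import re
from typing import List, Optional, Tuple

HEX12 = re.compile(r"^[0-9a-f]{12}$")
USERNAME_RE = re.compile(r"^\s*username\s+(\S+)\s+mac\b")
DELIM_RE = re.compile(r"^\s*mac-delimiter\s+(colon|hyphen|none|single-hyphen)\b")


def canonical_mac(raw: str) -> str:
    """Strip colon, hyphen and dot separators; return 12 lowercase hex digits.

    Raises ValueError for anything else, so a typo such as the non-hex pair
    "WP" is caught before the line is pushed to a device.
    """
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def format_mac(raw: str, delimiter: str) -> str:
    """Format a MAC address according to a mac-delimiter keyword (assumed forms)."""
    d = canonical_mac(raw)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    if delimiter == "colon":
        return ":".join(pairs)
    if delimiter == "hyphen":
        return "-".join(pairs)
    if delimiter == "none":
        return d
    if delimiter == "single-hyphen":
        return d[:6] + "-" + d[6:]
    raise ValueError(f"unknown mac-delimiter keyword: {delimiter!r}")


def username_line(raw: str, attr_list: Optional[str] = None,
                  delimiter: str = "hyphen") -> str:
    """Render a `username <mac> mac [aaa attribute list <name>]` line."""
    line = f"username {format_mac(raw, delimiter)} mac"
    if attr_list:
        line += f" aaa attribute list {attr_list}"
    return line


def audit_config(config_text: str) -> List[Tuple[str, str]]:
    """Return (line, problem) for every `username ... mac` entry that is not a
    valid MAC or that is not written in the form chosen by mac-delimiter.

    The guide states that `none` is the default, so that is assumed when no
    mac-delimiter line is present.
    """
    delimiter = "none"
    lines = config_text.splitlines()
    for line in lines:
        m = DELIM_RE.match(line)
        if m:
            delimiter = m.group(1)
    problems: List[Tuple[str, str]] = []
    for line in lines:
        m = USERNAME_RE.match(line)
        if not m:
            continue
        mac = m.group(1)
        try:
            expected = format_mac(mac, delimiter)
        except ValueError as exc:
            problems.append((line.strip(), str(exc)))
            continue
        if mac.lower() != expected:
            problems.append((line.strip(),
                             f"expected {expected} for mac-delimiter {delimiter}"))
    return problems


# Constructed sample: the guide's own (non-hex) username, a valid hyphen-form
# entry, and a dotted entry that does not match `mac-delimiter hyphen`.
SAMPLE_CONFIG = """\
username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
username 00-22-ab-ec-23-3c mac aaa attribute list AAA_list1
username 0022.abec.233c mac
!
aaa new-model
aaa group server radius RAD_GROUP1
 subscriber mac-filtering security-mode mac
 mac-delimiter hyphen
"""

if __name__ == "__main__":
    for kw in ("colon", "hyphen", "none", "single-hyphen"):
        print(f"{kw:14} {format_mac('0022.abec.233c', kw)}")
    for bad_line, why in audit_config(SAMPLE_CONFIG):
        print(f"PROBLEM: {bad_line}\n  {why}")
```

Running the script as-is prints the four assumed username forms and flags two of the three constructed username lines: the first because WP is not hex, the third because a dotted MAC does not match the hyphen delimiter in force. Validating the MAC before it lands in a username line matters because a malformed entry never matches any endpoint and silently turns a MAC filtering rule into a no-op.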

Example: Configuring AES Key Wrap

The following example shows a configuration with key wrap enabled for a RADIUS server:
aaa new-model
aaa group server radius RAD_GROUP1
server 10.10.1.2
key-wrap enable
!
radius-server host 10.10.1.2
!

Additional References

Related Documents

Related Topic                                              Document Title
Cisco IOS commands                                         Cisco IOS Master Command List, All Releases
Identity-Based Networking Services commands                Cisco IOS Identity-Based Networking Services Command Reference
Address Resolution Protocol (ARP) commands                 Cisco IOS IP Addressing Services Command Reference
ARP configuration tasks                                    IP Addressing - ARP Configuration Guide
Authentication, authorization, and accounting (AAA) tasks  Authentication Authorization and Accounting Configuration Guide
AAA commands                                               Cisco IOS Security Command Reference

Standards and RFCs

Standard/RFC Title
RFC 5176 Dynamic Authorization Extensions to RADIUS

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html


Feature Information for Local Authentication Using LDAP


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for Local Authentication Using LDAP

Feature Name: Local Authentication Using LDAP
Releases: Cisco IOS XE Release 3.2SE
Feature Information: Introduces support for local authentication using Lightweight Directory Access Protocol (LDAP).
In Cisco IOS XE 3.2SE, this feature is supported on the following platforms:
• Cisco Catalyst 3650 Series Switches
• Cisco Catalyst 3850 Series Switches
• Cisco 5700 Wireless LAN Controllers
The following commands were introduced or modified: aaa local authentication, key-wrap enable, mac-delimiter, radius-server host, subscriber mac-filtering security-mode, username.
