Cisco 802.1X Local Authentication Service

Archived from groups: alt.internet.wireless (More info?)

Hi,

I wonder if anyone has had any experience of the new Cisco IEEE 802.1X
Local Authentication Service which is distributed in the latest IOS
release for the Aironet 1200/1100?

It allows the AP to cache users' 802.1x credentials so that if the main
RADIUS server is located on a WAN link and this link is down, the AP can
continue to authenticate the clients until the WAN link is restored.

My question is, how long does the AP cache this information? For
hours/days/indefinitely until the WAN link returns?

Many thanks for any insight,

N
  1.

    On Wed, 07 Apr 2004 16:23:13 +0100, "BGates" <bgates@yahoo.com> wrote:

    ~ Hi,
    ~
    ~ I wonder if anyone has had any experience of the new Cisco IEEE 802.1X
    ~ Local Authentication Service which is distributed in the latest IOS
    ~ release for the Aironet 1200/1100?
    ~
    ~ It allows the AP to cache users' 802.1x credentials so that if the main
    ~ RADIUS server is located on a WAN link and this link is down, the AP can
    ~ continue to authenticate the clients until the WAN link is restored.

    That's not quite right. With local authentication on the AP, the
    credentials from RADIUS are not "cached". Rather, this is actually
    a separate "local" RADIUS server running within the IOS AP itself.
    The credentials are stored in flash on the AP (independently from
    whatever you've configured on the external RADIUS server.)

    ~ My question is how long the AP caches this information? For
    ~ hours/days/indefinitely until the WAN link returns?

    The idea is that you configure the AP authenticator (RADIUS client)
    to first try the external RADIUS server, then fall back to the
    local one if no response. There are a few knobs to control
    this behavior.

    Aaron
  2.

    Aaron,

    Can the Local Authentication Service be used as a standalone
    authenticator, with no need for an external RADIUS server?

    Jesse

    On Wed, 07 Apr 2004 13:31:55 -0700, Aaron Leonard <Aaron@Cisco.COM>
    wrote:

    >On Wed, 07 Apr 2004 16:23:13 +0100, "BGates" <bgates@yahoo.com> wrote:
    >
    >~ Hi,
    >~
    >~ I wonder if anyone has had any experience of the new Cisco IEEE 802.1X
    >~ Local Authentication Service which is distributed in the latest IOS
    >~ release for the Aironet 1200/1100?
    >~
    >~ It allows the AP to cache users' 802.1x credentials so that if the main
    >~ RADIUS server is located on a WAN link and this link is down, the AP can
    >~ continue to authenticate the clients until the WAN link is restored.
    >
    >That's not quite right. With local authentication on the AP, the
    >credentials from RADIUS are not "cached". Rather, this is actually
    >a separate "local" RADIUS server running within the IOS AP itself.
    >The credentials are stored in flash on the AP (independently from
    >whatever you've configured on the external RADIUS server.)
    >
    >~ My question is how long the AP caches this information? For
    >~ hours/days/indefinitely until the WAN link returns?
    >
    >The idea is that you configure the AP authenticator (RADIUS client)
    >to first try the external RADIUS server, then fall back to the
    >local one if no response. There are a few knobs to control
    >this behavior.
    >
    >Aaron
  3.

    On Wed, 07 Apr 2004 13:31:55 -0700, Aaron Leonard wrote:

    > The idea is that you configure the AP authenticator (RADIUS client) to
    > first try the external RADIUS server, then fall back to the local one if
    > no response. There are a few knobs to control this behavior.
    >
    >
    Thanks Aaron - you are absolutely right:

    Cisco docs:

    "You configure the local authenticator access point manually with client
    usernames and passwords because it does not synchronize its database with
    the main RADIUS servers."
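    Putting Aaron's "external server first, local one second" arrangement together with the hand-maintained local database from the Cisco doc quote, as an added example that is not from the thread or from Cisco's documentation; the addresses, keys, user names and the group name are assumed placeholders:

    ```cisco
    ! Added example: an Aironet 1100/1200 IOS configuration in which the AP's own
    ! local RADIUS server is listed second in the AAA server group, so it is only
    ! consulted after the external RADIUS server stops answering.
    ! 192.0.2.10 = external RADIUS server, 10.0.0.5 = the AP's own BVI address
    ! (both assumed); keys and passwords are placeholders.
    !
    ! --- Local authenticator: the separate RADIUS server inside the AP ---
    radius-server local
     ! The AP is its own NAS, so it must trust its own address
     nas 10.0.0.5 key LOCALNASKEY
     ! Local user database: entered by hand, never synchronized from the
     ! main RADIUS server, so it must be kept in step with it manually
     user alice password AlicePassw0rd!
     user bob password BobPassw0rd!
    !
    ! --- RADIUS client side: external server first, then the AP itself ---
    radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXTKEY
    radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key LOCALNASKEY
    ! The "knobs": how long to wait per request, how many attempts per server,
    ! and how many minutes a non-responding server is skipped before retrying.
    ! Together they bound how long clients wait before fallback kicks in.
    radius-server timeout 5
    radius-server retransmit 3
    radius-server deadtime 10
    !
    aaa new-model
    aaa group server radius rad_eap
     server 192.0.2.10 auth-port 1812 acct-port 1813
     server 10.0.0.5 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    !
    interface Dot11Radio0
     ssid corp
       authentication open eap eap_methods
       authentication network-eap eap_methods
    ```

    With these values a client whose request the external server never answers waits roughly timeout x retransmit seconds before the AP tries its own server, and for the next deadtime minutes the external server is skipped entirely.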
  4.

    On Wed, 07 Apr 2004 15:02:21 -0700, j wrote:

    > Aaron,
    >
    > Can the Local Authentication Service be used as a standalone
    > authenticator, with no need for an external RADIUS server?
    >
    >
    >
    Yes it can. I have it running here. You simply need a Cisco client and
    AP1200/1100 with the latest IOS firmware and you can perform LEAP
    authentication by having the AP use itself as the authenticating RADIUS
    server.

    Bear in mind LEAP has an Achilles heel in that it sends its MS-CHAP
    exchange over the air before the transmission is encrypted and this can be
    intercepted and cracked using dictionary or brute force. Use complex
    passwords to negate this. The Cisco client allows you to store a
    username/password and it will perform the LEAP authentication as the
    network interface comes up - so you don't have to remember that complex
    password.