Configuring Local Authentication Using LDAP

Local authentication using Lightweight Directory Access Protocol (LDAP) allows an endpoint to be authenticated using 802.1X, MAC authentication bypass (MAB), or web authentication with LDAP as a backend. Local authentication in Identity-Based Networking Services also supports associating an authentication, authorization, and accounting (AAA) attribute list with the local username. This module provides information about configuring local authentication for Identity-Based Networking Services.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Local Authentication Using LDAP

Local Authentication Using LDAP

Local authentication using LDAP allows an endpoint to be authenticated using 802.1X, MAB, or web authentication with LDAP as a backend. Local authentication also supports additional AAA attributes by associating an attribute list with a local username for wireless sessions.

AES Key Wrap

The Advanced Encryption Standard (AES) key wrap feature makes the shared secret between the controller and the RADIUS server more secure. AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant RADIUS authentication server.

How to Configure Local Authentication Using LDAP

Configuring Local Authentication Using LDAP

Perform this task to specify the AAA method list for local authentication and to associate an attribute list with a local username.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa local authentication {method-list-name | default} authorization {method-list-name | default}

    5.    username name aaa attribute list aaa-attribute-list [password password]

    6.    exit


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example: 
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example: 
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 aaa new-model


    Example: 
    Device(config)# aaa new-model
     

    Enables the authentication, authorization, and accounting (AAA) access control model.

     
    Step 4 aaa local authentication {method-list-name | default} authorization {method-list-name | default}


    Example: 
    Device(config)# aaa local authentication default authorization default
     

    Specifies the method lists to use for local authentication and authorization from a LDAP server.

     
    Step 5 username name aaa attribute list aaa-attribute-list [password password]


    Example: 
    Device(config)# username USER_1 aaa attribute list LOCAL_LIST password CISCO
     

    Associates a AAA attribute list with a local username.

     
    Step 6 exit


    Example: 
    Device(config)# exit
     

    Exits global configuration mode and returns to privileged EXEC mode.

     

    Configuring MAC Filtering Support

    Perform this task to set the RADIUS compatibility mode, the MAC delimiter, and the MAC address as the username to support MAC filtering.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    aaa new-model

      4.    aaa group server radius group-name

      5.    subscriber mac-filtering security-mode {mac | none | shared-secret}

      6.    mac-delimiter {colon | hyphen | none | single-hyphen}

      7.    exit

      8.    username mac-address mac [aaa attribute list aaa-attribute-list]

      9.    exit


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example: 
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example: 
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 aaa new-model


      Example: 
      Device(config)# aaa new-model
       

      Enables the authentication, authorization, and accounting (AAA) access control model.

       
      Step 4 aaa group server radius group-name


      Example: 
      Device(config)# aaa group server radius RAD_GROUP1
       

      Groups different RADIUS server hosts into distinct lists.

       
      Step 5 subscriber mac-filtering security-mode {mac | none | shared-secret}


      Example: 
      Device(config-sg-radius)# subscriber mac-filtering security-mode mac
       

      Specifies the RADIUS compatibility mode for MAC filtering.

      • The default value is none.

       
      Step 6 mac-delimiter {colon | hyphen | none | single-hyphen}


      Example: 
      Device(config-sg-radius)# mac-delimiter hyphen
       

      Specifies the MAC delimiter for RADIUS compatibility mode.

      • The default value is none.

       
      Step 7 exit


      Example: 
      Device(config-sg-radius)# exit
       

      Exits server group configuration mode and returns to global configuration mode.

       
      Step 8 username mac-address mac [aaa attribute list aaa-attribute-list]


      Example: 
      Device(config)# username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
       

      Allows a MAC address to be used as the username for MAC filtering done locally.

       
      Step 9 exit


      Example: 
      Device(config)# exit
       

      Exits global configuration mode and returns to privileged EXEC mode.

       

      Enabling AES Key Wrap

      Advanced Encryption Standard (AES) key wrap makes the shared secret between the controller and the RADIUS server more secure. AES key wrap requires a key-wrap compliant RADIUS authentication server.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    radius-server host {hostname | ip-address} key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}]

        4.    aaa new-model

        5.    aaa group server radius group-name

        6.    server ip-address [auth-port port-number] [acct-port port-number]

        7.    key-wrap enable

        8.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example: 
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example: 
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 radius-server host {hostname | ip-address} key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}]


        Example: 
        Device(config)# radius-server host 10.10.1.2 key-wrap encryption-key testkey99 message-auth-code-key testkey123
         

        Defines a RADIUS server host.

         
        Step 4 aaa new-model


        Example: 
        Device(config)# aaa new-model
         

        Enables the authentication, authorization, and accounting (AAA) access control model.

         
        Step 5 aaa group server radius group-name


        Example: 
        Device(config)# aaa group server radius RAD_GROUP1
         

        Groups different RADIUS server hosts into distinct lists.

         
        Step 6 server ip-address [auth-port port-number] [acct-port port-number]


        Example: 
        Device(config-sg-radius)# server 10.10.1.2
         

        Specifies the IP address of the RADIUS server in the server group.

         
        Step 7 key-wrap enable


        Example: 
        Device(config-sg-radius)# key-wrap enable
         

        Enables AES key wrap for this RADIUS server.

         
        Step 8 end


        Example: 
        Device(config-sg-radius)# end
         

        Exits server group configuration mode and returns to privileged EXEC mode.

         

        Configuration Examples for Local Authentication Using LDAP

        Example: Configuring Local Authentication Using LDAP

        The following example shows a configuration for local authentication:

        !
username USER_1 password 0 CISCO
username USER_1 aaa attribute list LOCAL_LIST
aaa new-model
aaa local authentication EAP_LIST authorization EAP_LIST
!

        Example: Configuring MAC Filtering Support

        The following example shows a configuration for MAC filtering: 

        username 00-22-WP-EC-23-3C mac aaa attribute list AAA_list1
!
aaa new-model
aaa group server radius RAD_GROUP1
subscriber mac-filtering security-mode mac
mac-delimiter hyphen

        Example: Configuring AES Key Wrap

        The following example shows a configuration with key wrap enabled for a RADIUS server: 

        aaa new-model
aaa group server radius RAD_GROUP1
server 10.10.1.2
key-wrap enable
!
radius-server host 10.10.1.2
!

        Additional References

        Related Documents

        Related Topic

        Document Title

        Cisco IOS commands

        Cisco IOS Master Command List, All Releases

        Identity-Based Networking Services commands

        Cisco IOS Identity-Based Networking Services Command Reference

        Address Resolution Protocol (ARP) commands

        Cisco IOS IP Addressing Services Command Reference

        ARP configuration tasks

        IP Addressing - ARP Configuration Guide

        Authentication, authorization, and accounting (AAA) configuration tasks

        Authentication Authorization and Accounting Configuration Guide

        AAA commands

        Cisco IOS Security Command Reference

        Standards and RFCs

        Standard/RFC

        Title

        RFC 5176

        Dynamic Authorization Extensions to RADIUS

        Technical Assistance

        Description

        Link

        The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

        Feature Information for Local Authentication Using LDAP

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
        Table 1 Feature Information for Local Authentication Using LDAP
        Feature Name Releases Feature Information

        Local Authentication Using LDAP

        Cisco IOS XE Release 3.2SE

        Introduces support for local authentication using Lightweight Directory Access Protocol (LDAP).

        In Cisco IOS XE 3.2SE, this feature is supported on the following platforms:

        • Cisco Catalyst 3650 Series Switches

        • Cisco Catalyst 3850 Series Switches

        • Cisco 5700 Wireless LAN Controllers

        The following commands were introduced or modified: aaa local authentication, key-wrap enable, mac-delimiter, radius-server host, subscriber mac-filtering security-mode, username.