Configuring Radius Login Authentication - Cisco ISR Configuration Manual

Chapter 7 Configuring RADIUS Servers
Command
Step 6
end
Step 7
show running-config
Step 8 copy running-config startup-config
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global
configuration command.
This example shows how to configure one RADIUS server to be used for authentication and another to
be used for accounting:
router(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
router(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
This example shows how to configure an SSID for RADIUS accounting:
router(config)# dot11 ssid batman
router(config-ssid)# accounting accounting-method-list
This example shows how to configure host1 as the RADIUS server and to use the default ports for both
authentication and accounting:
router(config)# radius-server host host1
You also need to configure some settings on the RADIUS server. These settings include the IP address
Note
of the access point and the key string to be shared by both the server and the access point. For more
information, refer to the RADIUS server documentation.

Configuring RADIUS Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any of the defined
authentication methods are performed. The only exception is the default method list (which, by
coincidence, is named default). The default method list is automatically applied to all interfaces except
those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user.
You can designate one or more security protocols to be used for authentication, thus ensuring a backup
system for authentication in case the initial method fails. The software uses the first method listed to
authenticate users; if that method fails to respond, the software selects the next authentication method in
the method list. This process continues until there is successful communication with a listed
authentication method or until all defined methods are exhausted. If authentication fails at any point in
this cycle—meaning that the security server or local username database responds by denying the user
access—the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This
procedure is required.
Command
Step 1 configure terminal
Step 2 aaa new-model
OL-6415-04
Purpose
Return to privileged EXEC mode.
Verify your entries.
(Optional) Save your entries in the configuration file.
Purpose
Enter global configuration mode.
Enable AAA.
Cisco Wireless ISR and HWIC Access Point Configuration Guide
Configuring and Enabling RADIUS
7-7