The maximum number of MAC addresses of clients that Cisco Access Point supports
The AP can authenticate a maximum of 50 clients. If you want to store more than 50 MAC addresses, use a RADIUS server.
Note: It is also possible to combine MAC address authentication with an Extensible Authentication Protocol (EAP) method.
Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link. If the WAN link fails, or if the access points cannot access the RADIUS servers for any reason, client devices cannot access the wireless network even if the work they wish to do is entirely local.
To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an access point to act as a local RADIUS server. The access point can authenticate LEAP-enabled wireless client devices and allow them to join your network.
You configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with the main RADIUS servers. You can also specify a VLAN and a list of SSIDs that a client is allowed to use. You can configure up to 50 users on the local authenticator.
Note: Users associated to the local authenticator access point might notice a drop in performance when the access point authenticates client devices. However, if your wireless LAN contains only one access point, you can configure the access point as both the 802.1X authenticator and the local authenticator.
You configure your access points to use the local authenticator when they cannot reach the main servers (or as the main authenticator if you do not have a RADIUS server). The access points periodically check the link to the main servers and stop using the local authenticator automatically when the link to the main servers is restored.
Caution: The access point you use as an authenticator contains detailed authentication information for your wireless LAN, so you should secure it physically to protect its configuration.
Beginning in privileged EXEC mode, follow these steps to configure the access point as a local authenticator:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | `configure terminal` | Enter global configuration mode. |
| Step 2 | `aaa new-model` | Enable AAA. |
| Step 3 | `radius-server local` | Enable the access point as a local authenticator and enter configuration mode for the authenticator. |
| Step 4 | `nas ip-address key shared-key` | Add an access point to the list of units that use the local authenticator. Enter the access point's IP address and the shared key used to authenticate communication between the local authenticator and other access points. You must enter this shared key on the access points that use the local authenticator. If your local authenticator also serves client devices, you must enter the local authenticator access point as a NAS. Note: Leading spaces in the key string are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key. Repeat this step to add each access point that uses the local authenticator. |
| Step 5 | `group group-name` | (Optional) Enter user group configuration mode and configure a user group to which you can assign shared settings. |
| Step 6 | `vlan vlan` | (Optional) Specify a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group. |
| Step 7 | `ssid ssid` | (Optional) Enter up to 20 SSIDs to limit members of the user group to those SSIDs. The access point checks that the SSID that the client used to associate matches one of the SSIDs in the list. If the SSID does not match, the client is disassociated. |
| Step 8 | `reauthentication time seconds` | (Optional) Enter the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate. |
| Step 9 | `lockout count count time {time \| infinite}` | (Optional) To help protect against password guessing attacks, you can lock out group members for a length of time after a set number of incorrect passwords. count is the number of failed passwords that triggers a lockout of the user name; time is the number of seconds the lockout should last. If you enter infinite, an administrator must manually unblock the locked user name. See the "Unblocking Locked Usernames" section for instructions on unblocking client devices. |
| Step 10 | `exit` | Exit group configuration mode and return to authenticator configuration mode. |
| Step 11 | `user username {password \| nthash} password [group group-name]` | Enter the users allowed to authenticate using the local authenticator. You must enter a user name and password for each user. If you only know the NT value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits. To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate. |
| Step 12 | `end` | Return to privileged EXEC mode. |
| Step 13 | `copy running-config startup-config` | (Optional) Save your entries in the configuration file. |

This example shows how to set up a local authenticator used by three access points with three user groups and several users:

```
AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 10.91.6.159 key 110337
AP(config-radsrv)# nas 10.91.6.162 key 110337
AP(config-radsrv)# nas 10.91.6.181 key 110337
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 87
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# ssid robin
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# group cashiers
AP(config-radsrv-group)# vlan 97
AP(config-radsrv-group)# ssid deer
AP(config-radsrv-group)# ssid antelope
AP(config-radsrv-group)# ssid elk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# group managers
AP(config-radsrv-group)# vlan 77
AP(config-radsrv-group)# ssid mouse
AP(config-radsrv-group)# ssid chipmunk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# user stpatrick password snake100 group clerks
AP(config-radsrv)# user nick password uptown group clerks
AP(config-radsrv)# user sam password rover32 group cashiers
AP(config-radsrv)# user patsy password crowder group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end
```
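The procedure above leaves several decisions to the administrator that the text itself flags as security-relevant: the 50-user ceiling, the 20-SSID limit per group, groups without a lockout or reauthentication interval, and users entered without a group (who therefore get no VLAN and are never forced to reauthenticate). The following audit script is an added example, not code from the Cisco document: it parses a pasted CLI session or running-config section between `radius-server local` and `end` and reports those conditions. The 8-character minimum it applies to a NAS shared key is this example's own threshold, not a figure from the document; the sample configuration is constructed from the example above with two deliberate weaknesses added.

```python
"""Audit a Cisco Aironet local-authenticator (radius-server local) block.

Added example, not from the Cisco document. The 50-user and 20-SSID limits
are the ones stated in the text; MIN_SHARED_KEY_LEN is this example's own
assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_LOCAL_USERS = 50        # limit stated in the document
MAX_SSIDS_PER_GROUP = 20    # limit stated in the document
MIN_SHARED_KEY_LEN = 8      # reviewer's assumption, not from the document

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")   # strips e.g. "AP(config-radsrv)# "
USER_RE = re.compile(r"^user (\S+) (?:password|nthash) (\S+)(?: group (\S+))?$")


@dataclass
class Group:
    vlan: Optional[str] = None
    ssids: List[str] = field(default_factory=list)
    reauth_seconds: int = 0                      # 0 = never reauthenticate (default)
    lockout: Optional[Tuple[int, str]] = None    # (count, seconds or "infinite")


@dataclass
class LocalAuth:
    nas: Dict[str, str] = field(default_factory=dict)              # ip -> shared key
    groups: Dict[str, Group] = field(default_factory=dict)
    users: Dict[str, Optional[str]] = field(default_factory=dict)  # name -> group


def parse_local_auth(config: str) -> LocalAuth:
    """Collect nas/group/user settings between 'radius-server local' and 'end'."""
    la, cur, inside = LocalAuth(), None, False
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or (not inside and line != "radius-server local"):
            continue
        if line == "radius-server local":
            inside = True
            continue
        if line == "end":
            break
        tok = line.split()
        if tok[0] == "nas" and len(tok) >= 4 and tok[2] == "key":
            la.nas[tok[1]] = " ".join(tok[3:])      # spaces inside a key are significant
        elif tok[0] == "group" and len(tok) == 2:   # also valid from inside another group
            cur = la.groups.setdefault(tok[1], Group())
        elif tok[0] == "exit":
            cur = None
        elif tok[0] == "user":
            m = USER_RE.match(line)
            if m:
                la.users[m.group(1)] = m.group(3)   # None when no group was given
        elif cur is not None:
            if tok[0] == "vlan" and len(tok) == 2:
                cur.vlan = tok[1]
            elif tok[0] == "ssid":
                cur.ssids.append(" ".join(tok[1:]))
            elif tok[:2] == ["reauthentication", "time"] and len(tok) == 3:
                cur.reauth_seconds = int(tok[2])
            elif tok[:2] == ["lockout", "count"] and len(tok) == 5 and tok[3] == "time":
                cur.lockout = (int(tok[2]), tok[4])
    return la


def audit(la: LocalAuth) -> List[str]:
    """Return one finding per setting a reviewer would question."""
    f: List[str] = []
    if len(la.users) > MAX_LOCAL_USERS:
        f.append(f"{len(la.users)} users exceed the {MAX_LOCAL_USERS}-user limit; use a RADIUS server")
    if not la.nas:
        f.append("no nas entries: no access point can use this authenticator")
    for ip, key in la.nas.items():
        if len(key) < MIN_SHARED_KEY_LEN:
            f.append(f"nas {ip}: shared key shorter than {MIN_SHARED_KEY_LEN} characters")
    for name, g in la.groups.items():
        if g.lockout is None:
            f.append(f"group {name}: no lockout, password guessing is not throttled")
        if g.reauth_seconds == 0:
            f.append(f"group {name}: reauthentication time 0, members never get a new key")
        if len(g.ssids) > MAX_SSIDS_PER_GROUP:
            f.append(f"group {name}: {len(g.ssids)} SSIDs exceed the limit of {MAX_SSIDS_PER_GROUP}")
    for user, grp in la.users.items():
        if grp is None:
            f.append(f"user {user}: no group, so no VLAN and never forced to reauthenticate")
        elif grp not in la.groups:
            f.append(f"user {user}: group {grp} is not defined")
    return f


# Constructed sample: the document's example trimmed to two access points, plus a
# group without lockout/reauthentication and a user entered outside any group.
SAMPLE_CONFIG = """\
AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 10.91.6.159 key 110337
AP(config-radsrv)# nas 10.91.6.162 key 110337
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 87
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# ssid robin
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# group managers
AP(config-radsrv-group)# vlan 77
AP(config-radsrv-group)# ssid mouse
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user guest password visitor
AP(config-radsrv)# end
"""

if __name__ == "__main__":
    for finding in audit(parse_local_auth(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the script reports the two short shared keys, the `managers` group's missing lockout and zero reauthentication interval, and the groupless `guest` user, while the fully configured `clerks` group produces nothing. Feeding it the output of `show running-config` works the same way because the prompt-stripping regex simply matches nothing on indented config lines.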
For more information, refer to "Configuring an Access Point as a Local Authenticator".