Showing results for 
Search instead for 
Did you mean: 




The maximum number of MAC addresses of clients that Cisco Access Point supports


The AP can authenticate a maximum of 50 clients,If you want to store more than 50 MAC addresses, then use a RADIUS server.

Note: It is also possible to configure MAC with an Extensible Authentication Protocol (EAP) method.

Understanding Local Authentication

Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link. If the WAN link fails, or if the access points cannot access the RADIUS servers for any reason, client devices cannot access the wireless network even if the work they wish to do is entirely local.

To provide local authentication service or backup authentication service in case of a WAN link or a server failure, you can configure an access point to act as a local RADIUS server. The access point can authenticate LEAP-enabled wireless client devices and allow them to join your network.

You configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with the main RADIUS servers. You can also specify a VLAN and a list of SSIDs that a client is allowed to use. You can configure up to 50 users on the local authenticator.

Note  Users associated to the local authenticator access point might notice a drop in performance when the access point authenticates client devices. However, if your wireless LAN contains only one access point, you can configure the access point as both the 802.1X authenticator and the local authenticator.

You configure your access points to use the local authenticator when they cannot reach the main servers (or as the main authenticator if you do not have a RADIUS server). The access points periodically check the link to the main servers and stop using the local authenticator automatically when the link to the main servers is restored.

Caution The access point you use as an authenticator contains detailed authentication information for your wireless LAN, so you should secure it physically to protect its configuration.


This example shows how to set up a local authenticator used by three access points with three user groups and several users:


Step 1 

configure terminalEnter global configuration mode.
Step 2 aaa new-modelEnable AAA.
Step 3 

radius-server local


Enable the access point as a local authenticator and enter configuration mode for the authenticator.

Step 4 

nas ip-address key shared-key


Add an access point to the list of units that use the local authenticator. Enter the access point's IP address and the shared key used to authenticate communication between the local authenticator and other access points. You must enter this shared key on the access points that use the local authenticator. If your local authenticator also serves client devices, you must enter the local authenticator access point as a NAS.

Note Leading spaces in the key string are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

Repeat this step to add each access point that uses the local authenticator.

Step 5 group group-name(Optional) Enter user group configuration mode and configure a user group to which you can assign shared settings.
Step 6 vlan vlan(Optional) Specify a VLAN to be used by members of the user group. The access point moves group members into that VLAN, overriding other VLAN assignments. You can assign only one VLAN to the group.

Step 7 


ssid ssid

(Optional) Enter up to 20 SSIDs to limit members of the user group to those SSIDs. The access point checks that the SSID that the client used to associate matches one of the SSIDs in the list. If the SSID does not match, the client is disassociated.

Step 8 


reauthentication time seconds

(Optional) Enter the number of seconds after which access points should reauthenticate members of the group. The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate.

Step 9 


lockout count count 
time { seconds | infinite }

(Optional) To help protect against password guessing attacks, you can lock out group members for a length of time after a set number of incorrect passwords.

count—The number of failed passwords that triggers a lockout of the user name.


time—The number of seconds the lockout should last. If you enter infinite, an administrator must manually unblock the locked user name. See the "Unblocking Locked Usernames" section for instructions on unblocking client devices.


Step 10 




Exit group configuration mode and return to authenticator configuration mode.


Step 11 


user username 
{ password | nthash } password 
[ group group-name ]


Enter the users allowed to authenticate using the local authenticator. You must enter a user name and password for each user. If you only know the NT value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.


To add the user to a user group, enter the group name. If you do not specify a group, the user is not assigned to a specific VLAN and is never forced to reauthenticate.


Step 12 




Return to privileged EXEC mode.


Step 13 


copy running-config startup-config


(Optional) Save your entries in the configuration file.


AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas key 110337
AP(config-radsrv)# nas key 110337
AP(config-radsrv)# nas key 110337
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 87
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# ssid robin
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# group cashiers
AP(config-radsrv-group)# vlan 97
AP(config-radsrv-group)# ssid deer
AP(config-radsrv-group)# ssid antelope
AP(config-radsrv-group)# ssid elk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# group managers
AP(config-radsrv-group)# vlan 77
AP(config-radsrv-group)# ssid mouse
AP(config-radsrv-group)# ssid chipmunk
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# user stpatrick password snake100 group clerks
AP(config-radsrv)# user nick password uptown group clerks
AP(config-radsrv)# user sam password rover32 group cashiers
AP(config-radsrv)# user patsy password crowder group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end

For more information, refer to Configuring an Access Point as a Local Authenticator

Problem Type

Release notes / product  overview / data sheet / FAQ

Technical product specification / features


Access point

WLAN adapters (wireless card) / ACU (Aironet Client Utility)

Security Options

MAC address authentication (Media Access Control)



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Quick Links