Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual

Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Configure an Access Point as a Local Authenticator
Chapter 10
This example shows how to set up two main servers and a local authenticator
with a server deadtime of 10 minutes:
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.151 auth-port 1812 acct-port 1813 key 110337
AP(config)# radius-server deadtime 10
In this example, if the WAN link to the main servers fails, the access point
completes these steps when a LEAP-enabled client device associates:
1. It tries the first server, times out multiple times, and marks the first server
as dead.
2. It tries the second server, times out multiple times, and marks the second
server as dead.
3. It tries and succeeds by using the local authenticator.
If another client device needs to authenticate during the 10-minute dead-time
interval, the access point skips the first two servers and tries the local
authenticator first. After the dead-time interval, the access point tries to use the
main servers for authentication. When setting a dead time, you must balance the
need to skip dead servers with the need to check the WAN link and begin by
using the main servers again as soon as possible.
Each time the access point tries to use the main servers while they are down, the
client device trying to authenticate can report an authentication timeout. The
client device retries and succeeds when the main servers time out and the access
point tries the local authenticator. You can extend the timeout value on Cisco
client devices to accommodate expected server timeouts.
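The failover and dead-time behavior described above can be replayed as a small model. This is an added example, not code from the manual or from the access point software; the 5-second timeout and 3 tries per server are assumed values (the manual only says "times out multiple times"), and the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    host: str
    reachable: bool = False
    dead_until: int = 0          # AP skips this server while now < dead_until (s)

@dataclass
class AccessPoint:
    servers: list                # configured order, local authenticator last
    deadtime_min: int = 10       # radius-server deadtime 10
    timeout_s: int = 5           # assumed wait per try (not stated on the page)
    tries: int = 3               # assumed tries before a server is marked dead

    def authenticate(self, now):
        """Return (server that answered, seconds the client waited)."""
        waited = 0
        for srv in self.servers:
            if now < srv.dead_until:
                continue                      # still in dead time: skip
            if srv.reachable:
                return srv.host, waited
            waited += self.timeout_s * self.tries
            srv.dead_until = now + waited + self.deadtime_min * 60
        return None, waited                   # nothing answered

def simulate(arrivals, wan_restored_at=None, deadtime_min=10):
    """Replay client arrivals (seconds) against the three configured hosts."""
    mains = [RadiusServer("172.20.0.1"), RadiusServer("172.10.0.1")]
    local = RadiusServer("10.91.6.151", reachable=True)
    ap = AccessPoint(mains + [local], deadtime_min)
    results = []
    for t in arrivals:
        for m in mains:
            m.reachable = wan_restored_at is not None and t >= wan_restored_at
        results.append((t, *ap.authenticate(t)))
    return results

if __name__ == "__main__":
    for row in simulate([0, 120, 660]):
        print(row)
    for row in simulate([0, 400, 700], wan_restored_at=300):
        print(row)
```

In the second run the WAN link is back at 300 s, yet the client at 400 s is still served by the local authenticator because both main servers remain marked dead until the interval expires.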
To remove the local authenticator from the access point configuration, use the
no radius-server host hostname | ip-address global configuration command.