Cisco 802.1X Local Authentication Service

 
 
BGates
04-07-2004, 03:23 PM
Hi,

I wonder if anyone has had any experience of the new Cisco IEEE 802.1X
Local Authentication Service which is distributed in the latest IOS
release for the Aironet 1200/1100?

It allows the AP to cache users 802.1x credentials so that if the main
RADIUS server is located on a WAN link and this link is down, the AP can
continue to authenticate the clients until the WAN link is restored.

My question is how long the AP caches this information? For
hours/days/indefinitely until the WAN link returns?

Many thanks for any insight,

N
 
Aaron Leonard
04-07-2004, 08:31 PM
On Wed, 07 Apr 2004 16:23:13 +0100, "BGates" <(E-Mail Removed)> wrote:

~ Hi,
~
~ I wonder if anyone has had any experience of the new Cisco IEEE 802.1X
~ Local Authentication Service which is distributed in the latest IOS
~ release for the Aironet 1200/1100?
~
~ It allows the AP to cache users 802.1x credentials so that if the main
~ RADIUS server is located on a WAN link and this link is down, the AP can
~ continue to authenticate the clients until the WAN link is restored.

That's not quite right. With local authentication on the AP, the
credentials from RADIUS are not "cached". Rather, this is actually
a separate "local" RADIUS server running within the IOS AP itself.
The credentials are stored in flash on the AP (independently from
whatever you've configured on the external RADIUS server.)

~ My question is how long the AP caches this information? For
~ hours/days/indefinitely until the WAN link returns?

The idea is that you configure the AP authenticator (RADIUS client)
to first try the external RADIUS server, then fall back to the
local one if no response. There are a few knobs to control
this behavior.

Aaron
 
js@earthlink.net
04-07-2004, 10:02 PM
Aaron,

Can the Local Authentication Service be used as a standalone
authenticator, with no need for an external RADIUS server?

Jesse

 
BGates
04-07-2004, 10:03 PM
On Wed, 07 Apr 2004 13:31:55 -0700, Aaron Leonard wrote:


> The idea is that you configure the AP authenticator (RADIUS client) to
> first try the external RADIUS server, then fall back to the local one if
> no response. There are a few knobs to control this behavior.

Thanks Aaron - you are absolutely right:

Cisco docs:

"You configure the local authenticator access point manually with client
usernames and passwords because it does not synchronize its database with
the main RADIUS servers."
 
BGates
04-08-2004, 07:49 AM
On Wed, 07 Apr 2004 15:02:21 -0700, j wrote:

> Aaron,
>
> Can the Local Authentication Service be used as a standalone
> authenticator, with no need for an external RADIUS server?

Yes it can. I have it running here. You simply need a Cisco client and
AP1200/1100 with the latest IOS firmware and you can perform LEAP
authentication by having the AP use itself as the authenticating RADIUS
server.

Bear in mind LEAP has an Achilles heel in that it sends its MS-CHAP
exchange over the air before the transmission is encrypted and this can be
intercepted and cracked using dictionary or brute force. Use complex
passwords to negate this. The Cisco client allows you to store a
username/password and it will perform the LEAP authentication as the
network interface comes up - so you don't have to remember that complex
password.
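Added example, not from the thread or from Cisco's documentation: an Aironet IOS configuration in the shape Aaron describes, where the AP runs the local RADIUS server in flash and, as a RADIUS client, tries the central server first and falls back to itself; removing the two 192.0.2.10 lines gives the standalone setup BGates describes. All addresses, SSID, usernames, passwords, shared secrets and timer values are made up.

```cisco
! Constructed example: every address, name, secret and timer below is a placeholder.
aaa new-model
!
! --- The AP's own "local" RADIUS server (database lives in flash, entered by hand) ---
radius-server local
 ! Each AP that will query this server is a NAS, including this AP itself
 nas 10.0.0.5 key LOCAL-SHARED-SECRET
 group staff
  ssid corp-wlan
  reauthentication time 1800
  ! Lock the account for 10 minutes after 3 wrong passwords at this authenticator
  block count 3 time 600
  exit
 ! Nothing is synchronised from the central server; users are added manually
 user alice password Correct-Horse-Battery-7 group staff
 user bob password Staple-Tundra-Quill-42 group staff
 exit
!
! --- The authenticator (RADIUS client) side of the same AP ---
! Servers are tried in the order listed: central server first, local server second
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CENTRAL-SHARED-SECRET
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key LOCAL-SHARED-SECRET
!
! The "knobs" for the fallback: 5 s per attempt, 2 retransmits, then the central
! server is marked dead for 10 minutes so later logins go straight to the local one
radius-server timeout 5
radius-server retransmit 2
radius-server deadtime 10
!
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 10.0.0.5 auth-port 1812 acct-port 1813
 exit
aaa authentication login eap_methods group rad_eap
```

The block count limit only slows online guessing against the authenticator; it does nothing against offline cracking of a captured LEAP exchange, so the password-strength advice above still applies.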
 