Cisco Wireless LAN Controller Configuration Guide
OL-17037-01
Chapter 5 Configuring Security Solutions
Configuring Local EAP
Step 4
To specify the order in which user credentials are retrieved from the local and/or LDAP databases, enter this command:
config local-auth user-credentials {local | ldap}
Note
If you enter config local-auth user-credentials ldap local, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If you enter config local-auth user-credentials local ldap, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.
Step 5
To specify values for the local EAP timers, enter these commands:
• config local-auth active-timeout timeout—Specifies the amount of time (in seconds) in which the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fails. The valid range is 1 to 3600 seconds, and the default setting is 100 seconds.
• config advanced eap identity-request-timeout timeout—Specifies the amount of time (in seconds) in which the controller attempts to send an EAP identity request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
• config advanced eap identity-request-retries retries—Specifies the maximum number of times that the controller attempts to retransmit the EAP identity request to wireless clients using local EAP. The valid range is 1 to 20 retries, and the default setting is 20 retries.
• config advanced eap key-index index—Specifies the key index used for dynamic wired equivalent privacy (WEP). The default setting is 0.
• config advanced eap request-timeout timeout—Specifies the amount of time (in seconds) in which the controller attempts to send an EAP request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
• config advanced eap request-retries retries—Specifies the maximum number of times that the controller attempts to retransmit the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries, and the default setting is 20 retries.
• config advanced eap eapol-key-timeout timeout—Specifies the amount of time (in seconds) in which the controller attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 1 to 5 seconds, and the default setting is 1 second.
• config advanced eap eapol-key-retries retries—Specifies the maximum number of times that the controller attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 0 to 4 retries, and the default setting is 2 retries.
• config advanced eap max-login-ignore-identity-response {enable | disable}—When enabled, this command limits the number of devices that can be connected to the controller with the same username. You can log in up to eight times from different devices (PDA, laptop, IP phone, and so on) on the same controller. The default value is enabled.
Step 6
To create a local EAP profile, enter this command:
config local-auth eap-profile add profile_name
Note
Do not include spaces within the profile name.
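The following is an added example, not part of the Cisco guide or any Cisco tool: a small pre-change check that lints a block of controller CLI lines against the valid ranges in Step 5, the failover behavior described in the Step 4 note, and the profile-name rule in Step 6. The function name audit and the sample lines are assumptions constructed for illustration.

```python
# (min, max) per command, copied from the valid ranges stated in Step 5.
RANGES = {
    "local-auth active-timeout": (1, 3600),
    "advanced eap identity-request-timeout": (1, 120),
    "advanced eap identity-request-retries": (1, 20),
    "advanced eap request-timeout": (1, 120),
    "advanced eap request-retries": (1, 120),
    "advanced eap eapol-key-timeout": (1, 5),
    "advanced eap eapol-key-retries": (0, 4),
}
CRED = "local-auth user-credentials"
PROFILE = "local-auth eap-profile add"

def audit(script):
    """Return (line_number, message) findings for a block of CLI lines."""
    findings = []
    for n, raw in enumerate(script.splitlines(), 1):
        words = raw.split()
        if not words or words[0] != "config":
            continue  # blank line or not a config command
        body = " ".join(words[1:])
        for cmd, (lo, hi) in RANGES.items():
            if body.startswith(cmd + " "):
                arg = body[len(cmd) + 1:]
                if not arg.isdecimal() or not lo <= int(arg) <= hi:
                    findings.append((n, f"{cmd}: {arg!r} outside {lo}-{hi}"))
        if body.startswith(CRED + " "):
            order = body[len(CRED) + 1:].split()
            if order == ["ldap", "local"]:
                # Step 4 note: this order falls back to the local user database.
                findings.append((n, "credentials: LDAP first, fails over to local DB if LDAP is unreachable"))
            elif set(order) - {"local", "ldap"}:
                findings.append((n, f"credentials: unknown source in {order}"))
        if body.startswith(PROFILE + " ") and len(body[len(PROFILE) + 1:].split()) > 1:
            findings.append((n, "eap-profile: profile name must not contain spaces"))
    return findings

# Constructed sample input (not taken from a real controller).
SAMPLE = """\
config local-auth user-credentials ldap local
config local-auth active-timeout 7200
config advanced eap identity-request-retries 20
config advanced eap eapol-key-timeout 0
config advanced eap request-retries 120
config local-auth eap-profile add corp eap
"""

if __name__ == "__main__":
    for line_no, msg in audit(SAMPLE):
        print(f"line {line_no}: {msg}")
```

The ldap local finding is informational: it records that local accounts become the authentication source whenever the LDAP servers cannot be reached, so those accounts should be reviewed as part of the change.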