Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Administering the WAP Access
Chapter 6
In this example, the wireless device is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
AP(config)# aaa group server radius group1
AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
AP(config-sg-radius)# exit
AP(config)# aaa group server radius group2
AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
AP(config-sg-radius)# exit
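An added check, not part of the manual: it parses the example configuration above and reports group members with no matching global radius-server host entry, groups with fewer than two servers (no fail-over backup), and defined hosts that no group references. It assumes that a server line inside a group must match a global host entry on address and both ports; the function names are hypothetical.

```python
import re

# The configuration from the example above, with wrapped lines rejoined.
SAMPLE = """\
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
AP(config)# aaa group server radius group1
AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
AP(config-sg-radius)# exit
AP(config)# aaa group server radius group2
AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
AP(config-sg-radius)# exit
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")
HOST = re.compile(r"^(radius-server host|server) (\S+) auth-port (\d+) acct-port (\d+)$")
GROUP = re.compile(r"^aaa group server radius (\S+)$")

def parse(text):
    """Return (global_hosts, groups); a host entry is (ip, auth_port, acct_port)."""
    hosts, groups, current = set(), {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := GROUP.match(line):
            current = groups.setdefault(m.group(1), [])
        elif line == "exit":
            current = None
        elif m := HOST.match(line):
            entry = (m.group(2), int(m.group(3)), int(m.group(4)))
            if m.group(1) == "radius-server host":
                hosts.add(entry)
            elif current is not None:
                current.append(entry)
    return hosts, groups

def audit(text):
    # Assumption: a group member is valid only if it equals a global host entry.
    hosts, groups = parse(text)
    members = [(g, e) for g, es in groups.items() for e in es]
    return {
        "undefined": [(g, e) for g, e in members if e not in hosts],
        "no_failover": sorted(g for g, es in groups.items() if len(es) < 2),
        "unused": sorted(hosts - {e for _, e in members}),
    }

if __name__ == "__main__":
    for finding, items in audit(SAMPLE).items():
        print(finding, items)
```

Run on the configuration as printed, it reports the group2 entry on ports 2000/2001 as undefined, both groups as having a single server, and 172.10.0.1 as unused.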
Configuring RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the wireless device uses information retrieved from the user profile, which is in the local user database or on the security server, to configure the user session. The user is granted access to a requested service only if the information in the user profile permits it.
You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
• Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.
• Use the local database if authentication was not performed by using RADIUS.
TIP
Authorization is bypassed for authenticated users who log in through the CLI, even if authorization has been configured.