ap(config)# aaa group server radius <server groupname for EAP>
ap(config-sg-radius)# server <ip address> auth-port 1645 acct-port 1646
ap(config-sg-radius)# deadtime <minutes>
ap(config)# aaa authentication login <auth list for EAP> group <server groupname>
Step 8 In the Global Server Properties section of the Server Manager page, configure non-default values, if required, for RADIUS Server Timeout (the default is 5 seconds), RADIUS Server Retransmit Retries (the default is three attempts), and Dead RADIUS Server List (the default is Disabled). The Dead RADIUS Server function controls the period of time that the access point stays on a secondary or backup server before it again attempts to authenticate users with the primary server.
If the Dead RADIUS Server List is not enabled, all authentication attempts to the primary server must time out before the access point tries authentication with the backup server. Therefore, the Dead RADIUS Server List should be enabled for all deployments of backup RADIUS servers.
Step 9 Choose SSID Manager from the Security submenu.
Step 10 Choose SSID from the Current SSID List (see Figure 11) to configure Cisco LEAP for the active SSID.
Step 11 Check the Network EAP check box. If you are using non-Cisco client cards, specify Open Authentication, check the Add check box, and specify EAP Authentication in the drop-down box.
Step 12 Click Apply to activate changes to the appropriate radio interface (Radio0 for an internal radio, Radio1 for a modular radio).
This CLI command approximates the GUI steps above:
Step 13 Choose WEP Key Manager from the Security submenu.
Step 14 Choose Optional or Mandatory encryption from the WEP Encryption drop-down box under the Encryption Modes section. Choosing Optional encryption permits non-WEP clients to associate to the access point.
Step 15 Click Apply to activate changes for the appropriate radio interface.
Step 16 Choose Advanced Security from the Security submenu.
Step 17 Click the Timers tab.
Step 18 Under Global Client Properties, set the client holdoff time, the period of time during which a client is prevented from reauthenticating after unsuccessful EAP retries. You can also configure the EAP reauthentication interval and the EAP client timeout. The EAP reauthentication interval causes the access point to force client reauthentication at the specified interval when the RADIUS server does not supply one (for example, through a Session-Timeout attribute). The EAP client timeout controls how long the access point waits for an EAP response from the client before it considers the EAP request failed.
These CLI commands approximate the GUI steps above:
ap(config)# dot11 holdoff-time <seconds>    (client lockout after unsuccessful EAP)
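The following running-configuration fragment collects Steps 8 through 18 into one CLI configuration. It is an added example, not text from the original guide: the server addresses, shared secret, group name, method list name, SSID name, and timer values are assumed, and the interface-level dot1x timer keywords are those of the 12.2(x)JA releases (later releases spell them dot1x timeout reauth-period and dot1x timeout supp-response). Broadcast key rotation is used in place of a static broadcast WEP key.

```cisco
! Added example (not from the original guide). Assumed values:
! primary RADIUS 10.1.1.10, backup RADIUS 10.1.1.11, shared secret S3cretKey,
! server group rad_eap, method list eap_methods, SSID corp-leap.
aaa new-model
!
! Step 7/8: server group with both servers; deadtime enables the Dead RADIUS Server List
! so the access point fails over instead of timing out every request against the primary.
aaa group server radius rad_eap
 server 10.1.1.10 auth-port 1645 acct-port 1646
 server 10.1.1.11 auth-port 1645 acct-port 1646
 deadtime 10
!
aaa authentication login eap_methods group rad_eap
!
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key S3cretKey
radius-server host 10.1.1.11 auth-port 1645 acct-port 1646 key S3cretKey
! Step 8: global timeout (seconds) and retransmit count
radius-server timeout 5
radius-server retransmit 3
!
! Step 18: lock a client out for 60 seconds after unsuccessful EAP retries
dot11 holdoff-time 60
!
interface Dot11Radio0
 ! Steps 13-15: Mandatory encryption; non-WEP clients cannot associate.
 ! (encryption mode wep optional would admit them.)
 encryption mode wep mandatory
 ! Rotate the broadcast key every 5 minutes instead of configuring a static one
 broadcast-key change 300
 ! Steps 9-12: Network EAP for Cisco clients, Open with EAP for non-Cisco clients
 ssid corp-leap
    authentication open eap eap_methods
    authentication network-eap eap_methods
 ! Step 18: force reauthentication hourly when the RADIUS server gives no interval,
 ! and fail an EAP request after 30 seconds without a client response
 dot1x reauth-period 3600
 dot1x client-timeout 30
```

After applying the configuration, confirm the method list is bound to the SSID with show running-config interface dot11radio 0 and watch authentication against the backup server with debug radius after making the primary unreachable; if each request still waits out the full timeout and retransmit count before succeeding, deadtime has not taken effect.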
Special attention should be paid to the use of strong passwords. Cisco LEAP is a password-based authentication method: its challenge/response exchange can be observed over the air and used for an offline dictionary attack against the user's password, so password strength is the primary defense. To minimize the possibility of a successful dictionary attack, use strong passwords, which are difficult to guess. Some characteristics of strong passwords include the following:
A minimum of ten characters.
A mixture of uppercase and lowercase letters.
At least one numeric character or one non-alphanumeric character (example: !#@$%).
No form of the user's name or user ID.
Not a word found in a dictionary (domestic or foreign).
Client / Device cannot authenticate
WLAN adapters (wireless card) / ACU (Aironet Client Utility)