ADTRAN BlueSecure Controller Setup And Administration Manual page 108

Software release version: 6.5

Chapter 6: Authentication Using External Servers
Name
Enter a meaningful name for the external RADIUS authentication server.
Note: As described in the previous section, if you wish to authenticate iPass clients who
attempt to log into the BSC, you must include the word "iPass" in the name you assign to
the external RADIUS authentication server. For example, if you enter "iPass Authentication
Server" in the Name field, the BSC will attempt to authenticate iPass clients, along with
other BSC users, against the external RADIUS authentication server.
Precedence
Optional. If you are setting up multiple external RADIUS authentication servers and need
to establish the order in which the BSC checks the servers for user authentication, select
the server's priority from the Precedence drop-down list.
Note that 1 means the server is checked first. The precedence you configure here does
not apply to Transparent NTLM Windows logins, Transparent 802.1x logins, or local
users in the BSC database, because these authentication schemes are always checked
first.
If you set a Precedence for a server that is the same as that set for a previously configured
server, the previous server's Precedence, and that of all servers having a lower
configured precedence, is incremented by 1. For example, if server A already has a
Precedence of 1 and server B's is 2 and you then set server C's to 1, server A's
Precedence becomes 2 and server B's becomes 3.
RADIUS Server Settings
1. Enter the server's IP address or fully qualified domain name in the Server address
field.
2. Enter the server's port number in the Port field.
3. Enter the known secret shared between the BSC and the RADIUS authentication
server in the Shared secret field, and then confirm the shared secret by entering it in
the Confirm shared secret field.
4. Enter the number of seconds by which the RADIUS server must respond to the BSC's
query before the request times out in the Timeout field. You must enter a value greater
than zero in this field.
NAS Identifier
Optional. Enter a Network Access Server identifier string used to access the RADIUS
server in the NAS Identifier field. When left blank, the BSC sends its configured host
name as the NAS identifier.
Note: Make sure you leave the NAS Identifier field blank when using replication so that a
common NAS Identifier is not copied to all nodes. Otherwise, when using RADIUS
Accounting, the entries in the RADIUS log will show a common NAS identifier for all
replicated nodes, making it impossible to determine the specific server that initiated the
RADIUS request.
NAC Integration
Mark the Enable MAC Address Authentication checkbox to enable the BSC, upon seeing
a MAC address from a user device, to authenticate that MAC address against a RADIUS
authentication server for role placement. The BSC will supply the device MAC address as
the username and password for RADIUS authentication. If the MAC address RADIUS
authentication fails, then the user remains in the unregistered role and must authenticate
via other methods (user login page, NTLM, etc.).
Mark the Enable BlueSocketRole Vendor Attribute checkbox to allow role placement using
the Bluesocket RADIUS vendor attribute (vendor code 9967, attribute 100, type string).
This is used by a NAS server to override the user's role, specifically for BVMS Guest
Manager and 3rd party NAC integration.
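
Because this attribute lets the RADIUS server override a user's role, it helps to confirm exactly what a server is sending. The Python below is an added example, not ADTRAN code: it encodes and parses the role attribute so that an attribute list taken from a captured Access-Accept can be checked. It assumes the attribute uses the standard RFC 2865 Vendor-Specific layout (type 26, vendor ID, then vendor type, vendor length, data); the role name "Guest" and the sample bytes are constructed.

```python
import struct
from typing import Optional

VENDOR_SPECIFIC = 26       # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
BLUESOCKET_VENDOR = 9967   # vendor code given in the manual
BLUESOCKET_ROLE = 100      # vendor attribute number given in the manual


def encode_role_vsa(role: str) -> bytes:
    """Build the Vendor-Specific attribute carrying a role name (assumed layout)."""
    data = role.encode("utf-8")
    if not 1 <= len(data) <= 247:  # 255 - 2 (attr header) - 4 (vendor id) - 2 (sub header)
        raise ValueError("role must encode to 1..247 bytes")
    sub = struct.pack("!BB", BLUESOCKET_ROLE, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, BLUESOCKET_VENDOR) + sub


def extract_role(attrs: bytes) -> Optional[str]:
    """Walk a RADIUS attribute list; return the Bluesocket role, or None if absent."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != BLUESOCKET_VENDOR:
            continue  # some other vendor's VSA
        sub = value[4:]
        # Sub-attributes: vendor type (1 byte), vendor length (1 byte), data.
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == BLUESOCKET_ROLE:
                return sub[2:vlen].decode("utf-8")
            sub = sub[vlen:]
    return None


# Constructed sample: Reply-Message (type 18) followed by the role VSA.
SAMPLE = bytes([18, 4]) + b"ok" + encode_role_vsa("Guest")
```
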
Accounting
To enable RADIUS accounting for this server, select the name of the external RADIUS
accounting server from the Accounting server drop-down list.