Using The Switch's Radius Server Versus An External Radius; Defining The Radius Configuration - Motorola WiNG 4.4 Reference Manual

6 - 92 WiNG 4.4 Switch System Reference Guide
Group to WLAN access is controlled using a "Time of the day" access policy.
Consider User1 (part of Group 1), which is mapped to WLAN1 (ESSID of WLAN1). When the user tries to connect to
WLAN1, the user is prompted to enter his/her credentials. Once the authentication and authorization phases are
successful, only User1 is able to access WLAN1 for the allowed duration (but not any other WLAN). Each user group can
be configured to be a part of one VLAN. All the users in that group are assigned the same VLAN ID if dynamic VLAN
authorization has been enabled on the WLAN.

6.8.1.4 Proxy to External Radius Server

Proxy realms are configured on the switch, along with the details of the external Radius server to which the corresponding
realm's users are to be proxied. The user ID received is parsed as one of the formats user@realm, realm/user, user%realm
or user/realm to determine which proxy Radius server is to be used.

6.8.1.5 LDAP

An external data source based on LDAP can be used to authorize users. The Radius server looks for user credentials in the
configured external LDAP server and authorizes users. The switch supports two LDAP server configurations.

6.8.1.6 Accounting

Accounting should be initiated by the Radius client. Once the Local/Onboard Radius server is started, it listens for both
authentication and accounting records.

6.8.2 Using the Switch's Radius Server Versus an External Radius

The switch ships with a default configuration defining the local Radius Server as the primary authentication source (default
users are admin with superuser privileges and operator with monitor privileges). No secondary authentication source is
specified. However, Motorola Solutions recommends using an external Radius Server as the primary authentication source
and the local switch Radius Server as the secondary user authentication source. For information on configuring an external
Radius Server, see Configuring External Radius Server Support on page 4-47. For instructions on how to configure the
switch's local Radius Server, see Defining the Radius Configuration on page 6-92.
If an external Radius server is configured as the switch's primary user authentication source and the switch's local Radius
Server is defined as an alternate method, the switch first tries to authenticate users using the external Radius Server. If
an external Radius Server is unreachable, the switch reverts to the local Server's user database to authenticate users.
However, if the external Radius server is reachable but rejects the user or if the user is not found in the external Server's
database, the switch will not revert to the local Radius Server and the authentication attempt fails.
If the switch's local Radius Server is configured as the primary authentication method and an external Radius Server is
configured as an alternate method, the alternate external Radius Server will not be used as an authentication source if a
user does not exist in the local Server's database, since the primary method has rejected the authentication attempt.

6.8.3 Defining the Radius Configuration

To configure Radius support on the switch:
1. Select Security > Radius Server from the main menu.
2. Ensure the Configuration tab is selected.
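
The failover rules of section 6.8.2, modelled in Python as an added example (not Motorola's code or the switch's implementation). `Source`, `authenticate`, `fallback_only_accounts` and the sample users and passwords are hypothetical names and constructed data.

```python
# Added illustration of the section 6.8.2 failover rules; not switch code.
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered: bad password or unknown user
    UNREACHABLE = "unreachable"  # server did not answer


class Source:
    """Hypothetical stand-in for one Radius authentication source."""

    def __init__(self, name, users, reachable=True):
        self.name, self.users, self.reachable = name, users, reachable

    def check(self, user, password):
        if not self.reachable:
            return Result.UNREACHABLE
        ok = user in self.users and self.users[user] == password
        return Result.ACCEPT if ok else Result.REJECT


def authenticate(primary, alternate, user, password):
    """Return (result, name of the source that made the decision)."""
    first = primary.check(user, password)
    if first is not Result.UNREACHABLE or alternate is None:
        return first, primary.name  # a reachable primary's answer is final
    # The alternate is consulted only when the primary cannot be reached.
    return alternate.check(user, password), alternate.name


def fallback_only_accounts(primary, alternate):
    """Alternate-source accounts the primary would reject: these credentials
    work only while the primary is unreachable, so review them separately."""
    return sorted(u for u, pw in alternate.users.items()
                  if primary.users.get(u) != pw)


# Constructed sample data, not taken from the manual.
EXTERNAL = Source("external", {"alice": "pw-a", "bob": "pw-b"})
LOCAL = Source("local", {"admin": "pw-local", "alice": "pw-old"})

if __name__ == "__main__":
    print(authenticate(EXTERNAL, LOCAL, "admin", "pw-local"))  # external rejects
    EXTERNAL.reachable = False
    print(authenticate(EXTERNAL, LOCAL, "admin", "pw-local"))  # local decides
    print(fallback_only_accounts(EXTERNAL, LOCAL))
```

With the local server as primary, `authenticate(LOCAL, EXTERNAL, "bob", "pw-b")` is rejected by the local source and the external server is never consulted, matching the last paragraph of 6.8.2.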
