Using The Controller's Radius Server Versus An External Radius - Brocade Communications Systems RFS6000 System Reference Manual

Provides centralized wireless LAN (WLAN) configuration and management

Consider User1 (part of Group 1), which is mapped to WLAN1 (ESSID of WLAN1). When the user
tries to connect to WLAN1, the user is prompted to enter his/her credentials. Once the
authentication and authorization phases are successful, only User1 is able to access WLAN1 for
the allowed duration (but not any other WLAN). Each user group can be configured to be a part of
one VLAN. All the users in that group are assigned the same VLAN ID if dynamic VLAN authorization
has been enabled on the WLAN.

Proxy to external Radius server

Proxy realms are configured on the controller, which has the details of the external Radius server to
which the corresponding realm users are to be proxied. The obtained user ID is parsed in a
(user@realm, realm/user, user%realm, user/realm) format to determine which proxy Radius server
is to be used.

LDAP

An external data source based on LDAP can be used to authorize users. The Radius server looks for
user credentials in the configured external LDAP server and authorizes users. The controller
supports two LDAP server configurations.

Accounting

Accounting should be initiated by the Radius client. Once the Local/Onboard Radius server is
started, it listens for both authentication and accounting records.

Using the controller's Radius server versus an external Radius

The controller ships with a default configuration defining the local Radius Server as the primary
authentication source (default users are admin with superuser privileges and operator with
monitor privileges). No secondary authentication source is specified. However, Brocade
recommends using an external Radius Server as the primary authentication source and the local
controller Radius Server as the secondary user authentication source. For information on
configuring an external Radius Server, see "Configuring external Radius server support" on
page 132. For instructions on how to configure the controller's local Radius Server, see "Defining
the Radius configuration" on page 429.
If an external Radius server is configured as the controller's primary user authentication source
and the controller's local Radius Server is defined as an alternate method, the controller first tries
to authenticate users using the external Radius Server. If the external Radius Server is
unreachable, the controller reverts to the local Server's user database to authenticate users.
However, if the external Radius server is reachable but rejects the user or if the user is not found in
the external Server's database, the controller will not revert to the local Radius Server and the
authentication attempt fails.
If the controller's local Radius Server is configured as the primary authentication method and an
external Radius Server is configured as an alternate method, the alternate external Radius Server
will not be used as an authentication source if a user does not exist in the local Server's database,
since the primary method has rejected the authentication attempt.
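
The fallback rule described above, modeled as an added example (not code from the Brocade manual or the controller firmware). The source functions, user names, and passwords are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # bad credentials, or user not in this database
    UNREACHABLE = "unreachable"  # server did not answer

def make_source(users, reachable=True):
    """Hypothetical auth source backed by a dict of user -> password."""
    def check(user, password):
        if not reachable:
            return Result.UNREACHABLE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return check

def authenticate(user, password, primary, secondary=None):
    """Apply the fallback rule: only an unreachable primary hands the
    attempt to the secondary; a reject from the primary is final."""
    result = primary(user, password)
    if result is Result.UNREACHABLE and secondary is not None:
        return secondary(user, password), "secondary"
    return result, "primary"

# Constructed sample databases (not real accounts or passwords).
EXTERNAL_USERS = {"alice": "ext-pass"}
LOCAL_USERS = {"admin": "local-pass"}

def run_scenarios():
    local = make_source(LOCAL_USERS)
    ext_up = make_source(EXTERNAL_USERS)
    ext_down = make_source(EXTERNAL_USERS, reachable=False)
    return {
        # External primary reachable: a local-only user is rejected, no fallback.
        "ext_up_local_user": authenticate("admin", "local-pass", ext_up, local),
        # External primary unreachable: the local database decides.
        "ext_down_local_user": authenticate("admin", "local-pass", ext_down, local),
        "ext_down_ext_user": authenticate("alice", "ext-pass", ext_down, local),
        # Local primary: an external-only user is rejected, alternate never asked.
        "local_primary_ext_user": authenticate("alice", "ext-pass", local, ext_up),
    }

if __name__ == "__main__":
    for name, (result, source) in run_scenarios().items():
        print(f"{name}: {result.value} (decided by {source})")
```

While the external server is unreachable, the local user database is the only source consulted, so the set of accounts that can authenticate changes for the duration of the outage.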

Defining the Radius configuration

To configure Radius support on the controller:
Brocade Mobility RFS6000 and RFS7000 System Reference Guide
53-1001858-01