
Extreme Networks Summit WM3000 Series Reference Manual page 397

Summit wm3000 series controller system software version 4.0


The controller's local Radius server stores the authentication data locally, but can also be configured to
use a remote user database. A Radius server acting as the centralized authentication server is an excellent
choice for performing accounting. Radius can significantly increase security by centralizing password
management.

NOTE
The controller can be configured to use its own local Radius server or an external Radius server you define and
configure. For information on the benefits and risks of using the controller's resident Radius Server (as opposed to
an external Radius Server), see "Using the Controller's Radius Server Versus an External Radius" on page 398.

CAUTION
When restarting or rebooting the controller, the Radius server is restarted regardless of its state before the reboot.

The Radius server defines authentication and authorization schemes for granting access to wireless
clients. Radius is also used for authenticating hotspot and remote VPN Xauth. The controller can be
configured to use 802.1x EAP for authenticating wireless clients with a Radius server. The following
EAP authentication types are supported by the controller's internal Radius server:
TLS
TLS and MD5
TTLS and PAP
TTLS and MSCHAPv2
PEAP and GTC
PEAP and MSCHAPv2

Apart from EAP authentication, the controller allows the enforcement of user-based policies. User-based
policies include dynamic VLAN assignment and access based on time of day.

The controller uses a default trustpoint. A certificate is required for EAP TTLS, PEAP and TLS Radius
authentication (configured with the Radius service).

Dynamic VLAN assignment is achieved based on the Radius server response. A user who associates to
WLAN1 (mapped to VLAN1) can be assigned a different VLAN after authentication with the Radius
server. This dynamic VLAN assignment overrides the VLAN ID of the WLAN to which the user associates.

CAUTION
For a Radius supported VLAN to function properly, the Dynamic Assignment checkbox must be enabled for the
WLAN supporting the VLAN. For more information, see "Editing the WLAN Configuration" on page 113.

For 802.1x EAP authentication, the controller initiates the authentication process by sending an EAPoL
message to the Access Point only after the wireless client joins the wireless network. The Radius client
in the controller processes the EAP messages it receives. It encapsulates them in Radius access requests
and sends them to the configured Radius server (in this case the controller's local Radius server).

The Radius server validates the user's credentials and challenge information received in the Radius
access request frames. If the user is authorized and authenticated, the Radius server grants the client
access by sending a Radius access accept frame. The frame is transmitted to the client in EAPoL frame format.
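
As an added example (not taken from the Extreme Networks manual or the controller software), the Python below shows how a Radius client can authenticate an access accept frame, read the assigned VLAN from it, and let that VLAN override the WLAN's VLAN only when Dynamic Assignment is enabled. It assumes the server signals the VLAN with the RFC 3580 tunnel attributes, which this page does not state; the function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6  # RFC 3580 values, assumed for this controller

def attributes(body):
    """Return {type: first value} for the TLV attributes of a Radius packet."""
    found, pos = {}, 0
    while pos < len(body):
        alen = body[pos + 1] if pos + 1 < len(body) else 0
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        found.setdefault(body[pos], body[pos + 2:pos + alen])
        pos += alen
    return found

def vlan_from_accept(packet, request_auth, secret):
    """Return the VLAN ID in an authentic Access-Accept, or None if absent."""
    if (len(packet) < 20 or packet[0] != ACCESS_ACCEPT
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("not a well-formed Access-Accept")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(digest, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs = attributes(packet[20:])
    tunnel = [int.from_bytes(attrs.get(t, b"")[1:4], "big")  # skip the tag byte
              for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE)]
    if tunnel != [TYPE_VLAN, MEDIUM_IEEE_802]:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    vlan = int(group) if group.isdigit() else 0
    return vlan if 1 <= vlan <= 4094 else None

def effective_vlan(wlan_vlan, dynamic_assignment, radius_vlan):
    """The Radius VLAN overrides the WLAN's VLAN only when Dynamic Assignment is on."""
    return radius_vlan if dynamic_assignment and radius_vlan else wlan_vlan

def build_accept(ident, request_auth, secret, vlan):  # constructed sample packet
    gid = str(vlan).encode()
    body = (bytes([TUNNEL_TYPE, 6, 0, 0, 0, TYPE_VLAN, TUNNEL_MEDIUM_TYPE, 6, 0, 0, 0,
                   MEDIUM_IEEE_802, TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)]) + gid)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body
```

A frame whose Response Authenticator does not match the shared secret is rejected before any attribute is read, so a forged or altered accept frame cannot move a client to a different VLAN.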


This manual is also suitable for:

Summit wm3600, Summit wm3700