Chapter 9. Radius; Overview - Motorola WS5100 Series Migration Giude

This chapter provides detailed feature and configuration information for the Radius features.
•

Overview

• Configuring Onboard Radius Server using CLI
• Configuring Radius using GUI
• Configuring Radius Server
• Configuring WLAN
• Configuring LDAP
9.1 Overview
The Radius server is used to define authentication and authorization schemes in the WS5100 switch for
granting the access to the wireless clients. Radius is also used for authenticating hotspot and remote VPN
Xauth.
The WS5100 switch can be configured to use 802.1x EAP for authenticating the wireless clients with a
RADIUS server. The following EAP authentication types are supported by the onboard Radius server:
• TLS*
• TTLS and MD5
• TTLS and PAP
• TTLS and MSCHAPv2
• PEAP and GTC
• PEAP and MSCHAPv2
Apart from EAP authentication, the WS5100 switch's capabilities allows enforcement of User based policies.
User based policies include dynamic VLAN assignment, access based on time of day, etc.
The WS5100 switch uses the default trustpoint. A certificate is required for EAP type TTLS,PEAP and TLS
Radius authentication, which can be configured with the Radius service.
Dynamic VLAN assignment is done based on the Radius server response. A user who associates to WLAN1
(mapped to VLAN1) can be assigned to a different VLAN after authentication with the Radius server. This
dynamic VLAN assignment overrides the WLAN's VLAN ID to which the User associates.
For 802.1x EAP authentication, the WS5100 switch initiates the authentication process by sending EAPoL
message to the access port only after the wireless client joins the wireless network. The RADIUS client in
Radius