Example 2: IEEE 802.1X with an External RADIUS Server - Black Box LWN602A User Manual

Smartpath enterprise wireless system

9.2 Example 2: IEEE 802.1X with an External RADIUS Server

You can configure SmartPath APs to act as RADIUS authenticators, also known as RADIUS clients or network access server (NAS)
devices. They forward IEEE 802.1X/EAP user authentication requests and responses between wireless supplicants and up to four
RADIUS authentication servers (a primary and three backups). In this example, you configure two SmartPath APs to act as RADIUS
authenticators. They provide network access to wireless clients/RADIUS supplicants and pass authentication requests between the
supplicants and a RADIUS authentication server.

NOTE: This example makes several assumptions about the RADIUS authentication server: (1) user accounts are already stored on it;
(2) it listens on UDP port 1812 for authentication requests; (3) it uses "t6bEdmNfot3vW9vVr6oAz48CNCsDtInd" as its
shared secret; (4) it allows RADIUS authentication requests from NAS devices in the 10.1.1.0/24 subnet. For configuration
details, consult the product documentation for your RADIUS server.

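
The server-side assumptions in the NOTE, as an added example that is not part of the manual or of SmartPath/RADIUS server code: a Python sketch of the two checks a RADIUS server applies to an EAP Access-Request before it looks at any user account, namely the NAS source subnet and the Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 3579). The AP address 10.1.1.21 and the user "alice" are constructed; the two secret strings are the ones printed in the NOTE and in the Figure 9-6 label, used here to show what happens when the AP and the server do not hold the same value.

```python
import hashlib, hmac, ipaddress, os, struct

ALLOWED_NAS = ipaddress.ip_network("10.1.1.0/24")             # NOTE, assumption (4)
ACCESS_REQUEST, NAS_IP, EAP_MESSAGE, MSG_AUTH = 1, 4, 79, 80  # RFC 2865 / RFC 3579 codes

def attr(t, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([t, len(value) + 2]) + value

def build_access_request(secret, nas_ip, eap, ident=1):
    """What the AP (NAS) sends: an Access-Request carrying EAP, signed with its secret."""
    attrs = (attr(NAS_IP, ipaddress.ip_address(nas_ip).packed)
             + attr(EAP_MESSAGE, eap)
             + attr(MSG_AUTH, bytes(16)))          # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac              # Message-Authenticator is the last attribute

def server_check(packet, src_ip, secret):
    """What the server verifies before consulting its user database."""
    if ipaddress.ip_address(src_ip) not in ALLOWED_NAS:
        return "drop: unknown NAS"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "drop: malformed"
    pos, zeroed, received = 20, bytearray(packet), None
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return "drop: malformed"
        if t == MSG_AUTH and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)   # field is zero when the HMAC is taken
        pos += length
    if received is None:
        return "drop: no Message-Authenticator"    # mandatory alongside EAP-Message
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return "drop: bad Message-Authenticator"   # secret mismatch or altered packet
    return "process"

# Constructed sample: an EAP-Response/Identity for a made-up user "alice".
EAP_IDENTITY = bytes([2, 0, 0, 10, 1]) + b"alice"
SERVER_SECRET = b"t6bEdmNfot3vW9vVr6oAz48CNCsDtInd"   # value given in the NOTE

if __name__ == "__main__":
    for ap_secret in (SERVER_SECRET, b"radius123"):   # second value: Figure 9-6 label
        pkt = build_access_request(ap_secret, "10.1.1.21", EAP_IDENTITY)
        print(ap_secret.decode(), "->", server_check(pkt, "10.1.1.21", SERVER_SECRET))
```

A dropped request produces no reply at all, so on the AP side a secret mismatch looks like a server timeout rather than an Access-Reject.
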
You also configure an SSID that makes use of IEEE 802.1X/EAP authentication on the SmartPath AP authenticators. Because an
SSID using 802.1X/EAP authentication can support numerous user profiles, the example shows how two groups of users—
employees and IT staff—can access the same SSID but be assigned to two different VLANs. See Figure 9-6.

Figure 9-6. Authentication requests and replies for wireless clients on two SmartPath APs.
Figure 9-6 labels: RADIUS Authentication Server (IP Address: 10.1.1.10; Authentication Port: 1812; Shared Secret: radius123); Authentication Requests.

This example assumes that you have already accepted the SmartPath APs for SmartPath EMS management, assigned them to a
WLAN policy that includes a cluster and at least one SSID, and pushed that configuration to them. In other words, the SmartPath
APs are already under SmartPath EMS management by the time you begin the configuration in this example. If that is not yet the
case, see Chapter 8 before continuing.

VLANs and User Profiles

To begin, you create two VLAN objects and then two user profiles, each of which references one of the VLANs. When you
configure the SSID later, you reference both user profiles in the SSID configuration. With this approach, the SmartPath APs apply
different VLANs to traffic from different users based on their corresponding user profiles.

Figure 9-6 labels (continued): SmartPath AP RADIUS Authenticators (NAS Devices), 10.1.1.0/24 subnet; SSID: corp-wifi, Auto-(WPA or WPA2)-EAP (802.1X); Supplicants (Wireless Clients).
User Profile, Attribute, and VLAN:
Emp(1), 1, VLAN 10 (striped yellow)
IT(2), 2, VLAN 20 (solid purple)
Chapter 9: Common Configuration Examples
Figure 9-6 callouts:
The RADIUS authentication server checks authentication requests against user accounts stored in its database. (Authentication Replies)
The SmartPath APs act as RADIUS authenticators, forwarding authentication requests and replies between supplicants and the RADIUS authentication server.
Based on the attributes that the RADIUS authentication server returns, the SmartPath APs assign employees (user profile = Emp) to VLAN 10 and IT staff (user profile = IT) to VLAN 20.