Using The Switch's Radius Server Versus An External Radius - Motorola WS5100 Series Reference Manual

6.9.1.3 Access Policy
Access policies are defined for a group created in the local database. Each user is authorized based on the
access policies defined for the groups to which the user belongs. Access policies allow the administrator to
control access to a set of users based on the WLANs (ESSID).
Group to WLAN access is controlled using a "Time of the day" access policy.
Consider User1 (part of Group 1), which is mapped to WLAN1 (ESSID of WLAN1). When the user tries to
connect to WLAN1, the user is prompted to enter his/her credentials. Once the authentication and
authorization phases are successful, only User1 is able to access WLAN1 for the allowed duration (but not
any other WLAN). Each user group can be configured to be a part of one VLAN. All the users in that group
are assigned the same VLAN ID if dynamic VLAN authorization has been enabled on the WLAN.
6.9.1.4 Proxy to External Radius Server
Proxy realms are configured on the switch; each realm entry holds the details of the external Radius server to
which that realm's users are proxied. The user ID supplied at login is parsed in one of the (user@realm, realm/user,
user%realm, user/realm) formats to determine which proxy Radius server is to be used.
6.9.1.5 LDAP
An external data source based on LDAP can be used to authorize users. The Radius server looks for user
credentials in the configured external LDAP server and authorizes users. The switch supports two LDAP
server configurations.
6.9.1.6 Accounting
Accounting should be initiated by the Radius client. Once the Local/Onboard Radius server is started, it
listens for both authentication and accounting records.

6.9.2 Using the Switch's Radius Server Versus an External Radius

The switch ships with a default configuration defining the local Radius Server as the primary authentication
source (default users are admin with superuser privileges and operator with monitor privileges). No
secondary authentication source is specified. However, Motorola recommends using an external Radius
Server as the primary authentication source and the local switch Radius Server as the secondary user
authentication source. For information on configuring an external Radius Server, see Configuring External
Radius Server Support on page 4-40. For instructions on how to configure the switch's local Radius Server,
see Defining the Radius Configuration on page 6-70.
If an external Radius server is configured as the switch's primary user authentication source and the switch's
local Radius Server is defined as an alternate method, the switch first tries to authenticate users using the
external Radius Server. If an external Radius Server is unreachable, the switch reverts to the local Server's
user database to authenticate users. However, if the external Radius server is reachable but rejects the user
or if the user is not found in the external Server's database, the switch will not revert to the local Radius
Server and the authentication attempt fails.
If the switch's local Radius Server is configured as the primary authentication method and an external Radius
Server is configured as an alternate method, the alternate external Radius Server will not be used as an
authentication source if a user does not exist in the local Server's database, since the primary method has
rejected the authentication attempt.
Switch Security 6-69
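The method-order rules described above, as an added example that is not Motorola's code or the switch's implementation: a small Python model of the switch's ordered authentication sources, in which only an unreachable server lets the attempt fall through to the alternate method, while a reject (or an unknown user) ends it. The source names, sample users and passwords are constructed for illustration.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Added example (not Motorola's code): models the authentication order
# from 6.9.2 so the "unreachable" and "rejected" cases can be compared.


class Outcome(Enum):
    ACCEPT = "accept"              # server reached, credentials valid
    REJECT = "reject"              # server reached, bad password or unknown user
    UNREACHABLE = "unreachable"    # no response from the server


AuthSource = Callable[[str, str], Outcome]


def radius_db(users: Dict[str, str], reachable: bool = True) -> AuthSource:
    """Stand-in RADIUS server backed by a constructed user->password dict."""
    def _check(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.UNREACHABLE
        return Outcome.ACCEPT if users.get(user) == password else Outcome.REJECT
    return _check


def try_methods(methods: List[Tuple[str, AuthSource]], user: str,
                password: str) -> Tuple[bool, List[Tuple[str, Outcome]]]:
    """Consult sources in configured order. Per the manual, the next method is
    used only when the current one is unreachable; an explicit reject ends the
    attempt without falling back. Returns (accepted, decision trail)."""
    trail: List[Tuple[str, Outcome]] = []
    for name, source in methods:
        outcome = source(user, password)
        trail.append((name, outcome))
        if outcome is Outcome.ACCEPT:
            return True, trail
        if outcome is Outcome.REJECT:
            return False, trail
        # UNREACHABLE: fall through to the alternate method
    return False, trail


# Constructed sample databases: the switch's default local accounts and an
# external server that knows a different set of users.
LOCAL = {"admin": "local-pw", "operator": "local-pw"}
EXTERNAL = {"alice": "corp-pw"}


def recommended_order(external_up: bool) -> List[Tuple[str, AuthSource]]:
    """Motorola's recommended order: external primary, local secondary."""
    return [("external", radius_db(EXTERNAL, external_up)),
            ("local", radius_db(LOCAL))]
```

Note the third case: with the external server reachable, the default local admin account cannot be used at all, so the local secondary only helps during an outage.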