
Configuring External Authentication Servers in the SSID Security Profile

WLAN clients connecting to an SSID in the network can authenticate to an external server, based on the security profile configured on the SSID.

You can create and associate an external authentication server when configuring a security profile for a WLAN SSID.

In Tunnel mode or Mixed mode, authentication is performed at the gateway cluster level: the APs act as authenticators and the gateways act as authentication proxies.

The following table describes the parameters for creating external authentication servers for WLAN client authentication. You can select between LDAP, RADIUS, and Dynamic Authorization:

Table 1: Authentication Server Configuration

Type of Server: RADIUS

Parameters:

  Name: Name of the external RADIUS server.

  IP Address: IP address or FQDN of the external RADIUS server.

  Radsec: Set Radsec to Enabled to secure the communication between the AP and the RADIUS server by creating a TLS tunnel between them. If Radsec is enabled, the following configuration options are displayed:
    Radsec Port: Port number for the RadSec TLS connection. By default, the port number is set to 2083.
    NAS Identifier
    NAS IP Address
    Service Type Framed User
    Query Status of RADIUS Servers (RFC 5997)
    Dynamic Authorization

  Auth Port: Port number on which the external RADIUS server accepts authentication requests. The default port number is 1812.

  Accounting Port: Port number used for sending accounting records to the RADIUS server. The default port number is 1813.

  Shared Key and Retype Shared Key: Shared key (secret) used for communicating with the external RADIUS server.

  Timeout: Timeout duration for one RADIUS request. The AP resends the request the number of times configured in Retry Count before the user is disconnected. For example, with a Timeout of 5 seconds and a Retry Count of 3, the user is disconnected after 20 seconds (the initial request plus three retries). The default value is 5 seconds.

  Retry Count: Maximum number of authentication requests the AP sends to the server group. You can specify a value in the range 1–5. The default value is 3 requests.

  Dynamic Authorization: Select this check box to allow the APs to process RFC 3576-compliant CoA (Change of Authorization) and disconnect messages from the RADIUS server. Disconnect messages terminate the user session immediately, whereas CoA messages modify session authorization attributes such as data filters. When you enable Dynamic Authorization, the AirGroup CoA Port field is displayed; it sets the port for sending Bonjour-support CoA on a port other than the standard CoA port. The default value is 5999.

  NAS IP Address: Enter the IP address. For AP-based cluster deployments, enter the VC IP address as the NAS (Network Access Server) IP address. For Cloud AP based Campus WLAN deployments, enter the AP IP address as the NAS IP address.

  NAS Identifier: String sent as RADIUS attribute 32 (NAS-Identifier) in RADIUS requests to the RADIUS server.

  Dead Time: Dead time for the authentication server, in minutes. When two or more authentication servers are configured on the AP and one of them becomes unavailable, the dead time determines how long the AP treats that server as unavailable before trying it again.

  If Dynamic RADIUS Proxy (DRP) is enabled on the APs, configure the following parameters:
    DRP IP: IP address used as the source IP for RADIUS packets.
    DRP MASK: Subnet mask of the DRP IP address.
    DRP VLAN: VLAN in which the RADIUS packets are sent.
    DRP GATEWAY: Gateway IP address of the DRP VLAN.

  Service Type Framed User: Select any of the following check boxes to send the Service-Type attribute as Framed User in the access requests to the RADIUS server:
    802.1X: Sends the service type as Framed User for 802.1X authentication.
    MAC: Sends the service type as Framed User for MAC authentication.
    Captive Portal: Sends the service type as Framed User for Captive Portal authentication.

  Query Status of RADIUS Servers (RFC 5997): Select any of the following check boxes to detect the status of the RADIUS server:
    Authentication: The AP sends a Status-Server request to determine the actual state of the authentication server before marking the server as unavailable.
    Accounting: The AP sends a Status-Server request to determine the actual state of the accounting server before marking the server as unavailable.

Type of Server: LDAP

Parameters:

  Name: Name of the LDAP server.

  IP Address: IP address of the LDAP server.

  Auth Port: Port number of the LDAP server. The default port number is 389.

  Admin-Distinguished-Name: Distinguished name of the admin user with read and search privileges across all entries in the LDAP database. The admin user need not have write privileges, but must be able to search the database and read the attributes of other users in the database.

  Admin Password and Retype Admin Password: Password for the admin user.

  Base-DN: Distinguished name of the node that contains the entire user database.

  Filter: Filter applied when searching for a user in the LDAP database. The default filter string is (objectclass=*).

  Key Attribute: Attribute used as the key when searching the LDAP server. For Active Directory, the value is sAMAccountName.

  Timeout: Timeout interval, in the range 1–30 seconds, for one request. The default value is 5.

  Retry Count: Maximum number of authentication requests that can be sent to the server group. You can specify a value in the range 1–5. The default value is 3.

Type of Server: Dynamic Authorization Only

Parameters:

  Name: Name of the server.

  IP Address: IP address of the server.

  AirGroup CoA Port: Port number for sending Bonjour-support CoA on a port other than the standard CoA port. The default value is 5999.

  Shared Key and Retype Key: Shared key for communicating with the external RADIUS server.

Change of Authorization (CoA) is a subset of Dynamic Authorization and includes disconnect messages.
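
The Timeout, Retry Count, Dead Time and RFC 5997 Status-Server settings in Table 1 interact during server failover. The following Python model is added here as an illustration and is not taken from Aruba's software: it reproduces the documented semantics (Timeout 5 s with Retry Count 3 gives 20 s before disconnect, a server marked dead is skipped for Dead Time minutes, and a successful Status-Server probe prevents a false dead mark). The class names, the send/probe callbacks, the elapsed-time bookkeeping and the 5-minute dead time are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


def disconnect_after_seconds(timeout_s: int, retry_count: int) -> int:
    """Worst-case wait before the client is disconnected by one server:
    the initial request plus retry_count retries, each waiting timeout_s."""
    return timeout_s * (1 + retry_count)   # Timeout 5 s, Retry Count 3 -> 20 s


@dataclass
class RadiusServer:
    name: str
    dead_until: float = 0.0   # absolute time until which the AP skips this server


@dataclass
class ServerGroup:
    """Hypothetical model of the AP's RADIUS server group (not Aruba code)."""
    servers: List[RadiusServer]
    timeout_s: int = 5           # Timeout
    retry_count: int = 3         # Retry Count
    dead_time_min: int = 5       # Dead Time in minutes (constructed value)
    status_server: bool = False  # Query Status of RADIUS Servers (RFC 5997)

    def authenticate(self, now: float,
                     send: Callable[[str], Optional[bool]],
                     probe: Callable[[str], bool]) -> dict:
        """send(name) returns True/False for Access-Accept/Reject, or None when
        the request times out; probe(name) is the Status-Server exchange.
        Returns the outcome and the seconds spent waiting before it."""
        elapsed = 0
        for srv in self.servers:
            if srv.dead_until > now:
                continue                       # still inside its dead time
            for _attempt in range(1 + self.retry_count):
                reply = send(srv.name)
                if reply is not None:
                    return {"result": "accept" if reply else "reject",
                            "server": srv.name, "elapsed": elapsed}
                elapsed += self.timeout_s      # one request timed out
            # every attempt timed out: mark the server dead unless a
            # Status-Server probe shows it is actually alive
            if not (self.status_server and probe(srv.name)):
                srv.dead_until = now + elapsed + self.dead_time_min * 60
        return {"result": "disconnect", "server": None, "elapsed": elapsed}
```

With two servers, a primary that never answers costs 20 s on the first attempt and is then skipped for the whole dead time, so later clients reach the backup immediately.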

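The LDAP Filter and Key Attribute settings in Table 1 define how the AP looks up the authenticating user under Base-DN. The following Python helper is added here and is not part of Aruba's software: it builds that per-user search filter from the two settings, joining them with (&...) as an assumption about how the AP combines them, and escapes the username per RFC 4515 so that a crafted identity is matched literally rather than parsed as filter syntax.

```python
# Added illustration (not Aruba code): combine the profile's Filter and
# Key Attribute into the search the AP runs under Base-DN for one user.
# Joining them with (&...) is an assumption about the AP's behaviour.

# RFC 4515 requires these characters to be escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally, never parsed."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str,
                       key_attribute: str = "sAMAccountName",    # Active Directory
                       base_filter: str = "(objectclass=*)") -> str:  # page default
    """Return (&(<Filter>)(<Key Attribute>=<escaped username>))."""
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("Filter must be a parenthesised LDAP filter")
    return f"(&{base_filter}({key_attribute}={escape_filter_value(username)}))"
```

A username such as *)(objectclass=* therefore stays a literal assertion value and cannot widen the search beyond the configured Filter.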
