You can add an external RADIUS server, LDAP server, CPPM server for AirGroup or CoA through the Instant UI or CLI.
In the 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server based authentication, see Configuring Authentication Parameters for Management Users.
To configure an authentication server:
1. Navigate to > . The window is displayed.
2. To create a new server, click . A window for specifying the details of the new server is displayed. The following figure shows the parameters to configure for a new RADIUS authentication server:
Figure 1 New Authentication Server Window
3. Configure any of the following types of server:
— To configure a RADIUS server, specify the attributes described in the following table:
Parameter | Description
Name | Enter the name of the new external RADIUS server.
IP address | Enter the IP address of the external RADIUS server.
Auth port | Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Accounting port | Enter the accounting port number. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
Timeout | Specify a timeout value in seconds. The value is the timeout for a single RADIUS request. The IAP resends the request several times (as configured in Retry count) before the user is disconnected. For example, with a Timeout of 5 seconds and a Retry count of 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
Retry count | Specify a number between 1 and 5. This is the maximum number of authentication requests sent to the server group; the default value is 3 requests.
RFC 3576 | Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages terminate a user session immediately, whereas CoA messages modify session authorization attributes such as data filters.
NAS IP address | Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets. If you do not enter an IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.
NAS identifier | Use this to configure the string for RADIUS attribute 32, NAS-Identifier, that is sent with RADIUS requests to the RADIUS server.
Dead Time | Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the IAP and one of them is unavailable, the dead time determines for how long that server remains marked as unavailable.
Dynamic RADIUS proxy parameters | Specify the dynamic RADIUS proxy parameters. For more information on these parameters and the configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters.
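The Timeout, Retry count and Dead Time settings above interact when more than one server is configured. The following model of that interaction is an added example, not Aruba code: it assumes one initial request plus Retry count retries per server (which reproduces the 20 seconds quoted for 5 s and 3 retries), that servers are tried in configured order, and that a server that never answers is marked unavailable for its dead time.

```python
# Added example (not Aruba's code): a model of how Timeout, Retry count and
# Dead Time combine when an IAP has several RADIUS servers configured.
from dataclasses import dataclass


@dataclass
class AuthServer:
    name: str
    timeout_s: int = 5        # Timeout: seconds to wait for one RADIUS request
    retry_count: int = 3      # Retry count: 1..5
    dead_time_min: int = 5    # Dead Time: minutes a failed server is skipped
    reachable: bool = True    # constructed flag: does the server answer at all?
    dead_until: float = 0.0   # simulated clock time until which it is skipped

    def __post_init__(self):
        if not 1 <= self.retry_count <= 5:
            raise ValueError("Retry count must be between 1 and 5")


def worst_case_wait(server):
    """Seconds spent on a server that never answers.

    Assumption: one initial request plus `retry_count` retries, each waiting
    `timeout_s` seconds. 5 s and 3 retries give the 20 s quoted on the page.
    """
    return server.timeout_s * (server.retry_count + 1)


def authenticate(servers, now):
    """Try servers in order, skipping any still inside its dead time.

    Returns (name of the server that answered, or None if all failed,
    seconds the client waited before that outcome). `now` is a simulated
    clock in seconds so dead-time expiry can be observed.
    """
    spent = 0
    for s in servers:
        if s.dead_until > now:
            continue                    # still marked unavailable: skip it
        if s.reachable:
            return s.name, spent
        spent += worst_case_wait(s)     # every request to it timed out
        s.dead_until = now + spent + s.dead_time_min * 60
    return None, spent                  # no server answered: user is disconnected


if __name__ == "__main__":
    primary = AuthServer("radius-1", reachable=False)   # constructed: down
    backup = AuthServer("radius-2")
    print(authenticate([primary, backup], now=0))       # waits 20 s, then backup
    print(authenticate([primary, backup], now=60))      # primary skipped, 0 s
    print(authenticate([primary, backup], now=321))     # dead time over, retried
```

Because the failed primary is skipped for its whole dead time, every client in that window authenticates against the backup without waiting; set Dead Time too low and each new client pays the full timeout-times-retries delay again.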
— To configure an LDAP server, select the option and specify the attributes described in the following table:
Parameter | Description
Name | Enter the name of the LDAP server.
IP address | Enter the IP address of the LDAP server.
Auth port | Enter the authorization port number of the LDAP server. The default port number is 389.
Admin-DN | Enter the distinguished name of an admin user with read/search privileges across all entries in the LDAP database (the user need not have write privileges, but must be able to search the database and read the attributes of other users in it).
Admin password | Enter the password of the administrator.
Base-DN | Enter the distinguished name of the node that contains the entire user database.
Filter | Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
Key Attribute | Specify the attribute to use as the key when searching the LDAP server. For Active Directory, the value is sAMAccountName.
Timeout | Enter a value between 1 and 30 seconds. The default value is 5.
Retry count | Enter a value between 1 and 5. The default value is 3.
Dead Time | Specify a dead time for the authentication server, in the range 1-1440 minutes. The default dead time interval is 5 minutes. When two or more authentication servers are configured on the IAP and one of them is unavailable, the dead time determines for how long that server remains marked as unavailable.
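The Admin-DN, Base-DN, Filter and Key Attribute values above are the pieces of the LDAP lookup the IAP performs after binding as the admin user. The code below is an added example, not Aruba's implementation: it assumes the configured Filter is ANDed with a Key Attribute match on the login name, and shows why that login name must be escaped per RFC 4515 before it is placed in the filter.

```python
# Added example (not Aruba's code): composing the per-user LDAP search from the
# Base-DN, Filter and Key Attribute parameters, with RFC 4515 value escaping.
import re

# RFC 4515 escapes for characters that would otherwise change filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied assertion value for use inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_dn(dn):
    """Split a DN such as the Admin-DN or Base-DN into (attribute, value) pairs.

    Handles backslash-escaped commas (an RFC 4514 subset; multi-valued RDNs
    are not supported). Raises ValueError on a malformed RDN so a bad
    Base-DN is rejected at configuration time rather than at login time.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.replace("\\,", ",")))
    return pairs


def build_user_search(base_dn, key_attribute, username,
                      configured_filter="(objectclass=*)"):
    """Return (search base, search filter) for looking up one login name.

    Assumption: the configured Filter is ANDed with a Key Attribute match,
    e.g. (&(objectclass=*)(sAMAccountName=jdoe)) for Active Directory.
    """
    split_dn(base_dn)                      # fail early on a malformed Base-DN
    if not (configured_filter.startswith("(") and configured_filter.endswith(")")):
        raise ValueError("Filter must be a parenthesised LDAP filter")
    match = f"({key_attribute}={escape_filter_value(username)})"
    return base_dn, f"(&{configured_filter}{match})"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(split_dn("cn=svc-iap,ou=Service\\, Accounts,dc=example,dc=com"))
    print(build_user_search("dc=example,dc=com", "sAMAccountName", "jdoe"))
    print(build_user_search("dc=example,dc=com", "sAMAccountName", "*)(cn=*"))
```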
— AirGroup CoA: To configure a CPPM server used for AirGroup CoA (Change of Authorization), select the checkbox. The RADIUS server is automatically selected. Specify the attributes described in the following table:
Parameter | Description
Name | Enter the name of the server.
IP address | Enter the IP address of the server.
Air Group CoA port | Enter a port number for sending AirGroup CoA on a port other than the standard CoA port. The default value is 5999.
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
4. Click .
The CPPM server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device, including shared user, role, and location.
To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server by selecting the option when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile and Configuring Security Settings for a Wired Profile.
To configure a RADIUS server through the CLI:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# port <port>
(Instant AP)(Auth Server <profile-name>)# acctport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# rfc3576
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
To configure an LDAP server through the CLI:
(Instant AP)(config)# wlan ldap-server <profile-name>
(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>
(Instant AP)(LDAP Server <profile-name>)# port <port>
(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>
(Instant AP)(LDAP Server <profile-name>)# admin-password <password>
(Instant AP)(LDAP Server <profile-name>)# base-dn <name>
(Instant AP)(LDAP Server <profile-name>)# filter <filter>
(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>
(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>
(Instant AP)(LDAP Server <profile-name>)# retry-count <number>
(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>
(Instant AP)(LDAP Server <profile-name>)# end
(Instant AP)# commit apply
To configure a CPPM server used for AirGroup CoA (Change of Authorization) through the CLI:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply