
Configuring an External Server for Authentication

You can add an external RADIUS server, an LDAP server, or a CPPM server for AirGroup CoA through the Instant UI or the CLI.


In the 6.4.0.2-4.1 release, you can also configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server-based authentication, see Configuring Authentication Parameters for Management Users.

In the Instant UI

To configure an authentication server:

1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A window for specifying details for the new server is displayed. The following figure shows the parameters to configure for a new RADIUS authentication server configuration:

Figure 1  New Authentication Server Window

3. Configure any of the following types of server:
RADIUS Server — To configure a RADIUS server, specify the attributes described in the following table:

Table 1: RADIUS Server Configuration Parameters

Name: Enter the name of the new external RADIUS server.

IP address: Enter the IP address of the external RADIUS server.

Auth port: Enter the port number on which the external RADIUS server accepts authentication requests. The default port number is 1812.

Accounting port: Enter the accounting port number. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.

Shared key: Enter the shared key used for communicating with the external RADIUS server.

Retype key: Re-enter the shared key.

Timeout: Specify a timeout value in seconds. The value is the timeout for a single RADIUS request. The IAP resends the request the number of times configured in Retry count before the user is disconnected. For example, if Timeout is 5 seconds and Retry count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.

Retry count: Specify a number between 1 and 5. This is the maximum number of authentication requests sent to the server group. The default value is 3 requests.

RFC 3576: Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. A disconnect message terminates the user session immediately, whereas a CoA message modifies session authorization attributes such as data filters.

NAS IP address: Enter the Virtual Controller IP address. This address is sent to the RADIUS server as the NAS-IP-Address attribute in RADIUS packets.

NOTE: If you do not enter an IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.

NAS identifier: Specify the string to send as RADIUS attribute 32 (NAS-Identifier) in requests to the RADIUS server.

Dead Time: Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the IAP and one of them stops responding, that server is marked as unavailable, and the dead time determines how long the IAP skips it before trying it again.

Dynamic RADIUS proxy parameters: Specify the following dynamic RADIUS proxy parameters:

• DRP IP: IP address to be used as the source IP address for RADIUS packets.
• DRP Mask: Subnet mask of the DRP IP address.
• DRP VLAN: VLAN in which the RADIUS packets are sent.
• DRP Gateway: Gateway IP address of the DRP VLAN.

For more information on dynamic RADIUS proxy parameters and the configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters.

LDAP Server — To configure an LDAP server, select the LDAP option and specify the attributes described in the following table:

Table 2: LDAP Server Configuration Parameters

Name: Enter the name of the LDAP server.

IP address: Enter the IP address of the LDAP server.

Auth port: Enter the port number on which the LDAP server accepts connections. The default port number is 389.

Admin-DN: Enter the distinguished name of the admin user with read and search privileges across all entries in the LDAP database (the user does not need write privileges, but must be able to search the database and read the attributes of other users).

Admin password: Enter the password of the admin user.

Base-DN: Enter the distinguished name of the node that contains the entire user database.

Filter: Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).

Key Attribute: Specify the attribute to use as the key when searching the LDAP server for a user. For Active Directory, the value is sAMAccountName.

Timeout: Enter a value between 1 and 30 seconds. The default value is 5.

Retry count: Enter a value between 1 and 5. The default value is 3.

Dead Time: Specify a dead time for the authentication server in minutes, within the range of 1-1440 minutes. The default dead time interval is 5 minutes. When two or more authentication servers are configured on the IAP and one of them stops responding, that server is marked as unavailable, and the dead time determines how long the IAP skips it before trying it again.
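The Filter and Key Attribute settings in Table 2 together determine how a login name is turned into an LDAP search. The following added example (not Aruba code) shows how such a lookup filter can be assembled safely, assuming, as an illustration, that the configured Filter is ANDed with an equality match of the Key Attribute against the login name; the login name is escaped per RFC 4515 so that filter metacharacters in it cannot change the query.

```python
import re

# Characters that must be escaped inside an LDAP filter value (RFC 4515, section 3).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# An LDAP attribute description is a bare name such as sAMAccountName or uid.
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_lookup_config(base_filter: str, key_attribute: str) -> None:
    """Reject Filter / Key Attribute settings that could not form a valid search."""
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("Filter must be a parenthesised LDAP filter, e.g. (objectclass=*)")
    if not _ATTRIBUTE_NAME.match(key_attribute):
        raise ValueError("Key Attribute must be a bare attribute name, e.g. sAMAccountName")


def build_user_filter(base_filter: str, key_attribute: str, username: str) -> str:
    """Return the search filter for locating one user below Base-DN.

    Assumption (not stated on the page): the configured Filter is ANDed with an
    equality match of the Key Attribute against the login name.
    """
    validate_lookup_config(base_filter, key_attribute)
    return f"(&{base_filter}({key_attribute}={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Active Directory defaults from Table 2 with a constructed login name.
    print(build_user_filter("(objectclass=*)", "sAMAccountName", "jdoe"))
    # A login name containing filter metacharacters is escaped, not interpreted.
    print(build_user_filter("(objectClass=user)", "sAMAccountName", "j*doe"))
```

A narrower Filter than the default (objectclass=*), such as one restricted to user objects, limits which entries a key-attribute match can return.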

CPPM Server for AirGroup CoA — To configure a CPPM server used for AirGroup CoA (Change of Authorization), select the CoA only checkbox. The RADIUS server type is selected automatically. Specify the attributes described in the following table:

Table 3: CPPM Server Configuration Parameters for AirGroup CoA

Name: Enter the name of the server.

IP address: Enter the IP address of the server.

AirGroup CoA port: Enter the port number used for AirGroup CoA when it is carried on a port other than the standard CoA port. The default value is 5999.

Shared key: Enter the shared key used for communicating with the external RADIUS server.

Retype key: Re-enter the shared key.
4. Click OK.


The CPPM server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location.

To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.


You can also add an external RADIUS server by selecting the New option when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile and Configuring Security Settings for a Wired Profile.

In the CLI

To configure a RADIUS server:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <IP-address>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# rfc3576

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>

(Instant AP)(Auth Server <profile-name>)# end

(Instant AP)# commit apply

To configure an LDAP server:

(Instant AP)(config)# wlan ldap-server <profile-name>

(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>

(Instant AP)(LDAP Server <profile-name>)# port <port>

(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>

(Instant AP)(LDAP Server <profile-name>)# admin-password <password>

(Instant AP)(LDAP Server <profile-name>)# base-dn <name>

(Instant AP)(LDAP Server <profile-name>)# filter <filter>

(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>

(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>

(Instant AP)(LDAP Server <profile-name>)# retry-count <number>

(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>

(Instant AP)(LDAP Server <profile-name>)# end

(Instant AP)# commit apply

To configure a CPPM server used for AirGroup CoA (Change of Authorization):

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <IP-address>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only

(Instant AP)(Auth Server <profile-name>)# end

(Instant AP)# commit apply