You are here: Authentication and User Management > Configuring Authentication Servers > Configuring Dynamic RADIUS Proxy Parameters
Previous TopicNext Topic

Configuring Dynamic RADIUS Proxy Parameters

The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.

If the IAP clients need to authenticate to the RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:

1. Enable dynamic RADIUS proxy.
2. Configure dynamic RADIUS proxy IP, VLAN. netmask, gateway for each authentication server.
3. Associate the authentication servers to SSID or a wired profile to which the clients connect.

After completing the above-mentioned configuration steps, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.

Enabling Dynamic RADIUS Proxy

You can enable RADIUS Server Support using the Instant UI or CLI.

In the Instant UI

To enable RADIUS server support:

1. In the Instant main window, click the System link. The System window is displayed.
2. In the General tab of System window, select Enabled from the Dynamic RADIUS Proxy drop-down list.
3. Click OK.

 

When dynamic RADIUS proxy is enabled, ensure that a static Virtual Controller IP is configured. For more information on configuring Virtual Controller IP address, see Configuring Virtual Controller IP Address.

When dynamic RADIUS proxy is enabled, the Virtual Controller network uses the IP Address of the Virtual Controller for communication with external RADIUS servers. Ensure that the Virtual Controller IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication.

In the CLI

To enable the dynamic RADIUS proxy feature:

(Instant AP)(config)# dynamic-radius-proxy

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers

You can configure DRP parameters for the authentication server by using the Instant UI or CLI.

In the Instant UI

1. Click the Security>Authentication Servers.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 1.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
DRP IP— IP address to be used as source IP for RADIUS packets
DRP Mask—Subnet mask of the DRP IP address.
DRP VLAN—VLAN in which the RADIUS packets are sent.
DRP Gateway—Gateway IP address of the DRP VLAN.
4. Click OK.

In the CLI

To configure dynamic RADIUS proxy parameters:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <IP-address>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>

(Instant AP)(Auth Server <profile-name>)# end

(Instant AP)# commit apply

Associate the Authentication Servers with an SSID or Wired Profile

1. Access the WLAN wizard or Wired Settings window.
To open the WLAN wizard, select an existing SSID in the Network tab, and click edit.
To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.

You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Click the Security tab.
3. If you are configuring the authentication server for a WLAN SSID, under Security tab, slide to Enterprise security level.
4. Ensure that an authentication type is enabled.
5. From the Authentication Server 1 drop-down list, select the server name on which dynamic RADIUS proxy parameters are enabled. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting New.
6. Click Next and then click Finish.
7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

 

You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile and Configuring Security Settings for a Wired Profile.

In the CLI

To associate an authentication server to a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name># auth-server <server-name>

(Instant AP)(SSID Profile <name># end

((Instant AP)# commit apply

To associate an authentication server to a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# auth-server <name>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply