The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.
If the IAP clients need to authenticate to the RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:
1. Enable dynamic RADIUS proxy.
2. Configure the dynamic RADIUS proxy IP, VLAN, netmask, and gateway for each authentication server.
3. Associate the authentication servers with the SSID or wired profile to which the clients connect.
After completing the above-mentioned configuration steps, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.
You can enable RADIUS Server Support using the Instant UI or CLI.
To enable RADIUS server support:
1. In the Instant main window, click the System link. The System window is displayed.
2. In the General tab of System window, select Enabled from the Dynamic RADIUS Proxy drop-down list.
3. Click OK.

When dynamic RADIUS proxy is enabled, ensure that a static Virtual Controller IP is configured. For more information on configuring Virtual Controller IP address, see Configuring Virtual Controller IP Address. When dynamic RADIUS proxy is enabled, the Virtual Controller network uses the IP Address of the Virtual Controller for communication with external RADIUS servers. Ensure that the Virtual Controller IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication.
To enable the dynamic RADIUS proxy feature:
(Instant AP)(config)# dynamic-radius-proxy
(Instant AP)(config)# end
(Instant AP)# commit apply
You can configure DRP parameters for the authentication server by using the Instant UI or CLI.
1. Click the > .
2. To create a new server, click and configure the required RADIUS server parameters as described in Table 1.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
   - IP address to be used as source IP for RADIUS packets.
   - Subnet mask of the DRP IP address.
   - VLAN in which the RADIUS packets are sent.
   - Gateway IP address of the DRP VLAN.
4. Click .
To configure dynamic RADIUS proxy parameters:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# port <port>
(Instant AP)(Auth Server <profile-name>)# acctport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
1. Access the WLAN wizard or Wired Settings window.
   - To open the WLAN wizard, select an existing SSID in the Network tab, and click edit.
   - To open the wired settings window, click Wired. In the window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the tab.
3. If you are configuring the authentication server for a WLAN SSID, under tab, slide to security level.
4. Ensure that an authentication type is enabled.
5. From the drop-down list, select the server name on which dynamic RADIUS proxy parameters are enabled. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting .
6. Click and then click .
7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile and Configuring Security Settings for a Wired Profile.
To associate an authentication server to a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To associate an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
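The three steps above (enable the proxy, set DRP parameters per server, associate the server with a profile) can be checked offline before `commit apply`. The following is an added example, not Aruba tooling or code from this page: `check_drp` is a hypothetical helper that reads a listing of the commands shown above, typed without prompts, and takes the Virtual Controller IP as an argument. The profile names and addresses in the sample are constructed.

```python
import ipaddress

# Constructed sample: this page's commands without prompts; names and IPs are made up.
SAMPLE = """\
dynamic-radius-proxy
wlan auth-server corp-radius
 nas-ip 192.0.2.5
 drp-ip 192.0.2.20 255.255.255.0 vlan 20 gateway 192.0.2.1
wlan auth-server guest-portal
 nas-ip 192.0.2.5
 drp-ip 192.0.2.130 255.255.255.128 vlan 30 gateway 192.0.2.1
wlan ssid-profile employees
 auth-server corp-radius
wired-port-profile lobby
 auth-server guest-portal
"""

def check_drp(config_text, vc_ip):
    """Return findings; vc_ip is the static Virtual Controller IP (supplied by the caller)."""
    servers, used, ctx, proxy_on, findings = {}, set(), None, False, []
    for tok in filter(None, map(str.split, config_text.splitlines())):  # skip blank lines
        if tok[0] == "dynamic-radius-proxy":
            proxy_on = True
        elif tok[:2] == ["wlan", "auth-server"] and len(tok) == 3:
            ctx = servers.setdefault(tok[2], {})
        elif tok[0] in ("wlan", "wired-port-profile", "end"):
            ctx = None  # left the auth-server context
        elif tok[0] == "auth-server" and len(tok) == 2:
            used.add(tok[1])  # association from an SSID or wired profile
        elif ctx is not None:
            ctx[tok[0]] = tok[1:]
    if not proxy_on:
        findings.append("dynamic-radius-proxy is not enabled")
    for name in sorted(used):
        srv = servers.get(name, {})
        try:  # drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
            ip, mask, _, vlan, _, gw = srv.get("drp-ip", [])
            net = ipaddress.ip_interface(f"{ip}/{mask}").network
            gw, vlan = ipaddress.ip_address(gw), int(vlan)
        except ValueError:
            findings.append(f"{name}: drp-ip missing or malformed")
            continue
        if gw not in net:
            findings.append(f"{name}: gateway {gw} is outside {net}")
        if not 1 <= vlan <= 4094:  # 802.1Q VLAN ID range
            findings.append(f"{name}: VLAN {vlan} out of range")
        if srv.get("nas-ip") != [vc_ip]:
            findings.append(f"{name}: nas-ip is not the Virtual Controller IP {vc_ip}")
    return findings
```

On the constructed sample, `check_drp(SAMPLE, "192.0.2.5")` reports one finding: the `guest-portal` gateway 192.0.2.1 lies outside the DRP subnet 192.0.2.128/25, so RADIUS packets sourced from that DRP IP would have no reachable next hop.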