Aruba Instant 8.6.0.0 Online Help Center Help Center

Configuring Dynamic RADIUS Proxy Parameters

A RADIUS (Remote Authentication Dial-In User Service) server can be deployed at different locations and in different VLANs. In most deployments a single centralized or local RADIUS server authenticates all users. Some networks, however, use a local RADIUS server for employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic for each user group is routed to the intended RADIUS server, the dynamic RADIUS proxy (DRP) feature must be enabled.

NOTE: The dynamic RADIUS proxy parameters do not need to be configured if RadSec is enabled in the RADIUS server profile.

If the Instant AP clients need to be authenticated against RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:

1. Enable dynamic RADIUS proxy.

2. Configure dynamic RADIUS proxy IP, VLAN, netmask, and gateway for each authentication server.

3. Associate the authentication servers with the SSID or wired profile to which the clients connect.

After completing the configuration steps above, users of the SSID are authenticated through the configured dynamic RADIUS proxy parameters.

Enabling Dynamic RADIUS Proxy

The following procedure describes how to enable dynamic RADIUS proxy using the WebUI.

Table 1: Enabling Dynamic RADIUS Proxy

New WebUI:

1. Navigate to the Configuration > System page.

2. Expand General.

3. Toggle the Dynamic RADIUS Proxy switch to enable it.

4. Click Save.

Old WebUI:

1. In the Instant main window, click the System link. The System window is displayed.

2. In the General tab of the System window, select the RADIUS check box for Dynamic Proxy.

3. Click OK.

NOTE: When dynamic RADIUS proxy is enabled, the virtual controller network uses the IP address of the virtual controller to communicate with external RADIUS servers. Ensure that the virtual controller IP address is set as the NAS (Network Access Server) IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled, and that the external RADIUS servers are configured to accept that address. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication.

NOTE: In VPN deployments, the tunnel IP received when the VPN connection is established is used as the NAS IP. In such cases, the virtual controller IP need not be configured on the external RADIUS servers.

The following CLI command enables the dynamic RADIUS proxy feature:

(Instant AP)(config)# dynamic-radius-proxy

Configuring Dynamic RADIUS Proxy Parameters

The following procedure describes how to configure DRP parameters for an authentication server by using the WebUI.

Table 2: Configuring Dynamic RADIUS Proxy Parameters

New WebUI:

1. Navigate to the Configuration > Security page.

2. Expand Authentication Servers.

3. To create a new server, click + and configure the required RADIUS server parameters as described in Configuring an External Server for Authentication.

4. Ensure that the following dynamic RADIUS proxy parameters are configured:

a. DRP IP: IP address used as the source IP of the RADIUS packets.

b. DRP Mask: subnet mask of the DRP IP address.

c. DRP Vlan: VLAN in which the RADIUS packets are sent.

d. DRP Gateway: gateway IP address of the DRP VLAN.

5. Click OK.

Old WebUI:

1. Go to Security > Authentication Servers.

2. To create a new server, click New and configure the required RADIUS server parameters as described in Configuring an External Server for Authentication.

3. Ensure that the following dynamic RADIUS proxy parameters are configured:

a. DRP IP: IP address used as the source IP of the RADIUS packets.

b. DRP Mask: subnet mask of the DRP IP address.

c. DRP VLAN: VLAN in which the RADIUS packets are sent.

d. DRP Gateway: gateway IP address of the DRP VLAN.

4. Click OK.

The following CLI commands configure an authentication server profile, including its dynamic RADIUS proxy parameters (the drp-ip command):

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <IP-address>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
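The practical consequence of the DRP IP being the source address of the RADIUS packets sits on the RADIUS server side: a RADIUS server looks up its client (NAS) entry and shared secret by the source IP of the UDP datagram, not by the NAS-IP-Address attribute inside the packet. With DRP enabled the client entry on the server must therefore be defined for the DRP IP, while the NAS-IP-Address attribute carries the virtual controller IP (or the VPN tunnel IP). The Python script below is an added example, not code from the Aruba Instant documentation or product. It builds an Access-Request the way an AP would (RFC 2865 attribute encoding with an RFC 2869 Message-Authenticator) and models the server-side decision for three client-table layouts. The addresses 10.0.0.10 (virtual controller), 10.20.30.5 (DRP IP), the user name and the shared secret are constructed values.

```python
"""Server-side view of a dynamic RADIUS proxy deployment (added example)."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed addresses and secret for illustration only (assumptions,
# not values from the Aruba Instant documentation).
VC_IP = "10.0.0.10"     # virtual controller IP: carried in NAS-IP-Address
DRP_IP = "10.20.30.5"   # drp-ip of the auth-server profile: UDP source IP
SECRET = b"radius-shared-secret"


def _attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, secret, user, nas_ip, nas_id):
    """Access-Request as the AP sends it. The Message-Authenticator is
    HMAC-MD5(secret) over the whole packet with that attribute zeroed."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return {type: (value_offset, value)} for the attributes after the 20-byte header."""
    attrs = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = (pos + 2, packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def server_check(clients, src_ip, packet):
    """Decide as a RADIUS server does: client entry keyed by the datagram's
    source IP, then the shared secret via Message-Authenticator; only then
    is NAS-IP-Address read, as informational data."""
    secret = clients.get(src_ip)
    if secret is None:
        return "DROP: no client entry for source %s" % src_ip
    attrs = parse_attributes(packet)
    if ATTR_MESSAGE_AUTHENTICATOR not in attrs:
        return "REJECT: Message-Authenticator missing"
    off, mac = attrs[ATTR_MESSAGE_AUTHENTICATOR]
    if len(mac) != 16:
        return "REJECT: Message-Authenticator has wrong length"
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return "REJECT: bad Message-Authenticator (shared secret mismatch)"
    nas = attrs.get(ATTR_NAS_IP_ADDRESS)
    if nas is None:
        return "ACCEPT: NAS-IP-Address absent"
    return "ACCEPT: NAS-IP-Address=%s" % ipaddress.IPv4Address(nas[1])


def demo():
    """Three client-table layouts for the same Access-Request sent from the DRP IP."""
    pkt = build_access_request(7, SECRET, "alice", VC_IP, "vc-branch1")
    return {
        # correct: the server knows the DRP IP as a client
        "drp_client": server_check({DRP_IP: SECRET}, DRP_IP, pkt),
        # common mistake: only the virtual controller IP is defined as a client
        "vc_only": server_check({VC_IP: SECRET}, DRP_IP, pkt),
        # DRP IP defined, but with a different shared secret
        "bad_secret": server_check({DRP_IP: b"another-secret"}, DRP_IP, pkt),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-10s %s" % (name, verdict))
```

The "vc_only" case is the one to check first when authentications fail right after enabling DRP: the server silently drops requests from an unknown source address, so nothing appears in its authentication log. The example models only the Message-Authenticator check; a real server additionally uses the Request Authenticator and shared secret to protect User-Password and the reply, which does not change the client-lookup behaviour shown here.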

Associate DRP Server Profile to a Network Profile

The following procedure describes how to associate a DRP-enabled authentication server profile with a network profile by using the WebUI:

Table 3: Associating DRP Server profile to a Network Profile

New WebUI:

1. Access the WLAN wizard or the Wired Settings window (go to Configuration > Networks, select a WLAN or wired profile, and click Edit).

NOTE: You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Select the Security tab.

3. If you are configuring the authentication server for a WLAN SSID profile, move the slider to the Enterprise security level and select an authentication type from the Key management drop-down list.

4. For a wired profile, enable the MAC authentication or 802.1X authentication toggle switch.

5. From the Auth server 1 drop-down list, select the server on which dynamic RADIUS proxy parameters are configured. You can also create a new server with dynamic RADIUS proxy parameters by clicking +.

6. Click Next until you reach the last page, then click Finish.

7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a WLAN or wired network profile.

Old WebUI:

1. Access the WLAN wizard or the Wired Settings window.

a. To open the WLAN wizard, select an existing SSID on the Networks tab and click edit.

b. To open the Wired Settings window, click More > Wired. In the Wired window, select a profile and click Edit.

NOTE: You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Click the Security tab.

3. If you are configuring the authentication server for a WLAN SSID profile, move the slider to the Enterprise security level and select an authentication type from the Key management drop-down list.

4. For a wired profile, set MAC authentication or 802.1X authentication to Enabled.

5. From the Auth server 1 drop-down list, select the server on which dynamic RADIUS proxy parameters are configured. You can also create a new server with dynamic RADIUS proxy parameters by clicking New.

6. Click Next and then click Finish.

7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a WLAN or wired network profile.

NOTE: You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Multiple PSK For WLAN SSID Profiles and Configuring Security Settings for a Wired Employee Network.

The following CLI commands associate an authentication server with a WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

The following CLI commands associate an authentication server with a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# auth-server <name>
