External RADIUS Server

In the external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, the IP address of the virtual controller is configured as the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address. Instant RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  is implemented on the virtual controller and this eliminates the need to configure multiple NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. clients for every Instant AP on the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for client authentication. Instant RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  dynamically forwards all the authentication requests from a NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. to a remote RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server responds to the authentication request with an Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network depending on the response from the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. When you enable an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for the network, the client on the Instant AP sends a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packet to the local IP address. The external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server then responds to the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packet.

Instant supports the following external authentication servers:

RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. 

LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network.

ClearPass Policy Manager Server for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions.

To use an LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server for user authentication, configure the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server on the virtual controller, and configure user IDs and passwords. To use a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for user authentication, configure the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server on the virtual controller.

Configuring an External Server for Authentication

The following procedure describes how to configure RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. , TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. , LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network., and ClearPass Policy Manager servers using the WebUI.

Table 1: Configuring an External Server for Authentication

New WebUI

Old WebUI

1. Navigate to the Configuration > Security page.

2. Expand Authentication Servers.

3. To create a new server, click +. The New Authentication Server window for specifying details for the new server is displayed.

4. Configure parameters based on the type of sever.

RADIUS—To configure a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, specify the attributes described in the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  Server Configuration Parameters table below. To assign the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

NOTE: You can also add an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server by selecting the New option when configuring a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. or wired profile. For more information, see Configuring Multiple PSK For WLAN SSID Profiles and Configuring Security Settings for a Wired Employee Network .

LDAP—To configure an LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server, select the LDAP option and configure the attributes described in the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. Server Configuration Parameters table below.

TACACS—To configure TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. server, select the TACACS option and configure the attributes described in the TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. Server Configuration parameters table below.

NOTE: You can also add TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server.  server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users .

CoA only for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. —To configure a ClearPass Policy Manager server used for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. , select the CoA only check box and configure the attributes defined in the ClearPass Policy Manager Server Configuration Parameters for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. table below. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server is automatically selected.

NOTE: The ClearPass Policy Manager ClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, the network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method. server acts as a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location.

5. Click OK.

1. Navigate to Security > Authentication Servers. The Security window is displayed.

2. To create a new server, click New. A window for specifying details for the new server is displayed.

3. Configure parameters based on the type of sever.

RADIUS—To configure a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, specify the attributes described in the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  Server Configuration Parameters table below. To assign the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

NOTE: You can also add an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server by selecting the New option when configuring a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. or wired profile. For more information, see Configuring Multiple PSK For WLAN SSID Profiles and Configuring Security Settings for a Wired Employee Network .

LDAP—To configure an LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server, select the LDAP option and configure the attributes described in the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. Server Configuration Parameters table below.

TACACS—To configure TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. server, select the TACACS option and configure the attributes described in the TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. Server Configuration parameters table below.

NOTE: You can also add TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server.  server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users .

CoA only for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. —To configure a ClearPass Policy Manager server used for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. , select the CoA only check box and configure the attributes defined in the ClearPass Policy Manager Server Configuration Parameters for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. table below. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server is automatically selected.

NOTE: The ClearPass Policy Manager ClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, the network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method. server acts as a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location.

4. Click OK.

 

Table 2: RADIUS Server Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the host name or the IP address of the external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

NOTE: The hose name value will be accepted only if the RadSec parameter is enabled.

RadSec

Set RadSec to Enabled to enable secure communication between the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server and Instant AP by creating a TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel between the Instant AP and the server.

If RadSec is enabled, the following configuration options are displayed:

RadSec port—Communication port number for RadSec TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. connection. By default, the port number is set to 2083.

RFC 3576

RFC 5997

NAS IP address

NAS identifier

Service type framed user

For more information on RadSec configuration, see Configuring a RadSec Server.

Auth port

Enter the authorization port number of the external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server within the range of 1–65,535. The default port number is 1812.

Accounting port

Enter the accounting port number within the range of 1–65,535. This port is used for sending accounting records to the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. The default port number is 1813.

Shared key

Enter a shared key for communicating with the external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Retype key

Re-enter the shared key.

Timeout

Specify a timeout value in seconds. The value determines the timeout for one RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  request. The Instant AP retries to send the request several times (as configured in the Retry count) before the user gets disconnected. For example, if the Timeout is 5 seconds, Retry counter is 3, user is disconnected after 20 seconds. The default value is 5 seconds.

Retry count

Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group, and the default value is 3 requests.

RFC 3576

Select Enabled to allow the Instant APs to process RFC Request For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. messages modify session authorization attributes such as data filters.

RFC 5997

This helps to detect the server status of the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. Every time there is an authentication or accounting request timeout, the Instant AP will send a status request enquiry to get the actual status of the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server before confirming the status of the server to be DOWN.

Authentication—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.

Accounting—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

NOTE: You can choose to select either the Authentication or Accounting check-boxes or select both check-boxes to support RFC5997.

NAS IP address

Allows you to configure an arbitrary IP address to be used as RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attribute 4, NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP Address, without changing source IP Address in the IP header of the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packet.

NOTE: If you do not enter the IP address, the virtual controller IP address is used by default when Dynamic RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  Proxy is enabled.

NAS Identifier

Allows you to configure strings for RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attribute 32, NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. Identifier, to be sent with RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  requests to the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Dead Time

Specify a dead time for authentication server in minutes.

When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.

Dynamic RADIUS proxy parameters

Specify the following dynamic RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  proxy parameters:

DRP IP—IP address to be used as source IP for RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packets.

DRP Mask—Subnet mask of the DRP IP address.

DRP VLAN—VLAN in which the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packets are sent.

DRP Gateway—Gateway IP address of the DRP VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..

For more information on dynamic RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  proxy parameters and configuration procedure, see Enabling Dynamic RADIUS Proxy.

Service type framed user

Sets the service type value to frame for the following authentication methods:

802.1X—Changes the service type to frame for 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication.

Captive Portal—Changes the service type to frame for Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication.

MAC—Changes the service type to frame for MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.  authentication.

 

Table 3: LDAP Server Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the IP address of the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network.  server.

Auth port

Enter the authorization port number of the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server. The default port number is 389.

NOTE: Secure LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. over SSL Secure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet. is currently not supported on Instant APs. Changing the authentication port to 636 will not enable secure LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. over SSL Secure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet..

Admin-DN

Enter a DN Distinguished Name. A series of fields in a digital certificate that, taken together, constitute the unique identity of the person or device that owns the digital certificate. Common fields in a DN include country, state, locality, organization, organizational unit, and the “common name”, which is the primary name used to identify the certificate. for the admin user with read/search privileges across all the entries in the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. database (the user need not have write privileges, but the user must be able to search the database, and read attributes of other users in the database).

Admin password

Enter a password for administrator.

Base-DN

Enter a DN Distinguished Name. A series of fields in a digital certificate that, taken together, constitute the unique identity of the person or device that owns the digital certificate. Common fields in a DN include country, state, locality, organization, organizational unit, and the “common name”, which is the primary name used to identify the certificate. for the node that contains the entire user database.

Filter

Specify the filter to apply when searching for a user in the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. database. The default filter string is (objectclass=*).

Key Attribute

Specify the attribute to use as a key while searching for the LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server. For Active Directory Microsoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed., the value is sAMAccountName

Timeout

Enter a value between 1 and 30 seconds. The default value is 5.

Retry count

Enter a value between 1 and 5. The default value is 3.

Dead Time

Specify a dead time for the authentication server in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.

When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.

 

Table 4: TACACS Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the IP address of the TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. server.

Auth Port

Enter a TCPIP port used by the server. The default port number is 49.

Shared Key

Enter a secret key of your choice to authenticate communication between the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  client and the server.

Retype Key

Re-enter the shared key.

Timeout

Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  requests. The default value is 20 seconds.

Retry Count

Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.

Dead time

Specify a dead time in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.

Session authorization

Enables or disables session authorization. When enabled, the optional authorization session is turned on for the admin users. By default, session authorization is disabled.

 

Table 5: ClearPass Policy Manager Server Configuration Parameters for AirGroup CoA

Parameter

Description

Name

Enter a name of the server.

IP address

Enter the host name or IP address of the server.

Air Group CoA port

Enter a port number for sending AirGroup The application that allows the end users to register their personal mobile devices on a local network and define a group of friends or associates who are allowed to share them. AirGroup is primarily designed for colleges and other institutions. AirGroup uses zero configuration networking to allow Apple mobile devices, such as the AirPrint wireless printer service and the AirPlay mirroring service, to communicate over a complex access network topology. CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. on a port different from the standard CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. port. The default value is 5999.

Shared key

Enter a shared key for communicating with the external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Retype key

Re-enter the shared key.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server with DRP parameters:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# rfc3576

(Instant AP)(Auth Server <profile-name>)# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address)

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands enable RadSec:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure an LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server:

(Instant AP)(config)# wlan ldap-server <profile-name>

(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>

(Instant AP)(LDAP Server <profile-name>)# port <port>

(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>

(Instant AP)(LDAP Server <profile-name>)# admin-password <password>

(Instant AP)(LDAP Server <profile-name>)# base-dn <name>

(Instant AP)(LDAP Server <profile-name>)# filter <filter>

(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>

(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>

(Instant AP)(LDAP Server <profile-name>)# retry-count <number>

(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server:

(Instant AP)(config)# wlan tacacs-server <profile-name>

(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>

(Instant AP)(TACACS Server <profile-name>)# port <port>

(Instant AP)(TACACS Server <profile-name>)# key <key>

(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>

(Instant AP)(TACACS Server <profile-name>)# retry-count <number>

(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a ClearPass Policy Manager server used for AirGroup CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. :

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only

Customizing the RADIUS Attributes

Starting from Aruba Instant 8.3.0.0, the users can now configure RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile to customize the attributes that are included, excluded and modified in the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  request before it is sent to the authentication server. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile can be configured and applied to either Access-Request RADIUS packet sent to a RADIUS server requesting authorization. or Accounting-Request RADIUS packet type sent to a RADIUS server containing accounting summary information. or both on a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server.

This profile can contain up to 64 RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attributes with static values that are used either to add or update in the request and another 64 RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attributes to be excluded from the Requests.

Two new parameters have been added in the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication-server profile :

l auth-modifier: When assigned, it references to a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile which is applied to all Access-Requests sending to this RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication-server.

l acct-modifier: When assigned, it references to a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile which is applied to all Accounting-Requests sending to this RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication-server.