Configuring RADIUS Authentication Server for a WLAN SSID Profile

To configure a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server for the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. profile, complete the following steps:

1. To access the WLAN SSID configuration wizard for a new SSID profile or an existing SSID profile, see Configuring a WLAN SSID Profile in Bridge Mode or Configuring a WLAN SSID Profile in Tunnel and Mixed Mode.
2. In the WLAN SSID configuration wizard, click the Security tab.
3. In Security Level, select Enterprise.
4. Perform one of the following actions:

   • To add a new external authentication server, click + next to Primary Server or Secondary Server.

     The New Server pop-up window is displayed.

   • To edit an existing external authentication server, click the edit icon next to Primary Server or Secondary Server.

     The Edit Server pop-up window is displayed.

5. Configure the parameters described in Table 1.
6. Click OK.

   The following table describes the parameters to create RADIUS authentication servers for a WLAN SSID profile.

   Table 1: RADIUS Authentication Server Configuration

   Parameter	Description
   Server Type	Select RADIUS from the drop-down list.
   Name	Enter a name for the external RADIUS server.
   Radsec	Select this check box to enable secure communication between the RADIUS server and AP by creating a TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel between the AP and the server. If Radsec is enabled, the following parameters are displayed: Radsec Port Radsec Keepalive Type IP Address/FQDN NAS IP Address NAS Identifier Query Status of RADIUS Servers (RFC 5997) Dynamic Authorization Service Type Framed User
   Radsec Port	Enter a communication port number for RadSec TLS connection. By default, the port number is set to 2083.
   Radsec Keepalive Type	Specifies the keepalive Signal sent at periodic intervals from one device to another to verify that the link between the two devices is working. If no reply is received, data will be sent by a different path until the link is restored. A keepalive can also be used to indicate that the connection should be preserved so that the receiving device does not consider it timed out and drop it. message type to keep the Radsec server connection alive. Select one of the following Radsec Keepalive type options based on the Radsec server capabilities and system load requirements: TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. Keepalive—Sends TCP Keepalive messages periodically to keep the Radsec connection alive. TCP Keepalive are TCP level packets that does not involve processing RADIUS protocol headers. Hence, it consumes less resources as compared to status server Keepalive type. For example, TCP Keepalive type helps to reduce the system load in Aruba Cloud Guest server. Status Server—Sends RADIUS status server messages periodically to keep the Radsec connection alive. Radsec servers need status server Keepalive type as CPPM terminates the Radsec connection after 15 minutes of RADIUS inactivity even if TCP Keepalive packets are active. Keepalive is recommended in a network where a RadSec server is connected to a large number of RadSec clients for tracking and port access sessions. The Radsec server requires additional resources to process status-server and access-request messages when compared to keepalive messages. This is because status server and access-request messages are RADIUS protocol packets. However, keepalive packets are TCP control packets that do not require any additional resources. NOTE: The Radsec Keepalive Type parameter is available only when Radsec option is enabled.
   IP Address/FQDN	Enter IP address or FQDN Fully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. of the external RADIUS server.
   NAS IP Address	Enter the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address. For AP-based cluster deployments, ensure that you enter the VC IP address as the NAS IP address. For Cloud AP based Campus WLAN deployments, ensure that you enter the AP IP address as the NAS IP address.
   NAS Identifier	Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
   Query Status of RADIUS Servers (RFC 5997)	Select any of the following check boxes to detect the server status of the RADIUS server: Authentication—Select this check box to ensure the AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable. Accounting—Select this check box to ensure the AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.
   Dynamic Authorization	Select this check box to allow the APs to process RFC Request For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUS server. Disconnect messages terminate the user session immediately, whereas the CoA messages modify session authorization attributes such as data filters. When you enable the Dynamic Authorization option, the AirGroup CoA Port field is displayed with the port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.
   Service Type Framed User	Select any of the following check boxes to send the service type as Framed User in the access requests to the RADIUS server: 802.1X—Changes the service type to frame for 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication. MAC—Changes the service type to frame for MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication. Captive Portal—Changes the service type to frame for Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication.
   Auth Port	Enter the authorization port number of the external RADIUS server. The default port number is 1812.
   Accounting Port	Enter the accounting port number used for sending accounting records to the RADIUS server. The default port number is 1813.
   Shared Key and Retype Key	Enter the shared key for communicating with the external RADIUS server.
   Timeout (in secs)	Enter the timeout duration for one RADIUS request. The AP retries sending the request several times (as configured in the Retry count) before the user is disconnected. For example, if the Timeout is 5 seconds, Retry counter is 3, user is disconnected after 20 seconds. The default value is 5 seconds.
   Retry Count	Enter the maximum number of authentication requests that can be sent to the server group by the AP. You can specify a value within the range of 1–5. The default value is 3 requests.
   Dead Time	Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable. If Dynamic RADIUS Proxy (DRP) is enabled on the APs, configure the following parameters: DRP IP—IP address to be used as source IP for RADIUS packets. DRP MASK—Subnet mask of the DRP IP address. DRP VLAN—VLAN in which the RADIUS packets are sent. DRP GATEWAY—Gateway IP address of the DRP VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..