Configuring RADIUS Authentication Server for a WLAN SSID Profile

To configure a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server for the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. profile, complete the following steps:

  1. To access the WLAN SSID configuration wizard for a new SSID profile or an existing SSID profile, see Configuring a WLAN SSID Profile in Bridge Mode or Configuring a WLAN SSID Profile in Tunnel and Mixed Mode.
  2. In the WLAN SSID configuration wizard, click the Security tab.
  3. In Security Level, select Enterprise.
  4. Perform one of the following actions:
    • To add a new external authentication server, click + next to Primary Server or Secondary Server.

      The New Server pop-up window is displayed.

    • To edit an existing external authentication server, click the edit icon next to Primary Server or Secondary Server.

      The Edit Server pop-up window is displayed.

  5. Configure the parameters described in Table 1.
  6. Click OK.

    The following table describes the parameters to create RADIUS authentication servers for a WLAN SSID profile.

    Table 1: RADIUS Authentication Server Configuration



    Server Type

    Select RADIUS from the drop-down list.


    Enter a name for the external RADIUS server.


    Select this check box to enable secure communication between the RADIUS server and AP by creating a TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel between the AP and the server.

    If Radsec is enabled, the following parameters are displayed:

    Radsec Port

    Enter a communication port number for RadSec TLS connection.

    By default, the port number is set to 2083.

    Radsec Keepalive Type

    Specifies the keepalive Signal sent at periodic intervals from one device to another to verify that the link between the two devices is working. If no reply is received, data will be sent by a different path until the link is restored. A keepalive can also be used to indicate that the connection should be preserved so that the receiving device does not consider it timed out and drop it. message type to keep the Radsec server connection alive. Select one of the following Radsec Keepalive type options based on the Radsec server capabilities and system load requirements:

    Keepalive is recommended in a network where a RadSec server is connected to a large number of RadSec clients for tracking and port access sessions. The Radsec server requires additional resources to process status-server and access-request messages when compared to keepalive messages. This is because status server and access-request messages are RADIUS protocol packets. However, keepalive packets are TCP control packets that do not require any additional resources.

    NOTE: The Radsec Keepalive Type parameter is available only when Radsec option is enabled.

    IP Address/FQDN

    Enter IP address or FQDN Fully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. of the external RADIUS server.

    NAS IP Address

    Enter the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address.

    For AP-based cluster deployments, ensure that you enter the VC IP address as the NAS IP address.

    For Cloud AP based Campus WLAN deployments, ensure that you enter the AP IP address as the NAS IP address.

    NAS Identifier

    Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.

    Query Status of RADIUS Servers (RFC 5997)

    Select any of the following check boxes to detect the server status of the RADIUS server:

    • Authentication—Select this check box to ensure the AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.
    • Accounting—Select this check box to ensure the AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

    Dynamic Authorization

    Select this check box to allow the APs to process RFC Request For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUS server. Disconnect messages terminate the user session immediately, whereas the CoA messages modify session authorization attributes such as data filters. When you enable the Dynamic Authorization option, the AirGroup CoA Port field is displayed with the port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.

    Service Type Framed User

    Select any of the following check boxes to send the service type as Framed User in the access requests to the RADIUS server:

    Auth Port

    Enter the authorization port number of the external RADIUS server.

    The default port number is 1812.

    Accounting Port

    Enter the accounting port number used for sending accounting records to the RADIUS server.

    The default port number is 1813.

    Shared Key and Retype Key

    Enter the shared key for communicating with the external RADIUS server.

    Timeout (in secs)

    Enter the timeout duration for one RADIUS request.

    The AP retries sending the request several times (as configured in the Retry count) before the user is disconnected. For example, if the Timeout is 5 seconds, Retry counter is 3, user is disconnected after 20 seconds.

    The default value is 5 seconds.

    Retry Count

    Enter the maximum number of authentication requests that can be sent to the server group by the AP. You can specify a value within the range of 1–5.

    The default value is 3 requests.

    Dead Time

    Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.

    If Dynamic RADIUS Proxy (DRP) is enabled on the APs, configure the following parameters: