RADIUS

Name of the external RADIUS server.

IP address or the FQDNFully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. of the external RADIUS server.

Set Radsec to Enabled to enable secure communication between the RADIUS server and Instant AP by creating a TLSTransport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel between the Instant AP and the server.

If Radsec is enabled, the following configuration options are displayed:

Radsec Port—Communication port number for RadSec TLS connection. By default, the port number is set to 2083.

NAS Identifier

NAS IP Address

Service Type Framed User

Query Status of RADIUS Servers (RFC 5997)

Dynamic Authorization

Authorization port number of the external RADIUS server. The default port number is 1812.

The accounting port number used for sending accounting records to the RADIUS server. The default port number is 1813.

Shared key for communicating with the external RADIUS server.

The timeout duration for one RADIUS request. The Instant AP retries sending the request several times (as configured in the Retry count) before the user is disconnected. For example, if the Timeout is 5 seconds, Retry counter is 3, user is disconnected after 20 seconds. The default value is 5 seconds.

The maximum number of authentication requests that can be sent to the server group by the Instant AP. You can specify a value within the range of 1–5. The default value is 3 requests.

To allow the APs to process RFCRequest For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUS server, select this check box. Disconnect messages terminate the user session immediately, whereas the CoA messages modify session authorization attributes such as data filters. When you enable the Dynamic Authorization option, the AirGroup CoA Port field is displayed with the port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.

Enter the IP address.

For Instant AP-based cluster deployments, ensure that you enter the VC IP address as the NASNetwork Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address.

For Cloud AP based Campus WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. deployments, ensure that you enter the AP IP address as the NAS IP address.

Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.

Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.

If Dynamic RADIUS Proxy (DRP) is enabled on the APs, configure the following parameters:

DRP IP—IP address to be used as source IP for RADIUS packets.

DRP MASK—SubnetSubnet is the logical division of an IP network. mask of the DRP IP address.

DRP VLAN—VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. in which the RADIUS packets are sent.

Select any of the following check boxes to send the service type as Framed User in the access requests to the RADIUS server:

802.1X—Changes the service type to frame for 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication.

MAC—Changes the service type to frame for MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication.

Captive Portal—Changes the service type to frame for Captive Portal authentication.

Select any of the following check boxes to detect the server status of the RADIUS server:

Authentication—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.

Accounting—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

LDAP

Name of the LDAP server.

IP address of the LDAP server.

Authorization port number of the LDAP server. The default port number is 389.

A distinguished name for the admin user with read and search privileges across all the entries in the LDAP database (the admin user need not have write privileges, but the admin user must be able to search the database, and read attributes of other users in the database).

Password for the admin user.

Distinguished name for the node that contains the entire user database.

The filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).

The attribute to use as a key while searching for the LDAP server. For Active DirectoryMicrosoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed., the value is sAMAccountName.

Timeout interval within a range of 1–30 seconds for one RADIUS request. The default value is 5.

The maximum number of authentication requests that can be sent to the server group. You can specify a value within the range of 1–5. The default value is 3.

TACACS

Name of the server.

The secret key to authenticate communication between the TACACS client and server.

The TCPTransmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. IP port used by the server. The default port number is 49.

A number between 1 and 30 seconds to indicate the timeout period for TACACS+Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  requests. The default value is 20 seconds.

IP address of the server.

The maximum number of authentication attempts to be allowed. The default value is 3.

Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.

Enable this option to allow the authorization of sessions.

External Captive Portal—The external captive portal servers are used for authenticating guest users in a WLAN.

Enter a name for the profile.

Select any one of the following types of authentication:

Radius Authentication—Select this option to enable user authentication against a RADIUS server.

Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

Enter the IP address or the host name of the external splash page server.

Enter the URLUniform Resource Locator. URL is a global address used for locating web resources on the Internet. of the external captive portal server.

Enter the port number that is used for communicating with the external captive portal server.

Select this to enforce clients to use HTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.

Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted.

If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.

Specify a redirect URL if you want to redirect the users to another URL.

Dynamic Authorization Only

Name of the server.

IP address of the server.

A port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.