Configuring External Authentication Servers for APs
You can configure an external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server, TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. , and LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server for user authentication. You can configure guest network using External Captive PortalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profile for external authentication.
To configure a server, complete the following procedure:
- In the app, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under , click > .
A list of APs is displayed in the view.
- Click the icon.
The tabs to configure the APs are displayed.
- Click .
- Click the tab.
The Security page is displayed.
- In the panel, click to create a new server.
-
Select any of the following server types and configure the parameters for your deployment scenario.
Table 1: Authentication Server Configuration
Type of Server
Parameters
Name of the external RADIUS server.
IP address or the FQDNFully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. of the external RADIUS server.
Set to to enable secure communication between the RADIUS server and IAP by creating a TLSTransport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel between the IAP and the server.
If is enabled, the following configuration options are displayed:
—Communication port number for RadSec TLS connection. By default, the port number is set to 2083.
Authorization port number of the external RADIUS server. The default port number is 1812.
The accounting port number used for sending accounting records to the RADIUS server. The default port number is 1813.
Shared key for communicating with the external RADIUS server.
The timeout duration for one RADIUS request. The IAP retries sending the request several times (as configured in the ) before the user is disconnected. For example, if the is 5 seconds, is 3, user is disconnected after 20 seconds. The default value is 5 seconds.
The maximum number of authentication requests that can be sent to the server group by the IAP. You can specify a value within the range of 1–5. The default value is 3 requests.
To allow the APs to process RFCRequest For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUS server, select this check box. Disconnect messages terminate the user session immediately, whereas the CoA messages modify session authorization attributes such as data filters. When you enable the option, the field is displayed with the port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.
Enter the IP address.
For IAP-based cluster deployments, ensure that you enter the VC IP address as the NASNetwork Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address.
For Cloud AP based Campus WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. deployments, ensure that you enter the AP IP address as the NAS IP address.
Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.
If Dynamic RADIUS Proxy (DRP) is enabled on the APs, configure the following parameters:
- —IP address to be used as source IP for RADIUS packets.
- —SubnetSubnet is the logical division of an IP network. mask of the DRP IP address.
- —VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. in which the RADIUS packets are sent.
Select any of the following check boxes to send the service type as in the access requests to the RADIUS server:
- —Changes the service type to frame for 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication.
- —Changes the service type to frame for MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication.
- —Changes the service type to frame for Captive Portal authentication.
Select any of the following check boxes to detect the server status of the RADIUS server:
—Select this check-box to ensure the IAP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.
—Select this check-box to ensure the IAP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.
Name of the LDAP server.
IP address of the LDAP server.
Authorization port number of the LDAP server. The default port number is 389.
A distinguished name for the admin user with read and search privileges across all the entries in the LDAP database (the admin user need not have write privileges, but the admin user must be able to search the database, and read attributes of other users in the database).
Password for the admin user.
Distinguished name for the node that contains the entire user database.
The filter to apply when searching for a user in the LDAP database. The default filter string is .
The attribute to use as a key while searching for the LDAP server. For Active DirectoryMicrosoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed., the value is .
Timeout interval within a range of 1–30 seconds for one RADIUS request. The default value is 5.
The maximum number of authentication requests that can be sent to the server group. You can specify a value within the range of 1–5. The default value is 3.
Name of the server.
The secret key to authenticate communication between the TACACS client and server.
The TCPTransmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. IP port used by the server. The default port number is 49.
A number between 1 and 30 seconds to indicate the timeout period for TACACS+Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS. requests. The default value is 20 seconds.
IP address of the server.
The maximum number of authentication attempts to be allowed. The default value is 3.
Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.
Enable this option to allow the authorization of sessions.
—The external captive portal servers are used for authenticating guest users in a WLAN.
Enter a name for the profile.
Select any one of the following types of authentication:
- —Select this option to enable user authentication against a RADIUS server.
- Authentication Text—Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
Enter the IP address or the host name of the external splash page server.
Enter the URLUniform Resource Locator. URL is a global address used for locating web resources on the Internet. of the external captive portal server.
Enter the port number that is used for communicating with the external captive portal server.
Select this to enforce clients to use HTTPSHypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.
This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select to prevent guest users from using the network, or to access the network.
Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.
Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.
On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically allowlisted.
If the page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.
Specify a redirect URL if you want to redirect the users to another URL.
Name of the server.
IP address of the server.
A port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.
A shared key for communicating with the external RADIUS server.
Change of Authorization(CoA) is a subset of Dynamic Authorization include disconnecting messages.
- Click .
To assign the authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server when configuring a WLAN SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. profile.
