The RADIUS server ensures the information is correct using an authentication scheme like PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information. A RADIUS server policy can also use an external LDAP resource to verify user credentials. The creation and utilization of a single RADIUS server policy is supported.
To manage the access point‘s RADIUS server policy:
RADIUS Server Policy | Select the user pools (groups of existing client users) to apply to this server policy. If there is not an existing user pool configuration suitable for the deployment, select the Create link and define a new configuration. For more information, see Defining User Pools. |
LDAP Server Dead Period | Set an interval in either seconds (0 - 600) or minutes (0- 10) during which the access point will not contact its LDAP server resource. A dead period is only implemented when additional LDAP servers are configured and available. |
LDAP Groups | Use the drop-down menu to select LDAP groups to apply the server policy configuration. Select the Create or Edit icons as needed to either create a new group or modify an existing group. Use the arrow icons to add and remove groups as required. |
LDAP Group Verification | Select the check box to set the LDAP group search configuration. This setting is enabled by default. |
LDAP Chase Referral | Select the check box to set the LDAP referral chase feature. This settings is enabled by default. When enabled, if the LDAP server does not contain the requested information, it indicates to the LDAP client that it does not have the requested information and provides the client with another LDAP server that could have the requested information. It is up to the client to contact the other LDAP server for its information. |
Local Realm | Define the LDAP Realm performing authentication using information from an LDAP server. User information includes user name, password, and the groups to which the user belongs. |
Default Source | Select the RADIUS resource for user authentication with this server policy. Options include Local for the local user database or LDAP for a remote LDAP resource. The default setting is Local. |
Default Fallback | Select this option to indicate
that fall back from RADIUS to local is enabled in case
RADIUS authentication is not available for any reason. This
option is enabled only when LDAP is selected as the Default
Source. Use the Add Row button to add
fallback sources into the Sources
table. Provide the following information:
|
Authentication Type | Use the drop-down menu to select
the EAP authentication scheme used with this policy. The
following EAP authentication types are supported:
|
Do Not Verify Username | Enabled only when TLS is selected in Authentication Type. When selected, user name is not matched but the certificate expiry is checked. |
Enable CRL Validation | Select this option to enable a Certificate Revocation List (CRL) check. Certificates can be checked and revoked for a number of reasons including failure or compromise of a device using a certificate, a compromise of a certificate key pair or errors within an issued certificate. This option is disabled by default. |
Enable EAP Termination | Select this option to enable EAP Termination on the current RADIUS server policy. EAP Termination terminates EAP authentication at the controller |
Bypass CRL Check | Select the option to bypass a certificate revocation list (CRL) check when a CRL is not detected. This setting is enabled by default. A CRL is a list of certificates that have been revoked or are no longer valid. |
Allow Expired CRL | Select this option to allow the use of an expired CRL. This option is enabled by default |
Note
When you are using LDAP as authentication external source, the PEAP-MSCHAPV2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply for Microsoft's Active Directory Server.Username | Enter a 128-character maximum username for the LDAP server‘s domain administrator. This is the username defined on the LDAP server for RADIUS authentication requests. |
Password | Enter and confirm the 32-character maximum password (for the username provided above). The successful verification of the password maintained on the controller or service platform enables PEAP-MSCHAPv2 authentication using the remote LDAP server resource. |
Retry Timeout | Set the number of seconds (60 - 300) or minutes (1 - 5) to wait between LDAP server access requests when attempting to join the remote LDAP server‘s domain. The default setting is one minute. |
Redundancy | Define the Primary or Secondary LDAP agent configuration used to connect to the LDAP server domain. |
Domain Name | Enter the name of the domain (from 1 - 127 characters) to which the remote LDAP server resource belongs. |
Enable Session Resumption | Select the checkbox to control volume and the duration cached data is maintained by the server policy upon the termination of a server policy session. The availability and quick retrieval of the cached data speeds up session resumption. This setting is disabled by default. |
Cached Entry Lifetime | If enabling session resumption, use the spinner control to set the lifetime (1 - 24 hours) cached data is maintained by the RADIUS server policy. The default setting is 1 hour. |
Maximum Cache Entries | If enabling session resumption, use the spinner control to define the maximum number of entries maintained in cache for this RADIUS server policy. The default setting is 128 entries. |
The access point uses a RADIUS client as a mechanism to communicate with a central server to authenticate users and authorize access.
The client and server share a secret (a password). That shared secret followed by the request authenticator is put through a MD5 hash to create a 16 octet value used with the password entered by the user. If the user password is greater than 16 octets, additional MD5 calculations are performed, using the previous ciphertext instead of the request authenticator. The server receives a RADIUS access request packet and verifies the server possesses a shared secret for the client. If the server does not possess a shared secret for the client, the request is dropped. If the client received a verified access accept packet, the username and password are considered correct, and the user is authenticated. If the client receives a verified access reject message, the username and password are considered incorrect, and the user is not authenticated.
A user‘s access request is sent to a proxy server if it cannot be authenticated by local RADIUS resources. The proxy server checks the information in the user access request, and either accepts or rejects the request. If the proxy server accepts the request, it returns configuration information specifying the type of connection service required to authenticate the user.
The RADIUS proxy appears to act as a RADIUS server to the NAS, whereas the proxy appears to act as a RADIUS client to the RADIUS server.
When the access point‘s RADIUS server receives a request for a user name containing a realm, the server references a table of configured realms. If the realm is known, the server proxies the request to the RADIUS server. The behavior of the proxying server is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite requests when they are proxied.
Administrators have the option of using the access point‘s RADIUS server to authenticate users against an external LDAP server resource. An external LDAP user database allows the centralization of user information and reduces administrative user management overhead. Thus, making the RADIUS authorization process more secure and efficient.
RADIUS is not just a database. It is a protocol for asking intelligent questions to a user database (like LDAP). LDAP however is just a database of user credentials used optionally with the RADIUS server to free up resources and manage user credentials from a secure remote location. It is the access point‘s RADIUS resources that provide the tools to perform user authentication and authorize users based on complex checks and logic. There is no way to perform such complex authorization checks from a LDAP user database alone.
Redundancy | Whether the listed LDAP server IP address has been defined as a primary or secondary server resource. Designating at least one secondary server is a good practice to ensure RADIUS resources are available if a primary server becomes unavailable. |
IP Address | The IP address of the external LDAP server acting as the data source for the RADIUS server. |
Port | The physical port number used by the RADIUS server to secure a connection with the remote LDAP server resource. |
Timeout | The number of seconds (1- 10) this server session waits for a connection before aborting the connection attempt with the listed RADIUS server resource. |
Redundancy | Whether this LDAP server is a primary or secondary server resource. Primary servers are always queried for connection first. However, designating at least one secondary server is a good practice to ensure RADIUS user information is available if a primary server becomes unavailable. |
IP Address | The 128-character maximum IP address or FQDN of the external LDAP server acting as the data source for the RADIUS server. |
Login | A unique login name used for accessing the remote LDAP server resource. Consider using a unique login name for each LDAP server provided to increase the security of the connection to the remote LDAP server. |
Port | Use the spinner control to set the physical port number used by the RADIUS server to secure a connection with the remote LDAP server resource. The default port is 389.. |
Timeout | An interval between 1 - 10 seconds the RADIUS server uses as a wait period for a response from the target primary or secondary LDAP server resource. The default setting is 10 seconds. |
Secure Mode | The security mode when connecting to an external LDAP server. Use start-tls or tls-mode to connect. The start-tls mode provides a way to upgrade a plain text connection to an encrypted connection using TLS. |
Bind DN | The distinguished name to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas. |
Base DN | A distinguished name (DN) that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching. LDAP DNs begin with the most specific attribute (usually some sort of name), and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the Relative Distinguished Name (RDN). The RDN identifies an entry distinctly from any other entries that have the same parent. |
Bind Password | A valid password for the LDAP server. Select the Show check box to expose the password‘s actual character string. Otherwise the password is displayed as a string of asterisks (*). The password cannot 32 characters. |
Password Attribute | The LDAP server password attribute. The password cannot exceed 64 characters. |
GroupAttribute | LDAP systems have the facility to poll dynamic groups. In an LDAP dynamic group, an administrator can specify search criteria. All users matching the search criteria are considered a member of this dynamic group. Specify a group attribute used by the LDAP server. An attribute could be a group name, group ID, password, or group membership name. |
Group Filter | Specify the group filters used by the LDAP server. This filter is typically used for security role-to-group assignments and specifies the property to look up groups in the directory service. |
Group Membership Attribute | Specify the group member attribute sent to the LDAP server when authenticating users. |