Home > GUI > Configuration > RADIUS Server Settings
|
RADIUS Server Settings
Configure a RADIUS server group.
Navigate using the tab icons. Hover over an icon to see the name of the tab.
Configure > Network Policies > policy_name > Wireless Networks > ssid_name > Configuration Guide > RADIUS Server Group > Add RADIUS Server Group
or
Configure > Network Policies > policy_name > Wireless Networks > ssid_name > Configuration Guide > RADIUS Server Group > RADIUS_server_group_name
RADIUS authentication is used for Enterprise WPA/WPA2 802.1X and WEP 802.1X SSIDs, MAC authentication, and captive web portals that require user authentication. For all these, Extreme Networks APs can use their own built-in RADIUS servers, external RADIUS servers, Extreme Networks RADIUS proxy servers, or any combination.
For Enterprise 802.1X SSIDs and captive web portals with user authentication, you also have the choice to use the cloud-based ExtremeCloud IQ authentication service. This service supports far more RADIUS users than individual APs support and is commonly accessible from multiple locations, making it ideal for institutions with a large number of permanent users who move frequently among various sites. Another advantage of storing RADIUS users in the cloud is you can add, modify, and delete users and user groups without updating your Extreme Networks RADIUS servers. External RADIUS servers also offer these benefits; however, if you do not already have a RADIUS infrastructure set up, the ExtremeCloud IQ authentication service offers a simple alternative.
For Help about each type of RADIUS server, see the following:
External RADIUS server: External RADIUS Server Settings
Extreme Networks RADIUS server: AAA Server Settings
Extreme Networks RADIUS proxy: Extreme RADIUS Proxy Servers
Note
ExtremeCloud IQ Connect only supports external RADIUS servers.From the Standard Wireless Network Settings window, you can configure an external or Extreme Networks RADIUS server group. Extreme Networks devices use the wireless network (SSID) RADIUS server group, which can include up to four RADIUS servers, for RADIUS lookups unless there is a device classification rule directing them to a different group based on their location or other parameters. The servers in the group can be external RADIUS servers, Extreme Networks RADIUS servers, Extreme Networks proxy servers, or a combination of these three types.
The following sections describe how to view, add, select, modify, and delete wireless network (SSID)-specific RADIUS objects. (See External RADIUS Server Settings to view, add, select, modify, and delete external RADIUS common objects.)
Use the following steps to add or modify a RADIUS server group.
In the Standard Wireless Network Settings window, in the left navigation bar, under RADIUS Server Group, select Add RADIUS Server Group or RADIUS_server_group_name.
Enter or select the following:
RADIUS Server Group Name: Choose a RADIUS server group profile name.
RADIUS Server Group Description: Enter an optional server group description.
From the RADIUS server lists, select up to four existing servers to add to your wireless network (SSID) RADIUS server group. If there are no RADIUS servers available, see External RADIUS Server Settings for information about how to configure some.
In the Configure RADIUS Servers dialog box, select 
. Enter or select the following:
Retry Interval: Enter an unresponsive primary RADIUS server Access-Request retry time. Range = 60 - 100000000 seconds. Default = 600 seconds. The device retries the primary server after the interval elapses even if the current backup server is responding. (You cannot enter commas in this field; that is, "100,000,000" must be entered as "100000000".)
Accounting Interim Update Interval: Set the interval for sending RADIUS accounting updates to report the status and cumulative length of client sessions. Range = 10 - 100000000 seconds. Default = 600 seconds. (You cannot enter commas in this field; that is, "100,000,000" must be entered as "100000000".)
Permit Dynamic Change Of Authorization Messages (RFC 3576): Allow the RADIUS server to dynamically change a user's authorization or to disconnect a user per RFC 3576. Default is Off.
When you enable this parameter, devices acting as RADIUS authenticators can accept unsolicited disconnect and CoA (Change of Authorization) messages from a RADIUS authentication server, such as GuestManager per RFC 3576. Disconnect messages terminate a user's session immediately, and CoA messages modify session authorization attributes such as VLANs and user profile IDs.
Inject Operator-Name attribute: Select to include the Operator-Name attribute in the Access-Request and Accounting-Request message that the Extreme Networks RADIUS authenticators send to the RADIUS authentication server. The value of this attribute is the domain name suffix of the Extreme Networks authenticator, usually assigned by DHCP, and helps to identify the source of the authentication requests. Providing source information like this can aid in troubleshooting authentication problems. The default is Off.
Message Authenticator attribute: The Message Authenticator is used to authenticate the reply from the RADIUS server, and is used in encrypting passwords. The default is Off.
Select Save RADIUS Settings and Save RADIUS.
Extreme Networks APs report updated DHCP-snooped IP addresses of associated clients to the RADIUS server asynchronously, or as soon as the information is available. These updates occur in addition to those set by default or which you set.
Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.