The RADIUS server ensures the information is correct using an authentication scheme like PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information. A RADIUS server policy can also use an external LDAP resource to verify user credentials.
To review RADIUS existing server policies, manage the creation of new policies of manage the modification of existing policies:
RADIUS Server Policy | Lists the administrator assigned policy name defined upon creation of the server policy. |
RADIUS User Pools | Lists the user pools assigned to this server policy. These are the client users who an administrator has assigned to each listed group and who must adhere to its network access requirements before granted access to controller or service platform resources. |
Default Source | Displays the RADIUS resource designated for user authentication requests. Options include Local (resident controller or service platform RADIUS server resources) or LDAP (designated remote LDAP resource). |
Default Fallback | States whether a fallback is enabled providing a revert back to local RADIUS resources if the designated external LDAP resource were to fail or become unavailable. A green checkmark indicates Default Fallback is enabled. A red “X” indicates it‘s disabled. Default Fallback is disabled by default. |
Authentication Type | Lists the local EAP authentication
scheme used with this policy. The following EAP
authentication types are supported by the local RADIUS and
remote LDAP servers:
|
CRL Validation | Specifies whether a Certificate Revocation List (CRL) check is made. A green checkmark indicates CRL validation is enabled. A red “X” indicates it‘s disabled. A CRL is a list of revoked certificates issued and subsequently revoked by a Certification Authority (CA). Certificates can be revoked for a number of reasons including failure or compromise of a device using a certificate, a compromise of a certificate key pair or errors within an issued certificate. The mechanism used for certificate revocation depends on the CA. |
RADIUS User Pools | Select the user pools (groups of existing client users) to apply to this server policy. If there is not an existing user pool configuration suitable for the deployment, select the Create link and define a new configuration. |
LDAP Server Dead Period | Set an interval in either Seconds (0 - 600) or Minutes (0 - 10) for planned LDAP server inactivity. A dead period is only implemented when additional LDAP servers are configured and available for LDAP failover. The default setting is 5 minutes. |
LDAP Groups | Use the drop-down menu to select LDAP groups to apply the server policy configuration. Select the Create or Edit icons to either create a new group or modify an existing group. Use the arrow icons to add and remove groups as required. |
LDAP Group Verification | Select the checkbox to set the LDAP group search configuration. |
LDAP Chase Referral | Select this option to enable the chasing of referrals from an
external LDAP server resource. An LDAP referral is a controller or service platform‘s way of indicating to a client it does not hold the section of the directory tree where a requested content object resides. The referral is the controller or service platform‘s direction to the client a different location is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the domain controller to generate another referral, although it usually does not take long to discover the object does not exist and inform the client. This feature is disabled by default. |
Local Realm | Define the LDAP performing authentication using information from an LDAP server. User information includes user name, password, and groups to which the user belongs. |
Default Source | Select the RADIUS resource for user authentication with this server policy. Options include Local for the local user database or LDAP for a remote LDAP resource. The default setting is Local. |
Default Fallback | Define whether a fallback is enabled providing a revert back to local RADIUS resources if the designated external LDAP resource were to fail or become unavailable. The default fallback feature is disabled by default. |
Authentication Type | Use the drop-down menu to select
the EAP authentication scheme used with this policy. The
following EAP authentication types are supported by the
local RADIUS and remote LDAP servers:
|
Do Not Verify Username | Select this option to use certificate expiration as matching criteria, as opposed to the hostname. This setting is disabled by default. |
Enable EAP Termination | Select this option to enable EAP termination with this RADIUS server policy. This setting is disabled by default. |
Enable CRL Validation | Select this option to enable a Certificate Revocation List (CRL) check. Certificates can be checked and revoked for a number of reasons including failure or compromise of a device using a certificate, a compromise of a certificate key pair or errors within an issued certificate. This option is disabled by default. |
Bypass CRL Check | Select the option to bypass a certificate revocation list (CRL) check when a CRL is not detected. This setting is enabled by default. A CRL is a list of certificates that have been revoked or are no longer valid. |
Allow Expired CRL | Select this option to allow the use of an expired CRL. This option is enabled by default |
Precedence | Use the spinner control to set the numeric precedence (priority) for this authentication data source rule. Rules with the lowest precedence receive the highest priority. Set the value between 1 - 5000. This value is mandatory. |
SSID | Enter or modify the SSID associated with the authentication data source rule. The maximum number of characters is 32. Do not use any of these characters (< > | " & \ ? ,). |
Source | Use the drop-down menu to define the RADIUS data source for this authentication data source rule as Local or LDAP |
Fallback | Select this option to fallback to the Local resource for RADIUS data authentication from LDAP for this authentication data source rule. |
Username | Enter a 63-character maximum username for the LDAP server‘s domain administrator. This is the username defined on the LDAP server for RADIUS authentication requests. |
Password | Enter and confirm the 32 character maximum password (for the username provided above). The successful verification of the password maintained on the controller or service platform enables PEAP-MSCHAPv2 authentication using the remote LDAP server resource. |
Retry Timeout | Set the number of seconds (60 - 300) or minutes (1 - 5) to wait between LDAP server access requests when attempting to join the remote LDAP server‘s domain. The default setting is one minute. |
Redundancy | Define the Primary or Secondary LDAP agent configuration used to connect to the LDAP server domain. |
Domain Name | Enter the name of the domain (from 1 - 127 characters) to which the remote LDAP server resource belongs. |
Enable Session Resumption | Select the checkbox to control volume and the duration cached data is maintained by the server policy upon the termination of a server policy session. The availability and quick retrieval of the cached data speeds up session resumption. This setting is disabled by default. |
Cached Entry Lifetime | If enabling session resumption, use the spinner control to set the lifetime (1 - 24 hours) cached data is maintained by the RADIUS server policy. The default setting is 1 hour. |
Maximum Cache Entries | If enabling session resumption, use the spinner control to define the maximum number of entries maintained in cache for this RADIUS server policy. The default setting is 128 entries. |