Creating RADIUS Groups

About this task

The RADIUS server allows the configuration of user groups with common user policies. User group names and associated users are stored in a local database. The user ID in the received access request is mapped to the specified group for authentication. RADIUS groups allow the enforcement of the following policies for managing user access:

  • Assign a VLAN to the user upon successful authentication
  • Define a start and end time (in HH:MM format) between which the user is allowed to authenticate
  • Define the list of SSIDs to which a user belonging to this group is allowed to associate
  • Define the days of the week the user is allowed to log in
  • Rate limit traffic

To access the RADIUS Groups menu:

Procedure

  1. Select Configuration > Services > RADIUS from the main menu.
  2. Select Groups.
    The browser displays a list of the existing groups.
    [Figure: RADIUS Group Screen]
  3. Select a group from the Group Browser to view the following read-only information for existing groups:
    RADIUS Group Policy - Displays the group name or identifier assigned to each listed group when it was created. The name cannot exceed 32 characters or be modified as part of the group edit process.
    Guest User Group - Specifies whether a user group only has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each group. A red “X” designates the group as having permanent access to the local RADIUS server. Guest user groups cannot be made management groups with unique access and role permissions.
    Management Group - A green checkmark designates this RADIUS user group as a management group. Management groups can be assigned unique access and role permissions.
    Role - If a group is listed as a management group, it may also have a unique role assigned. Available roles include:
    • monitor - Read-only access
    • helpdesk - Helpdesk/support access
    • network-admin - Wired and wireless access
    • security-admin - Full read/write access
    • system-admin - System administrator access
    • superuser - Super user access
    • webuser-admin - Rights to manage captive portal users
    • vendor-admin - Rights to manage device onboarding
    VLAN - Displays the group's VLAN ID. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the network (once authenticated by the local RADIUS server).
    Time Start - Specifies the time users within each listed group can access local RADIUS resources.
    Time Stop - Specifies the time users within each listed group lose access to local RADIUS resources.
  4. Click Add to create a new RADIUS group, Edit to modify the configuration of an existing group, or Delete to permanently remove a selected group.
    [Figure: RADIUS Group Policy - Add/Edit Screen]
  5. Set the following parameters to define the user group configuration:
    RADIUS Group Policy - If you are creating a new RADIUS group, assign it a name to help differentiate it from others with similar configurations. The name cannot exceed 32 characters or be modified as part of a RADIUS group edit process.
    Guest User Group - Select this option to assign only guest access and temporary permissions to the local RADIUS server. Guest user groups cannot be made management groups with unique access and role permissions.
    VLAN - Select this option to assign a specific VLAN to this RADIUS user group. Ensure Dynamic VLAN assignment (single VLAN) is enabled for the WLAN in order for the VLAN assignment to work properly.

    For more information, see “Configuring WLAN Basic Configuration” on page 529.

    WLAN SSID - Assign a list of SSIDs users within this RADIUS group are allowed to associate with. An SSID cannot exceed 32 characters. Assign WLAN SSIDs representative of the configurations a guest user will need to access. The parameter is not available if this RADIUS group is a management group.
    Rate Limit from Air - Select the checkbox to set the rate limit for clients within the RADIUS group. Use the spinner to set a value from 100 to 1,000,000 kbps. Setting a value of 0 disables rate limiting.
    Rate Limit To Air - Select the checkbox to set the rate limit from clients within the RADIUS group. Use the spinner to set a value from 100 to 1,000,000 kbps. Setting a value of 0 disables rate limiting.
    Management Group - Select this option to designate this RADIUS group as a management group. If set as a management group, assign member roles (System-Admin, Help Desk, etc.) using the Role drop-down menu. This feature is disabled by default.
    Access - If a group is listed as a management group, assign how the devices can be accessed. Available access types are:
    • Web - Web access through browser is permitted.
    • SSH - SSH access through command line is permitted.
    • Telnet - Telnet access through command line is permitted.
    • Console - Console access to the device is permitted.
    Role - If a group is listed as a management group, it may also have a unique role assigned. Available roles include:
    • monitor - Read-only access
    • helpdesk - Helpdesk/support access
    • network-admin - Wired and wireless access
    • security-admin - Full read/write access
    • system-admin - System administrator access
    • superuser - Super user access
    • webuser-admin - Rights to manage captive portal users
    • vendor-admin - Rights to manage device onboarding
    Inactivity Timeout - Select the option to enable inactivity timeout. Use the drop-down menu to specify an interval in Seconds (60 - 86,400). When no frame is received for this duration, the session is timed out.

    The default is 60 seconds.

    Session Time - Select the option to enable session timeout. Use the drop-down menu to set a client session time in Minutes (5 - 144,000). This is the session time a client is granted upon successful authentication. When this time expires, the RADIUS session is terminated.
  6. Set the Schedule to configure access times and dates.

    Select Restrict Access By Time to enable time-based access.

    Time Start - Use the spinner control to set the time (in HH:MM format) RADIUS group members are allowed to access the RADIUS server resources. Select either the AM or PM radio button to set the time as morning or evening.
    Time Stop - Use the spinner control to set the time (in HH:MM format) RADIUS group members are denied access to RADIUS server resources. Select either the AM or PM radio button to set the time as morning or evening. If already logged in, the RADIUS group user is deauthenticated from the WLAN.
    Days - Optionally select the Restrict Access by Day Of Week option, and select the days on which RADIUS group members can access RADIUS resources. This is an additional means of refining the access permissions of RADIUS group members.
  7. Click OK to save the changes.
    Click Reset to revert to the last saved configuration.
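
The limits listed in step 5 can be checked against a planned group definition before it is entered in the UI. The following is an added example, not part of the product documentation or the vendor's code; the dict layout and key names are hypothetical, and the Telnet finding is an assumption of this example based on Telnet carrying management sessions in cleartext.

```python
# Added example: lint a RADIUS group definition against the limits on this page.
# The dict layout and key names are hypothetical, not a product export format.
ROLES = {"monitor", "helpdesk", "network-admin", "security-admin",
         "system-admin", "superuser", "webuser-admin", "vendor-admin"}
ACCESS = {"web", "ssh", "telnet", "console"}


def _in_range(value, low, high):
    return isinstance(value, int) and low <= value <= high


def validate_group(g):
    """Return a list of findings; an empty list means the group passes."""
    findings = []
    if not 1 <= len(g.get("name", "")) <= 32:
        findings.append("name must be 1-32 characters")
    mgmt, guest = g.get("management", False), g.get("guest", False)
    if mgmt and guest:
        findings.append("guest group cannot be a management group")
    if mgmt and g.get("ssids"):
        findings.append("WLAN SSID list is not available for management groups")
    for ssid in g.get("ssids", []):
        if len(ssid) > 32:
            findings.append(f"SSID longer than 32 characters: {ssid!r}")
    for key in ("rate_from_air_kbps", "rate_to_air_kbps"):
        rate = g.get(key, 0)  # 0 disables rate limiting
        if rate != 0 and not _in_range(rate, 100, 1_000_000):
            findings.append(f"{key} must be 0 or 100-1,000,000 kbps")
    if not _in_range(g.get("inactivity_timeout_s", 60), 60, 86_400):
        findings.append("inactivity timeout must be 60-86,400 seconds")
    if not _in_range(g.get("session_time_min", 5), 5, 144_000):
        findings.append("session time must be 5-144,000 minutes")
    role, access = g.get("role"), set(g.get("access", []))
    if not mgmt and (role or access):
        findings.append("role and access apply only to management groups")
    if mgmt:
        if role is not None and role not in ROLES:
            findings.append(f"unknown role: {role!r}")
        findings += [f"unknown access type: {a!r}" for a in sorted(access - ACCESS)]
        if "telnet" in access:
            findings.append("telnet is cleartext; prefer ssh for management access")
    return findings

# Constructed sample groups, not taken from a real deployment.
GOOD = {"name": "staff", "ssids": ["corp-wlan"], "rate_to_air_kbps": 5000,
        "inactivity_timeout_s": 600, "session_time_min": 480}
BAD = {"name": "x" * 33, "guest": True, "management": True, "ssids": ["corp"],
       "rate_to_air_kbps": 50, "inactivity_timeout_s": 30,
       "role": "root", "access": ["telnet"]}
```

Calling validate_group(BAD) returns one finding per violated limit, so the same function can gate a change request or audit an inventory of existing groups.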