Remote Authentication Dial-In User Service (RADIUS) is a client or server protocol and software. It enables remote access servers to authenticate users and authorize their access. RADIUS is a distributed client or server system that secures networks against unauthorized access.
RADIUS clients send authentication requests to the controller or service platform's local RADIUS server containing user authentication and network service access information. RADIUS enables centralized management of authentication data (usernames and passwords). When a client attempts to associate to the controller or service platform, authentication requests are sent to the RADIUS server. Authentication and encryption takes place through the use of a shared secret password that is not transmitted over the network.
The controller‘s local RADIUS server stores the user database locally, and can optionally use a remote user database. It ensures higher accounting performance. It allows the configuration of multiple users, and assign policies for group authorization.
Controllers and service platforms have full internal RADIUS resource capability. Additionally, all controllers maintain a local RADIUS resource. The local enforcement of user-based policies is configurable.
User policies include dynamic VLAN assignment and access restrictions based on time of day. A certificate is required for EAP TTLS, PEAP, and TLS RADIUS authentication (configured with the RADIUS service).
Dynamic VLAN assignment is achieved based on the RADIUS server response. A user who associates to WLAN1 (mapped to VLAN1) can be assigned a different VLAN after authentication with the RADIUS server. This dynamic VLAN assignment overrides the WLAN's VLAN ID to which the user associates.