Configure RADIUS Server Policy

About this task

The RADIUS server ensures that the information is correct using an authentication scheme like PAP, CHAP, or EAP. The user's proof of identification is verified along with other information. A RADIUS server policy can also use an external LDAP resource to verify user credentials.

Procedure

  1. Select Policies > RADIUS Server.
    The RADIUS Server dashboard opens.
  2. Select to add a new policy or to edit an existing policy.
  3. Configure the following server policy settings:
    Setting - Description
    RADIUS User Pools - Select one or multiple RADIUS user pools from the available list.
    RADIUS Groups - Select one or multiple RADIUS user groups.
    LDAP Server Dead Period - Type or use the spinner to assign the LDAP server inactive period, in seconds. The range is 0 through 600 seconds, and the default is 300 seconds.
    LDAP Group Verification - Select this option to add verification to an LDAP group. This option is selected by default.
    LDAP Chase Referral - This option is not selected by default.
    Local Realm - Type a local realm name and add it to the RADIUS server.
  4. Configure the following authentication settings:
    Setting - Description
    Default Source - Select the RADIUS source designated for user authentication requests. The default selection is Local.
    Default Fallback - Select this option to activate a fallback that reverts to local RADIUS resources if the designated external LDAP resource fails or becomes unavailable. This option is not selected by default.
    Sources - Select Add to create new authentication data source settings. Settings include:
    • Precedence - Set a precedence between 1 and 5000
    • SSID - Assign an SSID
    • Source - Select a local or LDAP source
    • Fallback - Select this option to provide fallback for the source
    Authentication Type - Select an authentication type from the list of available authentication options. The default selection is ALL.
    Do Not Verify Username - Select this option to not verify a username during user authentication.
    Enable EAP Termination - Extensible Authentication Protocol (EAP) is used to provide secured authentication access to WLANs. When using an external RADIUS server, EAP requests are forwarded. Select this option to cancel EAP authentication.
    Enable CRL Validation - Select this option to validate the CRL check.
    Bypass CRL Check - Select this option to skip the CRL check. This option is selected by default.
    Allow Expired CRL - Select this option to permit the CRL check past the date. This option is selected by default.
    LDAP Agent - Select Add to create a new LDAP agent. Configure the following LDAP Agent settings:
    • Username - Type a unique username for the LDAP agent
    • Password - Type a password to use with the LDAP agent username
    • Confirm Password - Retype the password
    • Redundancy - Select primary or secondary redundancy. The default option is primary
    • Domain Name - Provide a domain name for the LDAP Agent

    Select Add to save the LDAP Agent settings.

  5. Configure session resumption or fast reauthentication settings:
    Setting - Description
    Enable Session Resumption - Select this option to force EAP-supported clients to reauthenticate.
    Cached Entry Lifetime - Assign a cached entry lifetime between 1 and 24 hours. The default option is 1 hour.
    Maximum Cache Entries - Assign maximum cache entries between 1 and 1,024. The default option is 128 entries.
  6. Select Save to update server policy configuration.
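
The following is an added example, not part of the product or its documentation: a pre-save review of a planned policy against the ranges and defaults listed in steps 3 through 5. The dictionary keys, SSID names, and the sample policy are hypothetical and constructed for illustration; the product itself is configured through the dashboard.

```python
# Added example. Keys are hypothetical names for the settings in the procedure,
# not the product's API or export format.
RANGES = {  # inclusive ranges stated in the procedure
    "ldap_server_dead_period": (0, 600),  # seconds
    "cached_entry_lifetime": (1, 24),     # hours
    "maximum_cache_entries": (1, 1024),
}
DEFAULTS = {  # defaults stated in the procedure
    "ldap_server_dead_period": 300, "default_source": "local",
    "default_fallback": False, "bypass_crl_check": True,
    "allow_expired_crl": True, "cached_entry_lifetime": 1,
    "maximum_cache_entries": 128,
}

def audit_policy(policy):
    """Return (errors, review): range violations and settings to double-check."""
    p = {**DEFAULTS, **policy}
    errors, review = [], []
    for key, (lo, hi) in RANGES.items():
        if not lo <= p[key] <= hi:
            errors.append(f"{key}={p[key]} outside {lo}-{hi}")
    for src in p.get("sources", []):
        if not 1 <= src["precedence"] <= 5000:
            errors.append(f"precedence={src['precedence']} outside 1-5000")
        if src["source"] == "ldap" and not src.get("fallback", False):
            review.append(f"SSID {src['ssid']}: LDAP source without fallback")
    if p["default_source"] == "ldap" and not p["default_fallback"]:
        review.append("Default Source is LDAP but Default Fallback is off")
    # Both CRL relaxations are selected by default, so enabling validation
    # alone leaves them on; how the product resolves that is not stated.
    if p.get("enable_crl_validation", False):
        if p["bypass_crl_check"]:
            review.append("CRL validation enabled with Bypass CRL Check selected")
        if p["allow_expired_crl"]:
            review.append("CRL validation enabled with Allow Expired CRL selected")
    # No default is stated for this option; unset is treated as not selected.
    if p.get("do_not_verify_username", False):
        review.append("Do Not Verify Username is selected")
    return errors, review

# Constructed sample policy, for illustration only.
SAMPLE = {
    "ldap_server_dead_period": 900,
    "enable_crl_validation": True,
    "sources": [
        {"precedence": 10, "ssid": "corp-wlan", "source": "ldap"},
        {"precedence": 6000, "ssid": "guest-wlan", "source": "local"},
    ],
}

if __name__ == "__main__":
    errors, review = audit_policy(SAMPLE)
    for line in errors + review:
        print(line)
```

An empty policy (all stated defaults) produces no findings; the CRL items appear only once Enable CRL Validation is selected while the two default-selected CRL options are left unchanged.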