Configure RADIUS Server Settings

Before you begin

You must create a wireless network SSID with Enterprise 802.1X (WPA/WPA2?WPA3) access security. This option requires users to authenticate themselves by entering a user name and password, which are checked against a RADIUS authentication server.

About this task

Extreme Networks devices use the wireless network (SSID) RADIUS server group, which can include up to four RADIUS servers, for RADIUS lookups, unless there is a device classification rule directing them to a different group based on their location or other parameters. The servers in the group can be external RADIUS servers, Extreme Networks A3 RADIUS servers, Extreme Networks RADIUS servers, Extreme Networks proxy servers, or a combination of these four types. Use this task for your configuration.

Procedure

Choose a RADIUS server group profile name.
Enter an optional server group description.
Select Settings next to the description field and enter or select the following:
- Retry Interval: Enter an unresponsive primary RADIUS server Access-Request retry time. The device retries the primary server after the interval elapses, even if the current backup server is responding.
  Note
  You cannot enter commas in this field. 100,000,000 must be entered as 100000000.
- Accounting Interim Update Interval: Set the interval for sending RADIUS accounting updates to report the client session status and cumulative length.
  Note
  You cannot enter commas in this field. 100,000,000 must be entered as 100000000.
- Permit Dynamic Change Of Authorization Messages (RFC 3576): Enable the RADIUS server to dynamically change a user's authorization or to disconnect a user per RFC 3576. When you enable this parameter, devices acting as RADIUS authenticators can accept unsolicited disconnect and Change of Authorization (CoA) messages from a RADIUS authentication server, such as GuestManager, per RFC 3576. Disconnect messages terminate a user's session immediately, and CoA messages modify session authorization attributes such as VLANs and user profile IDs.
- Inject Operator-Name attribute: Select to include the Operator-Name attribute in the Access-Request and Accounting-Request message that the Extreme Networks RADIUS authenticators send to the RADIUS authentication server. This attribute's value is the domain name suffix of the Extreme Networks authenticator, usually assigned by DHCP, and helps to identify the authentication requests source. Providing source information like this can aid in troubleshooting authentication problems.
- Message Authenticator attribute: The Message Authenticator is used to authenticate the RADIUS server's reply, and encrypt passwords.
From the RADIUS server lists, select up to four existing servers to add to your wireless network (SSID) RADIUS server group.
- If there are no RADIUS servers available, see Configure External RADIUS Server Settings.
- If there are no Extreme Networks A3 Servers available, see Configure an Extreme Networks A3 Server.
- If there are no Extreme Networks RADIUS Servers available, see Configure an Extreme Networks Device as a RADIUS Server.
Select Save RADIUS Settings and Save RADIUS.

Note
In addition to those set by you or by default, Extreme Networks APs report updated DHCP-snooped IP addresses of associated clients to the RADIUS server asynchronously, or as soon as the information is available.

What to do next

Return to the Wireless Network screen to complete the Network Policy configuration.