Local RADIUS server configuration
wlc# configure
wlc(config)# radius-server local
Configure the NAS entry ap, which contains the access point subnets that the local RADIUS server will serve during Enterprise authorization of Wi-Fi users:
wlc(config-radius)# nas ap
wlc(config-radius-nas)# key ascii-text password
wlc(config-radius-nas)# network 192.168.1.0/24
wlc(config-radius-nas)# exit
The virtual server settings contain the port numbers for authentication and accounting and the settings for proxying to an external RADIUS server. The standard ports (1812 for authentication and 1813 for accounting) do not require configuration. To proxy RADIUS requests to an external server, proxy-mode must be enabled:
Server-type auth: used to proxy only authentication requests. Requests are proxied to the port specified in the port parameter (by default 1812).
Server-type acct: used to proxy only accounting requests. Requests are proxied to the port specified in the port parameter (by default 1812). Change it if necessary (the default port for accounting is 1813).
Server-type all: used to proxy both authentication and accounting requests. Authentication requests are proxied to the port specified in the port parameter (by default 1812), and accounting requests are proxied to port = 'port'+1 (i.e. 1813 by default).
Configure the external server (virtual-server): specify its address, type (server-type) and key; you can also specify the port. By default the server type is authentication (server-type auth) and the port is 1812. If these settings do not need to change, it is enough to configure the address and key for the server:
wlc(config-radius)# virtual-server default
wlc(config-radius-vserver)# enable
wlc(config-radius-vserver)# proxy-mode
wlc(config-radius-vserver)# upstream-server eltex
wlc(config-radius-upstream-server)# host 10.10.10.12
wlc(config-radius-upstream-server)# server-type all
wlc(config-radius-upstream-server)# key ascii-text password
wlc(config-radius-upstream-server)# exit
wlc(config-radius-vserver)# exit
wlc(config-radius)# enable
wlc(config-radius)# exit
Switch to the settings of the AP configuration management module:
wlc(config)# wlc
Configure the RADIUS server profile that will be used to authenticate wireless clients with the Enterprise SSID of Wi-Fi access points:
wlc(config-wlc)# radius-profile default-radius
Since we are configuring proxying of authentication and accounting requests, specify the address of the controller's local RADIUS server in the AP subnet.
The RADIUS server key must match the key configured for the NAS ap in radius-server local.
wlc(config-wlc-radius-profile)# auth-address 192.168.1.1
wlc(config-wlc-radius-profile)# auth-password ascii-text password
If you use proxying on SoftWLC, specify the RADIUS domain. This domain must match the domain in which the Enterprise user accounts are created on SoftWLC.
Specify the IP address of the RADIUS server of the access point subnet used for accounting and the RADIUS server key:
wlc(config-wlc-radius-profile)# acct-address 192.168.1.1
wlc(config-wlc-radius-profile)# acct-password ascii-text password
Enable sending of accounting to the RADIUS server:
wlc(config-wlc-radius-profile)# acct-enable
Configure the AP SSID:
wlc(config-wlc)# ssid-profile default-ssid
Specify in ssid-profile the previously configured RADIUS server settings profile that will be used for Wi-Fi user authorization:
wlc(config-wlc-ssid-profile)# radius-profile default-radius
To configure an external RADIUS server, write the address and key of the local WLC-30 RADIUS server to the NAS table of the external RADIUS server.
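The consistency rules in the steps above (profile keys equal to the NAS key, addresses inside the AP subnet, the server-type port rule) can be checked offline before the configuration is applied. This is an added example, not Eltex code: the parser, its function names and the sample input are assumptions built from the commands on this page, and it treats the NAS network as the AP subnet.

```python
import ipaddress

# Constructed input: settings from this page, prompts stripped.
SAMPLE = """\
nas ap
key ascii-text password
network 192.168.1.0/24
upstream-server eltex
server-type all
key ascii-text password
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
acct-address 192.168.1.1
acct-password ascii-text password
"""

def parse(text):
    # Map (section, keyword) -> last word of each command line.
    cfg, section = {}, None
    for words in (line.split() for line in text.splitlines()):
        if words and words[0] in ("nas", "upstream-server", "radius-profile"):
            section = words[0]
        elif section and len(words) > 1:
            cfg[(section, words[0])] = words[-1]
    return cfg

def upstream_ports(server_type="auth", port=1812):
    """Ports requests are proxied to, per the server-type rules above."""
    return {"auth": {"auth": port}, "acct": {"acct": port},
            "all": {"auth": port, "acct": port + 1}}[server_type]

def check(cfg):
    issues = []
    nas_key = cfg.get(("nas", "key"))
    ap_net = ipaddress.ip_network(cfg[("nas", "network")])
    for kind in ("auth", "acct"):
        if cfg.get(("radius-profile", f"{kind}-password")) != nas_key:
            issues.append(f"{kind}-password differs from the NAS key")
        addr = cfg.get(("radius-profile", f"{kind}-address"))
        if addr and ipaddress.ip_address(addr) not in ap_net:
            issues.append(f"{kind}-address {addr} is outside {ap_net}")
    up = lambda k, d: cfg.get(("upstream-server", k), d)
    if upstream_ports(up("server-type", "auth"), int(up("port", 1812))) == {"acct": 1812}:
        issues.append("server-type acct still proxies to 1812, not 1813")
    if "password" in (nas_key, up("key", None)):
        issues.append("placeholder key 'password' is still configured")
    return issues
```

Run on the sample, the only finding is the placeholder key: the shared secret `password` used throughout this page is a stand-in, and both the NAS entry and the upstream server need their own strong keys.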
Configuration example: