
Extreme Networks Summit WM3000 Series - Page 398

513 pages
Controller Security
Summit WM3000 Series Controller System Reference Guide, page 398
User Database
User group names and associated users (in each group) can be created in the local database. The User
ID in the received access request is mapped to the associated wireless group for authentication. The
controller supports the creation of 500 users and 100 groups within its local database. Each group can
have a maximum of 500 users.
Authentication of Terminal/Management User(s)
The local Radius server can be used to authenticate users. A normal user (with a password) should be
created in the local database. These users should not be a part of any group.
Access Policy
Access policies are defined for a group created in the local database. Each user is authorized based on
the access policies defined for the groups to which the user belongs. Access policies allow the
administrator to control access for a set of users based on the WLANs (ESSIDs).
Group to WLAN access is controlled using a “Time of the day” access policy.
Consider User1 (part of Group 1), which is mapped to WLAN1 (ESSID of WLAN1). When the user tries
to connect to WLAN1, the user is prompted to enter his/her credentials. Once the authentication and
authorization phases are successful, only User1 is able to access WLAN1 for the allowed duration (but
not any other WLAN). Each user group can be configured to be a part of one VLAN. All the users in
that group are assigned the same VLAN ID if dynamic VLAN authorization has been enabled on the
WLAN.
Proxy to External Radius Server
Proxy realms are configured on the controller. Each proxy realm holds the details of the external
Radius server to which that realm's users are to be proxied. The obtained user ID is parsed in one of
the formats user@realm, realm/user, user%realm or user/realm to determine which proxy Radius server is
to be used.
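
The realm lookup described above, sketched in Python as an added example; it is not code from the guide or from the controller firmware. The realm names, the server addresses, the function names, the rule for resolving the "/" delimiter shared by realm/user and user/realm, and the local fallback for unknown realms are all assumptions.

```python
# Added example: choosing a proxy Radius server from the realm in a user ID.
# Constructed proxy realm table (realm -> server address, port).
# 192.0.2.0/24 is reserved documentation address space.
PROXY_REALMS = {
    "corp.example": ("192.0.2.10", 1812),
    "guest.example": ("192.0.2.20", 1812),
}


def split_user_id(user_id, realms=PROXY_REALMS):
    """Return (user, realm); realm is None when the ID is handled locally.

    Assumption: realm/user and user/realm share a delimiter, so a part is
    accepted as the realm only if it names a configured proxy realm.
    """
    candidates = []
    for delim in ("@", "%"):                 # user@realm, user%realm
        if delim in user_id:
            user, realm = user_id.rsplit(delim, 1)
            candidates.append((user, realm))
    if "/" in user_id:
        left, right = user_id.split("/", 1)
        candidates.append((right, left))     # realm/user
        candidates.append((left, right))     # user/realm
    matches = {(u, r.lower()) for u, r in candidates
               if u and r.lower() in realms}
    if len(matches) > 1:
        # Refuse to guess: a wrong guess sends the request to the wrong server.
        raise ValueError("ambiguous realm in user ID: %r" % user_id)
    # Assumption: an ID with no configured realm goes to the local database.
    return matches.pop() if matches else (user_id, None)


def select_server(user_id, realms=PROXY_REALMS):
    """Return (server, user); server is "local" or an (address, port) pair."""
    user, realm = split_user_id(user_id, realms)
    return ("local", user) if realm is None else (realms[realm], user)
```

An ID such as corp.example/guest.example matches a configured realm on both sides of the slash, so the sketch rejects it instead of picking one interpretation.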
LDAP
An external data source based on LDAP can be used to authorize users. The Radius server looks for
user credentials in the configured external LDAP server and authorizes users. The controller supports
two LDAP server configurations.
Accounting
Accounting should be initiated by the Radius client. Once the Local/internal Radius server is started, it
listens for both authentication and accounting records.
Using the Controller’s Radius Server Versus an External Radius
The controller ships with a default configuration defining the local Radius Server as the primary
authentication source (default users are admin with superuser privileges and operator with monitor