Authentication services
Using a third-party RADIUS server
RADIUS servers, if a secondary server is defined. A reply that is received after the 
retry interval expires is ignored.
Retry interval applies to access and accounting requests that are generated by the 
following:
  • Manager or operator access to the management tool
  • User authentication by way of HTML
  • MAC-based authentication of devices
  • Authentication of the controller
  • Authentication of the controlled AP.
You can determine the maximum number of retries as follows:
  • HTML-based logins: Calculate the number of retries by taking the setting for the 
    HTML-based logins Authentication Timeout parameter and dividing it by the 
    value of this parameter. Default settings result in 4 retries (40 / 10).
  • MAC-based and controller authentication: Number of retries is infinite.
  • 802.1X authentication: Retries are controlled by the 802.1X client software.
• Authentication method: Select the default authentication method that the 
  controller uses when exchanging authentication packets with the RADIUS server 
  defined for this profile. For 802.1X users, the authentication method is always 
  determined by the 802.1X client software and is not controlled by this setting. If 
  traffic between the controller and the RADIUS server is not protected by a VPN, it is 
  recommended that you use either EAP-MD5 or MSCHAP V2 (if supported by your 
  RADIUS server). PAP and MSCHAP V1 are less secure protocols.
• NAS ID: Specify the identifier for the network access server that you want to use for 
  the controller. By default the serial number of the controller is used. The controller 
  includes the NAS-ID attribute in all packets that it sends to the RADIUS server.
• Always try primary server first: Enable this option if you want to force the 
  controller to contact the primary server first.
  Otherwise, the controller sends the first RADIUS access request to the last known 
  RADIUS server that replied to any previous RADIUS access request. If the request 
  times out, the next request is sent to the other RADIUS server, if one is defined.
  For example, assume that the primary RADIUS server was not reachable and that the 
  secondary server responded to the last RADIUS access request. When a new 
  authentication request is received, the controller sends the first RADIUS access 
  request to the secondary RADIUS server.
  If the secondary RADIUS server does not reply, the controller retransmits the 
  RADIUS access request to the primary RADIUS server. When two servers are 
  configured, the controller always alternates between the two.
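
The server-selection and retry rules described above can be modelled to predict which RADIUS server receives each request, for example when checking which server's logs should contain a given login. This is an added example, not code from the controller or its vendor; the names RadiusProfile, html_max_retries, attempt_order and html_login are hypothetical, and it assumes the computed retry count is the number of requests sent before an HTML login gives up.

```python
from dataclasses import dataclass

OTHER = {"primary": "secondary", "secondary": "primary"}

@dataclass
class RadiusProfile:
    retry_interval: int = 10            # seconds; default used in the text
    always_primary_first: bool = False  # "Always try primary server first"
    has_secondary: bool = True
    last_replied: str = "primary"       # last server that answered an access request

def html_max_retries(auth_timeout: int, retry_interval: int) -> int:
    """HTML-based logins: Authentication Timeout divided by Retry interval."""
    return auth_timeout // retry_interval

def attempt_order(profile: RadiusProfile, attempts: int) -> list:
    """Server targeted by each successive access request when none is answered."""
    if not profile.has_secondary:
        return ["primary"] * attempts
    server = "primary" if profile.always_primary_first else profile.last_replied
    order = []
    for _ in range(attempts):
        order.append(server)
        server = OTHER[server]          # a timeout sends the next request to the other server
    return order

def html_login(profile: RadiusProfile, reachable: set, auth_timeout: int = 40):
    """Simulate one HTML login. Returns (server that replied or None, servers tried)."""
    tried = []
    attempts = html_max_retries(auth_timeout, profile.retry_interval)
    for server in attempt_order(profile, attempts):
        tried.append(server)
        if server in reachable:
            profile.last_replied = server   # remembered for the next login
            return server, tried
    return None, tried

if __name__ == "__main__":
    # Constructed scenario from the text: the secondary server answered last.
    p = RadiusProfile(last_replied="secondary")
    print(html_login(p, reachable={"primary"}))  # secondary times out, primary answers
    print(html_login(p, reachable=set()))        # neither answers: alternate until retries run out
```

With "Always try primary server first" disabled, the first request of a login can go to the secondary server, so authentication records for one user may be split across both servers.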