Brocade Mobility RFS7000-GR Controller System Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual

404


53-1001944-01

Configuring the RADIUS Server

6

The switch’s local RADIUS server stores the authentication data locally, but can also be configured
to use a remote user database. A RADIUS server as the centralized authentication server is an
excellent choice for performing accounting. RADIUS can significantly increase security by
centralizing password management.

NOTE

The switch can be configured to use its own local RADIUS server or an external RADIUS server you
define and configure. For information on the benefits and risks of using the switch’s resident
RADIUS Server (as opposed to an external RADIUS Server), see “Using the switch’s RADIUS Server
versus an External RADIUS” on page 406.

NOTE

When restarting or rebooting the switch, the RADIUS server is restarted regardless of its state before
the reboot.

The RADIUS server defines authentication and authorization schemes for granting access to
wireless clients. RADIUS is also used for authenticating hotspot and remote VPN Xauth. The switch
can be configured to use 802.1X EAP for authenticating wireless clients with a RADIUS server. The
following EAP authentication types are supported by the switch’s onboard RADIUS server:

TLS

TLS and MD5

TTLS and PAP

TTLS and MSCHAPv2

PEAP and GTC

PEAP and MSCHAPv2

Apart from EAP authentication, the switch allows the enforcement of user-based policies.
User-based policies include dynamic VLAN assignment and access based on time of day.

The switch uses a default trustpoint. A certificate is required for EAP TTLS, PEAP, and TLS RADIUS
authentication (configured with the RADIUS service).

Dynamic VLAN assignment is achieved based on the RADIUS server response. A user who
associates to WLAN1 (mapped to VLAN1) can be assigned a different VLAN after authentication
with the RADIUS server. This dynamic VLAN assignment overrides the VLAN ID of the WLAN to which the
user associates.

NOTE

For a RADIUS supported VLAN to function properly, the "Dynamic Assignment" checkbox must be
enabled for the WLAN supporting the VLAN. For more information, see “Editing the WLAN
configuration” on page 100.
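The dynamic VLAN behaviour described above, as an added example (not Brocade's code): a small Python routine that validates the Response Authenticator of a RADIUS Access-Accept (RFC 2865), extracts the RFC 2868 tunnel attributes a RADIUS server uses to return a VLAN, and applies the override only when the WLAN's dynamic assignment is enabled. The shared secret, Request Authenticator and Access-Accept packet are constructed sample values, not captured traffic.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                                       # RFC 2865 packet code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, MEDIUM_IEEE802 = 13, 6                # values meaning "VLAN over 802"

def build_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept whose Response Authenticator is MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def parse_attrs(pkt):
    """Walk the type/length/value attribute list; reject lengths that overrun the packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs

def authentic(pkt, request_auth, secret):
    """True only if the reply was produced by a server holding the shared secret (and was not altered)."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def effective_vlan(pkt, request_auth, secret, wlan_vlan, dynamic_assignment):
    """VLAN the client lands in: the WLAN's VLAN unless a verified Accept carries a tagged
    Tunnel-Type=VLAN / Tunnel-Medium-Type=802 / Tunnel-Private-Group-ID triplet and the
    WLAN has "Dynamic Assignment" enabled."""
    if not authentic(pkt, request_auth, secret):
        raise ValueError("Response Authenticator mismatch; reply discarded")
    code, _, attrs = parse_attrs(pkt)
    if code != ACCESS_ACCEPT or not dynamic_assignment:
        return wlan_vlan
    by_tag = {}                                          # group the three attributes by RFC 2868 tag
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            tag, s = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)  # leading byte <= 0x1F is a tag
            by_tag.setdefault(tag, {})[t] = s
    for grp in by_tag.values():
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and grp.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE802
                and grp.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(grp[TUNNEL_PRIVATE_GROUP_ID])
    return wlan_vlan

SECRET = b"constructed-shared-secret"                   # constructed, not a real deployment value
REQ_AUTH = bytes(range(16))                             # constructed Request Authenticator
SAMPLE_ACCEPT = build_accept(7, REQ_AUTH, SECRET, [     # constructed reply moving the user to VLAN 20
    (TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, bytes([1]) + MEDIUM_IEEE802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"20"),
])
```

With the sample reply, a user on WLAN1 (VLAN 1) is moved to VLAN 20 only when dynamic assignment is enabled; a reply whose authenticator does not verify is never acted on.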

For 802.1X EAP authentication, the switch initiates the authentication process by sending an
EAPoL message to the Access Port only after the wireless client joins the wireless network. The
RADIUS client in the switch processes the EAP messages it receives. It encapsulates them in
RADIUS access requests and sends them to the configured RADIUS server (in this case the switch’s
local RADIUS server).
