Creating a Network That Uses an Enterprise AAA Server
You can create a network that authenticates users against a remote authentication,
authorization, and accounting (AAA) server. Before you create a network, write down the
IP address, port number, and shared secret of the primary and secondary (if any) RADIUS
servers that you want to use to authenticate network users.
In non-proxy mode, an AP makes the RADIUS requests directly to the RADIUS server. The
outbound connection is from the AP to the IP address or FQDN of the RADIUS server, on the
port in use by the RADIUS service. If this is an internet/external RADIUS system, the APs
must be able to reach the server from their locations, presumably via NAT or public
routing.
In proxy mode, the controller makes the outbound RADIUS queries to the RADIUS system on
behalf of the AP. Therefore, in this instance, the Cloud controller performs the outbound
connection on the required port, and there are no firewall requirements for the customer
(given that the Cloud is making the request). If you are hosting the RADIUS system, you
must allow inbound connectivity to a routable or NATted IP address on the RADIUS port that
is configured in the WLAN. In proxy mode, all the RADIUS requests from the AP to the
controller pass over the existing control tunnel.
Complete the following steps to create a network that uses a remote AAA server.
On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
The Wi-Fi Networks page is displayed.
In the upper-right corner, click Add Wi-Fi Network. Alternatively, select an Enterprise AAA (802.1X) network setting that you want to copy and click Clone at the top of the table.
The Create New Network page is displayed.
Complete the following settings in the Network Details page.
Network Name: Enter a name (up to 32 characters) that you want to assign to the network.
Set different SSID: Use this option to configure an SSID that is different from the network name.
Description: Enter a description (up to 64 characters) to help you identify the network.
Network Type: Select Enterprise AAA (802.1X).
When the network type is selected, a structure diagram of an Enterprise AAA (802.1X) type of network is displayed.
Click Next.
The Enterprise AAA (802.1X) Settings page is displayed.
Complete the settings on the Enterprise AAA (802.1X) Settings page.
Security Protocol: Select WPA or WPA2 (Recommend) from the drop-down list. By default, WPA2 (Recommend) is selected.
Note: For robust Wi-Fi
security, WPA2 (Wi-Fi Protected Access 2) is an excellent choice.
Widely supported on most mobile devices since 2006, it offers a
strong foundation. However, if you're using cutting-edge technology
with 6 GHz Wi-Fi radios, WPA3 might be necessary for optimal
connection.
Authentication Service: Select the existing RADIUS Server from the drop-down list or complete the following steps to add a new RADIUS Server.
Proxy Service: Toggle the switch to ON to enable the proxy service.
Note: Use the controller as a proxy in 802.1X networks. A proxy AAA server is used when APs send authentication/accounting messages to the controller and the controller forwards these messages to an external AAA server.
Accounting Service: Toggle the switch to ON to enable this option and select the existing RADIUS Server from the drop-down list or complete the following steps to add a new RADIUS Server.
Proxy Service: Toggle the switch to ON to enable the proxy service.
Note: Use the controller as a proxy in 802.1X networks. A proxy AAA server is used when APs send authentication/accounting messages to the controller and the controller forwards these messages to an external AAA server.
MAC Authentication: Toggle the switch to ON to enable the MAC Authentication feature and select a MAC Address Format from the drop-down.
Supported MAC address formats are:
Upper case MAC address separated by colons: 70:EA:5A:78:A1:A0
Upper case MAC address separated by hyphens: 70-EA-5A-78-A1-A0
Upper case MAC in a continuous string: 70EA5A78A1A0
Lower case MAC address separated by colons: 70:ea:5a:78:a1:a0
Lower case MAC address separated by hyphens: 70-ea-5a-78-a1-a0
Lower case MAC in a continuous string: 70ea5a78a1a0
Note:
MAC Authentication provides an additional level of security for corporate networks. Client MAC addresses are passed to the configured RADIUS servers for authentication and accounting.
By default, MAC Authentication is disabled.
Changing the MAC Authentication option requires re-creating the Enterprise AAA (802.1X) network. Currently, there is no edit option for this feature.
In the 802.1X and MAC Authentication method, MAC
authentication is the first layer of security—a list of authorized
MAC addresses is configured on the network device first. Devices
with MAC addresses that are not on the list are denied access to the
network. The 802.1X authentication method uses a RADIUS server to
verify the user’s identity (for example, username, password) before
granting access to the network. A RUCKUS AP grants access to a UE only
after both the MAC authentication and 802.1X authentication are
successful.
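One way to bring an existing allowlist into the format selected above, on the assumption that the RADIUS server compares the received MAC string exactly; this is an added example, not RUCKUS code. The format key names and the sample addresses are constructed, and the check on the locally administered bit, which marks addresses a client may have randomized, goes beyond the formats listed on this page.

```python
import re

# Separator and case for the six formats above; the key names are hypothetical.
FORMATS = {
    "upper-colon": (":", str.upper), "upper-hyphen": ("-", str.upper),
    "upper-plain": ("", str.upper), "lower-colon": (":", str.lower),
    "lower-hyphen": ("-", str.lower), "lower-plain": ("", str.lower),
}
_H = "[0-9A-Fa-f]"
_ACCEPTED = re.compile(
    rf"{_H}{{2}}([:-])(?:{_H}{{2}}\1){{4}}{_H}{{2}}"  # aa:bb:.. or aa-bb-..
    rf"|{_H}{{4}}\.{_H}{{4}}\.{_H}{{4}}"              # aabb.ccdd.eeff
    rf"|{_H}{{12}}"                                   # aabbccddeeff
)
# Constructed sample input in mixed notations, including two malformed entries.
SAMPLE = ["70:EA:5A:78:A1:A0", "70-ea-5a-78-a1-a0", "70ea.5a78.a1a1",
          "d2:11:22:33:44:55", "70:EA:5A:78:A1", "70:EA-5A:78:A1:A0"]


def canonical(mac: str) -> str:
    """Return the 12 hex digits in lower case, or raise ValueError."""
    text = mac.strip()
    if not _ACCEPTED.fullmatch(text):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[:.-]", "", text).lower()


def render(mac: str, fmt: str) -> str:
    """Render one MAC address in the format selected for the WLAN."""
    sep, case = FORMATS[fmt]
    digits = canonical(mac)
    return case(sep.join(digits[i:i + 2] for i in range(0, 12, 2)))


def convert_allowlist(entries, fmt):
    """Return (rendered, rejected, randomized) for a mixed-notation list."""
    rendered, rejected, randomized, seen = [], [], [], set()
    for entry in entries:
        try:
            digits = canonical(entry)
        except ValueError:
            rejected.append(entry)
            continue
        if digits in seen:
            continue  # same device written in two notations
        seen.add(digits)
        rendered.append(render(digits, fmt))
        if int(digits[:2], 16) & 0x02:  # locally administered bit is set
            randomized.append(rendered[-1])
    return rendered, rejected, randomized
```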
Click Show more settings.
By default, the VLAN sub-tab is displayed. Each sub-tab includes additional Wi-Fi configuration options to configure the settings of your preference. Refer to Configuring Additional Settings for a Wi-Fi Network to configure each of the available settings.
Note:
Demonstration of Advanced Settings for a Wi-Fi Network. This video explains advanced settings for a Wi-Fi network and walks you through the process of configuring them.