Creating a Network That Uses an Enterprise AAA Server

You can create a network that authenticates users against a remote authentication, authorization, and accounting (AAA) server. Before you create a network, write down the IP address, port number, and shared secret of the primary and secondary (if any) RADIUS server that you want to use to authenticate network users.

In non-proxy mode, an AP makes the RADIUS requests directly to the RADIUS server. The outbound connection is from the AP to the IP/FQDN of RADIUS on the RADIUS port in use by the RADIUS service. If this is an internet/external RADIUS system, the APs must be able to reach the server from their locations, presumably via NAT or public routing.

For proxy mode, the controller makes the outbound RADIUS queries on behalf of the AP to the RADIUS system. Therefore, in this instance, the Cloud controller performs the outbound connection on the required port, and there is no firewall requirements for the customer (given that the Cloud is making the request). If you are hosting the RADIUS system, you must allow inbound connectivity to a routable or NAT'd IP address on the RADIUS port that is configured in the WLAN. In proxy mode, all the RADIUS requests from the AP to the controller passes over the existing control tunnel.

Complete the following steps to create a network that uses a remote AAA server.
  1. On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
    The Wi-Fi Networks page is displayed.
  2. On the upper-right corner, click Add Wi-Fi Network. Alternatively, select an Enterprise AAA (802.1X) network setting that you want to copy and click Clone at the top of the table.
    The Create New Network page is displayed.
  3. Complete the following settings in the Network Details page.
    • Network Name: Enter a name (up to 32 characters) that you want assign to the network.
    • Set different SSID: Use this option to configure the SSID different from the network name.
    • Description: Enter a description (up to 64 characters) to help you identify the network using.
    • Network Type: Select Enterprise AAA (802.1X).
    When the network type is selected, a structure diagram of an Enterprise AAA (802.1X) type of network is displayed.
    Enterprise AAA (802.1X) Network
  4. Click Next.
    The Enterprise AAA (802.1X) Settings page is displayed.
    Enterprise AAA (802.1X) Settings Page
  5. Complete the settings on the Enterprise AAA (802.1X) Settings page.
    • Security Protocol : Select WPA or WPA2 (Recommend) from the drop down list. By default, WPA2 (Recommend) is selected.
      Note: For robust Wi-Fi security, WPA2 (Wi-Fi Protected Access 2) is an excellent choice. Widely supported on most mobile devices since 2006, it offers a strong foundation. However, if you're using cutting-edge technology with 6 GHz Wi-Fi radios, WPA3 might be necessary for optimal connection.
    • By default, Use External AAA Service is selected. If you want to use a certificate authority, select Use Certificate Auth and select a certificate template from the Certificate Template drop-down or click Add to add a certificate template. Refer to Adding a Certificate Template for instructions on how to add a certificate template.
    • Identity Group: Select an identity group from the drop-down or click Add to add an identity group. Refer to Adding an Identity Group for instructions on how to add an identity group. To view details about the identity group, click View Details. The Identity Group sidebar is displayed.
      Note:
      • When an identity group is selected, all devices joining the network will automatically become an identity within that group, as displayed on the Identity Group page.
      • Users have the option to either select an existing identity group from the list or create a new one.
      • During network editing, the initially selected identity group cannot be removed; however, it can be changed to a different identity group.
      • The identity configuration section is not applicable to the MAC Registration List when MAC Authentication is enabled.
    • Authentication Service: Select the existing RADIUS Server from the drop down list or complete the following steps to add a new RADIUS Server.
      1. Click Add Server and configure a new RADIUS Server. Refer to Creating a Radius Server Profile.
    • Proxy Service: Toggle switch to ON to enable the proxy service.
      Note: Use the controller as proxy in 802.1X networks. A proxy AAA server is used when APs send authentication/accounting messages to the controller and the controller forwards these messages to an external AAA server.
    • Accounting Service: Toggle the switch to ON to enable this option and select the existing RADIUS Server from the drop down list or complete the following steps to add a new RADIUS Server.
      1. Click Add Server and configure a new RADIUS Server. Refer to Creating a Radius Server Profile.
    • Proxy Service: Toggle switch to ON to enable the proxy service.
      Note: Use the controller as proxy in 802.1X networks. A proxy AAA server is used when APs send authentication/accounting messages to the controller and the controller forwards these messages to an external AAA server.
    • MAC Authentication: Toggle the switch to ON to enable the MAC Authentication feature and select a MAC Address Format from the drop-down.
      Supported MAC address format are:
      • Upper case MAC address separated by colons: 70:EA:5A:78:A1:A0
      • Upper case MAC address separated by hyphens: 70-EA-5A-78-A1-A0
      • Upper case MAC in a continuous string: 70EA5A78A1A0
      • Lower case MAC address separated by colons: 70:ea:5a:78:a1:a0
      • Lower case MAC address separated by hyphens: 70-ea-5a-78-a1-a0
      • Lower case MAC in a continuous string: 70ea5a78a1a0
      Note:
      • MAC Authentication provides an additional level of security for corporate networks. Client MAC addresses are passed to the configured RADIUS servers for authentication and accounting.
      • By default, the MAC Authentication is disabled.
      • Changing the MAC Authentication option requires you to re-create the Enterprise AAA (802.1X) network.​ Currently, there is no edit option for this feature.
      In the 802.1X and MAC Authentication method, MAC authentication is the first layer of security—a list of authorized MAC addresses is configured on the network device first. Devices with MAC addresses that are not on the list are denied access to the network. The 802.1X authentication method uses a RADIUS server to verify the user’s identity (for example, username, password) before granting access to the network. A RUCKUS AP grants access to UE only after both the MAC authentication and 802.1X authentication are successful.
  6. Click Show more settings.

    By default, the VLAN sub-tab is displayed. Each sub-tab includes additional Wi-Fi configuration options to configure the settings of your preference. Refer to Configuring Additional Settings for a Wi-Fi Network to configure each of the available settings.

    Note:

    Demonstration of Advanced Settings for a Wi-Fi Network. This video explains advanced settings for a Wi-Fi network and walks you through the process of configuring them.

    Click to play video in full screen mode.

  7. Click Next to go to the Venues page and select venues to activate this network.
    The Venues page is displayed.
    Venues Page
  8. Click Next.
    The Summary page is displayed.
    Network Summary
  9. Review the settings that you configured. To display the Shared Secret in plain text, click the eye icon.
  10. Click Finish.