
RADIUS / AAA question

Vedran_Jurak
New Contributor II
Hello,

A site has 24 AP7522s, they are adopted to a NOC VX9000 over WAN. The VX9000 has UDP 24576 and TCP 443 opened. I'd like to create a CP with internal RADIUS / AAA and then create bulk vouchers for guests. The CP will be hosted on the APs.

Option A - Use internal RADIUS on the VX9000
A1 - Under AAA policy -> Server Type do I use onboard-controller or onboard-centralized-controller?
Is onboard-controller used when there is a site controller?
A2 - Do I need to open up UDP 1812 and 1813 on the VX?

Option B - Use internal RADIUS on the APs
B1 - Do I enable RADIUS policy for only one AP or can I enable it in the profile for all APs? If enabled on all APs, do they synchronize data between them? How does it work?
B2 - Am I limited to 256 RADIUS users in this scenario?

Regarding vouchers, if printing to A4 paper, it seems to print one voucher per page. This seems like a waste. How can I change this?

Thanks.

Best regards.

Vedran_Jurak
New Contributor II
Thanks for the replies. We used onboard-centralized-controller.

Regarding vouchers, an A4 paper can easily fit 6, maybe even 8 vouchers per page but the maximum available setting is 4, unfortunately.

After creating bulk vouchers, if you did not print them, you won't be able to do it later on... only one by one, which is not very nice when there are thousands of users.

In the end, we created a spreadsheet of users and uploaded it in the configured user pool. For printing we used an online label design and print tool which can import the spreadsheet.

Best regards.

Vedran_Jurak
New Contributor II
Hello Ondrej,

Thanks for replying. I will check with the end user if they have some mobile / label printer.

What about option B? I will probably not use it, but I would like to know. 🙂

According to the centralized deployment guide:

"When backup RADIUS services are provided locally on the Independent Access Points at a site, a RADIUS Server Policy will need to be defined and assigned to the Access Point Profile. The RADIUS Server Policy includes the RADIUS Server configuration along with specific User Pools. During a WAN outage, each Independent Access Point will be fully capable of authenticating EAP or Hotspot users locally providing no interruption to Wireless services at the remote site."

This implies just enabling the RADIUS server policy in the AP profile and forgetting about it. 🙂

Best regards.

Well, let's tear it down:
    RADIUS runs locally on every AP = unique RADIUS user pool per AP
    Roaming presumes presence of known authentication = not possible due to different RADIUS databases
If we talk about a scenario where the RADIUS user pool is shared (or static) then "roaming" obviously works, but this is not seamless roaming at all.

From the RADIUS perspective, the MAC address associated with the user account is not known - with RADIUS onboard-self every AP runs its own database of account / MAC combinations with accounting on its own. When you roam, you go for re-association based on WNMP but then you hit the edge of EAP authentication and the RADIUS server will start to send challenges instead of recognizing the client MAC.

In my opinion this is an unnecessary mess you can easily avoid by mapping the RADIUS to either RFDM or a centralized controller. Moreover, if Vedran wants to use Captive portal, that would bring an extra layer of complexity.

I'd definitely go for the elegant option A and rather use multiple (per-site) user group / user pool.

Regards,
Ondrej

Timo1
New Contributor II
Ondrej, what do you mean by no roaming? If we use internal AAA on an AP, we can't roam seamlessly? Does each AP change need to reauthenticate?

Vedran, for the printing, you can get user and password in cleartext from the config. Just copy and paste it. With this data you can create your own "voucher".