RADIUS / AAA question

  • Question
  • Updated 6 months ago
  • Answered
Hello,

A site has 24 AP7522s, which are adopted to a NOC VX9000 over WAN. The VX9000 has UDP 24576 and TCP 443 opened. I'd like to create a CP with internal RADIUS / AAA and then create bulk vouchers for guests. The CP will be hosted on the APs.

Option A - Use internal RADIUS on the VX9000
A1 - Under AAA policy -> Server Type do I use onboard-controller or onboard-centralized-controller?
Is onboard-controller used when there is a site controller?
A2 - Do I need to open up UDP 1812 and 1813 on the VX?

Option B - Use internal RADIUS on the APs
B1 - Do I enable RADIUS policy for only one AP or can I enable it in the profile for all APs? If enabled on all APs, do they synchronize data between them? How does it work?
B2 - Am I limited to 256 RADIUS users in this scenario?

Regarding vouchers, if printing to A4 paper, it seems to print one voucher per page. This seems like a waste. How can I change this?

Thanks.

Best regards.
Vedran Jurak

Posted 6 months ago

Ondrej Lepa, Employee
Hello Vedran,

When you use the AAA policy configuration "onboard-controller" or "onboard-centralized-controller", the RADIUS traffic is encapsulated within MINT (UDP 24576), so you do not have to enable any other port.

Regarding the voucher size: this is supposed to be printed using mobile printers. There is unfortunately not much you can change on the WiNG side.
More options are under Printer preferences.

Regards,
Ondrej
Vedran Jurak
Hello Ondrej,

Thanks for replying. I will check with the end user if they have some mobile / label printer.

What about option B? I will probably not use it, but I would like to know. :)

According to the centralized deployment guide:

"When backup RADIUS services are provided locally on the Independent Access Points at a site, a RADIUS Server Policy will need to be defined and assigned to the Access Point Profile. The RADIUS Server Policy includes the RADIUS Server configuration along with specific User Pools. During a WAN outage, each Independent Access Point will be fully capable of authenticating EAP or Hotspot users locally providing no interruption to Wireless services at the remote site."

This implies that you just enable the RADIUS server policy in the AP profile and forget about it. :)

Best regards.
Ondrej Lepa, Employee
Hi,

For option B you shall use:
  • the onboard self RADIUS authentication server
  • a RADIUS server policy mapped to the affected devices' profile
  • these won't synchronize data - NO ROAMING
Using the bulk user creation in the web admin I was able to create ~8200 users (didn't test more), and I am able to print up to 4 vouchers per page (WiNG 5.9).
See below:



Regards,
Ondrej
Timo
Ondrej, what do you mean by no roaming? If we use internal AAA on an AP, we can't roam seamlessly? Does each AP change need to reauthenticate?

Vedran, for the printing, you can get the user and password in cleartext from the config. Just copy and paste it. With this data you can create your own "voucher".
Ondrej Lepa, Employee
Well, let's tear it down:
  • RADIUS runs locally on every AP = a unique RADIUS user pool per AP
  • roaming presumes the presence of a known authentication = not possible due to different RADIUS databases
If we talk about a scenario where the RADIUS user pool is shared (or static), then "roaming" obviously works, but this is not seamless roaming at all.

From the RADIUS perspective the MAC address associated with the user account is not known - with RADIUS onboard-self every AP runs its own database of account / MAC combinations with its own accounting. When you roam, you go for re-association based on WNMP, but then you hit the edge of EAP authentication and the RADIUS server will start to send challenges instead of recognizing the client MAC.

In my opinion this is an unnecessary mess you can easily avoid by mapping the RADIUS to either the RFDM or the centralized controller. Moreover, if Vedran wants to use a Captive portal, that would bring an extra layer of complexity.

I'd definitely go for elegant option A and rather use multiple (per-site) user group / user pool.

Regards,
Ondrej
Vedran Jurak
Thanks for the replies. We used onboard-centralized-controller.

Regarding vouchers, an A4 paper can easily fit 6, maybe even 8 vouchers per page but the maximum available setting is 4, unfortunately.

After creating bulk vouchers, if you did not print them, you won't be able to do it later on... only one by one, which is not very nice when there are thousands of users.

In the end, we created a spreadsheet of users and uploaded it in the configured user pool. For printing we used an online label design and print tool which can import the spreadsheet.

Best regards.
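The spreadsheet-plus-label-tool workflow described in the last post, as an added example that is not part of the thread and not WiNG's own code: it generates a batch of guest accounts with CSPRNG-backed passwords, writes them to a CSV suitable for upload into a user pool, and lays the vouchers out several to a page instead of one per page. The column names (`username`, `password`, `expires`, `group`), the `guest` username prefix, the SSID and the validity period are assumptions; match them to whatever the import on your side expects.

```python
"""Bulk guest voucher generation: CSV user pool plus N-per-page layout.

Added example. Column names, username prefix, SSID and validity window
are assumptions, not values taken from WiNG or from the thread.
"""
import csv
import io
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Drop look-alike characters (0/O, 1/l/I): guests type these by hand.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


@dataclass(frozen=True)
class Voucher:
    username: str
    password: str
    expires: str   # ISO date after which the account should be disabled
    group: str     # user group / user pool the account belongs to


def random_password(length: int = 10) -> str:
    """Credential material comes from the OS CSPRNG, never from random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_vouchers(count: int, prefix: str = "guest", group: str = "guests",
                  valid_days: int = 7, start: date = date(2019, 1, 1),
                  password_len: int = 10) -> List[Voucher]:
    """Build `count` unique guest accounts. Usernames are sequential and
    zero-padded (guest01, guest02, ...); only the password carries entropy,
    so username predictability is fine but password length must not shrink."""
    width = len(str(count))
    expires = (start + timedelta(days=valid_days)).isoformat()
    return [
        Voucher(f"{prefix}{i:0{width}d}", random_password(password_len), expires, group)
        for i in range(1, count + 1)
    ]


def to_csv(vouchers: List[Voucher]) -> str:
    """Serialise the batch as the spreadsheet that gets uploaded into the user pool."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["username", "password", "expires", "group"])
    for v in vouchers:
        writer.writerow([v.username, v.password, v.expires, v.group])
    return buf.getvalue()


def paginate(vouchers: List[Voucher], per_page: int = 6) -> List[List[Voucher]]:
    """Split the batch into pages of `per_page` vouchers; the last page may be short."""
    if per_page < 1:
        raise ValueError("per_page must be >= 1")
    return [vouchers[i:i + per_page] for i in range(0, len(vouchers), per_page)]


def render_page(page: List[Voucher], ssid: str = "Guest-WiFi", width: int = 34) -> str:
    """Plain-text layout of one page: one boxed voucher per row, ready to cut."""
    lines = []
    for v in page:
        lines.append("+" + "-" * width + "+")
        for text in (f"SSID: {ssid}", f"User: {v.username}",
                     f"Pass: {v.password}", f"Valid until: {v.expires}"):
            lines.append("|" + text.ljust(width) + "|")
        lines.append("+" + "-" * width + "+")
    return "\n".join(lines)


if __name__ == "__main__":
    batch = make_vouchers(20)
    print(to_csv(batch))                      # upload this into the user pool
    for n, page in enumerate(paginate(batch, per_page=6), start=1):
        print(f"--- page {n} ---")
        print(render_page(page))
```

Because the CSV holds cleartext passwords, treat the file like any other credential export: generate it on the machine that does the upload, print from it, and delete it afterwards rather than leaving it in a shared folder.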