Question

Multiple Authentication types on Radius Service Policy

  • 25 April 2020
  • 8 replies
  • 212 views

  • New Member
  • 5 replies

Hi all,

 

    I’m new here and I’m preparing to deploy my first network with Extreme Wing wireless.

    In my environment I will have an SSID with 802.1x for corp users and another SSID for guests with captive portal.

    I managed to make it work one at a time. I was not able to make both work at the same time because of the use of “Radius Service Policy”.

    I saw that I need to configure the Radius Service Policy inside the Device Controller or Profile, but only one Radius Service Policy is allowed per profile.

      The doubt is:

     Is it possible to configure 802.1x and internal radius for guest users using the same “Radius Service Policy”?

      What is the best way for this configuration?     

 

     Regards,

    Claudio Rezende

  


8 replies

Userlevel 5

Hello Claudio,

      You are correct, only one radius server policy can be mapped to a Wing device via self and/or profile (depending on deployment and usage). That being said, if both Corp and Guest will be using internal radius on Wing for authentication, you can map different user pools, which are mapped to groups, to the one radius policy. The radius server policy “Authentication Type” should be ALL.

 

Hi Christopher,

 

    Both SSIDs will use internal Radius, Guest with user pools, but Corp will authenticate against Active Directory using LDAP.

    Does it sound OK to you?

 

Regards,

 

Userlevel 5

Hello Claudio,

     Absolutely, but you will need to configure the Radius Server Policy/Authentication “Default Source” by adding both SSIDs and source (guest using local and corp using LDAP).

Hi Christopher, thanks a lot for your help…  

I believe that I’m almost there but it is still not working… look below, where am I mistaken?

 

 

 

Userlevel 5

Hello Claudio,

      Looks correct. Did you configure the LDAP section (on the radius policy tabs above)? You need to configure LDAP accordingly and ensure that the Wing device is bound to the LDAP server.

Once LDAP is configured, from the Wing CLI (Command Line Interface), you can verify that Wing is bound to the LDAP server using the following commands:

 

enable [enter]

show ldap-agent join-status [enter]

If running the above and LDAP is not configured and/or not configured properly, you will see the following:

Wing#show ldap-agent join-status

Primary LDAP Server's agent join-status : Not Configured or Unused

If successful, you should see something like the following, then you would need to verify your wireless client for 802.1x:

Wing#show ldap-agent join-status

Primary LDAP Server's agent join-status : Joined domain SONIC.

 

 

Userlevel 5

Hello Claudio,

      I have attached a document that covers Wing and LDAP integration with MS Active Directory. This covers what you are trying to accomplish.

Hi Christopher,

 

     Thanks a lot again, it is working now. 

     Windows machine authenticating with AD credentials.

     Mobiles authenticating with guest users.

   

     The only thing that is still not working is some corporate mobiles that need to authenticate on SSID CORP. After changing the “Authentication type” from MSCHAPv2 to ALL, they stopped working.

     Any idea about it?

   

     

Regards,

     

vx9000-600CCE#show ldap-agent join-status

Primary LDAP Server's agent join-status : Joined domain LAB.


Secondary LDAP Server's agent join-status : Not Configured or Unused
vx9000-600CCE#
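
The join-status check discussed above can be automated so that a lost LDAP bind (which breaks 802.1x logins on the corp SSID) is noticed early. The following is an added example, not part of the original thread or of any Extreme Networks tooling; the function names are hypothetical, and it assumes the output format is exactly what the posts above show, with the command output already captured as text.

```python
import re

# Line format as shown in the thread, e.g.
#   Primary LDAP Server's agent join-status : Joined domain LAB.
LINE_RE = re.compile(
    r"^\s*(Primary|Secondary) LDAP Server's agent join-status\s*:\s*(.+?)\s*$"
)
JOINED_RE = re.compile(r"^Joined domain (\S+?)\.?$")

# Output copied from the posts above (not captured from a live device).
SAMPLE_JOINED = """vx9000-600CCE#show ldap-agent join-status
Primary LDAP Server's agent join-status : Joined domain LAB.

Secondary LDAP Server's agent join-status : Not Configured or Unused
vx9000-600CCE#"""
SAMPLE_NOT_CONFIGURED = """Wing#show ldap-agent join-status
Primary LDAP Server's agent join-status : Not Configured or Unused"""


def parse_join_status(output):
    """Return a dict keyed by 'primary'/'secondary' for each status line found."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, echoed command, or blank line
        role, status = m.group(1).lower(), m.group(2)
        joined = JOINED_RE.match(status)
        result[role] = {
            "joined": joined is not None,
            "domain": joined.group(1) if joined else None,
            "raw": status,  # kept so unknown status strings can be logged
        }
    return result


def ldap_backend_ready(output, expected_domain=None):
    """True if any LDAP agent is joined (to expected_domain, when given)."""
    for info in parse_join_status(output).values():
        if info["joined"] and expected_domain in (None, info["domain"]):
            return True
    return False


if __name__ == "__main__":
    print(parse_join_status(SAMPLE_JOINED))
    print("ready:", ldap_backend_ready(SAMPLE_JOINED, expected_domain="LAB"))
```

Any status string other than "Joined domain ..." is treated as not joined, so an unexpected message fails closed rather than passing the check.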
 

Hi Christopher,

 

     Now all is working fine. Thank you for your time.

 

Regards,

Claudio Rezende

       
