This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (WiNG)
- RADIUS / AAA question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
RADIUS / AAA question
RADIUS / AAA question
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-19-2017 07:36 PM
Hello,
A site has 24 AP7522s, they are adopted to a NOC VX9000 over WAN. The VX9000 has UDP 24576 and TCP 443 opened. I'd like to create a CP with internal RADIUS / AAA and then create bulk vouchers for guests. The CP will be hosted on the APs.
Option A - Use internal RADIUS on the VX9000
A1 - Under AAA policy -> Server Type do I use onboard-controller or onboard-centralized-controller?
Is onboard-controller used when there is a site controller?
A2 - Do I need to open up UDP 1812 and 1813 on the VX?
Option B - Use internal RADIUS on the APs
B1 - Do I enable RADIUS policy for only one AP or can I enable it in the profile for all APs? If enabled on all APs, do they synchronize data between them? How does it work?
B2 - Am I limited to 256 RADIUS users in this scenario?
Regarding vouchers, if printing to A4 paper, it seems to print one voucher per page. This seems like a waste. How to change this?
Thanks.
Best regards.
A site has 24 AP7522s, they are adopted to a NOC VX9000 over WAN. The VX9000 has UDP 24576 and TCP 443 opened. I'd like to create a CP with internal RADIUS / AAA and then create bulk vouchers for guests. The CP will be hosted on the APs.
Option A - Use internal RADIUS on the VX9000
A1 - Under AAA policy -> Server Type do I use onboard-controller or onboard-centralized-controller?
Is onboard-controller used when there is a site controller?
A2 - Do I need to open up UDP 1812 and 1813 on the VX?
Option B - Use internal RADIUS on the APs
B1 - Do I enable RADIUS policy for only one AP or can I enable it in the profile for all APs? If enabled on all APs, do they synchronize data between them? How does it work?
B2 - Am I limited to 256 RADIUS users in this scenario?
Regarding vouchers, if printing to A4 paper, it seems to print one voucher per page. This seems like a waste. How to change this?
Thanks.
Best regards.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-05-2017 11:02 AM
Thanks for the replies. We used onboard-centralized-controller.
Regarding vouchers, an A4 paper can easily fit 6, maybe even 8 vouchers per page but the maximum available setting is 4, unfortunately.
After creating bulk vouchers, if you did not print them, you won't be able to do it later on... only one by one, which is not very nice when there's thousands of users.
In the end, we created a spreadsheet of users and uploaded it in the configured user pool. For printing we used an online label design and print tool which can import the spreadsheet.
Best regards.
Regarding vouchers, an A4 paper can easily fit 6, maybe even 8 vouchers per page but the maximum available setting is 4, unfortunately.
After creating bulk vouchers, if you did not print them, you won't be able to do it later on... only one by one, which is not very nice when there's thousands of users.
In the end, we created a spreadsheet of users and uploaded it in the configured user pool. For printing we used an online label design and print tool which can import the spreadsheet.
Best regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-20-2017 09:51 AM
Hello Ondrej,
Thanks for replying. I will check with the end user if they have some mobile / label printer.
What about option B? I will probably not use it, but I would like to know. 🙂
According to the centralized deployment guide:
"When backup RADIUS services are provided locally on the Independent Access Points at a site, a RADIUS Server Policy will need to be defined and assigned to the Access Point Profile. The RADIUS Server Policy includes the RADIUS Server configuration along with specific User Pools. During a WAN outage, each Independent Access Point will be fully capable of authenticating EAP or Hotspot users locally providing no interruption to Wireless services at the remote site."
This implies to just enable the RADIUS server policy in the AP profile and forget about it. 🙂
Best regards.
Thanks for replying. I will check with the end user if they have some mobile / label printer.
What about option B? I will probably not use it, but I would like to know. 🙂
According to the centralized deployment guide:
"When backup RADIUS services are provided locally on the Independent Access Points at a site, a RADIUS Server Policy will need to be defined and assigned to the Access Point Profile. The RADIUS Server Policy includes the RADIUS Server configuration along with specific User Pools. During a WAN outage, each Independent Access Point will be fully capable of authenticating EAP or Hotspot users locally providing no interruption to Wireless services at the remote site."
This implies to just enable the RADIUS server policy in the AP profile and forget about it. 🙂
Best regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-20-2017 09:51 AM
Well, let's tear it down
From RADIUS perspective the MAC address associated with the user account is not known - with RADIUS onboard-self every AP runs own database of account / MAC combinations with accounting on its own. When you roam, you go for re-association based on WNMP but then you hit the edge of EAP authentication and RADIUS server will start to send challenges instead of recognizing the client MAC.
In my opinion this is unnecessary mess you can easily avoid by mapping the RADIUS to either RFDM or centralized controller. Moreover, if Vendran wants to use Captive portal, that would bring extra layer of complexity.
I'd definitely go for elegant option A and rather use multiple (per-site) user group / user pool.
Regards,
Ondrej
- RADIUS runs locally on every AP = unique RADIUS user pool per AP roaming presumes presence of known authentication = not possible due different RADIUS databases
From RADIUS perspective the MAC address associated with the user account is not known - with RADIUS onboard-self every AP runs own database of account / MAC combinations with accounting on its own. When you roam, you go for re-association based on WNMP but then you hit the edge of EAP authentication and RADIUS server will start to send challenges instead of recognizing the client MAC.
In my opinion this is unnecessary mess you can easily avoid by mapping the RADIUS to either RFDM or centralized controller. Moreover, if Vendran wants to use Captive portal, that would bring extra layer of complexity.
I'd definitely go for elegant option A and rather use multiple (per-site) user group / user pool.
Regards,
Ondrej
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-20-2017 09:51 AM
Ondrej, what do you mean with no roaming? If we use internal AAA on a AP, we can't roam seamless? Each AP change need to reauthenticate?
Vedran, for the printing, you can get user and password in cleartext from the config. Just copy and paste it. With this data you can create your own "voucher".
Vedran, for the printing, you can get user and password in cleartext from the config. Just copy and paste it. With this data you can create your own "voucher".
