
6-64 WS5100 Series Switch System Reference Guide

6.9.1.2 Authentication of Terminal/Management User(s)

The local Radius server can also authenticate the switch's own terminal and management users. Create a normal user
(with a password) in the local database for this purpose. These users should not be members of any group.

6.9.1.3 Access Policy

Access policies are defined for a group created in the local database. Each user is authorized based on the
access policies defined for the groups to which the user belongs. Access policies allow the administrator to
control access for a set of users based on the WLANs (ESSIDs) they are permitted to join.

Group to WLAN access is controlled by using a "Time of the day" access policy. Consider User1, who is a member
of Group1, which is mapped to WLAN1 (the ESSID of WLAN1). When the user tries to connect to WLAN1, the
user is prompted to enter his/her credentials. Once the authentication and authorization phases are
successful, User1 is able to access WLAN1 for the allowed duration only (and no other WLAN). Each
user group can be configured to be a part of one VLAN. All the users in that group are assigned the same
VLAN ID if dynamic VLAN authorization has been enabled on the WLAN.

6.9.1.4 Proxy to External Radius Server

Proxy realms are configured on the switch; each realm records the external Radius server to which that
realm's users are to be proxied. The User-Name received in the request is parsed in one of the (user@realm,
realm/user, user%realm, user\realm) formats to determine which proxy Radius server is to be used.
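The realm parsing above, as an added example that is not code from the Motorola manual: it splits a User-Name in each of the four notations the page lists and looks the realm up in a proxy table. The realm table, host names and ports are constructed for the example; the precedence between separators when a name contains more than one, case-insensitive realm matching, and rejecting an unknown realm rather than treating it as local are all assumptions, since the manual does not say how the switch handles those cases.

```python
# Added example, not code from the Motorola manual: split a RADIUS User-Name
# in the four realm notations the page lists and pick the proxy target.
from typing import NamedTuple, Optional, Union

class Identity(NamedTuple):
    user: str
    realm: Optional[str]   # None: no realm given, handled by the local server

# Separator, and whether the realm is the part before it. The precedence when
# a name contains more than one separator is an assumption; the manual does
# not say which notation the switch tries first.
NOTATIONS = (("@", False), ("/", True), ("%", False), ("\\", False))

def parse_identity(user_name: str) -> Identity:
    """Return (user, realm) for user@realm, realm/user, user%realm or user\\realm.

    The string is split once at the first separator that matches, so the
    other part is taken literally. An empty user or realm is refused: a
    name like "@corp.example" must not be routable anywhere.
    """
    for sep, realm_first in NOTATIONS:
        if sep in user_name:
            left, right = user_name.split(sep, 1)
            realm, user = (left, right) if realm_first else (right, left)
            if not user or not realm:
                raise ValueError(f"malformed identity: {user_name!r}")
            # Realm comparison is case-insensitive here (a design choice).
            return Identity(user, realm.lower())
    return Identity(user_name, None)

# Constructed proxy-realm table standing in for the switch configuration;
# the realm names, host names and ports are made up.
PROXY_REALMS = {
    "corp.example": ("radius1.corp.example", 1812),
    "partner.example": ("radius.partner.example", 1812),
}

class Route(NamedTuple):
    user: str
    target: Union[str, tuple, None]   # "local", (host, port), or None = reject

def route_request(user_name: str, realms=PROXY_REALMS) -> Route:
    """Decide where the request for user_name goes.

    No realm: the local server. Known realm: its proxy server. Unknown realm:
    None, i.e. reject. Quietly treating an unknown realm as local would let a
    client choose a realm to sidestep the proxy policy; the manual does not
    say what the switch does here, so failing closed is an assumption.
    """
    ident = parse_identity(user_name)
    if ident.realm is None:
        return Route(ident.user, "local")
    return Route(ident.user, realms.get(ident.realm))
```

The point worth checking on a real deployment is the two refusals: a name consisting only of a separator and a realm, and a realm with no configured proxy, should both fail rather than land on the local database.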

6.9.1.5 LDAP

An external data source based on LDAP can be used to authorize users. The Radius server looks for user
credentials in the configured external LDAP server and authorizes the users. The switch supports two LDAP
server configurations.

6.9.1.6 Accounting

Accounting should be initiated by the Radius client. Once the Local/Onboard Radius server is started, it will
listen for both authentication and accounting records.

6.9.2 Using the Switch’s Radius Server Versus an External Radius

The switch ships with a default configuration defining the local Radius Server as the primary authentication
source (default users are admin with superuser privileges and operator with monitor privileges). No
secondary authentication source is specified. However, Motorola recommends using an external Radius
Server as the primary user authentication source and the local switch Radius Server as the secondary user
authentication source. For information on configuring an external Radius Server, see Configuring External
Radius Server Support on page 4-36. To continue with instructions on how to configure the switch's local Radius
Server, see Defining the Radius Configuration on page 6-65.

If an external Radius server is configured as the switch's primary user authentication source and the switch's
local Radius Server is defined as the alternate method, the switch first tries to authenticate users using the
external Radius Server. Only if the external Radius Server is unreachable does the switch fall back to the local
Server's user database to authenticate a user. If the external Radius Server is reachable but rejects the user,
or if the user is not found in the external Server's database, the switch does not fall back to the local Radius
Server and the authentication attempt fails. This is the safe behaviour: a fallback on rejection would let a
credential that has been removed or changed in the external directory keep working through a stale local account.
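The fail-over rule just described, as an added example that is not code from the Motorola manual: an ordered list of authentication sources is walked, and the next source is consulted only when the current one gives no answer at all. The user databases and server names are constructed for the example. The one fact it relies on beyond the page is that a RADIUS server answers "no such user" with the same Access-Reject packet as a bad password, which is why the switch cannot treat the two cases differently.

```python
# Added example, not code from the Motorola manual: the fail-over rule between
# a primary and an alternate authentication source, simulated offline.
from enum import Enum
from typing import Callable, List, Tuple

class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no response"   # server unreachable, retries exhausted

Source = Tuple[str, Callable[[str, str], Result]]

def authenticate(user: str, password: str, sources: List[Source]):
    """Try the sources in order; return (outcome, names of sources consulted).

    Rule from the page: the next source is consulted only when the current
    one gives no answer at all. Access-Reject ends the attempt, and so does
    an unknown user, because a RADIUS server reports "no such user" with the
    same Access-Reject packet; the client cannot tell the two apart.
    """
    consulted = []
    for name, lookup in sources:
        consulted.append(name)
        outcome = lookup(user, password)
        if outcome is not Result.TIMEOUT:
            return outcome, consulted
    return Result.TIMEOUT, consulted

# Constructed stand-ins for the two user databases; the entries are made up.
# "alice" has a stale password in the local database, "admin" exists only there.
EXTERNAL_DB = {"alice": "s3cret"}
LOCAL_DB = {"admin": "admin-pw", "alice": "old-pw"}

def db_lookup(db: dict):
    """A reachable server: answers Accept or Reject from its own table."""
    def lookup(user, password):
        return Result.ACCEPT if db.get(user) == password else Result.REJECT
    return lookup

def unreachable(user, password):
    """A server that never answers (link down, server process stopped)."""
    return Result.TIMEOUT

def external_primary(external_up: bool) -> List[Source]:
    """The layout the manual recommends: external primary, local alternate."""
    ext = db_lookup(EXTERNAL_DB) if external_up else unreachable
    return [("external", ext), ("local", db_lookup(LOCAL_DB))]

if __name__ == "__main__":
    cases = [(True, "alice", "s3cret"), (True, "alice", "old-pw"),
             (True, "admin", "admin-pw"), (False, "admin", "admin-pw")]
    for up, user, pw in cases:
        print(f"external_up={up} user={user}:", authenticate(user, pw, external_primary(up)))
```

The second and third cases are the ones to reproduce against a real switch: with the external server reachable, the stale local password for alice and the local-only admin account must both be refused, and the local database must only answer once the external server's requests are timing out (for example with its port blocked at a firewall in a test network).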

If the switch’s local Radius Server is configured as the primary authentication method and an external Radius
Server is configured as an alternate method, the alternate external Radius Server will not be used a