Several features require communication with a RADIUS authentication server. For example, when you configure Virtual Access Points (VAPs) on the AP, you can configure security methods that control wireless client access (see the Radio page). The Dynamic WEP and WPA Enterprise security methods use an external RADIUS server to authenticate clients. The MAC address filtering feature, where client access is restricted to a list, may also be configured to use a RADIUS server to control access. The Captive Portal feature also uses RADIUS to authenticate clients.
You can use the Radius Server page to configure the RADIUS servers that are used by these features. You can configure up to four globally available IPv4 or IPv6 RADIUS servers; however, you must select whether the RADIUS client operates in IPv4 or IPv6 mode with respect to the global servers. One of the servers always acts as a primary while the others act as backup servers.
Note In addition to using the global RADIUS servers, you can also configure each VAP to use a specific set of RADIUS servers. See the Networks page.
Configuring Global RADIUS Servers
To configure global RADIUS servers:
1. Select System Security > RADIUS Server in the navigation pane.
• Server IP Address Type—The IP version that the RADIUS server uses.
You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the WAP device contacts only the RADIUS server or servers of the address type you select in this field.
• Server IP Address 1 or Server IPv6 Address 1—The addresses for the primary global RADIUS server.
When the first wireless client tries to authenticate with the WAP device, the device sends an authentication request to the primary server. If the primary server responds to the authentication request, the WAP device continues to use this RADIUS server as the primary server, and authentication requests are sent to the address specified.
• Server IP Address (2 through 4) or Server IPv6 Address (2 through 4)—Up to three backup IPv4 or IPv6 RADIUS server addresses.
If authentication fails with the primary server, each configured backup server is tried in sequence.
• Key 1—The shared secret key that the WAP device uses to authenticate to the primary RADIUS server.
You can use from 1 to 64 standard alphanumeric and special characters. The key is case sensitive and must match the key configured on the RADIUS server. The text you enter appears as asterisks.
• Key (2 through 4)—The RADIUS key associated with the configured backup RADIUS servers. The server at Server IP (IPv6) Address 2 uses Key 2, the server at Server IP (IPv6) Address-3 uses Key 3, and so on.
• Enable RADIUS Accounting—Enables tracking and measuring of the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on.
If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
3. Click Save. The changes are saved to the Startup Configuration.