Configuring RADIUS Clients
This chapter describes the following:
• Overview
• Adding RADIUS Clients
• Editing RADIUS Clients
• Deleting RADIUS Clients
Overview
Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol. Cisco NAC Guest Server uses the RADIUS protocol to authenticate and audit guests who log in through RADIUS-capable network enforcement devices, such as Cisco Wireless LAN Controllers.
Although the Cisco NAC Appliance uses its own API and a different method for creating accounts and authenticating users, as described in Chapter 7, "Integrating with Cisco NAC Appliance," it still uses RADIUS Accounting to record user activity and therefore still needs to be configured as a RADIUS client.
When a guest authenticates against a RADIUS client, such as the Wireless LAN Controller, the RADIUS client uses RADIUS Authentication to ask the Cisco NAC Guest Server whether the user authentication is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that the user is valid and the amount of time remaining before the user session expires. The RADIUS client must honor the session-timeout attribute to remove the guest when the guest account time expires.
Note
The Cisco Wireless LAN Controller needs to be specifically configured to Allow AAA Override. This enables it to honor the session-timeout attribute returned to it by the Cisco NAC Guest Server.
In addition to authentication, the RADIUS client device reports details to the Cisco NAC Guest Server, such as the time the session started, the time the session ended, the user IP address, and so on. This information is transported over the RADIUS Accounting protocol.
Tip
If there is a firewall between the Cisco NAC Guest Server and the RADIUS client, you will need to allow traffic from UDP port 1812 (RADIUS Authentication) and UDP port 1813 (RADIUS Accounting) to pass.
Note
Any time you make a change to a RADIUS component on the Cisco NAC Guest Server, you will need to Restart the Radius service for the changes to become active.
Adding RADIUS Clients
Step 1
From the administration interface, select Devices > Radius Clients from the left-hand menu.
Figure 8-1 Radius Clients
Step 2
In the Radius Clients page (Figure 8-1), click the Add Radius button to add a RADIUS client.
Figure 8-2 Add Radius Client
Step 3
In the Add Radius Client page (Figure 8-2), type a descriptive Name for the RADIUS client.
Step 4
Type the IP Address of the RADIUS client. This needs to match the IP address from which the RADIUS request originates.
Step 5
Type a shared Secret for the RADIUS client. This must match the shared secret specified in the configuration of the RADIUS client.
Step 6
Retype the shared secret in the Confirm Secret field.
Step 7
Type a Description of the client and any other information needed.
Step 8
Click the Add Radius Client button.
Step 9
From the administration interface, select Devices > Radius Clients (Figure 8-1) from the left-hand menu.
Step 10
Click the Restart button to restart the RADIUS service to make the changes take effect.
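The requirement in Step 5 that the shared secret match on both sides, and the session-timeout attribute described in the Overview, can be seen at the packet level. The following Python sketch is an added example, not Cisco NAC Guest Server code: it follows the RFC 2865 packet layout, and the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # RFC 2865 packet code
SESSION_TIMEOUT = 27   # RFC 2865 attribute type; value is seconds remaining


def build_access_accept(ident, request_auth, secret, seconds_left):
    """Server side: build an Access-Accept that carries Session-Timeout."""
    attrs = struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds_left)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_and_get_timeout(packet, request_auth, secret):
    """Client side: return Session-Timeout in seconds, or None if rejected."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # secrets differ, or the reply was altered in transit
    pos = 0
    while pos + 2 <= len(attrs):  # walk the type-length-value attributes
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # malformed attribute length
        if atype == SESSION_TIMEOUT and alen == 6:
            return struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += alen
    return None


# Constructed sample values, not taken from any real deployment.
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTH, SERVER_SECRET, 3600)
    print(verify_and_get_timeout(reply, REQUEST_AUTH, SERVER_SECRET))      # matching secret
    print(verify_and_get_timeout(reply, REQUEST_AUTH, b"typo-in-secret"))  # mismatched secret
```

A client holding a different secret cannot validate the reply, so it never sees the timeout value and the guest login fails even though the account is valid.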
Editing RADIUS Clients
Step 1
From the administration interface, select Devices > Radius Clients from the left-hand menu.
Figure 8-3 Radius Clients List
Step 2
In the Radius Clients page (Figure 8-3), select the Radius Client from the list and click the Edit Radius button.
Figure 8-4 Edit Radius Client
Step 3
In the Edit Radius Client page (Figure 8-4), edit the IP Address of the Radius Client.
Step 4
Edit the shared secret used between the client and the Cisco NAC Guest Server in the Secret and Confirm Secret fields.
Step 5
Make any desired changes to the Description.
Step 6
Click Save Settings.
Step 7
From the administration interface, select Devices > Radius Clients (Figure 8-1) from the left-hand menu.
Step 8
Click the Restart button to restart the RADIUS service to make the changes take effect.
Deleting RADIUS Clients
Step 1
From the administration interface, select Devices > Radius Clients from the left-hand menu.
Figure 8-5 List Radius Clients
Step 2
In the Radius Clients page (Figure 8-5), select the Radius Client from the list.
Step 3
Click the Delete Radius button and confirm the action.
Step 4
From the administration interface, select Devices > Radius Clients (Figure 8-1) from the left-hand menu.
Step 5
Click the Restart button to restart the RADIUS service to make the changes take effect.
Note
Any time you make a change to a RADIUS component, you will need to Restart the Radius service for the changes to become active.