WLAN and RADIUS

RADIUS is used for user authentication and accounting. For further information on this protocol, refer to the section RADIUS.

When using a RADIUS server for the authentication of WLAN clients, the RADIUS server uses the MAC address to check client authorizations.

Note: To use the RADIUS functionality for WLAN clients, go to the LEPS-MAC section and set the filter function to the option "Transfer data from the listed stations, authenticate all other data via RADIUS or filter it out".

In LANconfig, the configuration is performed under Wireless LAN > Stations/LEPS. Here you configure the RADIUS server settings and the RADIUS backup server settings.

Server address
Enter the IP address (IPv4, IPv6) or the hostname of the RADIUS server used for central user management.
Server port
Specify here the port used for communication to your RADIUS server (default: 1,812).
Attribute values
LCOS allows you to configure the RADIUS attributes used to communicate with a RADIUS server (for authentication and accounting). The attributes are specified as a semicolon-separated list of attribute numbers or names, each with a corresponding value, in the following form: <Attribute_1>=<Value_1>;<Attribute_2>=<Value_2> As the number of characters is limited, the name can be abbreviated. The abbreviation must be unique, however. Examples:
  • NAS-Port=1234 is not allowed, because the attribute is not unique (NAS-Port, NAS-Port-Id or NAS-Port-Type).
  • NAS-Id=ABCD is allowed, because the attribute is unique (NAS-Identifier).
Attribute values can be specified as names or as RFC-compliant numbers. For the device, the specifications Service-Type=Framed and Service-Type=2 are identical. Specifying a value in quotation marks ("<Value>") allows you to include special characters such as spaces, semicolons or equals signs. A quotation mark within a value requires a leading backslash (\"), as does the backslash itself (\\). The following variables are permitted as values:
  • %n – device name
  • %e – serial number of the device
  • %% – percent sign
  • %{name} – original value of the attribute as transferred by the RADIUS application. This allows attributes to be set from the original RADIUS attributes; for example, Called-Station-Id=%{NAS-Identifier} sets the attribute Called-Station-Id to the value of the attribute NAS-Identifier.
Secret
Specify here the shared secret used to protect the data exchanged with the RADIUS server. The same key must also be configured on the RADIUS server.
Backup server address
Enter the IP address (IPv4, IPv6) or the hostname of the backup RADIUS server used for central user management.
Backup server port
Specify here the port used for communication to your backup RADIUS server (default: 1,812).
Source address
The device automatically determines the correct source IP address for the destination network. To use a fixed source IP address instead, enter it symbolically or directly here.

RADIUS server password source

Select whether you want to use a Secret or the MAC address as the password source for the RADIUS server.

RADIUS accounting

A RADIUS server that is to be used for accounting requires the appropriate configuration. The configuration is carried out with LANconfig under Wireless LAN > Stations/LEPS > RADIUS accounting. Configure the settings for a RADIUS accounting server here.

Profile name
Name of the RADIUS server performing the accounting for WLAN clients. The name entered here is used to reference that server from other tables.
Backup profile
Enter the name of the RADIUS backup server used for the accounting of WLAN clients if the actual accounting server is not available. This allows you to specify a "backup chaining" of multiple backup servers.
Server address
Here you enter the IPv4 or IPv6 address or the hostname of the RADIUS server used by the RADIUS client for the accounting of WLAN clients.
  • The RADIUS client automatically detects which address type is involved.
  • You also need to set the general values for retry and timeout in the RADIUS section.
Port
Port for communication with the RADIUS server during accounting (default: 1,812).
Attribute values
Here you can assign user-defined values to RADIUS attributes. The individual name-value pairs must have the form <Name>=<Value>, and they are separated by semicolons. <Name> identifies the RADIUS attribute by its name or number. The attribute names can be found in the corresponding RADIUS RFCs. Attribute names can be abbreviated as long as the abbreviation is unambiguous. Attribute values can be placed in quotation marks to allow the use of spaces or semicolons in the value. To use a quotation mark as a character, precede it with a backslash. To use the backslash itself as a character, use a double backslash. The following placeholders can also be used:
  • %n – replaced by the configured device name.
  • %e – replaced with the serial number of the device as displayed in the device system info.
  • %% – replaced by a single % character.
  • %{name} – replaced by the original value of the corresponding RADIUS attribute. Any new definitions or redefinitions within this attribute list are ignored. The identifier can be abbreviated as long as it remains unique.
For more information about RADIUS attributes, please see RADIUS attributes.
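The attribute-list syntax is the same for the WLAN RADIUS server settings above and for RADIUS accounting here, so one added example serves both passages. It is not LCOS code: it parses a <Name>=<Value>;… list, resolves abbreviated attribute names against a constructed subset of attribute names, honours quoting and escaping, and expands the placeholders; device name, serial number and the incoming request's attribute values are passed in as parameters (assumptions).

```python
import re
# Added example, not LCOS code: parse an LCOS-style RADIUS attribute list
# "<Name>=<Value>;<Name>=<Value>" and expand its placeholders. Constructed subset:
ATTRIBUTES = {"NAS-Identifier", "NAS-Port", "NAS-Port-Id", "NAS-Port-Type",
              "Called-Station-Id", "Calling-Station-Id", "Service-Type"}
PLACEHOLDER = re.compile(r"%(n|e|%|\{([^}]*)\})")

def resolve_attribute(name):
    if name.isdigit():  # numeric attribute ids pass through unchanged
        return name
    hits = [a for a in ATTRIBUTES if a.lower().startswith(name.lower())]
    if len(hits) != 1:  # "NAS-Port" hits three attributes and is rejected
        raise ValueError(f"{name!r} is unknown or ambiguous: {sorted(hits)}")
    return hits[0]

def split_pairs(text):
    # Split on ';' and the first '=' outside quotes; \" and \\ are literal characters
    pairs, buf, name, quoted, i = [], [], None, False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and text[i + 1:i + 2] in ('"', "\\"):
            i += 1; buf.append(text[i])
        elif c == '"':
            quoted = not quoted
        elif not quoted and c == "=" and name is None:
            name, buf = "".join(buf), []
        elif not quoted and c == ";":
            pairs.append((name, "".join(buf))); name, buf = None, []
        else:
            buf.append(c)
        i += 1
    if quoted or any(n is None for n, _ in pairs + [(name, "")]):
        raise ValueError("unterminated quote or entry without '='")
    return pairs + [(name, "".join(buf))]

def expand(value, device_name, serial, request):
    # %n device name, %e serial number, %% literal '%', %{name} value from request
    def sub(m):
        if m.group(2) is not None:
            return request.get(resolve_attribute(m.group(2)), "")
        return {"n": device_name, "e": serial, "%": "%"}[m.group(1)]
    return PLACEHOLDER.sub(sub, value)

def build_attributes(text, device_name, serial, request):  # {full name: value}
    return {resolve_attribute(n): expand(v, device_name, serial, request)
            for n, v in split_pairs(text)}

# Constructed sample: a quoted value with ';' and escaped quotes, a copied request
# attribute, and a numeric RFC value; REQUEST stands in for the incoming packet.
SAMPLE = 'NAS-Id="AP 1; \\"east\\"";Called-Station-Id=%{NAS-Identifier};Service-Type=2'
REQUEST = {"NAS-Identifier": "ap-lobby-01"}
```

Note that %{name} reads from REQUEST, the original request, never from values defined earlier in the same list, which matches the rule that redefinitions within the list are ignored.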
Secret
Enter the key (shared secret) for access to the accounting server here. Ensure that this key is consistent with that specified in the accounting server.
Source address
Here you have the option to configure a sender address for the device to use in place of the one that would otherwise be used automatically for this target address. If you have configured loopback addresses, you can specify them here as source address. You can enter an address in various forms:
  • Name of the IP network (ARF network), whose address should be used.
  • "INT" for the address of the first intranet.
  • "DMZ" for the address of the first DMZ.
    Important: If there is an interface called "DMZ", its address will be taken in this case.
  • LB0 … LBF for one of the 16 loopback addresses, or its name.
  • Furthermore, any IPv4 or IPv6 address can be entered in the usual form.
Important: If the source address set here is a loopback address, it is used unmasked on the remote client.
Protocol
Select the protocol: either RADIUS or RADSEC. For more information about RADSEC, please see RADSEC.
Accounting Interim Interval
The accounting function in the device can be used to check the budgets of associated wireless LAN clients, among other things. Wireless Internet Service Providers (WISPs) use this option as part of their accounting procedure. Accounting periods generally switch at the end of the month, and an action can be used to restart the accounting session at that time; existing WLAN connections remain intact. A cron job can automate this restart by calling the function do /Setup/WLAN/RADIUS-Accounting/Restart-Accounting.
Excluded VLAN
Here you enter the ID of the VLAN that the device is to exclude from RADIUS accounting. The RADIUS server then receives no information about the traffic in that VLAN.

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de