Home » Dell Manuals » Hubs & Switches » Dell PowerConnect W-IAP92 » Manual Viewer

Dell PowerConnect W-IAP92 Dell Instant 6.2.0.0-3.2.0.0 User Guide - Page 113

Configuring an External RADIUS Server

View all Dell PowerConnect W-IAP92 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 113 highlights

EAP-Generic Token Card (GTC)- This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the W-IAP as a backup to an external authentication server. EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)- This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server. If you are using the W-IAP's internal database for user authentication, you need to add the names and passwords of the users to be authenticated. If you are using an LDAP server for user authentication, you need to configure the LDAP server on the Virtual Controller, and configure user IDs and passwords. If you are using a RADIUS server for user authentication, you need to configure the RADIUS server on the Virtual Controller. Configuring an External RADIUS Server To configure an external RADIUS server for a wireless network: 1. Click New in the Networks tab and select the appropriate Primary usage. 2. Click Next to continue. 3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. 4. Click Next to continue. 5. In the Security tab, slide the bar to Enterprise and update the following fields: a. Key Management- Select the type of key for encryption and authentication. b. Termination- Select Enabled to terminate the EAP portion of 802.1X authentication on the access point instead of RADIUS server. c. Authentication server 1- Select New from the drop-down list to authenticate user credentials for the RADIUS server at run time and update the following fields: l RADIUS Server n Name- Enter the name of the new external RADIUS server. n IP address- Enter the IP address of the external RADIUS server. n Auth port- Enter the authorization port number of the external RADIUS server. The port number is set to 1812 by default. n Accounting port- Enter the accounting port number. This port is used to send accounting records to the RADIUS server. The port number is set to 1813 by default n Shared key- Enter a shared key for communicating with the external RADIUS server. n Timeout- Indicates the timeout for one RADIUS request. The W-IAP retries to send the request several times (as configured in the "Retry count") before the user gets disconnected. e.g. If the "Timeout" is 5 sec, "Retry counter" is 3, user is disconnected after 20 sec ("Timeout" x "Retry counter + 1). The default value is 5 seconds. n Retry count- Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to server group, and the default value is 3 requests. n RFC 3576- When enabled, the Access Points process RFC 3576-compliant Change of Authorization (CoA) and Disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters. Dell PowerConnect W-Series Instant Access Point 6.2.0.0-3.2.0.0 | User Guide 113 | Authentication

Section	Page
Contents	3
About This Guide	15
Dell PowerConnect W-Instant Access Point Overview	15
Supported Devices	15
Objective	15
Intended Audience	16
Conventions	16
Contacting Support	16
Initial Configuration	17
Initial Setup	17
Pre-Installation Checklist	17
Connecting a W-IAP	18
Assigning an IP Address to the W-IAP	18
Connecting to a Provisioning Wi-Fi Network	18
Disabling the Provisioning Wi-Fi Network	20
Assigning a Static IP	20
Log in to the Dell W-Series Instant UI	21
Specifying a Country Code	21
W-IAP Cluster	22
Dell W-Instant User Interface	23
Understanding the Dell W-Series Instant UI Layout	23
Banner	24
Search	24
Tabs	24
Networks Tab	24
Access Points Tab	25
Clients Tab	25
Links	26
New Version Available	27
Settings	27
RF	29
PEF	30
WIP	30
VPN	31
Wired	31
Maintenance	32
Support	32
Help	32
Logout	33
Monitoring	33
Info	33
RF Dashboard	34
Usage Trends	35
Spectrum	36
Overview (Device list)	36
Channel Utilization and Monitoring	36
Channel Details	37
Alerts	37
Client Alerts	37
Fault History	38
Active Faults	38
IDS	39
Configuration	39
AirGroup	40
Language	40
Dell PowerConnect W-AirWave Setup	40
Pause/Resume	41
Views	41
Wireless Network	43
Network Types	43
Employee Network	44
Adding an Employee Network	44
Voice Network	53
Adding a Voice Network	53
Guest Network	60
Adding a Guest Network	60
Editing a Network	68
Deleting a Network	68
Number of WLAN SSIDs Supported	68
Enabling the Extended SSID Option	69
VLAN Pooling	69
Managing W-IAPs	71
Preferred Band	71
Auto Join Mode	71
Disabling Auto Join Mode	71
Terminal Access	72
LED Display	72
TFTP Dump Server	72
Extended SSID	73
Deny Inter User Bridging and Deny Local Routing	73
Syslog Server	73
Syslog Facility Levels	74
Adding a W-IAP to the Network	74
Removing a W-IAP from the Network	75
Editing W-IAP Settings	75
Changing W-IAP Name	75
Changing IP Address of the W-IAP	76
Configuring Adaptive Radio Management	78
Configuring Uplink Management VLAN	79
Configuring Wired Bridging on Ethernet 0	79
Migrating to a Dell PowerConnect W-Series Mobility Controller Managed Network	80
Converting a W-IAP to RAP Mode	80
Converting a W-IAP to CAP	83
Converting a W-IAP to Standalone Mode	83
Converting Back to a W-IAP	84
Rebooting the W-IAP	84
Firmware Image Server in Cloud Network	86
Upgrade Using Dell PowerConnect W-AirWave and Image Server	86
Image Management Using Cloud Server	86
Image Management Using Dell PowerConnect W-AirWave	86
Automatic Firmware Image Check and Upgrade	87
Upgrading to New Version	88
Manual	88
Automatic	90
Layer-3 Mobility	91
Overview	91
Configuring a Mobility Domain	92
Home Agent Load Balancing	95
Spectrum Monitor	97
Creating Spectrum Monitors and Hybrid APs	97
Converting W-IAPs into Hybrid W-IAPs	97
Converting a W-IAP to a Spectrum Monitor	98
Spectrum Data	100
Overview - Device List	100
Non Wi-Fi Interferers	101
Channel Metrics	103
Channel Details	104
Spectrum Alerts	105
Time Management	107
NTP Server	107
Configuring an NTP Server	107
Daylight Saving Time	108
Enabling Daylight Saving Time	108
Virtual Controller	109
Master Election Protocol	109
Preference to an IAP with 3G/4G Card	109
Preference to a W-IAP with Non-Default IP	109
Virtual Controller IP Address	110
Specifying Name and IP Address for the Virtual Controller	110
Configuring the DHCP Server	110
Authentication	111
Authentication Methods in Dell W-Instant	111
802.1X Authentication	111
Internal RADIUS Server	112
External RADIUS Server	112
Authentication Terminated on W-IAP	112
Configuring an External RADIUS Server	113
Enabling RADIUS Server Support	115
Authentication Survivability	115
RADIUS Server Authentication with VSA	118
List of Supported VSA	118
Management Authentication Settings	120
Captive Portal	121
Internal Captive Portal	121
Configuring Internal Captive Portal Authentication when Adding a Guest Network	122
Configuring Internal Captive Portal Authentication when Editing a Guest Network	123
Configuring Internal Captive Portal with External RADIUS Server Authenticatio...	124
Customizing a Splash Page	125
Disabling Captive Portal Authentication	126
External Captive Portal	127
Configuring External Captive Portal Authentication when Adding a Guest Network	127
Configuring External Captive Portal Authentication when Editing a Guest Network	129
External Captive Portal Authentication using ClearPass Guest	131
Creating a Web Login page in the ClearPass Guest	131
Configuring the RADIUS Server in Instant	131
WISPr Authentication	132
Configuring WISPr Authentication	132
MAC Authentication	133
Configuring MAC Authentication	134
Walled Garden Access	134
Creating a Walled Garden Access	134
MAC + 802.1X Authentication	136
Configuring MAC + 802.1X Authentication	136
MAC + Captive Portal Authentication	137
Configuring MAC + Captive Portal Authentication	137
Wired Authentication on a W-IAP	138
Certificates	138
Loading Certificates using Dell W-Series Instant UI	139
Loading Certificates using Dell PowerConnect W-AirWave	140
Encryption	143
Encryption Types Supported in Dell W-Instant	143
WEP	143
TKIP	143
AES	143
Encryption Recommendations	143
Understanding WPA and WPA2	144
Recommended Authentication and Encryption Combinations	144
Role Derivation	145
User Roles	145
Creating a New User Role	145
Creating Role Assignment Rules	147
MAC-Address Attribute	147
DHCP Option and DHCP Fingerprinting	148
802.1X-Authentication-Type	148
User VLAN Derivation	149
User VLAN Derivation	149
Vendor Specific Attributes (VSA)	149
VLAN Derivation Rule	150
Configuring VLAN Derivation Rules on a W-IAP	150
User Role	151
Configuring a User Role	151
SSID Profile	152
Configuring VLAN Derivation Rules Using an SSID Profile	153
Instant Firewall	155
Service Options	156
Destination Options	158
Examples for Access Rules	158
Allow TCP Service to a Particular Network	158
Allow POP3 Service to a Particular Server	159
Deny FTP Service except to a Particular Server	160
Deny bootp Service except to a Particular Network	161
Content Filtering	163
Enabling Content Filtering	163
Enterprise Domains	164
OS Fingerprinting	167
Adaptive Radio Management	169
ARM Features	169
Channel or Power Assignment	169
Voice Aware Scanning	169
Load Aware Scanning	169
Band Steering Mode	169
Airtime Fairness Mode	170
Airtime Fairness Modes	170
Access Point Control	171
Customize Valid Channels	171
Min Transmit Power	171
Max Transmit Power	171
Client Aware	171
Scanning	171
Wide Channel Bands	171
Monitoring the Network with ARM	172
ARM Metrics	172
Configuring Administrator Assigned Radio Settings for W-IAP	172
Configuring Radio Profiles in Instant	173
Intrusion Detection System	177
Rogue AP Detection and Classification	177
Wireless Intrusion Protection (WIP)	177
Containment Methods	181
SNMP	183
SNMP Parameters for W-IAP	183
SNMP Traps	185
Ethernet Downlink	187
Ethernet Downlink Overview	187
Ethernet Downlink Profile Parameters	187
Assigning a Profile to the Ethernet Port	190
Hierarchical Deployment	193
Deployment	193
Uplink Configuration	195
Uplink Interface Configuration	195
Ethernet Uplink	195
3G/4G Uplink	196
Types of Modems	196
Provisioning 3G/4G Uplink Manually	198
Provisioning 3G Uplink Automatically	199
Provisioning a 3G/4G Switch Network	199
Wi-Fi Uplink	200
Provisioning Wi-Fi Uplink	200
Provisioning 3G/4G and Wi-Fi Uplink with Factory Setting	200
Uplink Management	201
Enforce Uplink	201
Uplink Preemption	201
Uplink Switchover	201
Uplink Switching Based on VPN Status	201
Uplink Switching Based on Internet Connectivity Status	202
PPPoE	202
Configuring PPPoE	202
Dell PowerConnect W-AirWave Integration and Management	205
Dell PowerConnect W-AirWave Features	205
Image Management	205
W-IAP and Client Monitoring	205
Template-based Configuration	205
Trending Reports	206
Intrusion Detection System	206
Wireless Intrusion Detection System (WIDS) Event Reporting to Dell PowerConne...	206
RF Visualization Support for Dell W-Instant	207
Configuring Dell PowerConnect W-AirWave	207
Creating your Organization String	207
About Shared Key	208
Entering the Organization String and AMP Information into the W-IAP	208
Dell PowerConnect W-AirWave Discovery through DHCP Option	208
Standard DHCP option 60 and 43 on Windows Server 2008	208
Alternate Method for Defining Vendor-Specific DHCP Options	212
AirGroup	215
Introducing AirGroup	215
What is Bonjour and Zero Configuration Networking?	215
WLANs and Bonjour	216
AirGroup Solution	216
AirGroup Features	217
Dell PowerConnect W-ClearPass Policy Manager and ClearPass Guest Features	217
AirGroup Architecture	217
How Does AirGroup Work?	218
Use Case: Higher Education Wireless LAN	219
The AirGroup Solution Components	219
Configuring AirGroup on W-Instant	220
Using the Dell W-Series Instant UI	220
Enabling or Disabling AirGroup	220
Disallow Role	221
Disallow VLAN	222
Configuring AirGroup-CPPM Interface in W-Instant	223
Creating a RADIUS Server	223
Assign a Server to AirGroup	224
Configure CPPM to Enforce Registration	225
Change of Authorization (CoA)	225
AirGroup Monitoring	226
Troubleshooting and Log Messages	226
Monitoring	229
Virtual Controller View	229
Monitoring Link	230
Info	230
RF Dashboard	230
Usage Trends	230
Client Alerts Link	232
IDS Link	232
Network View	232
Info	233
Usage Trends	233
Dell W-Instant Access Point View	235
Info	235
RF Dashboard	235
Overview	236
Client View	243
Info	244
RF Dashboard	244
RF Trends	244
Mobility Trail	247
Alert Types and Management	249
Alert Types	249
Policy Enforcement Firewall	251
Authentication Servers	251
Users for Internal Server	251
Roles	252
Extended Voice and Video Functionalities	253
QoS for Microsoft Office OCS and Apple Facetime	253
Microsoft OCS	254
Apple Facetime	254
Client Blacklisting	255
Types of Client Blacklisting	256
Manual Blacklisting	256
Adding a Client to the Manual Blacklist	256
Dynamic Blacklisting	257
Authentication Failure Blacklisting	257
Session Firewall Based Blacklisting	257
PEF Settings	258
Firewall ALG Configuration	258
Firewall-based Logging	259
VPN Configuration	261
VPN Configuration	261
Fast Failover	262
Routing Profile Configuration	262
DHCP Server Configuration	263
NAT DHCP Configuration	264
Distributed L2 DHCP Configuration	265
Distributed L3 DHCP Configuration	266
Centralized L2 DHCP Configuration	267
User Database	269
Adding a User	269
Editing User Settings	270
Deleting a User	270
Regulatory Domain	271
Country Codes List	271
Controller Configuration for VPN	277
Whitelist DB Configuration	277
VPN Local Pool Configuration	277
W-IAP VPN Profile Configuration	278
Dell PowerConnect W-ClearPass Configuration for AirGroup	279
Dell PowerConnect W-ClearPass Setup	279
Testing	283
Troubleshooting	283
IAP-VPN	285
Licensing Requirements	285
VPN Configuration	286
Creating a W-IAP Whitelist	286
Controller Whitelist DB	286
External Whitelist DB	286
VPN Local Pool Configuration	287
VPN Profile Configuration	287
Radius Proxy for VPN Connected IAPs	287
Viewing Branch Status	288
Example	288
Troubleshooting	289
Viewing Logs	289
Support Commands	289
Abbreviations	295

Match case Limit results 1 per page

EAP-Generic Token Card (GTC)— This EAP method permits the transfer of unencrypted

usernames and passwords from client to server. The main uses for EAP-GTC are one-time token

cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You

can also enable caching of user credentials on the W-IAP as a backup to an external

authentication server.

EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)— This EAP method is

widely supported by Microsoft clients. A RADIUS server must be used as the backend

authentication server.

If you are using the W-IAP’s internal database for user authentication, you need to add the names

and passwords of the users to be authenticated. If you are using an LDAP server for user

authentication, you need to configure the LDAP server on the Virtual Controller, and configure

user IDs and passwords. If you are using a RADIUS server for user authentication, you need to

configure the RADIUS server on the Virtual Controller.

Configuring an External RADIUS Server

To configure an external RADIUS server for a wireless network:

Click

New

in the

Networks

tab and select the appropriate

Primary usage

Click

to continue.

Use the

VLAN

tab to specify how the clients on this network get their IP address and VLAN.

Click

to continue.

In the

Security

tab, slide the bar to

Enterprise

and update the following fields:

Key Management

— Select the type of key for encryption and authentication.

Termination

— Select Enabled to terminate the EAP portion of 802.1X authentication on

the access point instead of RADIUS server.

Authentication server 1

— Select

New

from the drop-down list to authenticate user

credentials for the RADIUS server at run time and update the following fields:

RADIUS Server

Name— Enter the name of the new external RADIUS server.

IP address— Enter the IP address of the external RADIUS server.

Auth port— Enter the authorization port number of the external RADIUS server. The

port number is set to 1812 by default.

Accounting port— Enter the accounting port number. This port is used to send

accounting records to the RADIUS server. The port number is set to 1813 by default

Shared key— Enter a shared key for communicating with the external RADIUS server.

Timeout— Indicates the timeout for one RADIUS request. The W-IAP retries to send

the request several times (as configured in the "Retry count") before the user gets

disconnected. e.g. If the "Timeout" is 5 sec, "Retry counter" is 3, user is disconnected

after 20 sec ("Timeout" x "Retry counter + 1). The default value is 5 seconds.

Retry count— Specify a number between 1 and 5. Indicates the maximum number of

authentication requests that are sent to server group, and the default value is 3

requests.

RFC 3576— When enabled, the Access Points process RFC 3576-compliant Change

of Authorization (CoA) and Disconnect messages from the RADIUS server.

Disconnect messages cause a user session to be terminated immediately, whereas CoA

messages modify session authorization attributes such as data filters.

Dell PowerConnect W-Series Instant Access Point

6.2.0.0-3.2.0.0

User Guide

113

Authentication