Motorola WS5100 manual 6.9.1.3 Access Policy, 6.9.1.4 Proxy to External Radius Server, 6.9.1.5 LDAP

Models: WS5100


6-64 WS5100 Series Switch System Reference Guide

6.9.1.2 Authentication of Terminal/Management User(s)

The local Radius server can be used to authenticate terminal/management users. A normal user (with a password) should be created in the local database. These users should not be part of any group.

6.9.1.3 Access Policy

Access policies are defined for a group created in the local database. Each user is authorized based on the access policies defined for the groups to which the user belongs. Access policies allow the administrator to control access for a set of users based on the WLANs (ESSIDs) they may join.

Group-to-WLAN access is controlled by using a “Time of the day” access policy. Consider User1, who is part of Group1, which is mapped to WLAN1 (the ESSID of WLAN1). When the user tries to connect to WLAN1, the user is prompted to enter his/her credentials. Once the authentication and authorization phases are successful, User1 is able to access only WLAN1, and only for the allowed duration (not any other WLAN). Each user group can be configured to be part of one VLAN. All the users in that group are assigned the same VLAN ID if dynamic VLAN authorization has been enabled on the WLAN.
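The following is an added illustration of the authorization step described above, not code from the manual or from the WS5100 firmware. It models a group with a single VLAN and a "time of the day" policy bound to one ESSID, and evaluates a request after authentication has already succeeded; the group names, ESSIDs, VLAN IDs and time windows are constructed sample values, and the handling of a window that wraps midnight is an assumption about how such a policy would be evaluated. Any user with no matching policy is denied, which is the fail-closed behaviour a practitioner would want from an access policy.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class TimeOfDayPolicy:
    """Hypothetical 'time of the day' access policy for one WLAN (by ESSID).
    A window may wrap midnight, e.g. 22:00 to 06:00 (start > end)."""
    essid: str
    start: time
    end: time

    def active_at(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now <= self.end
        # Wrapping window: active late in the evening or early in the morning.
        return now >= self.start or now <= self.end


@dataclass(frozen=True)
class Group:
    """A local-database group: its access policies and its single VLAN."""
    name: str
    policies: Tuple[TimeOfDayPolicy, ...]
    vlan_id: Optional[int] = None


# Constructed sample database (names and values are not from the manual).
GROUPS = {
    "Group1": Group("Group1", (TimeOfDayPolicy("WLAN1", time(8, 0), time(18, 0)),), vlan_id=10),
    "Group2": Group("Group2", (TimeOfDayPolicy("WLAN2", time(22, 0), time(6, 0)),), vlan_id=20),
}
# Management users such as 'operator' belong to no group (see 6.9.1.2).
USER_GROUPS = {"User1": ("Group1",), "User2": ("Group2",), "operator": ()}


def authorize(user: str, essid: str, now: time, dynamic_vlan: bool) -> Tuple[bool, Optional[int]]:
    """Authorize an already-authenticated user for the WLAN it is joining.

    Returns (allowed, vlan_id). The group's VLAN is only handed back when
    dynamic VLAN authorization is enabled on the WLAN. A user whose groups
    carry no policy for this ESSID at this time is denied (default deny)."""
    for group_name in USER_GROUPS.get(user, ()):
        group = GROUPS[group_name]
        for policy in group.policies:
            if policy.essid == essid and policy.active_at(now):
                return True, (group.vlan_id if dynamic_vlan else None)
    return False, None


def authorize_at(user: str, essid: str, hhmm: str, dynamic_vlan: bool) -> Tuple[bool, Optional[int]]:
    """Convenience wrapper taking the clock time as 'HH:MM'."""
    return authorize(user, essid, time.fromisoformat(hhmm), dynamic_vlan)


if __name__ == "__main__":
    print(authorize_at("User1", "WLAN1", "09:00", True))   # (True, 10)
    print(authorize_at("User1", "WLAN2", "09:00", True))   # (False, None): other WLAN
    print(authorize_at("User2", "WLAN2", "02:00", True))   # (True, 20): wrapping window
```

The check deliberately keys on the ESSID of the WLAN the client is joining, not on anything the client supplies, so a user in Group1 cannot gain WLAN2 by presenting valid credentials there.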

6.9.1.4 Proxy to External Radius Server

Proxy realms are configured on the switch; each realm holds the details of the external Radius server to which that realm's users are to be proxied. The user ID obtained from the client is parsed in one of the formats user@realm, realm/user, user%realm or user\realm to determine which proxy Radius server is to be used.
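As an added example (not the manual's or the switch's own code), the routine below parses a user ID in the four realm formats listed above and looks the realm up in a proxy-realm table. The realm names and server addresses are constructed sample values, and two details are assumptions rather than documented switch behaviour: the first delimiter found, in the order the manual lists the formats, decides the split, and a realm that is not configured is rejected rather than quietly authenticated locally.

```python
from typing import Optional, Tuple

# Hypothetical proxy-realm table: realm -> (external RADIUS host, auth port).
# Constructed sample values; nothing here is from the manual.
PROXY_REALMS = {
    "corp.example": ("radius1.corp.example", 1812),
    "guest.example": ("radius-guest.example", 1812),
}

# Delimiters in the order the manual lists the formats:
# user@realm, realm/user, user%realm, user\realm.
# The boolean records whether the user part comes before the delimiter.
_FORMATS = (("@", True), ("/", False), ("%", True), ("\\", True))


def split_realm(user_id: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm); realm is None when no delimiter is present.

    Assumption: the first listed delimiter present wins, and an empty user
    or realm part is malformed and raises ValueError."""
    if not user_id:
        raise ValueError("empty user id")
    for delim, user_first in _FORMATS:
        if delim in user_id:
            left, _, right = user_id.partition(delim)
            user, realm = (left, right) if user_first else (right, left)
            if not user or not realm:
                raise ValueError(f"malformed user id: {user_id!r}")
            return user, realm
    return user_id, None


def route(user_id: str) -> Tuple[str, str, Optional[Tuple[str, int]]]:
    """Decide where an authentication request goes.

    Returns (action, user, server) with action one of
    'local'  - no realm given, handle on the onboard server;
    'proxy'  - forward to the configured external server for the realm;
    'reject' - realm present but not configured (assumption: fail closed)."""
    user, realm = split_realm(user_id)
    if realm is None:
        return "local", user, None
    server = PROXY_REALMS.get(realm.lower())
    if server is None:
        return "reject", user, None
    return "proxy", user, server


if __name__ == "__main__":
    for uid in ("alice@corp.example", "guest.example/bob", "carol%corp.example",
                "dave\\guest.example", "localadmin", "eve@nowhere.example"):
        print(uid, "->", route(uid))
```

Rejecting an unknown realm matters because the realm is attacker-controlled input: if an unrecognised realm fell through to the local database, a client could choose which server evaluates its credentials simply by changing the suffix.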

6.9.1.5 LDAP

An external data source based on LDAP can be used to authorize users. The Radius server looks for user credentials in the configured external LDAP server and authorizes the users. The switch supports two LDAP server configurations.

6.9.1.6 Accounting

Accounting should be initiated by the Radius client. Once the Local/Onboard Radius server is started, it will listen for both authentication and accounting records.

6.9.2 Using the Switch’s Radius Server Versus an External Radius

The switch ships with a default configuration defining the local Radius Server as the primary authentication source (default users are admin with superuser privileges and operator with monitor privileges). No secondary authentication source is specified. However, Motorola recommends using an external Radius Server as the primary user authentication source and the local switch Radius Server as the secondary user authentication source. For information on configuring an external Radius Server, see Configuring External Radius Server Support on page 4-36. To continue to instructions on how to configure the switch’s local Radius Server, see Defining the Radius Configuration on page 6-65.

If an external Radius server is configured as the switch’s primary user authentication source and the switch’s local Radius Server is defined as an alternate method, the switch first tries to authenticate users using the external Radius Server. If the external Radius Server is unreachable, the switch reverts to the local Server’s user database to authenticate a user. However, if the external Radius server is reachable but rejects the user, or if the user is not found in the external Server’s database, the switch will not revert to the local Radius Server and the authentication attempt fails.
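The primary/alternate semantics just described are worth seeing as code, because the difference between "unreachable" and "rejected" is what keeps the local database from becoming a bypass of the external server's policy. The simulation below is an added example, not the switch's implementation: the two servers, their user lists and the `reachable` flag that stands in for a timeout are all constructed.

```python
import enum
import hmac
from typing import Dict, Optional, Tuple


class Result(enum.Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered: wrong password or unknown user
    UNREACHABLE = "unreachable"  # no answer at all (timeout / network failure)


class RadiusServer:
    """Simulated RADIUS server with a user database (constructed for this
    example). reachable=False models a server that never answers."""

    def __init__(self, name: str, users: Dict[str, str], reachable: bool = True):
        self.name = name
        self._users = users
        self.reachable = reachable

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.UNREACHABLE
        expected = self._users.get(user)
        if expected is None:
            # 'User not found' is a definitive answer, not an outage.
            return Result.REJECT
        ok = hmac.compare_digest(expected.encode(), password.encode())
        return Result.ACCEPT if ok else Result.REJECT


def authenticate(user: str, password: str, primary: RadiusServer,
                 secondary: Optional[RadiusServer] = None) -> Tuple[Result, str]:
    """Apply the manual's primary/alternate rule.

    The alternate is consulted only when the primary is unreachable. A REJECT
    from a reachable primary is final, so a user missing from (or denied by)
    the external server cannot fall back to the local database.
    Returns (result, name of the server that produced it)."""
    result = primary.authenticate(user, password)
    if result is Result.UNREACHABLE and secondary is not None:
        return secondary.authenticate(user, password), secondary.name
    return result, primary.name


# Constructed sample: an external server and the switch's onboard database.
EXTERNAL = RadiusServer("external", {"alice": "s3cret"})
LOCAL = RadiusServer("local", {"alice": "s3cret", "admin": "localonly"})

if __name__ == "__main__":
    print(authenticate("alice", "s3cret", EXTERNAL, LOCAL))    # (ACCEPT, 'external')
    print(authenticate("admin", "localonly", EXTERNAL, LOCAL)) # (REJECT, 'external'): no fallback
    down = RadiusServer("external", {"alice": "s3cret"}, reachable=False)
    print(authenticate("admin", "localonly", down, LOCAL))     # (ACCEPT, 'local')
```

Note the second call: `admin` exists only in the local database, yet while the external server is up the attempt fails. That is the intended behaviour, and it is also why local-only accounts should be accounted for when the external server is the primary source.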

If the switch’s local Radius Server is configured as the primary authentication method and an external Radius Server is configured as an alternate method, the alternate external Radius Server will not be used a
