AP-2500 Authentication Methods
Internal Authentication with RADIUS
In this configuration, the AP-2500 provides all of the authentication services described in Internal Authentication, but it
also communicates with a Remote Authentication Dial-In User Service (RADIUS) server on the network to determine if
a user is valid. RADIUS is an authentication and accounting protocol that is used by many ISPs. The RADIUS server
maintains a large central list of subscribers and their attributes (such as the maximum bandwidth allowed for a specific
customer) that it communicates back to the AP-2500. The RADIUS server can also perform accounting functions to
record a user’s login activity to facilitate billing.
RADIUS is a proven carrier-class protocol for accurate time- and volume-based billing. The RADIUS protocols
are defined in RFCs 2865 (Authentication) and 2866 (Accounting). These RFCs are available at
http://www.rfc-editor.org/.
NOTE
In RADIUS terminology, the AP is referred to as a RADIUS Client or as a Network Access Server (NAS).
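The exchange between the AP (as NAS) and the RADIUS server, as an added example that is not taken from the AP-2500 documentation or firmware: it builds an RFC 2865 Access-Request with a hidden User-Password and accepts a reply only if its Response Authenticator verifies against the shared secret. The use of the User-Password (PAP) attribute, the function names and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                    # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT, NAS_IDENTIFIER = 1, 2, 27, 32

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, nas_id):
    """What the AP (NAS) sends to ask the server whether a user is valid."""
    authenticator = os.urandom(16)                      # fresh and unpredictable per request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, request, attrs, secret):
    """Constructed stand-in for the RADIUS server, so the example runs offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply, request, secret):
    """Return (code, attributes) only if the reply is authentic for this request, else None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply) or ident != request[1]:
        return None
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None                                     # wrong secret or altered packet
    attrs, i = [], 20
    while i + 2 <= length:
        attr_type, attr_len = reply[i], reply[i + 1]
        if attr_len < 2 or i + attr_len > length:
            return None
        attrs.append((attr_type, reply[i + 2:i + attr_len]))
        i += attr_len
    return (code, attrs) if i == length else None
```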
Authentication Procedure
The following diagram illustrates how a client is authenticated when the AP’s RADIUS client is enabled.
Figure 3-3 Internal Authentication with RADIUS
1. Client connects to AP and launches Web browser. The AP adds the client to its Current Subscribers Table with
State set to “Pending”.
2. AP redirects client to the AP’s internal login page or to a Portal Page.
• The AP redirects the customer when it receives an HTTP request from the customer’s browser.
• If the browser’s default home page is loaded from the browser’s cache, the customer may not be redirected to
the login screen. The customer will, however, be redirected on the first attempt to access a new Web site.
• The customer must try to access a valid Web site to call up the login screen. Entering an unreachable URL or
invalid Web address will not bring up the login screen.
• Customers who try to access e-mail first will not have a connection. Customers need to log in via a Web
browser first.