Deployment Guide
EXAMPLE 7: DEFINING AAA RADIUS SETTINGS
In this example, you define the connection settings for a RADIUS server so that HiveAPs can send RADIUS
authentication requests to the proper destination.
After corporate employees associate with HiveAPs, they gain network access by authenticating themselves to a
RADIUS server. The authentication process makes use of the IEEE 802.1X standard. Within this context, wireless
clients act as supplicants, HiveAPs as authenticators, and the RADIUS server as the authentication server. The roles
of each participant, packet exchanges, and connection details for the RADIUS server are shown in Figure 16.
Figure 16 IEEE 802.1X Authentication Process
1. Click Configuration > Authentication > AAA Client Settings > New > General, and then enter the following:
• RADIUS Name: RADIUS-Servers (You cannot use spaces in the RADIUS profile name.)
• Retry Interval: 1800 (Seconds)
Enter the period of time that a HiveAP waits before retrying a previously unresponsive primary RADIUS
server. If a primary RADIUS server does not respond to three consecutive attempts—where each attempt
consists of ten authentication requests sent every three seconds (30 seconds for a complete request)—and a
backup RADIUS server has been configured, the HiveAP sends further authentication requests to the backup
server. The default is 600 seconds (or 10 minutes). The minimum is 60 seconds and the maximum is
Note: You can define a HiveAP as a RADIUS server. A HiveAP RADIUS server only supports 802.1X authentication,
so you cannot use it to authenticate users through a captive web portal.
Text from Figure 16 (IEEE 802.1X Authentication Process). Participants: Supplicant (Wireless Client), Authenticator (HiveAP), Authentication Servers (RADIUS Servers).
(1) A supplicant (wireless client) makes an association with an authenticator (HiveAP).
(2) The authenticator and supplicant exchange EAP-Request/Identity and EAP-Response/Identity messages.
(3) The authenticator sends the EAP-Response/Identity message as one or more attributes in a RADIUS Access-Request message to the IP address of the RADIUS authentication server.
. . . Depending on the authentication method—TLS, TTLS, PEAP—more exchanges might take place here . . .
(4) The authentication server replies with either a RADIUS Access-Accept or Access-Reject message containing an EAP-Success or EAP-Failure message.
(5) The authenticator checks the RADIUS code indicating whether the supplicant is accepted or rejected. (It also checks for attributes indicating the user group for the supplicant.) The supplicant checks the EAP message.
Primary RADIUS Server
• IP address: 10.1.1.15
• Shared secret: J7ix2bbbLA
• Authentication port: 1812
• Server priority: First
Secondary RADIUS Server
• IP address: 10.1.2.16
• Shared secret: J8Dx2c13Mb
• Authentication port: 1812
• Server priority: Second
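As an added illustration (not part of the original guide and not vendor code), this Python example builds the Access-Request from Figure 16, carrying the EAP-Response/Identity as EAP-Message attributes, and shows how the shared secret keys the Message-Authenticator check on the receiving side. Attribute numbers and the HMAC-MD5 construction follow RFC 2865 and RFC 3579; the function names and any identity value passed in are assumptions made for the example.

```python
import hashlib, hmac, os, struct
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RFC 2865 / RFC 3579 types

def attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def eap_identity_response(eap_id, identity):
    """EAP header Code=2 (Response), Identifier, Length, then Type=1 (Identity) and the identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def build_access_request(secret, radius_id, eap_id, identity, request_auth=None):
    """Access-Request (code 1) carrying the EAP packet in 253-byte EAP-Message fragments."""
    request_auth = request_auth or os.urandom(16)
    eap = eap_identity_response(eap_id, identity)
    attrs = attr(USER_NAME, identity)
    for i in range(0, len(eap), 253):
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    ma_offset = 20 + len(attrs) + 2            # where the 16-byte HMAC value will sit
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = bytearray(struct.pack("!BBH", 1, radius_id, 20 + len(attrs)) + request_auth + attrs)
    # RFC 3579: HMAC-MD5 over the whole packet with the field zeroed, keyed by the shared secret
    pkt[ma_offset:ma_offset + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def parse_attrs(pkt):
    """Return (type, value_offset, value) for each attribute, rejecting malformed lengths."""
    out, pos, end = [], 20, int.from_bytes(pkt[2:4], "big")
    if end != len(pkt):
        raise ValueError("length field does not match packet size")
    while pos < end:
        if pos + 2 > end or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > end:
            raise ValueError("malformed attribute")
        out.append((pkt[pos], pos + 2, pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return out

def verify_message_authenticator(secret, pkt):
    """Receiver-side check: recompute the HMAC with the field zeroed and compare."""
    for attr_type, off, value in parse_attrs(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False                                # EAP without Message-Authenticator is rejected

def reassemble_eap(pkt):
    return b"".join(v for t, _, v in parse_attrs(pkt) if t == EAP_MESSAGE)  # fragments in order
```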