Specifications

FreeRADIUS and Security
Summit WM20 Technical Reference Guide, Software Version 4.274
shortname = SWC001
}
In this case the RADIUS client is a Summit WM Controller at 10.0.0.10. Since the controller has many IP
addresses, some physical and some virtual, it is easy to be confused about which IP address to use as the
RADIUS client address. The answer is whichever interface the controller will use to send the packet
to the RADIUS server. In the CLI of the controller, use the ping <target> command to determine which
interface will be used if it is not obvious. If the path to the RADIUS server changes based upon OSPF
routing updates, then it is best to enter all possibilities into this file.
The secret parameter will be asked for during the configuration of the Summit WM WLAN equipment
and is typically referred to as the ‘shared secret’.
users file
Example for Captive Portal Authentication
The users file is used for entering static information that can be used for authentication. The simplest
form of an entry is:
"username" Auth-Type := local, User-Password == "aDRM123"
This type of entry can be used for CHAP authentication types. This entry can also be used for PAP-type
authentication types provided that the pap definition in the modules section of the radiusd.conf file has
the encryption_scheme set to ‘clear’ rather than the default of ‘crypt’.
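Why one cleartext users entry can serve both methods, shown as an added example that is not part of the original guide: it follows RFC 2865 for hiding the PAP User-Password with the shared secret and RFC 1994 for the CHAP response. The shared secret value and all function names are assumptions made for illustration; only the password is taken from the entry above.

```python
import hashlib
import hmac
import os

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Build the User-Password value as the RADIUS client does (RFC 2865, 5.2)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # Pad with NULs to a multiple of 16 octets (at least one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def pap_verify(hidden: bytes, secret: bytes, request_auth: bytes, stored: bytes) -> bool:
    """Server side: remove the mask with the shared secret, compare to the users entry."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return hmac.compare_digest(clear.rstrip(b"\x00"), stored)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response: MD5 over identifier, cleartext password and challenge (RFC 1994)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    """Server side: recompute from the stored cleartext password; nothing is decoded."""
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)

# Constructed sample values; only the password comes from the users entry above.
SECRET = b"example-shared-secret"
STORED = b"aDRM123"

if __name__ == "__main__":
    auth = os.urandom(16)       # Request Authenticator of the Access-Request
    challenge = os.urandom(16)  # CHAP challenge issued to the user
    hidden = pap_hide(STORED, SECRET, auth)
    print("PAP, matching secret:", pap_verify(hidden, SECRET, auth, STORED))
    print("PAP, wrong secret:   ", pap_verify(hidden, b"other", auth, STORED))
    resp = chap_response(1, STORED, challenge)
    print("CHAP, stored cleartext:", chap_verify(1, challenge, resp, STORED))
```

A mismatched shared secret makes every PAP check fail even when the user typed the right password, which is the usual symptom of a wrong secret in the client definition.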
Attributes can be added to the user definition in this file. An example for a captive portal environment
would be:
"username" Auth-Type := local, User-Password == "aDRM123"
	Filter-Id = "filter1",
	Session-Timeout = 10
In this example the filter-id ‘filter1’ is returned to the Summit WM Controller and a session timeout of
10 minutes is returned. If the Summit WM Controller has a filter defined that matches the returned
Filter-Id attribute then it will be used. In addition, if the session is successfully authenticated then the
session on the Summit WM Controller has an absolute limit of 10 minutes, at which point
re-authentication will be necessary.
Example for MAC-based Authentication
Users can also be defined directly as type PAP. For example, for MAC-based authentication the Summit
WM Controller sends both the username and the password as the MAC address by default, so it is
typical to see a device entered into the users file as follows:
#vocera badge example
"0009EF003BAF" Auth-Type := PAP, User-Password == "0009EF003BAF"
The only difference with overwrite is that the password does not have to be the MAC address of the
device, but rather it can be anything the administrator configures (and matches on the Summit WM
Controller).
To use the Challenge Handshake Access Protocol (CHAP), which prevents the password from ever
being transmitted between the Summit WM Controller and the RADIUS server, switch the Auth-Type