Installation guide

Switch Security
6-73
6.9.1.2 Authentication of Terminal/Management User(s)
The local Radius server can be used to authenticate users. A normal user (with a password) should be created
in the local database. These users should not be a part of any group.
6.9.1.3 Access Policy
Access policies are defined for a group created in the local database. Each user is authorized based on the
access policies defined for the groups to which the user belongs. Access policies allow the administrator to
control access to a set of users based on the WLANs (ESSID).
Group-to-WLAN access is controlled using a “Time of the day” access policy.
Consider User1 (part of Group 1), which is mapped to WLAN1 (ESSID of WLAN1). When the user tries to
connect to WLAN1, the user is prompted to enter his/her credentials. Once the authentication and
authorization phases are successful, only User1 is able to access WLAN1 for the allowed duration (but not any
other WLAN). Each user group can be configured to be a part of one VLAN. All the users in that group are
assigned the same VLAN ID if dynamic VLAN authorization has been enabled on the WLAN.
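The authentication and authorization sequence described above, modelled as an added example in Python (this is not the switch's own code). The data model, the password check and the 08:00 to 18:00 window for Group1 are constructed assumptions; only the relationships between users, groups, ESSIDs, time-of-day policies and dynamic VLAN assignment come from the text.

```python
import hmac
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the switch's local Radius database (not the product's own
# code): users belong to groups, and each group carries access policies that pair
# a WLAN (ESSID) with a time-of-day window; the group may also map to one VLAN.

@dataclass
class AccessPolicy:
    essid: str
    start: time   # window start, inclusive
    end: time     # window end, exclusive

@dataclass
class Group:
    name: str
    vlan_id: Optional[int]                               # used only with dynamic VLAN authorization
    policies: List[AccessPolicy] = field(default_factory=list)

@dataclass
class User:
    name: str
    password: str
    groups: List[Group] = field(default_factory=list)    # management users: no group at all

def in_window(now: time, policy: AccessPolicy) -> bool:
    """True if 'now' falls inside the policy window; handles windows that cross midnight."""
    if policy.start <= policy.end:
        return policy.start <= now < policy.end
    return now >= policy.start or now < policy.end

def authenticate(db: Dict[str, User], name: str, password: str) -> Optional[User]:
    """Authentication phase: look the user up in the local database and check the password."""
    user = db.get(name)
    if user is None or not hmac.compare_digest(user.password, password):
        return None
    return user

def authorize(user: User, essid: str, now: time, dynamic_vlan: bool) -> Tuple[bool, Optional[int]]:
    """Authorization phase: the user may join 'essid' only if one of their groups has a
    policy for that ESSID whose window contains 'now'. Returns (allowed, vlan_id); the
    VLAN is the group's VLAN only when dynamic VLAN authorization is enabled on the WLAN."""
    for group in user.groups:
        for policy in group.policies:
            if policy.essid == essid and in_window(now, policy):
                return True, (group.vlan_id if dynamic_vlan else None)
    return False, None

def build_sample_db() -> Dict[str, User]:
    """Constructed sample data mirroring the text: User1 in Group1, mapped to WLAN1 08:00-18:00."""
    group1 = Group("Group1", vlan_id=10,
                   policies=[AccessPolicy("WLAN1", time.fromisoformat("08:00"), time.fromisoformat("18:00"))])
    return {
        "User1": User("User1", "s3cret", groups=[group1]),
        "admin": User("admin", "adminpass"),   # management user: no group, hence no WLAN access
    }

def check_access(db: Dict[str, User], name: str, password: str, essid: str,
                 now: str, dynamic_vlan: bool = True) -> Tuple[bool, Optional[int]]:
    """Full sequence: authenticate, then authorize. 'now' is an HH:MM string."""
    user = authenticate(db, name, password)
    if user is None:
        return False, None
    return authorize(user, essid, time.fromisoformat(now), dynamic_vlan)

if __name__ == "__main__":
    db = build_sample_db()
    print(check_access(db, "User1", "s3cret", "WLAN1", "09:00"))   # (True, 10)
    print(check_access(db, "User1", "s3cret", "WLAN2", "09:00"))   # (False, None): other WLAN
    print(check_access(db, "User1", "s3cret", "WLAN1", "20:00"))   # (False, None): outside window
```

The management user `admin` is deliberately outside every group, so it authenticates but is never authorized onto a WLAN, which is the separation the text asks for when it says terminal/management users should not be part of any group.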
6.9.1.4 Proxy to External Radius Server
Proxy realms are configured on the switch; each realm holds the details of the external Radius server to which
users of that realm are to be proxied. The received user ID is parsed in one of the supported notations (user@realm,
realm/user, user%realm, user/realm) to extract the realm and thereby select the proxy Radius server.
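A parser for the four user-ID notations listed above, as an added example in Python (not the switch's own code). The realm table, its server addresses and the rule for the ambiguous `/` separator (the text lists both realm/user and user/realm, so this parser accepts whichever side names a configured realm) are assumptions made for the example.

```python
from typing import Dict, Optional, Tuple

# Constructed proxy realm table (hypothetical values): realm -> external Radius server.
PROXY_REALMS: Dict[str, str] = {
    "corp.example": "10.0.0.10",
    "guest.example": "10.0.0.11",
}

def split_user_realm(user_id: str, realms: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (user, realm) from user@realm, user%realm, realm/user or user/realm.
    Returns None when the ID carries no configured realm. Because '/' appears in
    both realm/user and user/realm, that case is resolved by checking which side
    is a configured realm; an unconfigured realm is never guessed."""
    if "@" in user_id:                          # user@realm (realm after the last '@')
        user, realm = user_id.rsplit("@", 1)
        return (user, realm) if realm in realms else None
    if "%" in user_id:                          # user%realm
        user, realm = user_id.split("%", 1)
        return (user, realm) if realm in realms else None
    if "/" in user_id:                          # realm/user or user/realm
        left, right = user_id.split("/", 1)
        if left in realms:
            return right, left
        if right in realms:
            return left, right
        return None
    return None                                 # bare user name: no realm present

def select_proxy(user_id: str, realms: Dict[str, str] = PROXY_REALMS) -> Optional[Tuple[str, str, str]]:
    """Return (user, realm, proxy_server) for a proxied ID, or None if the ID is not
    proxied (no realm, or a realm that is not configured) and stays with the local server."""
    parsed = split_user_realm(user_id, realms)
    if parsed is None:
        return None
    user, realm = parsed
    return user, realm, realms[realm]

if __name__ == "__main__":
    for uid in ("alice@corp.example", "guest.example/bob", "bob/guest.example",
                "carol%corp.example", "dave", "dave@unknown.example"):
        print(uid, "->", select_proxy(uid))
```

Treating an unconfigured realm as "not proxied" rather than silently stripping it is the conservative choice: the credentials are never forwarded to a server the administrator did not name, and the unknown realm shows up in the local server's logs instead of disappearing.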
6.9.1.5 LDAP
An external data source based on LDAP can be used to authorize users. The Radius server looks for user
credentials in the configured external LDAP server and authorizes users. The switch supports two LDAP server
configurations.
6.9.1.6 Accounting
Accounting should be initiated by the Radius client. Once the Local/Onboard Radius server is started, it will
listen for both authentication and accounting records.
6.9.2 Using the Switch’s Radius Server Versus an External Radius Server
The switch ships with a default configuration defining the local Radius Server as the primary authentication
source (default users are admin with superuser privileges and operator with monitor privileges). No secondary
authentication source is specified. However, Motorola recommends using an external Radius Server as the
primary user authentication source and the local switch Radius Server as the secondary user authentication
source. For information on configuring an external Radius Server, see Configuring External Radius Server
Support on page 4-43. To continue to instructions on how to configure the switch’s local Radius Server, see
Defining the Radius Configuration on page 6-74.
If an external Radius server is configured as the switch’s primary user authentication source and the switch’s
local Radius Server is defined as an alternate method, the switch first tries to authenticate users using the
external Radius Server. If the external Radius Server is unreachable, the switch reverts to the local Server’s user
database to authenticate users. However, if the external Radius server is reachable but rejects the user or if
the user is not found in the external Server’s database, the switch will not revert to the local Radius Server and
the authentication attempt fails.
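The primary/alternate behaviour described above, as an added example in Python (not the switch's own code): the local server is consulted only when the external server is unreachable, never when it answers with a reject or does not know the user. The in-memory servers, user names and passwords are constructed for the example.

```python
import hmac
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"              # server reachable, but user unknown or password wrong
    UNREACHABLE = "unreachable"    # no answer from the server

Server = Callable[[str, str], Result]

def make_server(user_db: Dict[str, str], reachable: bool) -> Server:
    """Constructed stand-in for a Radius server (hypothetical): a username->password
    table plus a reachability flag. A real server would be queried over the network."""
    def authenticate(username: str, password: str) -> Result:
        if not reachable:
            return Result.UNREACHABLE
        expected = user_db.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            return Result.ACCEPT
        return Result.REJECT       # unknown user and wrong password look the same to the client
    return authenticate

def authenticate_with_failover(primary: Server, secondary: Optional[Server],
                               username: str, password: str) -> Tuple[Result, str]:
    """Try the primary source; fall back to the secondary only when the primary is
    unreachable. A reject from a reachable primary is final, so an account removed
    from the external server cannot fall through to a stale local account.
    Returns (result, name of the source that produced it)."""
    result = primary(username, password)
    if result is Result.UNREACHABLE and secondary is not None:
        return secondary(username, password), "secondary"
    return result, "primary"

def scenario(external_reachable: bool, username: str, password: str) -> Tuple[Result, str]:
    """External server as primary, local server as alternate, with constructed users."""
    external = make_server({"alice": "ext-pass"}, reachable=external_reachable)
    local = make_server({"admin": "local-pass", "alice": "old-local-pass"}, reachable=True)
    return authenticate_with_failover(external, local, username, password)

if __name__ == "__main__":
    print(scenario(True, "alice", "ext-pass"))         # (ACCEPT, 'primary')
    print(scenario(True, "admin", "local-pass"))       # (REJECT, 'primary'): no fallback on reject
    print(scenario(False, "admin", "local-pass"))      # (ACCEPT, 'secondary'): external down
    print(scenario(False, "alice", "old-local-pass"))  # (ACCEPT, 'secondary'): stale local password works
```

The last scenario is the operational caveat of this design: while the external server is down, whatever the local database still holds is authoritative, so local accounts and passwords need the same hygiene as the external directory even when they are only the alternate.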
If the switch’s local Radius Server is configured as the primary authentication method and an external Radius
Server is configured as an alternate method, the alternate external Radius Server will not be used as an