BelAir20E User Guide
Wi-Fi AP Security
April 2, 2012
Confidential
Document Number BDTM02201-A01 Standard
To use this feature, you must configure your RADIUS server to have a list of all
allowed clients. Each entry in this list includes a user name and a password. The
user name and the password must be set to the client’s MAC address. The
delimiter parameter specifies whether the RADIUS packets use a colon (:), a
dash (-) or nothing as a delimiter when specifying a MAC address.
To reduce the message exchanges between the AP and RADIUS server, an AP
maintains two cache tables: one for all allowed clients and another for all
disallowed clients. When the AP receives a client’s association request, it first
searches both tables. If the client’s information is in the allowed table, the AP
bypasses RADIUS pre-authentication. If the client is in the disallowed table, it is
rejected immediately. Cache entries in either table expire in two minutes.
The feature can be enabled or disabled on each SSID. Use the
/wifi-<n>-<m>/show ssid table command to determine <ssid_index>.
The default setting is disabled.
RADIUS Assigned VLAN
The BelAir20E can create VLANs as instructed by the RADIUS server. When
this feature is activated, the RADIUS server instructs the BelAir20E to tag the
authenticated packets to use the specified VLAN.
This feature has no BelAir CLI commands. To activate this feature, you must
provision the following attributes on your RADIUS server:
• RA_TUNNEL_TYPE, set to 13
• RA_TUNNEL_MEDIUM_TYPE, set to 6
• RA_TUNNEL_PRIVATE_GROUP_ID, configure to contain the VLAN to be
created.
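The following added example (not from the BelAir guide) generates RADIUS server entries that combine the MAC-based client list described earlier with the three VLAN attributes above. It assumes a FreeRADIUS-style users file, assumes that RA_TUNNEL_TYPE, RA_TUNNEL_MEDIUM_TYPE and RA_TUNNEL_PRIVATE_GROUP_ID correspond to the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes, and uses constructed MAC addresses and VLAN IDs; the hex case the AP sends is not stated in the guide, so it is a parameter.

```python
import re

# The three delimiter choices the guide names for MAC addresses in RADIUS packets.
DELIMS = {"none": "", "colon": ":", "dash": "-"}

def format_mac(mac, delimiter="none", upper=False):
    """Normalize a MAC written in any common style to one delimiter form."""
    digits = re.sub(r"[:\-.\s]", "", mac)          # strip separators only
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()  # case is an assumption
    return DELIMS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))

def users_entry(mac, vlan, delimiter="none", upper=False):
    """One users-file entry: user name and password are both the MAC."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    ident = format_mac(mac, delimiter, upper)
    return (f'"{ident}" Cleartext-Password := "{ident}"\n'
            f'\tTunnel-Type = VLAN,\n'             # value 13
            f'\tTunnel-Medium-Type = IEEE-802,\n'  # value 6
            f'\tTunnel-Private-Group-Id = "{vlan}"\n')

def build_users_file(allowlist, delimiter="none", upper=False):
    """Deduplicate the allowlist and reject a MAC mapped to two VLANs."""
    seen = {}
    for mac, vlan in allowlist:
        key = format_mac(mac)                      # canonical key, no delimiter
        if seen.setdefault(key, vlan) != vlan:
            raise ValueError(f"{mac} is assigned to two different VLANs")
    return "\n".join(users_entry(m, v, delimiter, upper)
                     for m, v in sorted(seen.items()))

# Constructed sample allowlist: (client MAC, VLAN ID); third row repeats the first.
SAMPLE = [("00:11:22:AA:BB:CC", 20),
          ("0011.22aa.bbdd", 30),
          ("00-11-22-aa-bb-cc", 20)]

if __name__ == "__main__":
    print(build_users_file(SAMPLE, delimiter="dash"))
```

An entry matches only when its delimiter and hex case are the same as what the AP places in the RADIUS request, so generate the file with the same delimiter setting configured on the SSID.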
Refer to
RADIUS Accounting
/interface/wifi-<n>-<m>/set ssid <ssid_index> radius
([accounting {enable|disable}]
[nas-id <name>]
[delimiter {none|colon|dash}]
[append {none|ssid}]
These commands let you manage RADIUS accounting for wireless clients.
By default RADIUS accounting is disabled.
The nas-id <name> parameter specifies the RADIUS Network Access Server
(NAS) identifier. The default value for <name> is belair.