Filter
Top Products
CHAPTER
8-1
Cisco NAC Guest Server Installation and Configuration Guide
OL-15986-01
8
Configuring RADIUS Clients
This chapter describes the following
• Overview
• Adding RADIUS Clients
• Editing RADIUS Clients
• Deleting RADIUS Clients
Overview
Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and
accounting) protocol. Cisco NAC Guest Server uses the RADIUS protocol to authenticate and audit
guests who login through RADIUS-capable network enforcement devices, such as Cisco Wireless LAN
Controllers.
Although the Cisco NAC Appliance uses its own API and a different method for creating accounts and
authenticating users, as described in
Chapter 7, “Integrating with Cisco NAC Appliance,”it still uses
RADIUS Accounting to record user activity and therefore still needs to be configured as a RADIUS
client.
When a guest authenticates against a RADIUS client, such as the Wireless LAN Controller, the RADIUS
client uses RADIUS authentication to ask the Cisco NAC Guest Server whether the user authentication
is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that
the user is valid and the amount of time remaining before the user session expires. The RADIUS client
must honor the session-timeout attribute to remove the guest when the guest account time expires.
Note The Cisco Wireless LAN Controller needs to be specifically configured to Allow AAA Override. This
enables it to honor the session-timeout attribute returned to it by the Cisco NAC Guest Server.
In addition to authentication, the RADIUS client device reports details to the Cisco NAC Guest Server,
such as the time the session started, time session ended, user IP address, and so on. This information is
transported over the RADIUS Accounting protocol.
Tip If there is a Firewall between the Cisco NAC Guest Server and the RADIUS client, you will need to allow
traffic from UDP Port 1812 (RADIUS authentication) and UDP Port 1813 (RADIUS accounting) to pass.