b). configure RADIUS setting
HSG supports several options for authenticating users (see details). If HSG RADIUS is used to authenticate users, the RADIUS server must be configured.
There are two main parts to the RADIUS settings:
- the network part of the RADIUS setting
- access profiles, user access data analytics, reporting, etc.
This section covers the first part, the network setting, using the CLI. The second part is covered in depth in the AAA section.
For the network part of RADIUS, using the CLI, enter the radius-server context:
mbox(config)# security radius-server
- client <nasip> key <psk> name <nasname> Adds a RADIUS client. In the RADIUS client-server model the client is the device that sends authentication requests to the server; it is usually called the NAS (network access server). When HSG is deployed as an all-in-one gateway with all modules (hotspot, RADIUS, captive portal) in one box, each module still runs as a separate process and is "standalone" in its own right (each module can also run on its own dedicated box), so the local hotspot access controller is itself a RADIUS client (NAS) of the local RADIUS server, reached at the loopback address 127.0.0.1. When mbox serves as the RADIUS server for other devices, such as a third-party Wireless LAN Controller (WLC) doing WPA-EAP authentication, the WLC must be added here as a RADIUS client. The <psk> is the RADIUS shared secret: it must be identical on the NAS and on HSG, because every request and reply is authenticated with it.
- realm <realm> <delimiter> <suffix/prefix> <nostrip/strip> <radius-server-ip> <radiuskey> Configures a realm for proxying authentication to an upstream RADIUS server. Instead of checking its local database, HSG RADIUS can forward (proxy) a user's authentication request to an upstream/external RADIUS server; which upstream server receives the request is decided by the realm in the login name. In the usual RADIUS realm convention, <delimiter> is the character separating the user part from the realm (for example @), <suffix/prefix> states whether the realm follows or precedes the delimiter, and <nostrip/strip> states whether the realm is kept in, or removed from, the User-Name before the request is forwarded. HSG can work with several upstream servers for users logging in with different realms: for example, users logging in as firstname.lastname@example.org are forwarded to the StarHub RADIUS server, email@example.com to the M1 RADIUS server, xxx@singtel to the SingTel RADIUS server, and so on.
- data-lifetime <days> Keeps <days> days of data online within HSG. mbox purges older data nightly so that the local HDD does not fill up. An automated process on mbox also monitors its storage: if the configured <days> is too long, or this command is not configured, mbox cleans up automatically to keep the optimal number of days online, capping HDD usage at 80% of capacity.
- data-reset A maintenance command that resets the HSG RADIUS database to the default. On older mbox versions in particular the RADIUS database structure is quite different, so a reset to the new version is necessary. Note: mbox has to be online when you use this command, because it pulls the latest default database from the cloud repository (see related info). Since the database is reset to default, export any local data you still need before running it.
- start/stop The HSG RADIUS server runs as a standalone module, so it has to be started explicitly. After changing the client or realm configuration, restart the service (stop, then start again) for the change to take effect.
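To make the client and realm semantics above concrete, here is an added example; it is not mbox/HSG code and does not use the HSG CLI. It parses a constructed configuration written in the same line format as the client and realm commands, checks whether a request's source IP is a registered NAS, and picks the upstream server (if any) for a login name from its realm, honouring suffix/prefix and strip/nostrip. The IP addresses, secrets and the isp2 realm using strip are constructed for the example; 198.51.100.0/24 is a documentation range standing in for <externalradiusip>. Case-insensitive realm matching and the realm/user form for prefix realms are assumptions of the example, not statements from this page.

```python
"""Added example (not HSG/mbox code): a small model of how 'client' and
'realm' entries drive RADIUS request handling on a proxying server."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    name: str        # <realm>
    delimiter: str   # <delimiter>, e.g. "@"
    position: str    # "suffix" (user@realm) or "prefix" (realm/user, assumed form)
    strip: bool      # True: forward the bare user part; False: forward as typed
    server: str      # <radius-server-ip>
    key: str         # <radiuskey> shared with the upstream server


# Constructed sample in the CLI line format. Addresses and secrets are made up;
# 198.51.100.0/24 is a documentation range standing in for <externalradiusip>.
SAMPLE_CONFIG = """
!local access controller is a RADIUS client of the local server
client 127.0.0.1 key changeme name LOCALHSG
!WLCs authenticating WPA-EAP users against this box
client 10.0.0.4 key changeme name WLC01
client 10.0.32.2 key changeme name WLC02
!proxy realms: isp2 strips the realm before forwarding, the others keep it
realm isp1 @ suffix nostrip 198.51.100.10 isp1secret
realm isp2 @ suffix strip 198.51.100.20 isp2secret
realm wlan.mnc001.mcc525.3gppnetwork.org @ suffix nostrip 198.51.100.30 simsecret
"""


def parse_config(text: str) -> Tuple[Dict[str, dict], List[Realm]]:
    """Parse 'client' and 'realm' lines; lines starting with '!' are comments."""
    clients: Dict[str, dict] = {}
    realms: List[Realm] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        p = line.split()
        if p[0] == "client" and len(p) == 6 and p[2] == "key" and p[4] == "name":
            # client <nasip> key <psk> name <nasname>
            clients[p[1]] = {"key": p[3], "name": p[5]}
        elif (p[0] == "realm" and len(p) == 7
              and p[3] in ("suffix", "prefix") and p[4] in ("strip", "nostrip")):
            # realm <realm> <delimiter> <suffix/prefix> <nostrip/strip> <ip> <key>
            realms.append(Realm(p[1], p[2], p[3], p[4] == "strip", p[5], p[6]))
        else:
            raise ValueError(f"unrecognised radius-server line: {line!r}")
    return clients, realms


def is_known_client(src_ip: str, clients: Dict[str, dict]) -> bool:
    """Only requests from a registered NAS are processed; the secret stored for
    that NAS is what its requests must have been authenticated with."""
    return src_ip in clients


def split_realm(username: str, realm: Realm) -> Optional[str]:
    """Return the bare user part if `username` carries `realm`, else None.
    Matching is case-insensitive (an assumption of this example)."""
    if realm.position == "suffix":
        user, sep, tail = username.rpartition(realm.delimiter)
        if sep and tail.lower() == realm.name.lower():
            return user
    else:
        head, sep, user = username.partition(realm.delimiter)
        if sep and head.lower() == realm.name.lower():
            return user
    return None


def route(username: str, realms: List[Realm]) -> Optional[Tuple[str, str, str]]:
    """Pick the upstream server for a login name.

    Returns (server, key, user_name_to_forward), or None when no configured
    realm matches, which in the text's model means 'check the local database'.
    The first matching realm wins, so order overlapping realms most-specific first."""
    for r in realms:
        bare = split_realm(username, r)
        if bare is not None:
            return r.server, r.key, (bare if r.strip else username)
    return None


if __name__ == "__main__":
    clients, realms = parse_config(SAMPLE_CONFIG)
    for src in ("10.0.0.4", "10.0.0.5"):
        print(src, "registered NAS" if is_known_client(src, clients) else "unknown NAS, drop")
    for user in ("alice@isp1", "bob@isp2", "localuser", "dave@unknown"):
        print(user, "->", route(user, realms) or "local database")
```

Two things the model makes visible that the command list alone does not: a request from an address with no client entry never reaches the realm logic at all, so a WLC that was not added as a client fails before any user is consulted; and a login name whose realm matches no configured entry falls through to the local database. On a box that only proxies, that fall-through is worth reconsidering, since a mistyped realm then silently hits the wrong credential store instead of being rejected.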
Sample RADIUS Configurations (Wireless@SG):
!mbox access controller is a RADIUS client itself.
client 127.0.0.1 key changeme name LOCALHSG
!below are WLCs using mbox for WPA-EAP authentication.
client 10.0.0.4 key changeme name WLC01
client 10.0.32.2 key changeme name WLC02
!below are proxy realms forwarding to upstream RADIUS for WSG authentication
realm isp1 @ suffix nostrip <externalradiusip> <radiuskey>
realm isp2 @ suffix nostrip <externalradiusip> <radiuskey>
!below is a proxy realm forwarding to upstream RADIUS for WSGx/EAP-SIM authentication
realm wlan.mnc001.mcc525.3gppnetwork.org @ suffix nostrip <externalradiusip> <radiuskey>
!configured to keep the latest 30 days of data locally within mbox