RADIUS server
1. Function Overview
The RADIUS server function manages user information and certificates and performs authentication based on the information notified from RADIUS clients.
Combined with the MAC authentication, IEEE 802.1X authentication, and Web authentication functions of this device, port authentication can be completed on this device alone, without an external RADIUS server.
This device can also act as the authentication server for authentication performed by other devices (RADIUS clients).
The basic capacity of the RADIUS server function and the supported authentication methods are as follows.
Basic performance

| Item | Performance |
|---|---|
| Number of RADIUS clients that can be registered | 100 |
| Number of users that can be registered | 2000 |
| Key strength | 2048 bit |
| Signature algorithm | SHA256 |
| Certificate Authority name (default value) | swx-radius |
Supported authentication methods

| Authentication method | Application |
|---|---|
| PAP | MAC authentication |
| EAP-MD5 | IEEE 802.1X authentication, MAC authentication, Web authentication |
| EAP-TLS | IEEE 802.1X authentication |
| EAP-TTLS | IEEE 802.1X authentication |
| PEAP | IEEE 802.1X authentication |
2. Definition of Terms Used
PKI (Public Key Infrastructure)
An infrastructure for using public key cryptography, consisting of digital certificates, certificate authorities (CAs), and the procedures for issuing and revoking certificates.
Certificate authority (CA)
An entity that vouches for the binding between a public key and its holder by signing certificates. CAs are divided into root certificate authorities and intermediate certificate authorities, forming a tree with the root certificate authority at the top and intermediate certificate authorities beneath it.
Intermediate certificate authority
A certificate authority whose trustworthiness is vouched for by a higher-level certificate authority (CA).
Root certificate authority
A certificate authority whose trustworthiness is vouched for only by itself; relying parties must trust it explicitly. The RADIUS server function of this device creates and operates a root CA.
Root certificate authority certificate
A self-signed public key certificate whose issuer and subject are identical: the CA signs its own public key with its own private key. It is the root of the certificate tree.
Digital certificate
Data that binds a public key to the applicant (subject) named in it, signed by the certificate authority. The applicant submits a certificate request together with the public key; the certificate authority (CA) examines the request and, if satisfied, issues the digital certificate.
EAP-MD5 authentication method (Message Digest Algorithm 5)
An authentication method that uses a user name and password. The server sends a challenge and the client returns an MD5 hash computed over the password and the challenge, so the plaintext password itself is not sent. EAP-MD5 does not authenticate the server and derives no keying material, so a captured exchange can be attacked offline by dictionary search and the method cannot protect a wireless link.
EAP-TLS authentication method (Transport Layer Security)
An EAP method used in IEEE 802.1X that performs a TLS handshake between the supplicant and the RADIUS server and authenticates both sides by exchanging digital certificates, instead of authenticating with a user ID and password. Defined in RFC 2716, which was obsoleted by RFC 5216.
EAP-TTLS authentication method (Tunneled TLS)
An EAP method used in IEEE 802.1X that establishes a TLS channel using the server's digital certificate and then authenticates the user with a password inside the encrypted channel. Defined in RFC 5281.
PEAP authentication method (Protected EAP)
Works on the same principle as EAP-TTLS: a TLS channel is established using the server's digital certificate and the user is authenticated with a password inside it. The difference is what runs inside the tunnel; PEAP carries a second EAP method, whereas EAP-TTLS can also carry non-EAP methods. With both methods the supplicant must validate the server certificate, otherwise a rogue access point presenting its own certificate can capture the inner credential exchange.
Trusted
The state in which a certificate stating that a public key belongs to its holder has been issued by a trusted third party (the CA).
RADIUS server
The host that provides the RADIUS server function, in this case this device.
It authenticates connected users on behalf of RADIUS clients and manages authentication and authorization information such as user IDs, passwords, MAC addresses, and associated VLANs.
Server certificate
A certificate, issued by the certificate authority (CA), stating that the RADIUS server is trusted. Supplicants use it to verify the server in EAP-TLS, EAP-TTLS, and PEAP.
RADIUS client
Also called a NAS or an authenticator. It relays authentication between the user connected to a LAN/SFP port and the authentication server, and controls access to the LAN according to the success or failure of authentication.
User
A device that connects to a RADIUS client and requests authentication, or the supplicant software running on it.
The user is the smallest unit of identification for authentication, and holds the data required for authentication and authorization, such as a unique user ID and password.
Client certificate (user certificate)
A certificate, issued by the certificate authority (CA), stating that the user described above is trusted. It is installed on the supplicant for EAP-TLS.
3. Function Details
3.1. Root certificate authority
To use the RADIUS server function, you must first create a root Certificate Authority.
The root certificate authority is used for issuing and managing digital certificates. It can be created with the crypto pki generate ca command.
The certificate authority name can be specified in the crypto pki generate ca command argument, if omitted it becomes swx-radius.
The following certificates are issued and managed based on the root Certificate Authority.
All certificates have a key strength of 2048 bits and a signature algorithm of SHA256.
| Certificate | Purpose |
|---|---|
| Root Certificate Authority certificate | Proves that this device is a trusted root Certificate Authority. |
| Server certificate | Proves that this device is a trusted server. |
| Client (user) certificate | Proves that the user is trusted. |
| Client revocation certificate | Proves that the client certificate has been revoked. |
The root Certificate Authority is deleted or overwritten by the following operations.
- It is deleted when the cold start command is executed.
- It is deleted when the no crypto pki generate ca command is executed.
- It is deleted when the stack enable command is executed.
- It is deleted when the stack disable command is executed.
- It is deleted when the erase startup-config command is executed.
- It is overwritten when the crypto pki generate ca command is executed again.
- It is overwritten when the restore system command is executed.
- It is overwritten when the copy radius-server local command is executed.
The root certificate authority that was created first must be kept consistent for the life of the deployment, so take care not to delete it carelessly.
Also back up the RADIUS server information in advance (see Backing up and restoring all RADIUS server related information) in case it is deleted.
Once the root CA is deleted, a newly created CA is a different CA even if it is given the same CA name: its key pair differs, so certificates issued by the old CA can no longer be verified.
If you delete the root Certificate Authority without a backup, you can no longer issue or revoke certificates for the existing deployment. All certificates must be reissued from the beginning and redistributed to every supplicant.
When the root certificate authority is created by the crypto pki generate ca command, it is automatically saved in the internal area, so there is no need to execute the write command.
3.2. RADIUS client settings
Use the nas command to specify the RADIUS clients that are permitted to access the RADIUS server.
You can specify an individual IP address or network address, and up to 100 addresses can be set.
RADIUS client operation has been verified with the following products.
- Yamaha network switch (SWX series)
- Yamaha router (RTX series or NVR series)
- Yamaha wireless access point (WLX series)
The settings of the RADIUS client set by the nas command are not displayed in the config by show running-config.
There is no need to execute the write command because it is automatically saved in a different area from the config, but it is necessary to execute the radius-server local refresh command to reflect it in the actual operation.
Use the show radius-server local nas command to confirm the settings.
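What the shared secret given with the nas command actually protects, as an added example that is not Yamaha code: a Python model of the PAP exchange listed under Supported authentication methods (PAP is what MAC authentication uses on the wire) between a NAS and a local RADIUS server, following RFC 2865 and RFC 2869. It hides the User-Password with the MD5 keystream derived from the secret and the Request Authenticator, signs the request with a Message-Authenticator (HMAC-MD5), checks the Response Authenticator on the NAS side, and discards requests from addresses absent from the NAS table, which is what RFC 2865 prescribes for unknown clients. The NAS table, user table, secrets and addresses are constructed for the example.

```python
"""RADIUS PAP exchange (RFC 2865, RFC 2869) between a NAS and a local RADIUS server.
Added example, not Yamaha firmware code. NAS_TABLE and USER_TABLE stand in for the
`nas <addr> key <secret>` and `user <id> <password> auth pap` entries; all values are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
NAS_TABLE = {"192.168.100.1": b"yamaha"}   # constructed: permitted NAS address -> shared secret
USER_TABLE = {"user1": b"password1"}       # constructed: user ID -> PAP password


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; block n is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the keystream for block n depends on ciphertext block n-1."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips padding; a password ending in NUL is not representable


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Type/Length/Value list; a length below 2 or past the end is a malformed packet."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, user, password, nas_ip, secret, authenticator=None):
    """NAS side. Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    ra = authenticator or os.urandom(16)   # Request Authenticator: 16 random bytes per request
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, hide_password(password, secret, ra)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    mac = hmac.new(secret, hdr + ra + body, hashlib.md5).digest()
    return hdr + ra + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the attribute zeroed; an absent attribute counts as forged."""
    ra, body, pos = packet[4:20], packet[20:], 0
    while pos + 2 <= len(body):
        t, length = body[pos], body[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = body[:pos + 2] + b"\x00" * 16 + body[pos + 18:]
            expected = hmac.new(secret, packet[:4] + ra + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, body[pos + 2:pos + 18])
        pos += max(length, 2)
    return False


def build_response(code, ident, request_auth, secret):
    """Server side. Response Authenticator = MD5(code | id | length | RequestAuth | attrs | secret)."""
    hdr = struct.pack("!BBH", code, ident, 20)   # no attributes in this minimal reply
    return hdr + hashlib.md5(hdr + request_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS side: a forged Access-Accept fails here because it was not made with the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def handle_access_request(packet, src_ip):
    """Server side: NAS allow-list first (the nas command), then PAP. Returns (reply, log line)."""
    secret = NAS_TABLE.get(src_ip)
    if secret is None:   # RFC 2865: requests from unknown clients are silently discarded
        return None, "Connected NAS is not allowed.IP:" + src_ip
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or not verify_message_authenticator(packet, secret):
        return None, "malformed or unauthenticated request dropped"
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, packet[4:20])
    ok = user in USER_TABLE and hmac.compare_digest(given, USER_TABLE[user])
    log = "Authentication %s.: [%s/<via Auth-Type = PAP>]" % ("succeeded" if ok else "failed", user)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, packet[4:20], secret), log


def run_exchange(user, password, nas_ip, nas_secret=b"yamaha"):
    """The round trip as the NAS sees it: the reply code, or None when nothing usable came back."""
    request = build_access_request(7, user, password, nas_ip, nas_secret)
    response, _log = handle_access_request(request, nas_ip)
    if response is None or not verify_response(response, request, nas_secret):
        return None
    return response[0]
```

Two things the model makes visible. The password hiding is an MD5 keystream keyed by the shared secret, not encryption in any modern sense, so the secret and the reachability of UDP/1812 are the whole security boundary of PAP, and therefore of MAC authentication, on the wire. And without the Message-Authenticator check, anyone who can reach the server can submit arbitrary Access-Requests with only the NAS address check in the way. Use long random secrets per NAS and restrict the listening interface with radius-server local interface.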
3.3. User registration
User information for authentication is registered with the user command.
Up to 2000 records of user information can be registered.
Items that can be set with the user command are as follows.
| Type | Item | Summary/Remarks |
|---|---|---|
| Mandatory | User ID | ID that uniquely identifies the user information |
| Mandatory | Password | Password used in combination with the user ID |
| Option | User name | Any character string, used to identify the user |
| Option | MAC address | Compared with the Calling-Station-Id notified by the RADIUS client; authentication fails if it does not match |
| Option | SSID | Compared with the Called-Station-Id notified by the RADIUS client; authentication fails if it does not match |
| Option | Mail address | Address to which the user's certificate is sent by mail |
| Option | Authentication method | The default is EAP-TLS; specify this item to use any other authentication method |
| Option | Period of certificate validity | Valid only when the authentication method is EAP-TLS. If omitted, the certificate is valid until 23:59:59 on December 31, 2037 |
The user settings set by the user command are not displayed in the config by show running-config, etc.
There is no need to execute the write command because it is automatically saved in a different area from the config, but it is necessary to execute the radius-server local refresh command to reflect it in the actual operation.
Use the show radius-server local user command to confirm the settings.
3.4. Restricting the authentication method
The authentication method can be restricted by the authentication command.
The authentication method is not restricted by default, but you can use it when you want to temporarily disable a specific authentication method.
3.5. Enabling the RADIUS server function
To enable the RADIUS server function, use the radius-server local enable command.
Set the RADIUS client and user information, and enable the RADIUS server function after the necessary preparations are completed.
3.6. Reflecting settings in operation
If you add/change/delete the settings related to the RADIUS server, execute the radius-server local refresh command to reflect them in actual operation.
The commands reflected in the actual operation by the radius-server local refresh command are as follows.
- authentication command
- nas command
- reauth interval command
- user command
When you add/change/delete settings related to the RADIUS server in Web GUI, processing equivalent to the radius-server local refresh command is automatically performed.
3.7. Issue client certificate
Use the certificate user command to issue a client certificate to a user who performs authentication using a certificate (a user whose authentication method is EAP-TLS with the user command).
Each user can hold up to two client certificates. Issuing a third client certificate revokes the older of the two (a revocation certificate is issued for it).
If you specify an individual user ID with the certificate user command, a client certificate for the specified user is issued.
If you do not specify individual user IDs in the certificate user command, client certificates are issued for all users that meet any of the following conditions.
Conditions for batch issuance of client certificates
- A client certificate has never been issued to the user
- The password or expiration date has changed since the client certificate was issued
It takes about 15 seconds to issue a client certificate. Although the certificate user command issues client certificates in the background, be aware that batch issuing client certificates for multiple users can be time consuming.
To cancel the issuance of a client certificate partway through, use the certificate abort command.
An issued client certificate can be exported in the following ways.
- Specify the mail option in the certificate user command
  The client certificate is sent to the specified mail address at the same time that it is issued.
  The client certificate is ZIP compressed and can be decompressed with the password set by the user command.
  For details on sending a client certificate by mail, refer to Sending a certificate by mail.
- certificate export sd command
  Copies the client certificate of any user, or of all users, to a microSD card.
  If the client certificate of a single user is exported with the compress option, it can be decompressed with the password set by the user command.
  If the client certificates of all users are exported together with the compress option, the archive can be decompressed without a password.
- certificate export mail command
  Sends the client certificate of any user, or of all users, to the mail address set by the user command.
  The client certificate is ZIP compressed and can be decompressed with the password set by the user command.
- Access the device with the Web GUI
  The client certificate can be downloaded for any user or for all users.
  Although it is ZIP compressed, no password is required for decompression.
3.8. Revoking a client certificate
To prevent a user to whom a client certificate was issued from authenticating, you must issue a revocation certificate; removing the certificate from the supplicant is not sufficient, because the certificate remains valid until it expires or is revoked.
When a revocation certificate has been issued for a user, it is referenced during authentication and reflected in the authentication result.
Revocation certificates are issued by the following operations.
- Execute the certificate revoke id command
  A revocation certificate is issued for the client certificate with the specified certificate ID.
- Execute the certificate revoke user command
  Revocation certificates are issued for all client certificates of the specified user.
- Change the authentication method from EAP-TLS to another method (PAP, PEAP, EAP-MD5, EAP-TTLS) with the user command
  Revocation certificates are issued for all client certificates of the target user.
  If you change the authentication method of the target user back to EAP-TLS, the user again becomes subject to client certificate issuance.
- Delete the user with the no form of the user command
  Revocation certificates are issued for all client certificates of the target user.
  If you register a user again with the same user ID, the user again becomes subject to client certificate issuance.
- Issue a third client certificate with the certificate user command
  A revocation certificate is issued for the target user's older client certificate.
- Import user information as described in Importing and exporting user information
  If a user is deleted as a result of the import, revocation certificates are issued for all client certificates of the deleted user.
3.9. Sending a certificate by mail
To use the client certificate mail transmission described in Issuing a client certificate, the following preparations are required in advance.
The settings described here are the minimum settings. Make the necessary settings according to the usage.
- Set the SMTP server
  - Specify the SMTP server with the mail server smtp host command.
- Specify the mail template
  - Specify the template ID with the mail template command and switch to template setting mode.
  - Specify the mail server ID of the SMTP server set by the mail server smtp host command with the send server command.
  - Specify the sender mail address with the send from command.
- Specify the mail template to use for sending certificate mails
  - Specify the ID of the mail template created above with the mail send certificate command.

The subject and body of the mail are as follows. The format cannot be changed.

Subject:

    Certification Publishment

Body:

    Certification is published.
    Name : [NAME parameter of the user command]
    Account : [USERID parameter of the user command]
    MAC address : XX:XX:XX:XX:XX:XX
    Expire : YYYY/MM/DD
3.10. Checking settings and certificates
- Checking the RADIUS client settings
  Use the show radius-server local nas command.

      Yamaha# show radius-server local nas 192.168.100.0/24
      host                key
      --------------------------------------------------------------------------------------------------------
      192.168.100.0/24    abcde

- Checking the user settings
  Use the show radius-server local user command.

      Yamaha# show radius-server local user
      Total 1
      userid          name      vlan   mode
      --------------------------------------------------------------------------------
      00a0de000000    Yamaha    1      eap-md5

      Yamaha# show radius-server local user detail 00a0de000000
      Total 1
      userid   : 00a0de000000
      password : secretpassword
      mode     : eap-md5
      name     : Yamaha
      vlan     : 1

- Checking the status of client certificate issuance processing
  Use the show radius-server local certificate status command.

      Yamaha# show radius-server local certificate status
      certificate process: xxxx/ zzzz processing...

- Checking the list of client certificates
  Use the show radius-server local certificate list command.

      Yamaha# show radius-server local certificate list detail Taro
      userid    certificate number         enddate
      ---------------------------------------------------------------------------------------------
      Yamaha    Yamaha-DF598EE9B44D22CC    2018/12/31
                Yamaha-DF598EE9B44D22CD    2019/12/31

- Checking the revocation certificates
  Use the show radius-server local certificate revoke command.

      Yamaha# show radius-server local certificate revoke
      userid    certificate number         reason
      ---------------------------------------------------------------------------------------------
      Yamaha    Yamaha-DF598EE9B44D22CC    expired
      Yamaha    Yamaha-DF598EE9B44D22CD    revoked
3.11. Mail notification of expiration of client certificate
A mail notification can be sent before the client certificate expires.
The following preparations are required in advance to use advance mail notification.
The settings described here are the minimum settings. Make the necessary settings according to the usage.
- Set the SMTP server
  - Specify the SMTP server with the mail server smtp host command.
- Specify the mail template
  - Specify the template ID with the mail template command and switch to template setting mode.
  - Specify the mail server ID of the SMTP server set by the mail server smtp host command with the send server command.
  - Specify the sender mail address with the send from command.
- Specify the mail template to use for the certificate expiration advance mail notification
  - Specify the ID of the mail template created above with the mail send certificate-notify command.
- Specify when to send the certificate expiration advance mail notification
  - Specify the number of days before the expiration date at which to send the notification with the mail certificate expire-notify command.

The check for certificates that are subject to the client certificate expiration advance mail notification is performed every day at 23:59:59.
The subject and body of the mail are as follows. The format cannot be changed.

Subject:

    Certification expiration

Body:

    Your certificate will expire in [remaining days] days.
    Name : [NAME parameter of the user command]
    Account : [USERID parameter of the user command]
    MAC address : XX:XX:XX:XX:XX:XX
    Expire : YYYY/MM/DD
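The expiry check described above, applied to the show outputs from Checking settings and certificates, as an added example that is not Yamaha code: a Python script that parses the output formats of show radius-server local certificate list detail and show radius-server local certificate revoke and reports, for a given date and notice window, which client certificates are revoked, expired, due for the advance notification, or still valid. The two outputs, user IDs, certificate numbers and dates are constructed; treating a row without a user ID as a continuation of the previous user's row follows the sample output above but is an assumption about the real output.

```python
"""Audit of client certificates from the show outputs in 3.10.
Added example, not Yamaha firmware code. LIST_OUTPUT and REVOKE_OUTPUT are constructed in the
format of `show radius-server local certificate list detail` and `... certificate revoke`;
user IDs, certificate numbers and dates are made up. Treating a row without a user ID as a
continuation of the previous user's row follows the sample above and is an assumption."""
from datetime import date, datetime

LIST_OUTPUT = """\
userid certificate number enddate
---------------------------------------------------------------------------------------------
user1 demo-0000000000000001 2018/12/31
demo-0000000000000002 2019/12/31
user2 demo-00000000000000A1 2018/06/30
demo-00000000000000A2 2019/02/10
user4 demo-00000000000000D1 2019/01/01
"""
REVOKE_OUTPUT = """\
userid certificate number reason
---------------------------------------------------------------------------------------------
user1 demo-0000000000000001 expired
user2 demo-00000000000000A1 revoked
"""


def parse_table(text, ncols):
    """Rows after the dashed separator, split on whitespace; a row one field short
    inherits the user ID of the previous row (continuation row)."""
    rows, started, last_user = [], False, None
    for line in text.splitlines():
        if not started:
            started = line.startswith("---")
            continue
        fields = line.split()
        if len(fields) == ncols:
            last_user, rest = fields[0], fields[1:]
        elif len(fields) == ncols - 1 and last_user is not None:
            rest = fields
        else:
            continue   # blank or unexpected line
        rows.append((last_user, *rest))
    return rows


def certificate_status(list_output, revoke_output, today, notify_days):
    """{certificate number: (user ID, end date, status)}; status is revoked:<reason>, expired,
    expiring (within notify_days, the window set by mail certificate expire-notify) or valid."""
    revoked = {cert: reason for _user, cert, reason in parse_table(revoke_output, 3)}
    result = {}
    for user, cert, enddate in parse_table(list_output, 3):
        end = datetime.strptime(enddate, "%Y/%m/%d").date()
        if cert in revoked:
            status = "revoked:" + revoked[cert]
        elif end < today:
            status = "expired"
        elif (end - today).days <= notify_days:
            status = "expiring"
        else:
            status = "valid"
        result[cert] = (user, end, status)
    return result


def usable_certificates_per_user(status):
    """Certificates a supplicant could still authenticate with; the device allows at most two."""
    counts = {}
    for user, _end, st in status.values():
        if st in ("valid", "expiring"):
            counts[user] = counts.get(user, 0) + 1
    return counts


def report(today=date(2019, 1, 15), notify_days=30):
    """One line per certificate, sorted by certificate number, for the constructed data."""
    status = certificate_status(LIST_OUTPUT, REVOKE_OUTPUT, today, notify_days)
    return ["%s %s %s %s" % (user, cert, end.isoformat(), st)
            for cert, (user, end, st) in sorted(status.items())]
```

Run report() with today's date and the same day count you gave to mail certificate expire-notify to see what the 23:59:59 check will pick up; an "expired" certificate that is absent from the revoke list is worth a look, since the supplicant holding it will start failing authentication without any mail having been sent.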
3.12. Importing and exporting user information
- Exporting
  User information can be exported from the Web GUI as a CSV file.
  Users can be registered collectively by appending them to the exported CSV file and importing it.
  User information exported by this device cannot be imported by a Yamaha wireless access point (WLX series).
- Importing
  User information can be imported from the Web GUI.
  When importing user information, the client certificates that become due as a result of the import can be issued at one time as a batch.
  When importing information for a large number of users, it may take time before the information is reflected in actual operation.
  User information exported by a Yamaha wireless access point (WLX series) can be imported into this device.
  However, user information cannot be imported if it includes characters that cannot be used on the unit. In that case, add each such user separately.
  For details about characters not allowed by the unit, refer to Points of Caution.
3.13. Backing up and restoring all RADIUS server related information
This device can back up and restore all RADIUS server related information including the root Certificate Authority.
- Backup
  By specifying the microSD card as the export destination with the copy radius-server local command, all RADIUS server related information can be backed up to the microSD card.
  The same backup can be performed from the Web GUI. We recommend making a backup in case of device failure.
  The backup file contains the setting information of the following three commands, but not the settings of other RADIUS server functions, so back up the configuration file together with the backup file.
  - crypto pki generate ca command
  - user command
  - nas command
  Because a restored backup lets the device continue issuing and revoking certificates without reissue, the backup contains the root CA's private key material, and it also contains the registered user passwords. Treat the file as a secret: anyone holding it can mint client certificates that your network trusts.
  Not all RADIUS server related information backed up by this device can be restored on a Yamaha wireless access point (WLX series).
- Restoration
  By specifying the internal config number as the destination with the copy radius-server local command, the data backed up above can be restored from the microSD card.
  The same restoration can be performed from the Web GUI, and data obtained from any model of the SWX series can be restored.
  Note that if you restore while a root Certificate Authority already exists, the root Certificate Authority is overwritten.
3.14. Restoring RADIUS server information backed up by a Yamaha wireless access point (WLX series)
This unit can be used to restore RADIUS server information backed up by a Yamaha wireless access point (WLX series). The information can only be restored via the Web GUI.
RADIUS server functions used to operate a Yamaha wireless access point (WLX series) can be transferred to the given unit by executing the following procedure.
- Restore the data backed up by a Yamaha wireless access point (WLX series) to the unit.
  For the WLX402 model, the backed-up data (ZIP file) can be obtained from the RADIUS server settings page of the Web GUI.
  For the WLX313 model, the backed-up data (ZIP file) can be obtained from the settings (save/restore) page of the Web GUI.
- Use the nas command or the Web GUI to specify the RADIUS clients.
- Specify the VLAN interface to use for RADIUS authentication with the radius-server local interface command or via the Web GUI.
- To send client certificates by mail or to send advance mail notification of certificate expiration, specify the mail settings.
- Enable the RADIUS server function using the radius-server local enable command or the Web GUI.
- Apply the RADIUS information to actual operation using the radius-server local refresh command.

The procedure above transfers the RADIUS server function from a Yamaha wireless access point (WLX series) to the unit without reissuing client certificates.
When RADIUS server functions are transferred to the unit from a Yamaha wireless access point (WLX series), the expiration date of the revocation certificates is automatically updated to 20 years from the date and time of the transfer.
The following data backed up by a Yamaha wireless access point (WLX series) can be restored.
- Root certificate authority
- Root certificate
- Server certificate
- Client certificate
- Revocation certificate
- User information

RADIUS client settings and other information not listed above are not restored and must be set separately.
Users whose information includes characters not allowed by the unit cannot be restored. In that case, add each such user separately.
For details about characters not allowed by the unit, refer to Points of Caution.
Certificate Authority names can be restored even if they include characters not allowed by the unit; however, disallowed characters are shown converted to the underscore (_) character in config files.
3.15. SYSLOG output information
The following information is output to the SYSLOG as a RADIUS server function.
The prefix is [RADIUSD].
| Type | Message | Description |
|---|---|---|
| INFO | RADIUS server started. | The RADIUS server function process has started. |
| INFO | RADIUS server stopped. | The RADIUS server function process has stopped. |
| INFO | Authentication succeeded.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address }) | User authentication succeeded. |
| INFO | Authentication failed.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address }) | User authentication failed. |
| INFO | MAC address is not allowed.User-ID:{ User ID } MAC:{ MAC address } | User authentication failed because the notified MAC address did not match the MAC address registered for the user. |
| INFO | Connected NAS is not allowed.IP:{ IP address } | An authentication request was received from a RADIUS client that is not registered with the nas command. |
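Detection logic over these messages, as an added example that is not part of the Yamaha documentation or firmware: a Python script that parses the four [RADIUSD] message formats in the table and summarises what an operator would escalate, namely requests from unregistered RADIUS clients, users presenting a MAC address other than the registered one, user IDs with repeated failures, and one MAC address authenticating as more than one user ID. The sample log lines are constructed to match the table; the syslog timestamp and host prefix, user IDs, addresses and the failure threshold are assumptions.

```python
"""Triage of [RADIUSD] syslog lines from the local RADIUS server.
Added example, not part of the Yamaha documentation or firmware. SAMPLE_LOG is constructed to
match the message formats in the table above; the timestamp/host prefix, user IDs, MAC and IP
addresses are made up, and FAIL_THRESHOLD is an assumed tuning value."""
import re
from collections import Counter, defaultdict

LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) (?P<host>\S+) \[RADIUSD\] (?P<msg>.*)$")
AUTH = re.compile(r"^Authentication (?P<result>succeeded|failed)\.: "
                  r"\[(?P<user>[^/]*)/<via Auth-Type = (?P<method>[^>]*)>\] "
                  r"\(from client port (?P<port>\S+) cli (?P<mac>\S+)\)$")
MAC_DENIED = re.compile(r"^MAC address is not allowed\.User-ID:(?P<user>\S+) MAC:(?P<mac>\S+)$")
NAS_DENIED = re.compile(r"^Connected NAS is not allowed\.IP:(?P<ip>\S+)$")
FAIL_THRESHOLD = 5   # assumed: failures per user ID before it is reported as password guessing

SAMPLE_LOG = """\
Jan 10 09:00:01 Yamaha [RADIUSD] RADIUS server started.
Jan 10 09:01:12 Yamaha [RADIUSD] Authentication succeeded.: [user1/<via Auth-Type = EAP>] (from client port 1 cli 00:a0:de:00:00:01)
Jan 10 09:02:30 Yamaha [RADIUSD] Authentication failed.: [user2/<via Auth-Type = PAP>] (from client port 3 cli 00:a0:de:00:00:02)
Jan 10 09:02:31 Yamaha [RADIUSD] Authentication failed.: [user2/<via Auth-Type = PAP>] (from client port 3 cli 00:a0:de:00:00:02)
Jan 10 09:02:32 Yamaha [RADIUSD] Authentication failed.: [user2/<via Auth-Type = PAP>] (from client port 3 cli 00:a0:de:00:00:02)
Jan 10 09:02:33 Yamaha [RADIUSD] Authentication failed.: [user2/<via Auth-Type = PAP>] (from client port 3 cli 00:a0:de:00:00:02)
Jan 10 09:02:34 Yamaha [RADIUSD] Authentication failed.: [user2/<via Auth-Type = PAP>] (from client port 3 cli 00:a0:de:00:00:02)
Jan 10 09:05:00 Yamaha [RADIUSD] MAC address is not allowed.User-ID:user1 MAC:00:A0:DE:FF:FF:FF
Jan 10 09:06:00 Yamaha [RADIUSD] Connected NAS is not allowed.IP:192.168.100.77
Jan 10 09:06:01 Yamaha [RADIUSD] Connected NAS is not allowed.IP:192.168.100.77
Jan 10 09:07:00 Yamaha [RADIUSD] Authentication succeeded.: [user3/<via Auth-Type = EAP>] (from client port 2 cli 00:a0:de:00:00:01)
Jan 10 09:08:00 Yamaha [RADIUSD] RADIUS server stopped.
"""


def parse_line(line):
    """One syslog line -> dict with a 'kind' of auth, mac_denied, nas_denied or other; None if not [RADIUSD]."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "kind": "other", "msg": m["msg"]}
    if (a := AUTH.match(m["msg"])):
        rec.update(kind="auth", result=a["result"], user=a["user"], method=a["method"],
                   port=a["port"], mac=a["mac"].lower())
    elif (a := MAC_DENIED.match(m["msg"])):
        rec.update(kind="mac_denied", user=a["user"], mac=a["mac"].lower())   # MAC case varies
    elif (a := NAS_DENIED.match(m["msg"])):
        rec.update(kind="nas_denied", ip=a["ip"])
    return rec


def analyse(log_text, fail_threshold=FAIL_THRESHOLD):
    """Aggregate the security-relevant events of a log into four findings."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    unauthorized_nas, failed = Counter(), Counter()
    mac_mismatch, users_per_mac = defaultdict(set), defaultdict(set)
    for r in records:
        if r["kind"] == "nas_denied":          # someone other than a registered NAS talks to UDP/1812
            unauthorized_nas[r["ip"]] += 1
        elif r["kind"] == "mac_denied":        # right credential, wrong device (or a cloned account)
            mac_mismatch[r["user"]].add(r["mac"])
        elif r["kind"] == "auth":
            users_per_mac[r["mac"]].add(r["user"])
            if r["result"] == "failed":
                failed[r["user"]] += 1
    return {
        "unauthorized_nas": dict(unauthorized_nas),
        "mac_mismatch": {u: sorted(ms) for u, ms in mac_mismatch.items()},
        "password_guessing": {u: n for u, n in failed.items() if n >= fail_threshold},
        "mac_sharing": {m: sorted(us) for m, us in users_per_mac.items() if len(us) > 1},
    }
```

The MAC mismatch and NAS findings deserve a ticket every time they fire; on a correctly configured network neither message should appear. Repeated failures against one user ID over PAP are the signature of password guessing against MAC authentication or a router login, and one MAC address appearing under several user IDs usually means a shared or spoofed device.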
4. Related Commands
Related commands are indicated below.
For details on the commands, refer to the Command Reference.
| Operating command | Operation |
|---|---|
| radius-server local enable | Enable the local RADIUS server function |
| radius-server local interface | Access interface settings |
| crypto pki generate ca | Generate the root Certificate Authority |
| radius-server local-profile | Enter RADIUS configuration mode |
| authentication | Authentication method setting |
| nas | RADIUS client (NAS) settings |
| user | Authentication user settings |
| reauth interval | Re-authentication interval setting |
| radius-server local refresh | Apply the set data to the local RADIUS server |
| certificate user | Issue a client certificate |
| certificate abort | Abort client certificate issuance |
| certificate revoke id | Revoke the client certificate with the specified certificate ID |
| certificate revoke user | Revoke the client certificates of the specified user |
| certificate export sd | Export client certificates (copy to SD card) |
| certificate export mail | Export client certificates (mail transmission) |
| copy radius-server local | Copy RADIUS data (backup/restore) |
| show radius-server local nas | Show RADIUS clients (NAS) |
| show radius-server local user | Show authentication user information |
| show radius-server local certificate status | Show issuance status of client certificates |
| show radius-server local certificate list | Show the list of client certificates |
| show radius-server local certificate revoke | Show the revocation list of client certificates |
5. Setting Examples
5.1. Using RADIUS server functions and port authentication function simultaneously
Use a local RADIUS server to configure supplicants A, B, and C to authenticate with MAC, IEEE802.1X, and Web authentication, respectively.
- Enable the local RADIUS server on the network switch and register the users.

      Yamaha# configure terminal
      Yamaha(config)# crypto pki generate ca
      Generate CA? (y/n): y
      Finished
      Yamaha(config)# radius-server local-profile
      Yamaha(config-radius)# user 00a0de000001 00a0de000001 auth peap
      Yamaha(config-radius)# user 8021xuser 8021xpass auth peap
      Yamaha(config-radius)# user webuser webpass auth peap
      Yamaha(config-radius)# exit
      Yamaha(config)# radius-server local enable
      Yamaha(config)# exit
      Yamaha# radius-server local refresh

- Assign an IP address to VLAN #1 for Web authentication.

      Yamaha# configure terminal
      Yamaha(config)# interface vlan1
      Yamaha(config-if)# ip address 192.168.100.240/24

- Enable MAC authentication, IEEE 802.1X authentication, and Web authentication on LAN port #1.

      Yamaha# configure terminal
      Yamaha(config)# aaa authentication auth-mac
      Yamaha(config)# auth-mac auth-user unformatted lower-case
      Yamaha(config)# aaa authentication dot1x
      Yamaha(config)# aaa authentication auth-web
      Yamaha(config)# interface port1.1
      Yamaha(config-if)# auth host-mode multi-supplicant
      Yamaha(config-if)# auth-mac enable
      Yamaha(config-if)# dot1x port-control auto
      Yamaha(config-if)# auth-web enable

- Set the RADIUS server used by the authentication function (the switch's own local server, reached through the loopback address).

      Yamaha# configure terminal
      Yamaha(config)# radius-server host 127.0.0.1 key secret_local
5.2. Using RADIUS server functions for authentication of users logging in to a Yamaha router
When a TELNET client accesses a Yamaha router, user login authentication and administrator privilege authentication are performed by the RADIUS server on the Yamaha network switch.
This enables login with the user ID "user1" and password "password1", and promotion to administrator with the password "admin".
Note that the credentials travel in cleartext over TELNET to the router and then in a PAP Access-Request (password hidden only with the RFC 2865 MD5 scheme) to the switch, so both paths belong on a management network that untrusted hosts cannot reach.
■ Yamaha network switch settings
- Specify the IP address of the interface.

      Yamaha# configure terminal
      Yamaha(config)# interface vlan1
      Yamaha(config-if)# ip address 192.168.100.240/24
      Yamaha(config-if)# exit

- Generate a root Certificate Authority.

      Yamaha(config)# crypto pki generate ca
      Generate CA? (y/n): y
      Finished

- Specify the RADIUS client and the users.

      Yamaha(config)# radius-server local-profile
      Yamaha(config-radius)# nas 192.168.100.1 key yamaha
      Yamaha(config-radius)# user user1 password1 auth pap
      Yamaha(config-radius)# user *administrator admin auth pap
      Yamaha(config-radius)# exit

- Specify the interface on which RADIUS clients may connect.

      Yamaha(config)# radius-server local interface vlan1

- Enable the RADIUS server function.

      Yamaha(config)# radius-server local enable
      Yamaha(config)# exit

- Apply the RADIUS server settings to actual operation.

      Yamaha# radius-server local refresh
      Yamaha#

■ Yamaha router settings

    login radius use on
    administrator radius auth on
    ip lan1 address 192.168.100.1/24
    radius auth on
    radius auth server 192.168.100.240
    radius auth port 1812
    radius secret yamaha
5.3. Using RADIUS server functions for MAC authentication of Yamaha wireless access points (WLX series)
The Yamaha network switch RADIUS server is used to authenticate the MAC address of supplicants connected to a Yamaha wireless access point.
■ Yamaha network switch settings
- Specify the IP address of the interface.

      Yamaha# configure terminal
      Yamaha(config)# interface vlan2
      Yamaha(config-if)# ip address 192.168.200.240/24
      Yamaha(config-if)# exit

- Generate a root Certificate Authority.

      Yamaha(config)# crypto pki generate ca
      Generate CA? (y/n): y
      Finished

- Specify the RADIUS client and the user. The SSID restricts the user to authentication requests whose Called-Station-Id carries that SSID.

      Yamaha(config)# radius-server local-profile
      Yamaha(config-radius)# nas 192.168.200.100 key yamaha
      Yamaha(config-radius)# user 00a0de000001 00a0de000001 auth pap ssid wlx
      Yamaha(config-radius)# exit

- Specify the interface on which RADIUS clients may connect.

      Yamaha(config)# radius-server local interface vlan2

- Enable the RADIUS server function.

      Yamaha(config)# radius-server local enable
      Yamaha(config)# exit

- Apply the RADIUS server settings to actual operation.

      Yamaha# radius-server local refresh
      Yamaha#

■ Yamaha wireless AP (WLX402) settings
Note: Only the settings related to authentication are shown. Configure other settings, such as those for wireless functions, separately according to the given environment.

    ip vlan-id 1 address 192.168.200.100/24
    airlink select 1
    airlink ssid wlx
    airlink radius auth on
    airlink radius server 192.168.200.240
    airlink radius secret yamaha
    airlink enable 1
5.4. Using RADIUS server functions to connect to a Yamaha wireless access point (WLX series) using a certificate
A supplicant with a certificate issued by the Yamaha network switch installed is used to authenticate connections to a Yamaha wireless access point.
■ Yamaha network switch settings
-
Specify the IP address in the interface.
Yamaha(config)# interface vlan2 Yamaha(config-if)# ip address 192.168.120.240/24 Yamaha(config-if)# exit
-
Generate a root Certificate Authority.
Yamaha(config)#crypto pki generate ca Generate CA? (y/n): y Finished
-
Specify the RADIUS servers.
Yamaha(config)# radius-server local-profile Yamaha(config-radius)# nas 192.168.120.100 key yamaha1 Yamaha(config-radius)# nas 192.168.130.100 key yamaha2 Yamaha(config-radius)# user user1 pass1 ssid wlxA Yamaha(config-radius)# user user2 pass2 ssid wlxB Yamaha(config-radius)# user user3 pass3 ssid wlxC Yamaha(config-radius)# user user4 pass4 ssid wlxD Yamaha(config-radius)# exit
-
Specify interfaces permitted to connect to RADIUS clients.
Yamaha(config)# radius-server local interface vlan2 Yamaha(config)# radius-server local interface vlan3
-
Enable RADIUS server functions.
Yamaha(config)# radius-server local enable Yamaha(config)# exit
-
Issue client certificates.
Install the issued certificates in supplicants A to D, respectively.Yamaha# certificate user user1 Yamaha# certificate user user2 Yamaha# certificate user user3 Yamaha# certificate user user4
-
Apply RADIUS server settings to actual operations.
Yamaha# radius-server local refresh
■ Yamaha wireless AP1 (WLX402) settings
Note: Only for settings related to authentication. Configure other settings, such as for wireless functions, separately according to the given environment.
ip vlan-id 2 address 192.168.120.100/24
airlink select 1
airlink ssid wlxA
airlink vlan-id 2
airlink radius auth on
airlink radius server 192.168.120.240
airlink radius secret yamaha1
airlink enable 1
airlink select 2
airlink ssid wlxB
airlink vlan-id 2
airlink radius auth on
airlink radius server 192.168.120.240
airlink radius secret yamaha1
airlink enable 2
■ Yamaha wireless AP2 (WLX402) settings
Note: Only for settings related to authentication. Configure other settings, such as for wireless functions, separately according to the given environment.
ip vlan-id 3 address 192.168.130.100/24
airlink select 1
airlink ssid wlxC
airlink vlan-id 3
airlink radius auth on
airlink radius server 192.168.130.240
airlink radius secret yamaha2
airlink enable 1
airlink select 2
airlink ssid wlxD
airlink vlan-id 3
airlink radius auth on
airlink radius server 192.168.130.240
airlink radius secret yamaha2
airlink enable 2
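The nas ... key entries on the switch and the airlink radius secret entries on each access point must hold the same value because the shared secret is what ties a RADIUS reply to the request it answers. The following added example (written for this page, not Yamaha's code) models that check in Python. It goes beyond the configuration above by showing the RFC 2865 Response Authenticator computation: the server hashes the reply together with the request's authenticator and the secret, and the access point recomputes that hash before trusting the reply. The packets, addresses, user names and secrets are constructed to mirror the example configuration (AP1 at 192.168.120.100 with secret yamaha1, AP2 with yamaha2); a reply computed with the wrong secret, a modified reply, or a reply matched against a different request all fail verification and should be discarded.

```python
"""Added example (not Yamaha's code): how the RADIUS shared secret binds a reply
to its request (RFC 2865 section 3).  All packet values below are constructed to
mirror the configuration example on this page."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11

# Attribute types used here (RFC 2865 section 5).
USER_NAME = 1
NAS_IP_ADDRESS = 4
REPLY_MESSAGE = 18
CALLED_STATION_ID = 30  # WLAN NASes usually carry "AP-MAC:SSID" here


def encode_attributes(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_access_request(identifier, request_authenticator, attrs):
    """Access-Request: Code, ID, Length, 16-byte Request Authenticator, attributes."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body


def build_response(code, request, secret, attrs=()):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_response(response, request, secret):
    """NAS side: accept the reply only if its identifier matches the outstanding
    request and its authenticator recomputes under our copy of the secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed exchange between AP1 (secret yamaha1) and the switch's server."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    request = build_access_request(
        7, request_auth,
        [(USER_NAME, b"user1"),
         (NAS_IP_ADDRESS, bytes([192, 168, 120, 100])),
         (CALLED_STATION_ID, b"00-00-00-00-00-00:wlxA")])
    accept = build_response(ACCESS_ACCEPT, request, b"yamaha1",
                            [(REPLY_MESSAGE, b"welcome user1")])
    # Same reply, one byte of the attribute body flipped.
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])
    # A different outstanding request (new identifier) must not accept this reply.
    other_request = build_access_request(8, request_auth, [(USER_NAME, b"user1")])
    return {
        "correct_secret": verify_response(accept, request, b"yamaha1"),
        "wrong_secret": verify_response(accept, request, b"yamaha2"),
        "tampered": verify_response(tampered, request, b"yamaha1"),
        "wrong_request": verify_response(accept, other_request, b"yamaha1"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'discarded'}")
```

The same mechanism is why a typo in either secret shows up as authentication that never completes rather than as an explicit error: the access point sees replies arriving but discards each one as unverifiable, which is the first thing to check when a supplicant times out against a freshly configured profile.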
6. Points of Caution
-
In the RADIUS server function, the internal clock of this device is used for processing such as authentication and certificate issuance.
Therefore, the internal clock of this device must always be kept at the correct time. Time synchronization with an NTP server is recommended.
-
The root Certificate Authority must remain unchanged from its creation, so be careful not to delete it carelessly.
If it is deleted, the client certificates it issued can no longer be used, and client certificates must be reissued for all users.
Also, almost all settings related to the RADIUS server function will be deleted.
-
Even if you create a root Certificate Authority with the same name on a Yamaha network switch of the same model number, it will be a different root Certificate Authority.
Client certificates can only be used for authentication on the Yamaha network switch that holds the root Certificate Authority used when they were issued.
To maintain the same root Certificate Authority on multiple devices, see Backing up and restoring all RADIUS server related information.
-
Authentication cannot be performed when a RADIUS client connects using an IPv6 link-local address.
-
The characters permitted in user IDs and other information differ between Yamaha network switches and Yamaha wireless access points (WLX series). The differences are listed below.
(Characters that appear only in the Yamaha network switch list are disallowed only by Yamaha network switches.)

-
Item: Root certificate authority name (CA-NAME option of the crypto pki generate ca command)
Yamaha network switch restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '/', '[', ']', '?', ' ' (space), '"' (double quote)
Yamaha wireless access point restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '/', '[', ']'
-
Item: RADIUS client shared password (SECRET parameter of the nas command)
Yamaha network switch restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '[', ']', '?', ' ' (space), '"' (double quote)
Yamaha wireless access point restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '[', ']'
-
Item: User ID in user information (USERID parameter of the user command), when the authentication method is EAP-TLS
Yamaha network switch restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '/', '[', ']', ':', '<', '*', '>', '|', '?', ' ' (space), '"' (double quote)
Yamaha wireless access point restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '/', '[', ']'
-
Item: User ID in user information (USERID parameter of the user command), when the authentication method is PAP or PEAP
Yamaha network switch restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '[', ']', '?', ' ' (space), '"' (double quote)
Yamaha wireless access point restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '[', ']'
-
Item: Password in user information (PASSWORD parameter of the user command)
Yamaha network switch restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '[', ']', '?', ' ' (space), '"' (double quote)
Yamaha wireless access point restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '\' (backslash), '[', ']'
-
Item: Name in user information (NAME option of the user command)
Yamaha network switch restrictions: The following single-byte alphanumeric characters and symbols cannot be used.
  '?', ' ' (space), '"' (double quote)
Yamaha wireless access point restrictions: All single-byte alphanumeric characters and symbols can be used.