RADIUS server

1. Function Overview

The RADIUS server function stores user information and certificates and authenticates users from the information reported by the RADIUS client.
Combined with the MAC authentication, IEEE 802.1X authentication, and Web authentication functions of this device, authentication can be completed on this device alone, without an external RADIUS server.
This device can also act as the authentication server for authentication performed by other devices (RADIUS clients).

image

The basic performance of the RADIUS server function and the supported authentication methods are as follows.

  • Basic performance

    Item                                             Performance
    ------------------------------------------------ --------------
    Number of RADIUS clients that can be registered  100
    Number of users that can be registered           2000
    Key strength                                     2048 bit
    Signature algorithm                              SHA256
    Certificate Authority name (default value)       swx-radius

  • Supported authentication methods

    Authentication method   Application
    ----------------------- ------------------------------------------------------------------
    PAP                     MAC authentication
    EAP-MD5                 IEEE802.1X authentication, MAC authentication, Web authentication
    EAP-TLS                 IEEE802.1X authentication
    EAP-TTLS                IEEE802.1X authentication
    PEAP                    IEEE802.1X authentication

2. Definition of Terms Used

PKI (Public Key Infrastructure)

Public key infrastructure. Includes digital certificates and certificate authorities (CAs) using public key cryptography.

Certificate authority (CA)

An entity that vouches for public keys by issuing digitally signed certificates. CAs are divided into root Certificate Authorities and intermediate Certificate Authorities,
and form a tree with the root Certificate Authority at the top and intermediate Certificate Authorities beneath it.

Intermediate certificate authority

A Certificate Authority (CA) whose trustworthiness is vouched for by a higher-level CA, that is, whose own certificate is signed by the CA above it.

Root certificate authority

A Certificate Authority (CA) that vouches for itself. Its certificate is self-signed, so it cannot be verified against anything else and must be installed explicitly as a trust anchor on every party that relies on it (for example, the supplicant that validates this device's server certificate).

Root certificate authority certificate

A public key certificate whose issuer and subject are the same and whose signature was made with the private key matching the public key it contains. It is the root of the certificate tree.

Digital certificate

Data, signed by a Certificate Authority (CA), that binds a public key to the entity holding the matching private key (the subject).
In the general PKI flow the subject submits a certificate request together with its public key, and the CA issues the certificate after examining and confirming it.
On this device the root CA, server, and client certificates are all generated by the device itself (crypto pki generate ca and certificate user commands), so there is no separate request step.

EAP-MD5 authentication method (Message Digest algorithm 5)

An authentication method that uses a user name and password. Instead of sending the password, the supplicant returns an MD5 hash of the password combined with a challenge from the server (RFC 3748).
Only the supplicant is authenticated, no keying material is derived, and a captured exchange can be attacked offline by guessing the password, so it is used for wired MAC/Web authentication rather than for wireless.

EAP-TLS authentication method (Transport Layer Security)

An EAP method used with IEEE 802.1X that runs a TLS handshake between the supplicant and the RADIUS server in which both sides present digital certificates: the supplicant validates the server certificate and the server validates the client certificate, so no user ID and password are exchanged. Defined in RFC 5216 (which obsoletes RFC 2716).

EAP-TTLS authentication method (Tunneled TLS)

An EAP method used with IEEE 802.1X that establishes a TLS tunnel using the server's digital certificate and then authenticates the user with a user ID and password inside the encrypted tunnel. Defined in RFC 5281.
Because only the server presents a certificate, the supplicant must be configured to validate it (the issuing CA and the expected server identity); a supplicant that skips this check will hand its password to any rogue access point presenting any certificate.

PEAP authentication method (Protected EAP)

The operating principle is the same as EAP-TTLS; the difference is the protocol carried inside the encrypted tunnel (PEAP carries an inner EAP method, typically EAP-MSCHAPv2, while EAP-TTLS can also carry non-EAP methods such as PAP). A TLS tunnel is established using the server's digital certificate and the user is authenticated with a password inside it. The same server-certificate validation caveat applies.

Trusted

The state in which a certificate issued by a trusted third party (the CA) attests that a public key belongs to its holder.

RADIUS server

The host that provides the RADIUS server function, in this case this device.
It authenticates users who connect through a RADIUS client and manages the authentication/authorization information such as user IDs, passwords, MAC addresses, and assigned VLANs.

Server certificate

A certificate issued by the Certificate Authority (CA) that identifies this RADIUS server. The supplicant validates it during the TLS handshake of EAP-TLS, EAP-TTLS, and PEAP, which is how the supplicant confirms it is talking to the genuine server before sending a password or its own certificate.

RADIUS client

Also called a NAS or an authenticator. It relays between the user connected to a LAN/SFP port and the authentication server, and permits or blocks access to the LAN according to the authentication result.

User

A device, or the supplicant software on it, that connects to a RADIUS client and requests authentication.
It is the smallest unit identifying the party being authenticated and carries the data required for authentication and authorization, such as a unique user ID and password.

Client certificate (user certificate)

A certificate issued by the Certificate Authority (CA) to a user, which the supplicant presents in EAP-TLS to prove its identity. The exported certificate file is everything the supplicant needs to authenticate as that user, so it must be handled as a credential.

3. Function Details

3.1. Root certificate authority

To use the RADIUS server function, you must first create a root Certificate Authority.
The root certificate authority is used for issuing and managing digital certificates. It can be created with the crypto pki generate ca command.
The certificate authority name can be specified in the crypto pki generate ca command argument, if omitted it becomes swx-radius.

The following certificates are issued and managed under the root Certificate Authority.
All certificates use a 2048-bit key and the SHA256 signature algorithm.

Root Certificate Authority certificate

Proves that this device is a trusted root Certificate Authority.
Issued at the same time the root Certificate Authority is created.
Valid from the time of creation until 23:59:59 (JST) on December 31, 2037.

Server certificate

Proves that this device is a trusted server.
Issued at the same time the root Certificate Authority is created.
Valid from the time of creation until 23:59:59 (JST) on December 31, 2037.

Client (user) certificate

Proves that the user is trusted. Issued per user with the certificate user command.

Client revocation certificate

Records that a client certificate has been revoked. It is consulted during authentication so that a revoked client certificate is rejected (the device's counterpart of a CRL entry).

The root Certificate Authority is deleted or overwritten by the following operations.

  • It is deleted when the cold start command is executed.

  • It is deleted when the no crypto pki generate ca command is executed.

  • It is deleted when the stack enable command is executed.

  • It is deleted when the stack disable command is executed.

  • It is deleted when the erase startup-config command is executed.

  • It is overwritten when the crypto pki generate ca command is executed again.

  • It is overwritten when the restore system command is executed.

  • It is overwritten when the copy radius-server local command is executed.

The root certificate authority that was installed first must be kept in place, so be careful not to delete it.
Also back up the RADIUS server information in advance (see Backing up and restoring all RADIUS server related information) in case it is deleted.

Once the root CA is deleted, a CA created afterwards with the same name is a different CA: it has a new key pair and a new self-signed certificate, so certificates issued by the old CA can no longer be validated, and you cannot add to or revoke them.
If the root Certificate Authority is deleted without a backup, every certificate has to be reissued from the beginning, and the new root certificate has to be distributed to the supplicants again.

When the root certificate authority is created by the crypto pki generate ca command, it is automatically saved in the internal area, so there is no need to execute the write command.

3.2. RADIUS client settings

Use the nas command to register the RADIUS clients (NAS) that are permitted to send requests to the RADIUS server, together with the shared secret (key) for each.
An individual IP address or a network address can be specified, and up to 100 entries can be registered. Requests from any other address are not answered and are logged (see SYSLOG output information).
The key is the RADIUS shared secret: it is what hides the User-Password attribute (an MD5-based XOR, not encryption) and what authenticates the server's replies, so use a long random value, do not reuse one key across unrelated clients, and keep the permitted address range as narrow as possible.
RADIUS client operation has been verified with the following products.

  • Yamaha network switch (SWX series)

  • Yamaha router (RTX series or NVR series)

  • Yamaha wireless access point (WLX series)

The settings of the RADIUS client set by the nas command are not displayed in the config by show running-config.
There is no need to execute the write command because it is automatically saved in a different area from the config, but it is necessary to execute the radius-server local refresh command to reflect it in the actual operation.
Use the show radius-server local nas command to confirm the settings.

3.3. User registration

User information for authentication is registered with the user command.
Up to 2000 records of user information can be registered.
Items that can be set with the user command are as follows.

    Type       Item                            Summary/Remarks
    ---------- ------------------------------- ----------------------------------------------------------------------
    Mandatory  User ID                         ID for uniquely identifying the user information
               Password                        Password used in combination with the user ID.
                                               If the client certificate is exported compressed, this password is used to decompress it.
    Option     User name                       Any character string, used for identifying the user.
               MAC address                     Compared with the Calling-Station-Id reported by the RADIUS client; if it does not match, authentication fails.
               SSID                            Compared with the Called-Station-Id reported by the RADIUS client; if it does not match, authentication fails.
               Mail address                    Address to which the certificate is sent by mail.
               Authentication method           The default is EAP-TLS, so specify it to use any other method.
               Period of certificate validity  Only meaningful when the authentication method is EAP-TLS. If omitted, 23:59:59 on December 31, 2037.

The user settings set by the user command are not displayed in the config by show running-config, etc.
There is no need to execute the write command because it is automatically saved in a different area from the config, but it is necessary to execute the radius-server local refresh command to reflect it in the actual operation.
Use the show radius-server local user command to confirm the settings.
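The RADIUS client settings above and the user table are exercised together in the PAP exchange below. This is an added example, not Yamaha's code or the device's implementation: it builds an Access-Request the way a NAS registered with the nas command would, hides the User-Password with the shared secret as RFC 2865 specifies, and on the server side checks the NAS address, decodes the password, compares Calling-Station-Id with the registered MAC address and Called-Station-Id with the registered SSID, and answers with the VLAN (RFC 2868 tunnel attributes). NAS_TABLE and USER_TABLE are constructed stand-ins for the device's database, the "<AP MAC>:<SSID>" Called-Station-Id layout is an assumption, and the log strings only imitate the SYSLOG messages on this page.

```python
"""Added example (not Yamaha's code): a pure-Python model of the RADIUS PAP
exchange between a NAS registered with the nas command and a user registered
with the user command. Packet layout, User-Password hiding and the Response
Authenticator follow RFC 2865; NAS_TABLE and USER_TABLE are constructed
stand-ins for the device's database; the log strings imitate the page's SYSLOG."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLED_STATION_ID, CALLING_STATION_ID = 1, 2, 30, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

# Constructed stand-ins for 'nas <ip> key <secret>' and 'user ...' entries.
NAS_TABLE = {"192.168.100.1": b"yamaha"}
USER_TABLE = {
    "user1": {"password": "password1", "mac": None, "ssid": None, "vlan": 1},
    "00a0de000001": {"password": "00a0de000001", "mac": "00:a0:de:00:00:01",
                     "ssid": "wlx", "vlan": 10},
}


def _password_xor(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden
    block); the first block chains from the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    return _password_xor(hidden, secret, authenticator, False).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(secret, ident, username, password, calling=None, called=None):
    """NAS side: Code, Identifier, Length, random Request Authenticator, attributes."""
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator))]
    if calling:
        attrs.append((CALLING_STATION_ID, calling.encode()))
    if called:
        attrs.append((CALLED_STATION_ID, called.encode()))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """NAS side: a reply forged without the shared secret fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def handle_access_request(packet, src_ip):
    """Server side. Returns (reply bytes or None, syslog-style line)."""
    secret = NAS_TABLE.get(src_ip)
    if secret is None:                      # unregistered NAS: no reply, only a log line
        return None, f"[RADIUSD] Connected NAS is not allowed.IP:{src_ip}"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = decode_attrs(packet[20:length])
    uid = attrs.get(USER_NAME, b"").decode(errors="replace")
    mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    called = attrs.get(CALLED_STATION_ID, b"").decode(errors="replace")
    user = USER_TABLE.get(uid)
    reject = (build_response(ACCESS_REJECT, packet, secret),
              f"[RADIUSD] Authentication failed.: [{uid}/<via Auth-Type = PAP>] (cli {mac})")
    # A NAS configured with the wrong shared secret decodes to garbage here, so it is rejected too.
    if user is None or reveal_password(attrs.get(USER_PASSWORD, b""), secret, packet[4:20]) != user["password"].encode():
        return reject
    if user["mac"] and mac.replace("-", ":").lower() != user["mac"]:
        return (build_response(ACCESS_REJECT, packet, secret),
                f"[RADIUSD] MAC address is not allowed.User-ID:{uid} MAC:{mac}")
    # Assumption: a WLAN NAS sends Called-Station-Id as "<AP MAC>:<SSID>".
    if user["ssid"] and called.rsplit(":", 1)[-1] != user["ssid"]:
        return reject
    tag = b"\x00"                           # RFC 2868 tag byte, 0 = untagged
    vlan = [(TUNNEL_TYPE, tag + b"\x00\x00\x0d"),          # 13 = VLAN
            (TUNNEL_MEDIUM_TYPE, tag + b"\x00\x00\x06"),   # 6 = IEEE-802
            (TUNNEL_PRIVATE_GROUP_ID, tag + str(user["vlan"]).encode())]
    return (build_response(ACCESS_ACCEPT, packet, secret, vlan),
            f"[RADIUSD] Authentication succeeded.: [{uid}/<via Auth-Type = PAP>] (cli {mac})")
```

Two things worth noticing when running it: a NAS with the wrong shared secret is not told so, it simply gets an Access-Reject, because the only check on the Access-Request is that the decoded password matches; and the reply is authenticated by nothing but an MD5 over the request authenticator and the secret. That is the whole strength of PAP over RADIUS, which is why the nas key must be long and random and the permitted addresses tight.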

3.4. Restricting the authentication method

The authentication method can be restricted by the authentication command.
The authentication method is not restricted by default, but you can use it when you want to temporarily disable a specific authentication method.

3.5. Enabling the RADIUS server function

To enable the RADIUS server function, use the radius-server local enable command.
Set the RADIUS client and user information, and enable the RADIUS server function after the necessary preparations are completed.

3.6. Reflecting settings in operation

If you add/change/delete the settings related to the RADIUS server, execute the radius-server local refresh command to reflect them in actual operation.
The commands reflected in the actual operation by the radius-server local refresh command are as follows.

  • authentication command

  • nas command

  • reauth interval command

  • user command

When you add/change/delete settings related to the RADIUS server in Web GUI, processing equivalent to the radius-server local refresh command is automatically performed.

3.7. Issue client certificate

Use the certificate user command to issue a client certificate to a user who authenticates with a certificate (a user whose authentication method is EAP-TLS in the user command).
Each user can hold up to two client certificates; issuing a third revokes the older of the two (see Revoking a client certificate).
If you specify an individual user ID with the certificate user command, a client certificate is issued for that user.
If you do not specify a user ID, client certificates are issued for all users who meet either of the following conditions.

Conditions for batch issuance of client certificates

  • Client certificate has never been issued

  • The password or expiration date has changed since the client certificate was issued

It takes about 15 seconds to issue a client certificate. Although the certificate user command issues client certificates in the background, be aware that batch issuing client certificates for multiple users can be time consuming.
To cancel the issuance of a client certificate partway through, use the certificate abort command.

An issued client certificate can be exported in the following ways.

  • Specify the mail option in the certificate user command
    The client certificate is sent to the specified mail address at the same time it is issued.
    The client certificate is ZIP compressed and can be decompressed with the password set by the user command.
    For details on sending a client certificate by mail, refer to Sending a certificate by mail.

  • certificate export sd command
    Copies the client certificate of one user or of all users to a microSD card.
    When the certificate of one user is compressed with the compress option, it can be decompressed with the password set by the user command.
    When the certificates of all users are compressed together with the compress option, the archive can be decompressed without a password.

  • certificate export mail command
    Sends the client certificate of one user or of all users to the mail address set by the user command.
    The client certificate is ZIP compressed and can be decompressed with the password set by the user command.

  • Access the device with Web GUI
    The client certificate can be downloaded for one user or for all users.
    The download is ZIP compressed, but no password is required to decompress it.

Whichever route is used, the exported file is all a supplicant needs to authenticate as that user, so treat it as a credential: the all-users SD export and the Web GUI download are not password-protected at all, and an archive protected only by the user command password is no stronger than that password. Deliver it over a protected channel and delete copies (mail spools, SD cards) once the supplicant has imported it.
3.8. Revoking a client certificate

To stop a user who holds a client certificate from authenticating, a revocation certificate must be issued for it; EAP-TLS does not use the user's password, so changing the password alone does not block an issued certificate.
Once a revocation certificate exists for a user, it is consulted during authentication and the revoked certificate is rejected.
Revocation certificates are issued by the following operations.

  • Execute the certificate revoke id command
    A revocation certificate is issued for the client certificate with the specified certificate ID.

  • Execute the certificate revoke user command
    Revocation certificates are issued for all client certificates of the specified user.

  • Change the authentication method from EAP-TLS to other (PAP, PEAP, EAP-MD5, EAP-TTLS) with the user command
    Revocation certificates are issued for all client certificates of the target user.
    If you change the authentication method of the target user to EAP-TLS again, it will be subject to the issue of client certificates.

  • Deletion of user command
    Revocation certificates are issued for all client certificates of the target user.
    If you register a user again with the same user ID as the target user, it will be subject to the issue of client certificates.

  • Issue a third client certificate with the certificate user command
    A revocation certificate is issued for the target user’s older client certificate.

  • Importing user information according to Importing and exporting user information
    If a user is deleted due to an import, a revocation certificate is issued for all client certificates of the deleted user.
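The issuance and revocation rules of the two sections above form a small state machine, modelled here as an added example (not Yamaha's code or the device's storage format): at most two live certificates per user, a third issuance retiring the older one, and revocation by certificate ID, by user, by switching the user's method away from EAP-TLS, or by deleting the user. Certificate IDs imitate the "<userid>-<16 hex digits>" form in the show output; the "revoked" and "expired" reason labels follow that output, but which label the device records for a certificate retired by a third issuance is an assumption.

```python
"""Added example (not Yamaha's code): an in-memory model of the client
certificate lifecycle described under Issue client certificate and
Revoking a client certificate. Certificate IDs and reason labels imitate
the page's show output; the store itself is a constructed stand-in."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import secrets

DEFAULT_END = date(2037, 12, 31)      # validity when the user command omits it
RETIRE_REASON = "revoked"             # assumption: label recorded for a retired certificate


@dataclass
class Cert:
    cert_id: str
    userid: str
    seq: int                           # issuance order, so "older" is well defined
    enddate: date
    reason: Optional[str] = None       # None = usable; otherwise "revoked" / "expired"


class CertStore:
    def __init__(self):
        self.users = {}   # userid -> {"auth": str, "enddate": date}
        self.certs = {}   # cert_id -> Cert
        self._seq = 0

    # user command ------------------------------------------------------
    def add_user(self, userid, auth="eap-tls", enddate=DEFAULT_END):
        self.users[userid] = {"auth": auth, "enddate": enddate}

    def set_auth(self, userid, auth):
        """Changing away from EAP-TLS revokes every certificate of the user."""
        self.users[userid]["auth"] = auth
        if auth != "eap-tls":
            self.revoke_user(userid)

    def delete_user(self, userid):
        self.revoke_user(userid)
        del self.users[userid]

    # certificate commands ---------------------------------------------
    def active(self, userid):
        return sorted((c for c in self.certs.values() if c.userid == userid and c.reason is None),
                      key=lambda c: c.seq)

    def issue(self, userid):
        user = self.users[userid]
        if user["auth"] != "eap-tls":
            raise ValueError(f"{userid}: certificates are only issued for EAP-TLS users")
        live = self.active(userid)
        if len(live) >= 2:                 # third certificate: retire the oldest
            live[0].reason = RETIRE_REASON
        self._seq += 1
        cert_id = f"{userid}-{secrets.token_hex(8).upper()}"
        self.certs[cert_id] = Cert(cert_id, userid, self._seq, user["enddate"])
        return cert_id

    def revoke_id(self, cert_id):
        self.certs[cert_id].reason = "revoked"

    def revoke_user(self, userid):
        for c in self.active(userid):
            c.reason = "revoked"

    # what the authentication path consults ----------------------------
    def check(self, cert_id, today):
        """(usable, reason) for a presented certificate on the given date."""
        c = self.certs.get(cert_id)
        if c is None:
            return False, "unknown"
        if c.reason:
            return False, c.reason
        if today > c.enddate:
            c.reason = "expired"
            return False, "expired"
        return True, None

    def revocation_list(self):
        """Rows as 'show radius-server local certificate revoke' would list them."""
        return [(c.userid, c.cert_id, c.reason) for c in self.certs.values() if c.reason]
```

The invariant to keep in mind when operating the real device is the one `issue` enforces: issuing a replacement certificate does not by itself invalidate the one still in the user's hands until a third issuance or an explicit revoke, so a lost certificate should be revoked by ID rather than just reissued.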

3.9. Sending a certificate by mail

To use the client certificate mail transmission described in Issuing a client certificate, the following preparations are required in advance.
The settings described here are the minimum settings. Make the necessary settings according to the usage.

  1. Set SMTP server

    1. Specify the SMTP server with the mail server smtp host command.

  2. Specify the mail template

    1. Specify the template ID with the mail template command and switch to the template setting mode.

    2. Specify the mail server ID of the SMTP server set by the mail server smtp host command with the send server command.

    3. Specify the sender mail address with the send from command.

  3. Specify the mail template to use for sending certificate mails

    1. Specify the ID of the mail template created above with the mail send certificate command.

The subject and body of the mail are as follows. The format cannot be changed.

Subject

Certification Publishment

Body

Certification is published.
Name             : [*NAME parameter of the user command]
Account          : [*USERID parameter of the user command]
MAC address      : XX:XX:XX:XX:XX:XX
Expire           : YYYY/MM/DD

3.10. Checking settings and certificates

  • Checking the RADIUS client settings
    Use the show radius-server local nas command.

    Yamaha# show radius-server local nas 192.168.100.0/24
    host                                    key
    --------------------------------------------------------------------------------------------------------
    192.168.100.0/24                        abcde
  • Checking the user settings
    Use the show radius-server local user command.
    The detail form prints the password in clear text, so restrict who can run it and treat terminal logs and captured output as sensitive.

    Yamaha# show radius-server local user
    
    Total     1
    
    userid                           name                             vlan mode
    --------------------------------------------------------------------------------
    00a0de000000                     Yamaha                              1 eap-md5
    Yamaha# show radius-server local user detail 00a0de000000
    
    Total     1
    
    userid      : 00a0de000000
    password    : secretpassword
    mode        : eap-md5
    name        : Yamaha
    vlan        :    1
  • Checking the status of client certificate issuance processing
    Use the show radius-server local certificate status command.

    Yamaha# show radius-server local certificate status
    certificate process: xxxx/ zzzz processing...
  • Checking the list of client certificates
    Use the show radius-server local certificate list command.

    Yamaha# show radius-server local certificate list detail Yamaha
    
    userid                           certificate number                                enddate
    ---------------------------------------------------------------------------------------------
    Yamaha                           Yamaha-DF598EE9B44D22CC                           2018/12/31
                                     Yamaha-DF598EE9B44D22CD                           2019/12/31
  • Checking the revocation certificate
    Use the show radius-server local certificate revoke command.

    Yamaha# show radius-server local certificate revoke
    
    userid                           certificate number                                reason
    ---------------------------------------------------------------------------------------------
    Yamaha                           Yamaha-DF598EE9B44D22CC                           expired
    Yamaha                           Yamaha-DF598EE9B44D22CD                           revoked

3.11. Mail notification of expiration of client certificate

A mail notification can be sent before the client certificate expires.
The following preparations are required in advance to use advance mail notification.
The settings described here are the minimum settings. Make the necessary settings according to the usage.

  1. Set SMTP server

    1. Specify the SMTP server with the mail server smtp host command.

  2. Specify the mail template

    1. Specify the template ID with the mail template command and switch to the template setting mode.

    2. Specify the mail server ID of the SMTP server set by the mail server smtp host command with the send server command.

    3. Specify the sender mail address with the send from command.

  3. Specify the mail template to use for the certificate expiration advance mail notification

    1. Specify the ID of the mail template created above with the mail send certificate-notify command.

  4. Specify when to send a certificate expiration advance mail notification

    1. Specify the number of days before the expiration date to send the mail notification with the mail certificate expire-notify command.

Confirmation of the certificates that are subject to the client certificate expiration advance mail notification is performed every day at 23:59:59.

The subject and body of the mail are as follows. The format cannot be changed.

Subject

Certification expiration

Body

Your certificate will expire in [number of days remaining] days.
Name             : [*NAME parameter of the user command]
Account          : [*USERID parameter of the user command]
MAC address      : XX:XX:XX:XX:XX:XX
Expire           : YYYY/MM/DD

3.12. Importing and exporting user information

  • Exporting
    User information can be exported from the web GUI as a CSV file.
    Users can be registered collectively by appending them to the exported CSV format file.
    User information exported by this device cannot be imported using a Yamaha wireless access point (WLX series).

  • Importing
    User information can be imported from the web GUI.
    When importing user information, client certificates being issued due to the import can be issued at one time as a batch.
    When importing information for a large number of users, it may take time before the information is reflected in actual operations.
    User information exported by a Yamaha wireless access point (WLX series) can be imported to this device.
    However, user information cannot be imported if it includes characters that cannot be used in the unit. In that case, add each user separately.
    For details about characters not allowed by the unit, refer to Points of Caution.

3.13. Backing up and restoring all RADIUS server related information

This device can back up and restore all RADIUS server related information including the root Certificate Authority.

  • Backup
    By specifying the microSD card as the export destination with the copy radius-server local command, all the RADIUS server related information can be backed up to the microSD card.
    The same backup can be performed from the Web GUI. We recommend that you make a backup in case of device failure.
    The backup file contains the setting information of the following three commands, but does not include the setting information related to other RADIUS server functions. Therefore, it is recommended that you back up configuration files along with backup files.

    • crypto pki generate ca command

    • user command

    • nas command

    Not all RADIUS server-related information backed up by this device can be restored using a Yamaha wireless access point (WLX series).

  • Restoration
    By specifying the internal config number as the export destination with the copy radius-server local command, the data backed up above can be restored from the microSD card.
    In addition, the same restoration can be performed from the Web GUI, and it is possible to restore data obtained with any model of the SWX series.
    Note that if you perform restoration while the root Certificate Authority has been created, the root Certificate Authority will be overwritten.

3.14. Restoring RADIUS server information backed up by a Yamaha wireless access point (WLX series)

This unit can restore RADIUS server information backed up by a Yamaha wireless access point (WLX series). The information can only be restored via the Web GUI.
The RADIUS server function that was operated on a Yamaha wireless access point (WLX series) can be transferred to this unit by the following procedure.

  1. Restore onto this unit the data backed up from the Yamaha wireless access point (WLX series).
    For the WLX402, the backup data (ZIP file) is obtained from the RADIUS server settings page of its Web GUI.
    For the WLX313, the backup data (ZIP file) is obtained from the settings (save/restore) page of its Web GUI.

  2. Use the nas command or Web GUI to specify the RADIUS client.

  3. Specify the VLAN interface to use for RADIUS authentication by the radius-server local interface command or via the Web GUI.

  4. To send an authentication certificate via mail or send prior mail notification about the certificate expiration date, specify mail settings.

  5. Enable RADIUS server functions using the radius-server local enable command or the Web GUI.

  6. Apply the RADIUS information to actual operations using the radius-server local refresh command.

The procedure above eliminates the need to reissue a client certificate and can be used to transfer RADIUS server functions to the unit from a Yamaha wireless access point (WLX series).
If RADIUS server functions are transferred to the unit from a Yamaha wireless access point (WLX series), then the revocation certificate expiration date is automatically updated to 20 years from the date/time the functions are received.
The following data backed up via a Yamaha wireless access point (WLX series) can be restored.

  • Root certificate authority

  • Root certificate

  • Server certificate

  • Client certificate

  • Revocation certificate

  • User information

RADIUS client settings and other information not indicated above are not restored and must be set separately.
Users with information that includes characters not allowed by the unit cannot be restored. In that case, add each user separately.
For details about characters not allowed by the unit, refer to Points of Caution.
Certificate Authority names can be restored even if they include characters not allowed by the unit. However, disallowed characters are shown converted to the underscore (_) character in config files.

3.15. SYSLOG output information

The following information is output to the SYSLOG by the RADIUS server function.
The prefix is [RADIUSD]. Every message is at the INFO level, so a syslog filter that drops INFO messages also drops the authentication failures and rogue-NAS reports below; keep [RADIUSD] INFO messages when forwarding to a log collector.

    Type  Message
          Description

    INFO  RADIUS server started.
          The RADIUS server function process has started.

    INFO  RADIUS server stopped.
          The RADIUS server function process has stopped.

    INFO  Authentication succeeded.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address })
          User authentication succeeded.

    INFO  Authentication failed.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address })
          User authentication failed.

    INFO  MAC address is not allowed.User-ID:{ User ID } MAC:{ MAC address }
          User authentication failed because the MAC address did not match the one registered for the user.

    INFO  Connected NAS is not allowed.IP:{ IP address }
          An authentication request was received from a RADIUS client that is not registered with the nas command.
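The message formats above are regular enough to parse mechanically. The following is an added example (not Yamaha's code): a parser for the [RADIUSD] lines plus the two checks a security operations team would run over them, repeated failures against one user ID (password guessing) and requests from a NAS that is not registered with the nas command. The timestamp and host prefix, the sample lines, and the failure threshold are constructed for illustration; the device's actual syslog prefix depends on the receiving collector.

```python
"""Added example (not Yamaha's code): parse the [RADIUSD] SYSLOG messages
listed on the page and flag password guessing and unregistered NAS sources.
The "Mon DD hh:mm:ss host" prefix and the sample lines are constructed."""
import re
from collections import Counter

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \[RADIUSD\] (?P<msg>.*)$")
AUTH = re.compile(r"^Authentication (?P<result>succeeded|failed)\.: "
                  r"\[(?P<user>[^/]*)/<via Auth-Type = (?P<method>[^>]*)>\] "
                  r"\(from client port (?P<port>\S+) cli (?P<mac>\S+)\)$")
BAD_MAC = re.compile(r"^MAC address is not allowed\.User-ID:(?P<user>\S+) MAC:(?P<mac>\S+)$")
BAD_NAS = re.compile(r"^Connected NAS is not allowed\.IP:(?P<ip>\S+)$")
LIFECYCLE = ("RADIUS server started.", "RADIUS server stopped.")


def parse(line):
    """Return a dict describing one log line, or None if it is not a [RADIUSD] line."""
    m = LINE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"]}
    msg = m["msg"]
    for kind, pattern in (("auth", AUTH), ("bad_mac", BAD_MAC), ("bad_nas", BAD_NAS)):
        a = pattern.match(msg)
        if a:
            event.update(type=kind, **a.groupdict())
            return event
    event.update(type="lifecycle" if msg in LIFECYCLE else "unknown", msg=msg)
    return event


def findings(lines, fail_threshold=3):
    """Aggregate the events that warrant attention.

    guessing:     user IDs with at least fail_threshold failed authentications
    rogue_nas:    source addresses that are not registered with the nas command
    mac_mismatch: (user, MAC) pairs where the Calling-Station-Id did not match
    unparsed:     [RADIUSD] messages this parser does not know (new firmware text)
    """
    events = [e for e in map(parse, lines) if e]
    fails = Counter(e["user"] for e in events if e["type"] == "auth" and e["result"] == "failed")
    return {
        "guessing": {u: n for u, n in fails.items() if n >= fail_threshold},
        "rogue_nas": sorted({e["ip"] for e in events if e["type"] == "bad_nas"}),
        "mac_mismatch": [(e["user"], e["mac"]) for e in events if e["type"] == "bad_mac"],
        "unparsed": [e["msg"] for e in events if e["type"] == "unknown"],
    }


# Constructed sample input in the page's message formats.
SAMPLE = """\
Jan 10 09:00:01 swx [RADIUSD] RADIUS server started.
Jan 10 09:01:10 swx [RADIUSD] Authentication succeeded.: [user1/<via Auth-Type = PAP>] (from client port 1 cli 00:a0:de:00:00:01)
Jan 10 09:02:00 swx [RADIUSD] Authentication failed.: [admin/<via Auth-Type = PAP>] (from client port 1 cli 00:a0:de:00:00:09)
Jan 10 09:02:01 swx [RADIUSD] Authentication failed.: [admin/<via Auth-Type = PAP>] (from client port 1 cli 00:a0:de:00:00:09)
Jan 10 09:02:02 swx [RADIUSD] Authentication failed.: [admin/<via Auth-Type = PAP>] (from client port 1 cli 00:a0:de:00:00:09)
Jan 10 09:03:00 swx [RADIUSD] MAC address is not allowed.User-ID:00a0de000001 MAC:00:a0:de:00:00:02
Jan 10 09:04:00 swx [RADIUSD] Connected NAS is not allowed.IP:192.168.100.250
Jan 10 09:05:00 swx [RADIUSD] Something this parser has never seen.
""".splitlines()

if __name__ == "__main__":
    for key, value in findings(SAMPLE).items():
        print(f"{key}: {value}")
```

The "unparsed" bucket is deliberate: a detection that silently ignores message text it does not recognise will go blind after a firmware update, so unknown [RADIUSD] lines should surface as a finding of their own.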

4. Related Commands

Related commands are indicated below.
For details on the commands, refer to the Command Reference.

    Command                                       Operation
    --------------------------------------------- ------------------------------------------------------------
    radius-server local enable                    Enable the local RADIUS server function
    radius-server local interface                 Access interface settings
    crypto pki generate ca                        Generate root Certificate Authority
    radius-server local-profile                   Enter RADIUS configuration mode
    authentication                                Authentication method setting
    nas                                           RADIUS client (NAS) settings
    user                                          Authentication user settings
    reauth interval                               Re-authentication interval settings
    radius-server local refresh                   Apply set data to the local RADIUS server
    certificate user                              Issue client certificate
    certificate abort                             Suspend client certificate issuance
    certificate revoke id                         Revoke client certificate with the specified certificate ID
    certificate revoke user                       Revoke client certificates for the specified user
    certificate export sd                         Export client certificate (copy to SD)
    certificate export mail                       Export client certificate (mail transmission)
    copy radius-server local                      Copy RADIUS data (backup/restore)
    show radius-server local nas                  Show RADIUS client (NAS) settings
    show radius-server local user                 Show authentication user information
    show radius-server local certificate status   Show issuance status of client certificates
    show radius-server local certificate list     Show list of client certificates
    show radius-server local certificate revoke   Show revocation list of client certificates

5. Setting Examples

5.1. Using RADIUS server functions and port authentication function simultaneously

Use a local RADIUS server to configure supplicants A, B, and C to authenticate with MAC, IEEE802.1X, and Web authentication, respectively.

image

  1. Enable the local RADIUS server with the network switch and register the user.

    Yamaha# configure terminal
    Yamaha(config)# crypto pki generate ca
    Generate CA? (y/n): y
    Finished
    Yamaha(config)# radius-server local-profile
    Yamaha(config-radius)# user 00a0de000001 00a0de000001 auth peap
    Yamaha(config-radius)# user 8021xuser 8021xpass auth peap
    Yamaha(config-radius)# user webuser webpass auth peap
    Yamaha(config-radius)# exit
    Yamaha(config)# radius-server local enable
    Yamaha(config)# exit
    Yamaha# radius-server local refresh
  2. Assign an IP address to VLAN #1 for web authentication

    Yamaha# configure terminal
    Yamaha(config)# interface vlan1
    Yamaha(config-if)# ip address 192.168.100.240/24
  3. Enable MAC authentication, IEEE802.1X authentication, and Web authentication on LAN port #1.

    Yamaha# configure terminal
    Yamaha(config)# aaa authentication auth-mac
    Yamaha(config)# auth-mac auth-user unformatted lower-case
    Yamaha(config)# aaa authentication dot1x
    Yamaha(config)# aaa authentication auth-web
    Yamaha(config)# interface port1.1
    Yamaha(config-if)# auth host-mode multi-supplicant
    Yamaha(config-if)# auth-mac enable
    Yamaha(config-if)# dot1x port-control auto
    Yamaha(config-if)# auth-web enable
  4. Set the RADIUS server used for the authentication function.

    Yamaha# configure terminal
    Yamaha(config)# radius-server host 127.0.0.1 key secret_local

5.2. Using RADIUS server functions for authentication of users logging in to a Yamaha router

If accessing a Yamaha router from a TELNET client, user login authentication and administrator privilege authentication are performed by the Yamaha network switch RADIUS server.
That enables user login using the user ID “user1” and password “password1”.
Users can be promoted to administrator using the password “admin”.

image

■ Yamaha network switch settings

  1. Specify the IP address in the interface.

    Yamaha# configure terminal
    Yamaha(config)# interface vlan1
    Yamaha(config-if)# ip address 192.168.100.240/24
    Yamaha(config-if)# exit
  2. Generate a root Certificate Authority.

    Yamaha(config)# crypto pki generate ca
    Generate CA? (y/n): y
    Finished
  3. Specify the RADIUS servers.

    Yamaha(config)# radius-server local-profile
    Yamaha(config-radius)# nas 192.168.100.1 key yamaha
    Yamaha(config-radius)# user user1 password1 auth pap
    Yamaha(config-radius)# user *administrator admin auth pap
    Yamaha(config-radius)# exit
  4. Specify interfaces to which RADIUS clients can connect.

    Yamaha(config)# radius-server local interface vlan1
  5. Enable RADIUS server functions.

    Yamaha(config)# radius-server local enable
    Yamaha(config)# exit
  6. Apply RADIUS server settings to actual operations.

    Yamaha# radius-server local refresh
    Yamaha#

■ Yamaha router settings

login radius use on
administrator radius auth on
ip lan1 address 192.168.100.1/24
radius auth on
radius auth server 192.168.100.240
radius auth port 1812
radius secret yamaha

5.3. Using RADIUS server functions for MAC authentication of Yamaha wireless access points (WLX series)

The Yamaha network switch RADIUS server is used to authenticate the MAC address of supplicants connected to a Yamaha wireless access point.

image

■ Yamaha network switch settings

  1. Specify the IP address in the interface.

    Yamaha# configure terminal
    Yamaha(config)# interface vlan2
    Yamaha(config-if)# ip address 192.168.200.240/24
    Yamaha(config-if)# exit
  2. Generate a root Certificate Authority.

    Yamaha(config)# crypto pki generate ca
    Generate CA? (y/n): y
    Finished
  3. Specify the RADIUS servers.

    Yamaha(config)# radius-server local-profile
    Yamaha(config-radius)# nas 192.168.200.100 key yamaha
    Yamaha(config-radius)# user 00a0de000001 00a0de000001 auth pap ssid wlx
    Yamaha(config-radius)# exit
  4. Specify interfaces permitted to connect to RADIUS clients.

    Yamaha(config)# radius-server local interface vlan2
  5. Enable RADIUS server functions.

    Yamaha(config)# radius-server local enable
    Yamaha(config)#exit
  6. Apply RADIUS server settings to actual operations.

    Yamaha#radius-server local refresh
    Yamaha#

■ Yamaha wireless AP (WLX402) settings
Note: Only settings related to authentication are shown. Configure other settings, such as those for wireless functions, separately according to the environment.

ip vlan-id 1 address 192.168.200.100/24
airlink select 1
airlink ssid wlx
airlink radius auth on
airlink radius server 192.168.200.240
airlink radius secret yamaha
airlink enable 1
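The PAP exchange behind the MAC-authentication entry above, as an added example in Python that is not Yamaha's code: it shows how a NAS such as the WLX hides the User-Password attribute under RFC 2865 section 5.2 and how the RADIUS server recovers it and checks it against its user list. The shared secret, user entry and Request Authenticator are constructed values mirroring this section's configuration.

```python
import hashlib
import secrets

# Constructed sample values mirroring the configuration in this section (not a real capture):
# the NAS shared secret from "nas ... key yamaha" and the MAC-authentication user
# "user 00a0de000001 00a0de000001 auth pap ssid wlx" (user id = password = MAC address).
SHARED_SECRET = b"yamaha"
USER_DB = {"00a0de000001": "00a0de000001"}  # user id -> password in the local profile


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side, RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a multiple of 16
    out, prev = b"", authenticator  # first key block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # later key blocks chain on the previous hidden block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same secret, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def nas_build_request(mac: str, authenticator: bytes) -> dict:
    """Access-Request attributes the access point sends for MAC authentication."""
    return {"User-Name": mac,
            "User-Password": hide_password(mac.encode(), SHARED_SECRET, authenticator),
            "Authenticator": authenticator}


def server_check(request: dict, secret: bytes) -> bool:
    """Recover the PAP password with the secret registered for this NAS and compare it."""
    recovered = reveal_password(request["User-Password"], secret, request["Authenticator"])
    expected = USER_DB.get(request["User-Name"])
    # A wrong NAS secret yields garbage here, so a mismatched "nas ... key" fails closed.
    return expected is not None and secrets.compare_digest(recovered, expected.encode())
```

Because the MAC address is both user id and password, the shared secret is the only thing protecting this exchange on the wire, which is why the secret should be long and unique per NAS.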

5.4. Using RADIUS server functions to connect to a Yamaha wireless access point (WLX series) using a certificate

A supplicant with a certificate issued by the Yamaha network switch installed is used to authenticate connections to a Yamaha wireless access point.

image

■ Yamaha network switch settings

  1. Specify the IP address in the interface.

    Yamaha(config)# interface vlan2
    Yamaha(config-if)# ip address 192.168.120.240/24
    Yamaha(config-if)# exit
  2. Generate a root Certificate Authority.

    Yamaha(config)#crypto pki generate ca
    Generate CA? (y/n): y
    Finished
  3. Specify the RADIUS servers.

    Yamaha(config)# radius-server local-profile
    Yamaha(config-radius)# nas 192.168.120.100 key yamaha1
    Yamaha(config-radius)# nas 192.168.130.100 key yamaha2
    Yamaha(config-radius)# user user1 pass1 ssid wlxA
    Yamaha(config-radius)# user user2 pass2 ssid wlxB
    Yamaha(config-radius)# user user3 pass3 ssid wlxC
    Yamaha(config-radius)# user user4 pass4 ssid wlxD
    Yamaha(config-radius)# exit
  4. Specify interfaces to which RADIUS clients can connect.

    Yamaha(config)# radius-server local interface vlan2
    Yamaha(config)# radius-server local interface vlan3
  5. Enable RADIUS server functions.

    Yamaha(config)# radius-server local enable
    Yamaha(config)# exit
  6. Issue client certificates.
    Install the issued certificates in supplicants A to D, respectively.

    Yamaha# certificate user user1
    Yamaha# certificate user user2
    Yamaha# certificate user user3
    Yamaha# certificate user user4
  7. Apply RADIUS server settings to actual operations.

    Yamaha# radius-server local refresh

■ Yamaha wireless AP1 (WLX402) settings
Note: Only settings related to authentication are shown. Configure other settings, such as those for wireless functions, separately according to the environment.

ip vlan-id 2 address 192.168.120.100/24
 airlink select 1
  airlink ssid wlxA
  airlink vlan-id 2
  airlink radius auth on
  airlink radius server 192.168.120.240
  airlink radius secret yamaha1
 airlink enable 1
 airlink select 2
  airlink ssid wlxB
  airlink vlan-id 2
  airlink radius auth on
  airlink radius server 192.168.120.240
  airlink radius secret yamaha1
 airlink enable 2

■ Yamaha wireless AP2 (WLX402) settings
Note: Only settings related to authentication are shown. Configure other settings, such as those for wireless functions, separately according to the environment.

ip vlan-id 3 address 192.168.130.100/24
 airlink select 1
  airlink ssid wlxC
  airlink vlan-id 3
  airlink radius auth on
  airlink radius server 192.168.130.240
  airlink radius secret yamaha2
 airlink enable 1
 airlink select 2
  airlink ssid wlxD
  airlink vlan-id 3
  airlink radius auth on
  airlink radius server 192.168.130.240
  airlink radius secret yamaha2
 airlink enable 2

6. Points of Caution

  • The RADIUS server function uses the internal clock of this device for processing such as authentication and certificate issuance.
    The internal clock must therefore always be kept at the correct time; time synchronization with an NTP server is recommended.

  • It is necessary to keep the root Certificate Authority consistent from its creation, so be careful not to delete it carelessly.
    If it is deleted, the issued client certificates cannot be used, and client certificates must be reissued for all users.
    Also, almost all settings related to the RADIUS server function will be deleted.

  • Even if you create a root Certificate Authority with the same name on a Yamaha network switch of the same model number, that root Certificate Authority will be a different one.
    Client certificates can only be used with Yamaha network switch authentication that has the root Certificate Authority used at the time of generation.
    To maintain the same root Certificate Authority in multiple devices, see Backing up and restoring all RADIUS server related information.

  • Authentication cannot be performed when a RADIUS client connects to this device using an IPv6 link-local address.

  • The characters permitted in user and other information differ between Yamaha network switches and Yamaha wireless access points (WLX series). The differences are listed below.
    (Characters listed only under the Yamaha network switch restrictions are disallowed only by Yamaha network switches.)

    Root certificate authority name (CA-NAME option of the crypto pki generate ca command)
      Yamaha network switch: the following single-byte characters cannot be used:
        '\' (backslash), '/', '[', ']', '?', ' ' (space), '"' (double quote)
      Yamaha wireless access point: the following single-byte characters cannot be used:
        '\' (backslash), '/', '[', ']'

    RADIUS client shared password (SECRET parameter of the nas command)
      Yamaha network switch: the following single-byte characters cannot be used:
        '\' (backslash), '[', ']', '?', ' ' (space), '"' (double quote)
      Yamaha wireless access point: the following single-byte characters cannot be used:
        '\' (backslash), '[', ']'

    User ID in user information (USERID parameter of the user command), when the authentication method is EAP-TLS
      Yamaha network switch: the following single-byte characters cannot be used:
        '\' (backslash), '/', '[', ']', ':', '<', '*', '>', '|', '?', ' ' (space), '"' (double quote)
      Yamaha wireless access point: the following single-byte characters cannot be used:
        '\' (backslash), '/', '[', ']'

    User ID in user information (USERID parameter of the user command), when the authentication method is PAP or PEAP
      Yamaha network switch: the following single-byte characters cannot be used:
        '\' (backslash), '[', ']', '?', ' ' (space), '"' (double quote)
      Yamaha wireless access point: the following single-byte characters cannot be used:
        '\' (backslash), '[', ']'

    Password in user information (PASSWORD parameter of the user command)
      Yamaha network switch: the following single-byte characters cannot be used:
        '\' (backslash), '[', ']', '?', ' ' (space), '"' (double quote)
      Yamaha wireless access point: the following single-byte characters cannot be used:
        '\' (backslash), '[', ']'

    Name in user information (NAME option of the user command)
      Yamaha network switch: the following single-byte characters cannot be used:
        '?', ' ' (space), '"' (double quote)
      Yamaha wireless access point: all single-byte alphanumeric characters and symbols can be used.