SonicOS 7.1 Access Points
- SonicOS 7.1 Access Points
- About SonicOS
- About Access Points
- Settings
- Synchronize Access Points
- Provisioning Overview
- Creating/Modifying Provisioning Profiles
- Adding/Editing a Provisioning Profile - Getting Started
- General Settings for Provisioning Profiles
- 5GHz/2.4GHz Radio Basic Settings for Provisioning Profiles
- 5GHz/2.4GHz Radio Advanced Settings for Provisioning Profiles
- Sensor Settings for WIDP in Provisioning Profiles
- Mesh Network Settings for Provisioning Profiles
- 3G/4G/LTE WWAN Settings for Provisioning Profiles
- Bluetooth LE Settings for Provisioning Profiles
- Deleting Access Point Profiles
- Product Specific Configuration Notes
- Managing Access Point Objects
- Firmware Management
- Floor Plan View
- Station Status
- Intrusion Detection Services
- Advanced IDP
- Packet Capture
- Virtual Access Points
- RF Monitoring
- RF Analysis
- RF Spectrum
- FairNet
- Wi-Fi Multimedia
- 3G/4G/LTE WWAN
- Bluetooth LE Devices
- Radio Management
- SonicWall Support
About Local Radius Servers and EAP Authentication Balancing
This feature allows local SonicWave access points to provide local radius authentication service within selected SonicWaves and integrates with corporate directory services, including native LDAP systems and Active Directory. In this scenario, the SonicWave provides EAP authentication for clients and functions as both the authenticator and authentication server simultaneously. LDAP cache and TLS cache are supported for fast performance when reconnecting.
To configure this feature, you need:
- An interface in the WLAN zone with one or more local RADIUS servers configured in the subnet; these are the SonicWave local RADIUS servers
- WLAN zone configured with the Enable Local Radius Server option selected on the Radius Server screen; this option controls whether this feature is enabled or not.
- SonicWave profile with the following settings on the Radio Basic screen(s):
One of the WPA2 - EAP types selected for Authentication Type
The Radius Server Settings section is displayed where you can configure the local RADIUS server settings. See Configuring Radius Server Settings for details.
One of the Local Radius Server options selected for Authentication Balance Method.
Only remote radius server – Only use the remote RADIUS server for authentication.
Local radius server first – With this option selected, when a client tries to authenticate, a local RADIUS server is used first. If the authentication fails, the authentication request is sent to the remote RADIUS server.
Only local radius server – Only use the local RADIUS server for authentication.
Local radius server As Failover Mechanism – When the remote RADIUS server is down, the local RADIUS server are used automatically.
- NAT policy, Access Rule, Address Group, RADIUS pool - automatically configured.
When you enable a local radius server on a SonicWave, a NAT policy and access rule are automatically created. The SonicOS NAT module has failover and load balance methods, so a Radius server pool is supported. Additional SonicWaves with a local radius server configured can be added to this pool. More than one local radius server provides a failover mechanism and optimizes network performance.
The Enable Local Radius Server option and other settings are configured in the Radius Server screen available when configuring the WLAN zone, configured from the OBJECT | Match Objects > Zones page. This screen provides options for setting the number of RADIUS servers per interface, the server port, the client password, the TLS cache, and LDAP or Active Directory access settings. When you enable a local radius server on a SonicWave, the configured RADIUS server port and client password are used on that SonicWave.
The SonicWave DNS server must be able to resolve the name of the LDAP server or Active Directory server domain.
The Server Numbers Per Interface option controls the number of local RADIUS servers under one specific interface in this zone. Increasing this value means moreSonicWaves can be add to the RADIUS pool. The minimum value is 1, and the maximum is equal to maximum number of SonicWaves per interface in a WLAN Zone. Because the number configured for the option can be smaller than the number of connected SonicWaves, the specific SonicWaves configured as local radius servers is not fixed.
When the Enable Local Radius Server TLS Cache option is enabled, the client and the server can cache TLS session keys and use these to reduce the delay in time between an authentication request by a client and the response by the RADIUS server. Clients can also perform a fast reconnect. When enabled, you can set the Cache Lifetime option to the number of hours that cached entries are saved. The cache lifetime can be a number between one hour and 24 hours.
When the security appliance powers up, if Enable Local Radius server is enabled on the WLAN zone, an address object, the Radius Pool, a NAT policy, and an access rule should be created. The Radius Pool name is a combination of the interface name plus “Radius Pool,” for example, X2 Radius Pool. A new address object is automatically created for the SonicWave acting as a Radius server, which is named with the interface name and MAC address of the SonicWave, for example, X2 18:b1:69:7b:75:2e. This address object is added to the RADIUS Pool if seats are available.
If Enable Local Radius server is disabled, the SonicWave address object, Radius pool, NAT policy, and access rule are removed, and a Delete command by restApi is sent to the SonicWaves that are in the Radius pool to make the local Radius server go down.
If the WLAN zone is edited, the NAT policy and access rule are removed and re-created. The radius pool always exists unless Enable Local Radius server is disabled.
If the interface changes, the NAT policy, access rule, and radius pool are removed and created again if the interface is still bound to the WLAN Zone.
Was This Article Helpful?
Help us to improve our support portal