SonicOS 8 Access Points

About Local Radius Servers and EAP Authentication Balancing

This feature allows local SonicWave access points to provide local radius authentication service within selected SonicWaves and integrates with corporate directory services, including native LDAP systems and Active Directory. In this scenario, the SonicWave provides EAP authentication for clients and functions as both the authenticator and authentication server simultaneously. LDAP cache and TLS cache are supported for fast performance when reconnecting.

To configure this feature, you need:

  • An interface in the WLAN zone with one or more local RADIUS servers configured in the subnet; these are the SonicWave local RADIUS servers
  • WLAN zone configured with the Enable Local Radius Server option selected on the Radius Server screen; this option controls whether this feature is enabled or not.
  • SonicWave profile with the following settings on the Radio Basic screen(s):
    • One of the WPA2 - EAP types selected for Authentication Type

      The Radius Server Settings section is displayed where you can configure the local RADIUS server settings. See Configuring Radius Server Settings for details.

    • One of the Local Radius Server options selected for Authentication Balance Method.

      Only remote radius server – Only use the remote RADIUS server for authentication.

      Local radius server first – With this option selected, when a client tries to authenticate, a local RADIUS server is used first. If the authentication fails, the authentication request is sent to the remote RADIUS server.

      Only local radius server – Only use the local RADIUS server for authentication.

      Local radius server As Failover Mechanism – When the remote RADIUS server is down, the local RADIUS server is used automatically.

    • NAT policy, Access Rule, Address Group, RADIUS pool - automatically configured.
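The four Authentication Balance Methods differ in one detail that matters for access control: "Local radius server first" moves on to the remote server after any failed local attempt, whereas "Local radius server As Failover Mechanism" consults the local server only when the remote server does not answer, not when it rejects the credentials. The following Python model is an added illustration of those rules and is not SonicOS or SonicWave code; the server names, the constructed user tables, and the distinction between a reject and an unreachable server are assumptions of the model.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    UNREACHABLE = "no response"  # server down / request timed out


class BalanceMethod(Enum):
    REMOTE_ONLY = "Only remote radius server"
    LOCAL_FIRST = "Local radius server first"
    LOCAL_ONLY = "Only local radius server"
    LOCAL_AS_FAILOVER = "Local radius server As Failover Mechanism"


@dataclass
class RadiusServer:
    """Stand-in for a RADIUS server: a name, an up/down flag and a user table."""
    name: str
    up: bool = True
    users: dict = field(default_factory=dict)  # constructed sample credentials

    def authenticate(self, user: str, password: str) -> Result:
        if not self.up:
            return Result.UNREACHABLE
        return Result.ACCEPT if self.users.get(user) == password else Result.REJECT


def authenticate(method: BalanceMethod, local: RadiusServer, remote: RadiusServer,
                 user: str, password: str):
    """Apply one balance method; return (final result, list of (server, result) consulted)."""
    trail = []

    def ask(server: RadiusServer) -> Result:
        r = server.authenticate(user, password)
        trail.append((server.name, r))
        return r

    if method is BalanceMethod.REMOTE_ONLY:
        return ask(remote), trail
    if method is BalanceMethod.LOCAL_ONLY:
        return ask(local), trail
    if method is BalanceMethod.LOCAL_FIRST:
        # Local first; any non-accept outcome (reject or no answer) is retried remotely.
        r = ask(local)
        if r is Result.ACCEPT:
            return r, trail
        return ask(remote), trail
    if method is BalanceMethod.LOCAL_AS_FAILOVER:
        # Remote is authoritative; local only steps in when remote is down.
        r = ask(remote)
        if r is Result.UNREACHABLE:
            return ask(local), trail
        return r, trail
    raise ValueError(f"unknown balance method: {method}")


# Constructed sample servers (hypothetical names and credentials).
LOCAL = RadiusServer("X2 local (SonicWave)", up=True, users={"alice": "pw1"})
REMOTE = RadiusServer("corp remote", up=True, users={"alice": "pw1", "bob": "pw2"})
REMOTE_DOWN = RadiusServer("corp remote", up=False, users={"alice": "pw1", "bob": "pw2"})


if __name__ == "__main__":
    for method in BalanceMethod:
        for remote in (REMOTE, REMOTE_DOWN):
            result, trail = authenticate(method, LOCAL, remote, "bob", "pw2")
            print(f"{method.value:45} remote_up={remote.up!s:5} -> {result.value:14} via {trail}")
```

The run shows why the two hybrid modes are not interchangeable: with "Local radius server first", a user who exists only in the corporate directory still gets in after a local reject, so the effective set of accepted accounts is the union of both servers, while with the failover method the local server never overrides a remote rejection and only matters for availability.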

When you enable a local radius server on a SonicWave, a NAT policy and access rule are automatically created. The SonicOS NAT module has failover and load balance methods, so a Radius server pool is supported. Additional SonicWaves with a local radius server configured can be added to this pool. More than one local radius server provides a failover mechanism and optimizes network performance.

The Enable Local Radius Server option and other settings are configured in the Radius Server screen available when configuring the WLAN zone, configured from the OBJECT | Match Objects > Zones page. This screen provides options for setting the number of RADIUS servers per interface, the server port, the client password, the TLS cache, and LDAP or Active Directory access settings. When you enable a local radius server on a SonicWave, the configured RADIUS server port and client password are used on that SonicWave.

The SonicWave DNS server must be able to resolve the name of the LDAP server or Active Directory server domain.

The Server Numbers Per Interface option controls the number of local RADIUS servers under one specific interface in this zone. Increasing this value means more SonicWaves can be added to the RADIUS pool. The minimum value is 1, and the maximum is equal to the maximum number of SonicWaves per interface in a WLAN Zone. Because the number configured for the option can be smaller than the number of connected SonicWaves, the specific SonicWaves configured as local radius servers are not fixed.

When the Enable Local Radius Server TLS Cache option is enabled, the client and the server can cache TLS session keys and use these to reduce the delay in time between an authentication request by a client and the response by the RADIUS server. Clients can also perform a fast reconnect. When enabled, you can set the Cache Lifetime option to the number of hours that cached entries are saved. The cache lifetime can be a number between one hour and 24 hours.

When the security appliance powers up, if Enable Local Radius server is enabled on the WLAN zone, an address object, the Radius Pool, a NAT policy, and an access rule should be created. The Radius Pool name is a combination of the interface name plus “Radius Pool,” for example, X2 Radius Pool. A new address object is automatically created for the SonicWave acting as a Radius server, which is named with the interface name and MAC address of the SonicWave, for example, X2 18:b1:69:7b:75:2e. This address object is added to the RADIUS Pool if seats are available.

If Enable Local Radius server is disabled, the SonicWave address object, Radius pool, NAT policy, and access rule are removed, and a Delete command is sent through the REST API to the SonicWaves in the Radius pool to shut down their local Radius servers.

If the WLAN zone is edited, the NAT policy and access rule are removed and re-created. The radius pool always exists unless Enable Local Radius server is disabled.

If the interface changes, the NAT policy, access rule, and radius pool are removed and created again if the interface is still bound to the WLAN Zone.
