Source of RADIUS authentication and accounting packets

When Guest Access or WPA2-Enterprise/802.1X is used to authenticate wireless clients, the Wi-Fi network is responsible for looking up the user's credentials on a RADIUS server. These RADIUS packets can be generated either by the Access Point or by the Wireless Controller.

Each of the two cases fits specific scenarios:

  1. RADIUS from the Access Point: If the wireless controller is in the cloud (i.e. cnMaestro at cloud.cambiumnetworks.com) or remote, it usually would not have access to the RADIUS server, since most administrators keep the RADIUS server accessible only from their internal network, not exposed to the internet. In this case the APs will exchange RADIUS messages directly with the server. The downside is that the RADIUS server can expect any AP to be its client, so its 'clients table' has to either contain the subnet or list the IP address of each AP.
  2. RADIUS from the Controller: If the wireless controller is on-premises with the APs, or co-located with the RADIUS server in a data center while managing remote APs, the Wireless Controller is the right point of origin for all the RADIUS packets to that server, instead of the APs trying to reach the server themselves. In this scenario the RADIUS server needs only the one IP address of the controller in its clients table.

The cnPilot APs managed through cnMaestro support both of these approaches, and depending on the network topology the administrator can configure the network either way. The default mode of operation is to have the APs originate the RADIUS packets, but if the controller is local (cnMaestro on-premises), an option to have RADIUS go through the controller can be enabled in WLAN Configuration.

No special ports need to be opened between the APs and the controller for this. All the AP-cnMaestro RADIUS communication happens over the same secure HTTPS tunnel that is set up for all other control and management messages.

Another option, useful in some special cases, is to proxy the RADIUS packets from a deployment of a number of APs through a single Access Point. This specific Access Point's IP address can be configured from the CLI on the AP (or through device overrides in cnMaestro) as follows:

wireless wlan 1
 radius-server proxy-ip 192.168.1.20
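The clients-table trade-off between these modes can be checked with a short audit script that compares the RADIUS server's clients table with the devices that originate RADIUS in the chosen mode. This is an added example, not Cambium code; it assumes an IPv4-only table, and the name audit_clients_table, the AP addresses 192.168.1.21-24 and the controller address 10.0.0.5 are constructed for illustration.

```python
import ipaddress


def audit_clients_table(table, radius_sources):
    """Compare a RADIUS server's clients table with the devices that originate RADIUS.

    table: entries as strings, a host ("10.0.0.5") or a subnet ("192.168.1.0/24").
    radius_sources: IPv4 addresses that send RADIUS packets in the chosen mode.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in table]
    srcs = {ipaddress.ip_address(s) for s in radius_sources}
    # Sources no entry covers: the server will not answer their requests.
    missing = sorted(s for s in srcs if not any(s in n for n in nets))
    # Entries matching no source: stale after a mode change, candidates for removal.
    unused = [str(n) for n in nets if not any(s in n for s in srcs)]
    # Addresses the server accepts as clients although nothing should use them.
    collapsed = list(ipaddress.collapse_addresses(nets))  # merge overlapping entries
    accepted = sum(n.num_addresses for n in collapsed)
    covered = sum(1 for s in srcs if any(s in n for n in collapsed))
    return {"missing": [str(s) for s in missing], "unused": unused,
            "excess": accepted - covered}


# Constructed sample addresses (assumptions); only the proxy AP IP is from the article.
APS = ["192.168.1.21", "192.168.1.22", "192.168.1.23"]
CONTROLLER = "10.0.0.5"
PROXY_AP = "192.168.1.20"

SCENARIOS = {
    "AP mode, subnet entry": (["192.168.1.0/24"], APS),
    "AP mode, one entry per AP": (APS, APS),
    "controller mode": ([CONTROLLER], [CONTROLLER]),
    "proxy AP mode": ([PROXY_AP], [PROXY_AP]),
    "controller mode, old subnet entry left in": (["192.168.1.0/24", CONTROLLER], [CONTROLLER]),
    "AP mode, new AP not yet listed": (APS, APS + ["192.168.1.24"]),
}

if __name__ == "__main__":
    for name, (table, sources) in SCENARIOS.items():
        print(f"{name}: {audit_clients_table(table, sources)}")
```

A non-zero "excess" is the number of addresses that could present themselves as RADIUS clients without being an AP or controller, and "unused" lists entries worth removing after switching modes.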