Working with AAA Servers

You can configure the controller to use external AAA servers to authenticate users.

To add and manage AAA servers that the controller can use to authenticate users, follow these steps:

  1. Go to Administration > Admins and Roles.
  2. Select the AAA tab.
  3. Click Create.
    The Create Administrator AAA Server page appears.
    Figure 1. Creating an Administrator AAA Server

  4. Configure the following:
    1. Name: Type a name for the RADIUS server.
    2. Type: Select the type of AAA server that you have on the network. Options include:
      • RADIUS
      • TACACS+
      • Active Directory
      • LDAP
    3. Realm/Service: Enter the realm or service. Multiple realms or services are supported and must be separated by commas.
      Note: Because the user login format (User Account + @ + Realm) uses the at symbol (@) as the separator, the User Account on the AAA server must not itself contain the at symbol (@).
    4. Default Role Mapping: Enable the option so that the AAA users can be automatically mapped to a default local admin user/group permission even if the AAA server does not use mapping attributes. If you disable the option, the AAA admin must be mapped to a local SZ Admin user with matching AAA attributes.
      • On a RADIUS server, the user data can use the VSA Ruckus-WSG-User attribute with a value depending on the SZ users or permissions you want the RADIUS user to map.
      • On a TACACS+ server, the user data can use the user-name attribute with the value user1, user2, or user3, depending on the SZ users or permissions you want the TACACS+ user to map.
      • On an AD or LDAP server, the user data can belong to the group cn=Ruckus-WSG-{SZAdminName} (for example, cn=Ruckus-WSG-user1), depending on the SZ users or permissions you want the Active Directory or LDAP user to map.
      Note: You can use the mapping attributes on AAA and enable the Default Role Mapping at the same time, but the mapping attributes override the Default Role Mapping.
    5. Backup RADIUS: Select the Enable backup RADIUS server check box if a secondary RADIUS server exists on the network. Configure the settings in Step 7.
    6. In the Primary Server section, configure the settings of the primary RADIUS, TACACS+, Active Directory, or LDAP server.
      • IP Address: Type the IP address of the AAA server.
      • Port: Type the UDP port that the RADIUS server is using. The default port is 1812.
      • Shared Secret: Type the shared secret.
      • Confirm Secret: Retype the shared secret to confirm.
      • Windows Domain name: Type the domain name for the Windows server.
      • Base Domain Name: Type the name of the base domain.
      • Admin Domain Name: Type the domain name for the administrator.
      • Admin Password: Type the administrator password.
      • Confirm Password: Re-type the password to confirm.
      • Key Attribute: Type the key attribute, such as UID.
      • Search Filter: Type the filter by which you want to search, such as objectClass=*.
    7. In the Secondary Server section, configure the settings of the secondary RADIUS server.
      • IP Address: Type the IP address of the AAA server.
      • Port: Type the UDP port that the RADIUS server is using. The default port is 1812.
      • Shared Secret: Type the shared secret.
      • Confirm Secret: Retype the shared secret to confirm.
    8. Click OK.
Note: You can also edit, clone and delete the server by selecting the options Configure, Clone and Delete respectively, from the Administrator tab.
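
The login format and role-mapping precedence from step 4, modeled as an added Python example (not controller or vendor code) for auditing which local admin each planned AAA account would resolve to before Default Role Mapping is enabled. The function names, the default_admin parameter, and the sample values are assumptions; the page does not say what happens when a mapping attribute names a local admin that does not exist, so that case is only flagged for review.

```python
# Added illustration: models the rules in step 4; not the controller's own code.
GROUP_PREFIX = "cn=Ruckus-WSG-"  # AD/LDAP group naming given on the page


def parse_realms(field):
    """Split the comma-separated Realm/Service field into a set."""
    return {r.strip() for r in field.split(",") if r.strip()}


def split_login(login, realms):
    """Split 'User Account@Realm'; the account itself must not contain '@'."""
    if login.count("@") != 1:
        raise ValueError(f"{login!r}: need exactly one '@' (account + @ + realm)")
    account, realm = login.split("@")
    if not account or realm not in realms:
        raise ValueError(f"{login!r}: empty account or realm not configured")
    return account, realm


def mapped_admin(server_type, user_data):
    """Return the local admin named by the server's mapping attribute, or None."""
    if server_type == "RADIUS":
        return user_data.get("Ruckus-WSG-User")
    if server_type == "TACACS+":
        return user_data.get("user-name")
    if server_type in ("Active Directory", "LDAP"):
        for group in user_data.get("groups", []):
            rdn = group.split(",")[0].strip()  # accept a full DN or a bare RDN
            if rdn.startswith(GROUP_PREFIX):
                return rdn[len(GROUP_PREFIX):]
        return None
    raise ValueError(f"unknown server type {server_type!r}")


def resolve(server_type, user_data, local_admins, default_role_mapping,
            default_admin):
    """Mapping attributes override Default Role Mapping (hypothetical helper)."""
    name = mapped_admin(server_type, user_data)
    if name is not None:
        if name in local_admins:
            return (name, "attribute")
        return (None, "review")  # behaviour not stated on the page: flag it
    if default_role_mapping:
        return (default_admin, "default")  # every such user gets this role
    return (None, "unmapped")
```

Accounts that come back with the source "default" are the ones to review: with Default Role Mapping enabled, they receive the default admin permission without any attribute on the AAA server granting it.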