How to Configure 802.1x to Secure the Wireless Environment with an External RADIUS Server?

Zyxel_KathyLin
Zyxel_KathyLin Posts: 54  Zyxel Employee
edited August 2021 in WirelessLAN FAQ

The example instructs how to set up NXC controller with an external radius server. When station wants to connect with AP, you can use an AAA server to provide access control to your network. In this example, the radius server is external but not embedded in NXC controller, and the Radius server is set ready for authentication.

Configure Radius Server Setting

1     Go to CONFIGURATION > Object > AAA Server > RADIUS, click #1 radius, and then click Edit. Set the Server Address, and Authentication Port is 1812. Enter the Key for Radius server and click OK.

2     Go to CONFIGURATION > Object > Auth. Method, click #1 default, and then click Edit. Change the Method to group radius. Click OK to save.

Configure AP Profile

1     Configure AP profile to use 802.1x authentication and user needs to log in with their ID and Password when connecting to AP’s SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, click Add to add security for 802.1x.

In General Settings, enter the Profile Name and select Security Mode to wpa2.

In Radius Settings, select Internal that means the authentication needs NXC to communicate with external radius server.

In Authentication Settings, select 802.1x and Auth. Method is default. Click OK.

2     Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click add to add a SSID for connection with 802.1x security. Key-in the Profile Name and SSID, and change Security Profile to RadiusTest which sets in step1. Click OK to save.


3     Go to CONFIGURATION > Wireless > AP Management > AP Group, click default to Edit. Change SSID to RadiusTest in the SSID Profile. Click Override Member AP Setting to apply the SSID to AP and click Yes in the pop-up window. Click OK.

Test the Result

1     Before connecting the SSID, the computer needs to do some settings to make connection successfully.

Opening Network and Sharing Center in computer, click Set up a new connection or network for building up a new network.

2     Select Manually connect to a wireless network. Click Next.

3     Key-in the SSID Network name and change the Security type to WAP2-Enterprise, and the Encryption type is AES. Click Next.

4     Select Change connection settings.

5     Change Security type to WPA2-Enterprise, and Encryption type is AES. Click Settings.

6     Uncheck Validate server certificate and click Configure.

7     Uncheck the checkbox in the pop-up window. Click OK.

8     Back to the security setting page and click Advanced settings.

9     Check Specify authentication mode. Click OK to save.

10  Select to the SSID, RadiusTest, for wireless connection. Enter user credentials for authentication. After entering the correct ID and password, the wireless connection is setup successfully.

What Could Go Wrong

1     There are two kinds of Radius Server Types in security profile setting. Internal means the authentication is doing between NXC controller and Radius server. The Radius server needs to add NXC controller as trusted client.

2     External means the authentication is doing between Managed AP and Radius server. The Radius server needs to add the managed AP as trusted client.