Integrating RADIUS
  • 23 Sep 2021

Before you configure the controller, make sure you have set up your RADIUS server and have purchased a license. You can contact support@nexudus.com to receive a license.

We cannot provide network and IT support while you install or troubleshoot your network. The instructions we provide are guidelines for professionals with experience setting up RADIUS servers.

Enabling the RADIUS Integration in Nexudus

  1. Click Settings > Integrations > RADIUS.
  2. Set the Enable toggle to YES.
  3. Add your RADIUS license key.
  4. Click the Save Changes button.

The following sections break down the installation process for the most common controllers used with RADIUS.

Aruba Controller

Sign in to the Aruba administration console at https://instant.arubanetworks.com:4343 and type your email and PIN code.

Go to Network > Edit and open the settings of the network that you want to use with the Captive Portal and RADIUS authentication. Our example network is aruba qa.

Configure Client IP & VLAN Assignment. In our example, we keep the default settings.

Configuring the Security Level

  1. From the Splash page type drop-down list, select External.
  2. From the Captive portal profile drop-down list, select your network. In our example, the network is qa.
  3. From the Auth server 1 drop-down list, select your network.
  4. Set Accounting to Use authentication servers.
  5. Set Encryption to Disabled.


Editing the Captive portal profile

(Screenshot callout 1: the Captive portal profile Edit button)

  1. Next to Captive portal profile, click Edit.
  2. From the Type drop-down list, select Radius Authentication.
  3. In the IP or hostname text box, type http://XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.
  4. In the URL text box, type /en/splash.
  5. In the Port text box, type 443.
  6. From the Use https drop-down list, select Enabled.
  7. From the Captive Portal failure drop-down list, select Deny internet.
  8. From the Automatic URL Whitelisting drop-down list, select Enabled.
  9. Leave the Redirect URL text box empty.

Editing the Auth server 1

(Screenshot callout 1: the Auth server 1 Edit button)

  1. Next to Auth server 1, click Edit.
  2. In the IP address text box, type the IP address of your RADIUS server.
  3. In the Auth port text box, type 5701.
  4. In the Accounting port text box, type 5702.
  5. In the Shared key text box, type the shared secret from your RADIUS server details.

Adding required IP addresses and host names to the whitelist

Click the Walled garden tab and enter the values from the RADIUS server.

(Screenshot callouts: 1 = the Walled Garden tab, 2 = the Whitelist section)

Add all IP addresses and host names above, including http://XYZ.spaces.nexudus.com/, to the whitelist.

Creating new roles

By default, your Aruba controller intercepts HTTPS traffic to all external servers, which breaks SSL connections. To prevent this, create a new role that permits TCP connections to port 443 on external servers, for example splash.ironwifi.com, google.com or facebook.com.

  1. Select the Assign pre-authentication role checkbox.
  2. From the drop-down list, select create role.
  3. Create the new roles shown in the screenshots.
  4. Click Finish to apply the new settings.

(Screenshot callouts: 1 = new role added, 2 = defining access rules for a role, 3 = assigning the pre-authentication role, 4 = the Finish button)

Replacing the SSL certificate

To fix the SSL error, you need to replace the default invalid certificate.

You can generate a valid SSL certificate for free here. You can let the page generate a request to sign a certificate for you. You can also visit this page for detailed instructions on how to generate a request manually. Don't use a wildcard SSL certificate.

Copy the content of the downloaded files certificate.crt, ca_bundle.crt and private.key to a single file: aruba.pem.

Upload this file to your Aruba IAP and then do the following:

  1. Click Maintenance > Certificates.
  2. From the Certificate type drop-down list, select Captive portal server.
  3. From the Certificate format drop-down list, select PEM.
  4. Click Upload Certificate to apply the new settings.

(Screenshot callouts: 1 = the Certificates tab, 2 = the Certificate type and format drop-down lists, 3 = the Upload Certificate button)

Cisco WLC

Before you configure the controller, make sure you have set up your RADIUS server and have purchased a license.

Configuring Access Control rules for the WLC controller

  1. Log in to the Cisco WLC web browser interface and go to Advanced Settings by clicking the configuration icon at the top of the screen.
  2. Go to Security > Access Control Lists and add two new ACL rules to allow connections to the captive portal:

Source IP: any; Destination IP: 107.178.250.42, Mask: 255.255.255.255; Protocol: TCP; Dest Port: 443; Action: Permit.

Source IP: 107.178.250.42, Mask: 255.255.255.255; Destination IP: any; Protocol: TCP; Source Port: 443; Action: Permit.


You may also want to add the following host and IP ranges to your rules:

  • XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.
  • 107.178.250.42/32
  • 216.239.32.0/19
  • 64.233.160.0/19
  • 72.14.192.0/18
  • 209.85.128.0/17
  • 66.102.0.0/20
  • 74.125.0.0/16
  • 64.18.0.0/20
  • 207.126.144.0/20
  • 173.194.0.0/16
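As an added example that is not part of the original article, the following Python evaluator models the two pre-authentication ACL rules above, extended with the same permit pair for each listed IP range, so you can check which flows the ACL permits (and that return traffic from port 443 is covered) before applying it on the WLC; the same ranges reappear in the Meraki and Ruckus walled-garden lists later on. The Flow and Rule types, the sample flows and the implicit final deny are assumptions of this example, and the XYZ.spaces.nexudus.com hostname is left out because it needs DNS resolution.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Flow(NamedTuple):            # a constructed 5-tuple to test against the ACL
    src: str
    dst: str
    proto: str                     # "tcp" or "udp"
    sport: Optional[int]
    dport: Optional[int]

class Rule(NamedTuple):            # one ACL line; 0.0.0.0/0 and None mean "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    action: str

ANY = ipaddress.ip_network("0.0.0.0/0")
PORTAL = ipaddress.ip_network("107.178.250.42/32")
# The additional ranges from the article's list. XYZ.spaces.nexudus.com is a
# hostname that needs DNS, so it is not modelled here.
EXTRA_RANGES = [ipaddress.ip_network(n) for n in (
    "216.239.32.0/19", "64.233.160.0/19", "72.14.192.0/18", "209.85.128.0/17",
    "66.102.0.0/20", "74.125.0.0/16", "64.18.0.0/20", "207.126.144.0/20",
    "173.194.0.0/16")]

def build_preauth_acl() -> List[Rule]:
    """The article's two rules for the portal, then the same pair per extra range."""
    acl = []
    for net in [PORTAL] + EXTRA_RANGES:
        acl.append(Rule(ANY, net, "tcp", None, 443, "permit"))  # client -> net:443
        acl.append(Rule(net, ANY, "tcp", 443, None, "permit"))  # net:443 -> client
    return acl

def _matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and rule.proto == flow.proto
            and (rule.sport is None or rule.sport == flow.sport)
            and (rule.dport is None or rule.dport == flow.dport))

def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched hits the WLC's implicit deny."""
    for rule in acl:
        if _matches(rule, flow):
            return rule.action
    return "deny"
```

Feed it the flows a client actually produces before authentication (the HTTPS request to the portal, the reply, and anything else such as DNS or plain HTTP) to see what the pre-auth ACL lets through.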


Configuring RADIUS Authentication

Go to Security > Web Auth > Web Login Page and change Web Authentication Type to External (redirect to external server). Add the External Webauth URL. The URL here should be http://XYZ.spaces.nexudus.com/en/splash, where XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.

Go to Security > AAA > RADIUS > Authentication, add a new RADIUS Authentication server and enter the following:

  • In the Server Address (IPv4/IPv6) text box, the IP address of your RADIUS server.
  • In the Shared Secret text box, the shared secret from the details of the RADIUS server that you received when you created the server.
  • In the Port Number text box, your RADIUS authentication port.

Configuring RADIUS Accounting

Go to Security > AAA > RADIUS > Accounting, add a new RADIUS Accounting server and enter the following:

  • In the Server Address (IPv4/IPv6) text box, the IP address of your RADIUS server.
  • In the Shared Secret text box, the shared secret from the details of the RADIUS server that you received when you created the server.
  • In the Port Number text box, your RADIUS accounting port.

Configuring WLAN

Go to WLANs, select an existing WLAN or create a new one, and then open the WLAN settings.

Click Security > Layer 2 and set Layer 2 Security to None.


Click Layer 3, select Web Policy from the Layer 3 Security drop-down list and then select Authentication. Select your new ACL from the Preauthentication ACL drop-down list.


Click AAA Servers and select RADIUS authentication and accounting servers. You can also set Interim Interval to 180 seconds or higher. To save and apply new settings, click Save Configuration.

(Screenshot callouts: 1 = Authentication and Accounting Servers, 2 = Interim Interval, 3 = Save Configuration)

Cisco Meraki

Configuring a Meraki controller to use the external Captive Portal authentication

Use the guide below to configure your Meraki virtual controller and the external Captive Portal with RADIUS authentication. When users connect to the network and open their browser, a login screen appears where they can type their email and PIN code to connect to your network.

To configure your Meraki controller

  1. Sign in to the Meraki cloud portal.
  2. Go to Wireless > Configure > SSIDs and define the network that you want to use with the Captive Portal and RADIUS authentication.
  3. In the Association requirements section, select Open (no encryption).
  4. In the Splash page section, select Sign-on with and then select my RADIUS server from the drop-down list.
  5. Add new RADIUS authentication servers by clicking Add a server and enter the following:
  6. In the Host section, the IP address of your RADIUS server.
  7. In the Port section, your RADIUS ports.
  8. In the Secret section, the shared secret from the details of the RADIUS server that you received when you created the server.
  9. In the Walled garden section, type the following ranges:
  • XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.
  • 107.178.250.42/32
  • 216.239.32.0/19
  • 64.233.160.0/19
  • 72.14.192.0/18
  • 209.85.128.0/17
  • 66.102.0.0/20
  • 74.125.0.0/16
  • 64.18.0.0/20
  • 207.126.144.0/20
  • 173.194.0.0/16

Go to Wireless > Configure > Splash page and add http://XYZ.spaces.nexudus.com/en/splash to the Custom splash URL section. XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.

You need to contact Meraki support to enable adding domain names to the Walled garden section.

(Screenshot: the access control settings used in steps three, four, five and six)

(Screenshot: the Custom splash URL section used in step seven)

(Screenshot: the default splash page)

Configuring a Meraki Controller for WPA-Enterprise

Accounting servers are disabled by default when using splash pages on Meraki devices. This means that Nexudus does not receive regular updates while users are in the space. Use WPA-Enterprise authentication to support RADIUS accounting. You can also contact Meraki support to enable this feature when using splash pages.

With this authentication method, users need to type their email and PIN code to connect to your WiFi network; otherwise, they cannot gain network access.

Sign in to the Meraki cloud portal, go to Wireless > Configure > SSIDs and define the network that you want to use with the Captive Portal and RADIUS authentication.

In the Association requirements section, select WPA2-Enterprise with and then select my RADIUS server from the drop-down list.

In the Splash page section, select None (direct access).


Add new RADIUS authentication servers by clicking Add a server and enter the following:

  • In the Host section, the IP address of your RADIUS server.
  • In the Port section, your RADIUS ports.
  • In the Secret section, the shared secret from the details of the RADIUS server that you received when you created the server.

Ruckus Controller

Configuring Ruckus Controller

This section describes the configuration of Ruckus Cloud for external Captive Portal and RADIUS server authentication.

Sign in to the Ruckus Cloud portal and create a new Network. Select Cloudpath as the authentication method.

Configure the RADIUS server details, Splash page URL and Walled Garden list, then add the following host and IP ranges to your walled garden:

  • XYZ.spaces.nexudus.com, where XYZ is the subdomain of your Nexudus account (you can find it by clicking Settings > Website > Default web address)
  • 107.178.250.42/32
  • 216.239.32.0/19
  • 64.233.160.0/19
  • 72.14.192.0/18
  • 209.85.128.0/17
  • 66.102.0.0/20
  • 74.125.0.0/16
  • 64.18.0.0/20
  • 207.126.144.0/20
  • 173.194.0.0/16


SonicWall

Assumptions

  • SonicWall Access Point is set up and running the latest firmware.
  • 802.1x SSID is already configured.
  • DHCP and DNS are appropriately configured.
  • SonicWall Access Point can communicate with the RADIUS servers.
  • The Guest SSID VLAN can communicate with the RADIUS servers.
  • All systems are appropriately licensed.

Instructions

Sign in to SonicWall Administration Interface. Go to Network > Zones > WLAN.


Leave the "General" options at their defaults and click Guest Services.



Check Enable Guest Services and Enable External Guest Authentication. Change the Max Guests value to 255.



Select the Auth Pages tab and enter "/api/pages/xxxxxx/" in all input fields. "xxxxxx" is your Splash page identifier as provided by us.



Review other settings and click OK to save changes.



The last step is to allow remote connections on your firewall. We need to be able to connect to the SonicWall Guest Services to authorize connected clients. Guest Services listen on port 4043, and the RADIUS server will try to connect to a URL in this format:

https://SOURCE_IP_ADDRESS:4043

* SOURCE_IP_ADDRESS is the IP address that we received the authentication request from.

We will be connecting directly from the web server, so no further changes are required in your SonicWall firewall rules.

Common Errors

We need to be able to connect to your Access Point to authorize the connecting device. If this is not successful, the Captive Portal returns different error codes in the error_message parameter.

sonicwall_gw_connection_failed - our servers could not connect to your SonicWall AP. Make sure the Access Point Guest Services port is reachable over the internet; check your firewall settings and port forwarding rules if necessary. Guest Services listen on port 4043/TCP by default, and you can override this value using the Controller URL parameter in the Captive Portal settings in our Console.


Ubiquiti UniFi Controller

Configuring UniFi Controller for external Captive Portal authentication

This option presents users with a splash page. It relies on your WiFi network being open or using a shared WiFi password. When users connect to it and open their browser, they are presented with a login screen where they type their email and PIN code to connect to your network. You can also configure this appliance to use Enterprise authentication using the instructions in the section below.

  1. Provide the public IP of your UniFi controller. The RADIUS servers need to be able to connect directly to your controller (SW, Cloud Key) to authorize connecting devices. The controller URL is usually in the format https://your_public_static_ip:8443. Make sure it is the PUBLIC IP address and that it is reachable from the Internet (not an internal address like 192.168.*.*, 172.16.*.* or 10.*.*.*).
  2. You might need to configure port forwarding on your Internet router and firewall. If you are not sure, contact your ISP. This article may help you with this. The source IPs connecting to your controllers are 35.184.225.240, 35.201.240.80 or 35.195.230.167.
  3. Sign in to your UniFi controller.
  4. In the Wireless network settings, change Security to Open and enable Guest services.
  5. Navigate to the Guest services settings.
  6. Select External Captive Portal.
  7. Enter 107.178.250.42 in the IP address input field.
  8. Check the Redirect using hostname checkbox and enter the Splash page URL here. The Nexudus team should have provided the URL together with your license.
  9. Add 107.178.250.42/32 to the Pre-Authorization Access list.


Apply settings and try with your phone or computer.
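As an added example that is not part of the original article, the following Python check applies the requirements from steps 1 and 2 above (and the SonicWall Guest Services URL from the earlier section) to a controller URL before you hand it over: an https scheme, a literal address outside the internal ranges the article names, and the expected port, plus the inbound (source, destination, port) tuples that the listed source IPs imply for your perimeter firewall. The appliance names, the error wording and the 203.0.113.10 address used in the usage note are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Internal ranges the article says must not appear in the controller URL, plus
# loopback and link-local, which are never reachable from the Internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Default ports quoted in the article and the source IPs the authorizing side uses.
DEFAULT_PORT = {"unifi": 8443, "sonicwall": 4043}
AUTHORIZER_SOURCES = ("35.184.225.240", "35.201.240.80", "35.195.230.167")

def check_controller_url(url: str, appliance: str) -> Dict[str, List[str]]:
    """Sort problems with a controller URL into errors (will not work) and warnings."""
    errors: List[str] = []
    warnings: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        errors.append("scheme must be https")
    if not parts.hostname:
        errors.append("host is missing")
    else:
        try:
            addr = ipaddress.ip_address(parts.hostname)
        except ValueError:
            warnings.append("host is a name, not the public static IP the article expects")
        else:
            if any(addr in net for net in NON_PUBLIC):
                errors.append(f"{addr} is an internal address; use the public static IP")
    try:
        port = parts.port            # None when absent, ValueError when not numeric
    except ValueError:
        port = None
        errors.append("port is not a valid number")
    if port is None and "port is not a valid number" not in errors:
        errors.append(f"port is missing (default for {appliance} is {DEFAULT_PORT[appliance]})")
    elif port is not None and port != DEFAULT_PORT[appliance]:
        warnings.append(f"port {port} is not the default {DEFAULT_PORT[appliance]}; "
                        "check that the forwarding rule matches")
    return {"errors": errors, "warnings": warnings}

def inbound_allow_rules(url: str) -> List[Tuple[str, str, int]]:
    """(source, destination, port) tuples the perimeter firewall must permit."""
    parts = urlsplit(url)
    return [(src, parts.hostname, parts.port) for src in AUTHORIZER_SOURCES]
```

For instance, check_controller_url("https://192.168.1.20:8443", "unifi") reports the internal-address error, while inbound_allow_rules("https://203.0.113.10:8443") lists the three source IPs that must be allowed in to port 8443.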


Configuring UniFi Controller for WPA-Enterprise

  1. Navigate to Wireless Networks and change Security to WPA-Enterprise. Add new RADIUS Authentication Servers and enter the IP address, port and shared secret from the details of the RADIUS server provided when you created the RADIUS server above.
  2. Make sure you use the same IP for both the Auth and Accounting servers. If you add secondary Auth and Accounting servers, use the secondary IP provided.
  3. Optional: enable Interim Update.