RADIUS server

1. Function Overview

The RADIUS server function manages user information and certificates, and performs authentication based on information notified from the client.
By combining with MAC authentication, 802.1X authentication, and Web authentication of this device, the authentication function can be realized with this device alone.
Also, when authenticating with a device other than this device, this device can be operated as an authentication server.

The basic performance of the RADIUS server function and the corresponding authentication method are as follows.

Basic performance

Item	Performance
Number of RADIUS clients that can be registered	100
Number of users that can be registered	2000
Key strength	2048 bit
Signature algorithm	SHA256
Certificate Authority name (default value)	swx-radius

Item

Performance

Number of RADIUS clients that can be registered

100

Number of users that can be registered

2000

Key strength

2048 bit

Signature algorithm

SHA256

Certificate Authority name (default value)

swx-radius

Supported authentication methods

Authentication method	Application
PAP	MAC authentication
EAP-MD5	IEEE802.1X authentication, MAC authentication, WEB authentication
EAP-TLS	IEEE802.1X authentication
EAP-TTLS	IEEE802.1X authentication
PEAP	IEEE802.1X authentication

Authentication method

Application

PAP

MAC authentication

EAP-MD5

IEEE802.1X authentication, MAC authentication, WEB authentication

EAP-TLS

IEEE802.1X authentication

EAP-TTLS

IEEE802.1X authentication

PEAP

IEEE802.1X authentication

2. Definition of Terms Used

PKI (Public Key Infrastructure)

Public key infrastructure. Includes digital certificates and certificate authorities (CAs) using public key cryptography.

Certificate authority (CA)

An organization that guarantees reliability. It is divided into a root Certificate Authority and an intermediate Certificate Authority.
It has a tree structure with the root Certificate Authority at the top and an intermediate Certificate Authority under it.

Intermediate certificate authority

Among Certificate Authorities (CAs), indicates a Certificate Authority whose reliability is guaranteed by a higher-level Certificate Authority (CA).

Root certificate authority

Among Certificate Authorities (CA), indicates a Certificate Authority whose reliability is guaranteed by itself.

Root certificate authority certificate

A public key certificate that has the same issuer and subject and has signed its own public key with its own private key. It is the root of a tree-structured certificate.

Digital certificate

Data that certifies that the public key issued by the Certificate Authority is the genuine issuer’s public key.
When the issuer makes a certificate request to the Certificate Authority (CA) together with the public key, the Certificate Authority (CA) issues a digital certificate after scrutinizing and confirming it.

EAP-MD5 authentication method (Message digest algorithm 5)

This is an authentication method that uses a user name and password. Authenticates by exchanging an MD5 hash value instead of a plain text password.

EAP-TLS authentication method (Transport Layer Security)

An authentication method used in IEEE 802.1X, a type of EAP implementation that authenticates by exchanging digital certificates after encrypting the transport layer between the user and the RADIUS server, instead of authenticating with a user ID and password. This is defined in RFC2716 and RFC5216.

EAP-TTLS authentication method (Tunneled TLS)

An authentication method used in IEEE 802.1X, a type of EAP implementation that establishes a TLS communication channel using the server’s digital certificate and authenticates the user with a password within the encrypted channel. This is defined in RFC5281.

PEAP authentication method (Protected EAP)

The operating principle is the same as EAP-TTLS (there is only a difference in the protocol in the encrypted tunnel). A TLS communication channel is established using the server’s digital certificate, and the user is authenticated with a password in the encrypted communication channel.

It is trusted

A certificate indicating that the public key belongs to the issuer has been issued by a trusted third party.

RADIUS server

The host device that provides the RADIUS server function, in this case, this device.
Authenticates connected users via a RADIUS server and manages authentication/authorization information such as user IDs, passwords, MAC addresses, and associated VLANs.

Server certificate

A certificate to state that the Certificate Authority (CA) has proved that the RADIUS server is trusted.

RADIUS client

Also called a NAS or an authenticator, it relays between the user connected to the LAN/SFP port and the authentication server, and controls access to the LAN based on the success or failure of authentication.

User

A device that connects to a RADIUS client and requests authentication, or a supplicant that is software.
It is the minimum unit for identifying the person to be authenticated. There are data required for authentication and authorization, such as a unique user ID and password.

Client certificate (user certificate)

This certificate proves that the user described above is trusted by the Certificate Authority (CA).

3. Function Details

3.1. Root certificate authority

To use the RADIUS server function, you must first create a root Certificate Authority.
The root certificate authority is used for issuing and managing digital certificates. It can be created with the crypto pki generate ca command.
The certificate authority name can be specified in the crypto pki generate ca command argument, if omitted it becomes swx-radius.

The following certificates are issued and managed based on the root Certificate Authority.
All certificates have a key strength of 2048 bits and a signature algorithm of SHA256.

Root Certificate Authority certificate

Proves that this device is a trusted root Certificate Authority.
Issued at the same time that the root Certificate Authority is created.
The expiration date applies from 23:59:59 (JST) on December 31, 2037 from the date of certificate creation.

Server certificate

Proves that this device is a trusted server.
Issued at the same time that the root Certificate Authority is created.
The expiration date applies from 23:59:59 (JST) on December 31, 2037 from the date of certificate creation.

Client (user) certificate

Proves that the user is trusted.

Client revocation certificate

Proves that the client certificate has been revoked.

The root Certificate Authority is deleted or overwritten by the following operations.

It is deleted when the cold start command is executed.
It is deleted when the no crypto pki generate ca command is executed.
It is deleted when the stack enable command is executed.
It is deleted when the stack disable command is executed.
It is deleted when the erase startup-config command is executed.
It is overwritten when the crypto pki generate ca command is executed again.
It is overwritten when the restore system command is executed.
It is overwritten when the copy radius-server local command is executed.

[red]#It is necessary to keep the root certificate authority installed first consistent, so be careful not to delete it carelessly. #
Also, please take measures to back up the file in advance, in case it is deleted.

Once the root CA is deleted, even if the same CA name is set, it will be a different CA from before.
If you delete the root Certificate Authority before backup, you cannot add or revoke the certificate after that. You will have to reissue all the certificates from the beginning.

When the root certificate authority is created by the crypto pki generate ca command, it is automatically saved in the internal area, so there is no need to execute the write command.

3.2. RADIUS client settings

Use the nas command to specify the RADIUS clients that are permitted to access the RADIUS server.
You can specify an individual IP address or network address, and up to 100 addresses can be set.
RADIUS client operations are verified using the following products.

Yamaha network switch (SWX series)
Yamaha router (RTX series or NVR series)
Yamaha wireless access point (WLX series)

The settings of the RADIUS client set by the nas command are not displayed in the config by show running-config.
There is no need to execute the write command because it is automatically saved in a different area from the config, but it is necessary to execute the radius-server local refresh command to reflect it in the actual operation.
Use the show radius-server local nas command to confirm the settings.

3.3. User registration

User information for authentication is registered with the user command.
Up to 2000 records of user information can be registered.
Items that can be set with the user command are as follows.

Type

Item

Summary/Remarks

Mandatory

User ID

ID for uniquely identifying user information

Password

Password used in combination with user ID
If the client certificate is compressed, use this password for decompression.

Option

User name

Any character string can be set for user identification.

MAC address

Compared when the RADIUS client notifies the Calling-Station-Id, and if it does not match, it is not authenticated.

SSID

Compared when the RADIUS client notifies the Called-Station-Id, and if it does not match, it is not authenticated.

Mail address

This is the address for sending the certificate by mail.

Authentication method

The default is EAP-TLS, so you must specify it if you want to use another authentication method.

Period of certificate validity

This is valid only when the authentication method is EAP-TLS. If omitted, it will be 23:59:59 on December 31, 2037.

Dynamic VLAN-ID

Specify when using the dynamic VLAN function.

The user settings set by the user command are not displayed in the config by show running-config, etc.
There is no need to execute the write command because it is automatically saved in a different area from the config, but it is necessary to execute the radius-server local refresh command to reflect it in the actual operation.
Use the show radius-server local user command to confirm the settings.

3.4. Restricting the authentication method

The authentication method can be restricted by the authentication command.
The authentication method is not restricted by default, but you can use it when you want to temporarily disable a specific authentication method.

3.5. Enabling the RADIUS server function

To enable the RADIUS server function, use the radius-server local enable command.
Set the RADIUS client and user information, and enable the RADIUS server function after the necessary preparations are completed.

3.6. Reflecting settings in operation

If you add/change/delete the settings related to the RADIUS server, execute the radius-server local refresh command to reflect them in actual operation.
The commands reflected in the actual operation by the radius-server local refresh command are as follows.

authentication command
nas command
reauth interval command
user command

When you add/change/delete settings related to the RADIUS server in Web GUI, processing equivalent to the radius-server local refresh command is automatically performed.

3.7. Issue client certificate

Use the certificate user command to issue a client certificate to a user who performs authentication using a certificate (a user whose authentication method is EAP-TLS with the user command).
Each user can hold up to two client certificates, and issuing a third client certificate will cause the older client certificate to expire.
If you specify an individual user ID with the certificate user command, a client certificate for the specified user is issued.
If you do not specify individual user IDs in the certificate user command, client certificates are issued for all users that meet any of the following conditions.

Conditions for batch issuance of client certificates

Client certificate has never been issued
The password or expiration date has changed since the client certificate was issued

It takes about 15 seconds to issue a client certificate. Although the certificate user command issues client certificates in the background, be aware that batch issuing client certificates for multiple users can be time consuming.
To cancel the issuance of a client certificate partway through, use the certificate abort command.

The method to export an issued client certificate is as follows.

Specify the mail option in the certificate user command
The client certificate can be sent to the specified mail address at the same time that the client certificate is issued.
The client certificate is ZIP compressed and can be decompressed with the password of the user command.
For details on sending a client certificate by mail, refer to Sending a certificate by mail.
certificate export sd command
You can copy the client certificate of any user or all users to a microSD card to export it.
If a client certificate of any user is compressed and exported by the compress option, it can be decompressed with the password of the user command.
If the client certificate for all users is compressed and exported together using the compress option, it can be decompressed without a password.
certificate export mail command
The client certificate of any user or all users can be sent to the mail address set by the user command.
The client certificate is ZIP compressed and can be decompressed with the password of the user command.
Access the device with Web GUI
The client certificate can be downloaded for any or all users.
Although it is ZIP compressed, no password is required for decompression.

3.8. Revoking a client certificate

To prevent authentication for the user who issued the client certificate, you must issue a revocation certificate.
When a revocation certificate is issued to any user, the revocation certificate is referenced in the authentication process and reflected in the authentication result.
Revocation certificates are issued by the following process.

Execute the certificate revoke id command
A revocation certificate is issued for the client certificate with the specified certificate ID.
Execute the certificate revoke user command
Revocation certificates are issued for all client certificates of the specified user.
Change the authentication method from EAP-TLS to other (PAP, PEAP, EAP-MD5, EAP-TTLS) with the user command
Revocation certificates are issued for all client certificates of the target user.
If you change the authentication method of the target user to EAP-TLS again, it will be subject to the issue of client certificates.
Deletion of user command
Revocation certificates are issued for all client certificates of the target user.
If you register a user again with the same user ID as the target user, it will be subject to the issue of client certificates.
Issue a third client certificate with the certificate user command
A revocation certificate is issued for the target user’s older client certificate.
Importing user information according to Importing and exporting user information
If a user is deleted due to an import, a revocation certificate is issued for all client certificates of the deleted user.

3.9. Sending a certificate by mail

To use the client certificate mail transmission described in Issuing a client certificate, the following preparations are required in advance.
The settings described here are the minimum settings. Make the necessary settings according to the usage.

Set SMTP server
1. Specify the SMTP server with the mail server smtp host command.
Specify the mail template
1. Specify the template ID with the mail template command and switch to the template setting mode.
2. Specify the mail server ID of the SMTP server set by the mail server smtp host command with the send server command.
3. Specify the sender mail address with the send from command.
Specify the mail template to use for sending certificate mails
1. Specify the ID of the mail template created above with the mail send certificate command.

The subject and body of the mail are as follows. The format cannot be changed.

Subject

Certification Publishment

Body

Certification is published.
Name             : [userコマンドのNAMEパラメーター]
Account          : [userコマンドのUSERIDパラメーター]
MAC address      : XX:XX:XX:XX:XX:XX
Expire           : YYYY/MM/DD

3.10. Checking settings and certificates

Checking the RADIUS client settings
Use the show radius-server local nas command.

Yamaha# show radius-server local nas 192.168.100.0/24
host                                    key
--------------------------------------------------------------------------------------------------------
192.168.100.0/24                        abcde

Checking the user settings
Use the show radius-server local user command.

Yamaha# show radius-server local user

Total     1

userid                           name                             vlan mode
--------------------------------------------------------------------------------
00a0de000000                     Yamaha                              1 eap-md5

Yamaha# show radius-server local user detail 00a0de000000

Total     1

userid      : 00a0de000000
password    : secretpassword
mode        : eap-md5
name        : Yamaha
vlan        :    1

Checking the status of client certificate issuance processing
Use the show radius-server local certificate status command.
```
Yamaha# show radius-server local certificate status
certificate process: xxxx/ zzzz processing...
```

Checking the list of client certificates
Use the show radius-server local certificate list command.

Yamaha# show radius-server local certificate list detail Taro

userid                           certificate number                                enddate
---------------------------------------------------------------------------------------------
Yamaha                           Yamaha-DF598EE9B44D22CC                           2018/12/31
                                 Yamaha-DF598EE9B44D22CD                           2019/12/31

Checking the revocation certificate
Use the show radius-server local certificate revoke command.

Yamaha# show radius-server local certificate revoke

userid                           certificate number                                reason
---------------------------------------------------------------------------------------------
Yamaha                           Yamaha-DF598EE9B44D22CC                           expired
Yamaha                           Yamaha-DF598EE9B44D22CD                           revoked

3.11. Mail notification of expiration of client certificate

A mail notification can be sent before the client certificate expires.
The following preparations are required in advance to use advance mail notification.
The settings described here are the minimum settings. Make the necessary settings according to the usage.

Set SMTP server
1. Specify the SMTP server with the mail server smtp host command.
Specify the mail template
1. Specify the template ID with the mail template command and switch to the template setting mode.
2. Specify the mail server ID of the SMTP server set by the mail server smtp host command with the send server command.
3. Specify the sender mail address with the send from command.
Specify the mail template to use for the certificate expiration advance mail notification
1. Specify the ID of the mail template created above with the mail send certificate-notify command.
Specify when to send a certificate expiration advance mail notification
1. Specify the number of days before the expiration date to send the mail notification with the mail certificate expire-notify command.

Confirmation of the certificates that are subject to the client certificate expiration advance mail notification is performed every day at 23:59:59.

The subject and body of the mail are as follows. The format cannot be changed.

Subject

Certification expiration

Body

Your certificate will expire in [残り日数] days.
Name             : [userコマンドのNAMEパラメーター]
Account          : [userコマンドのUSERIDパラメーター]
MAC address      : XX:XX:XX:XX:XX:XX
Expire           : YYYY/MM/DD

3.12. Importing and exporting user information

Exporting
User information can be exported from the web GUI as a CSV file.
Users can be registered collectively by appending them to the exported CSV format file.
User information exported by this device cannot be imported using a Yamaha wireless access point (WLX series).
Importing
User information can be imported from the web GUI.
When importing user information, client certificates being issued due to the import can be issued at one time as a batch.
When importing information for a large number of users, it may take time before the information is reflected in actual operations.
User information exported by a Yamaha wireless access point (WLX series) can be imported to this device.
However, user information cannot be imported if it includes characters that cannot be used in the unit. In that case, add each user separately.
For details about characters not allowed by the unit, refer to Points of Caution.

3.13. Backing up and restoring all RADIUS server related information

This device can back up and restore all RADIUS server related information including the root Certificate Authority.

Backup
By specifying the microSD card as the export destination with the copy radius-server local command, all the RADIUS server related information can be backed up to the microSD card.
The same backup can be performed from the Web GUI. We recommend that you make a backup in case of device failure.
The backup file contains the setting information of the following three commands, but does not include the setting information related to other RADIUS server functions. Therefore, it is recommended that you back up configuration files along with backup files.
- crypto pki generate ca command
- user command
- nas command
Not all RADIUS server-related information backed up by this device can be restored using a Yamaha wireless access point (WLX series).
Restoration
By specifying the internal config number as the export destination with the copy radius-server local command, the data backed up above can be restored from the microSD card.
In addition, the same restoration can be performed from the Web GUI, and it is possible to restore data obtained with any model of the SWX series.
Note that if you perform restoration while the root Certificate Authority has been created, the root Certificate Authority will be overwritten.

3.14. Restoring RADIUS server information backed up by a Yamaha wireless access point (WLX series)

This unit can be used to restore RADIUS server information backed up by a Yamaha wireless access point (WLX series). The information can only be restored via the Web GUI.
RADIUS server functions used to operate a Yamaha wireless access point (WLX series) can be transferred to the given unit by executing the following procedure.

Restore the data backed up by a Yamaha wireless access point (WLX series) port in the unit.
For the WLX402 model, the backed up data (ZIP file) can be obtained from the RADIUS server settings page on the Web GUI.
For the WLX313 model, the backed up data (ZIP file) can be obtained from the settings (save/restore) page on the Web GUI.
Use the nas command or Web GUI to specify the RADIUS client.
Specify the VLAN interface to use for RADIUS authentication by the radius-server local interface command or via the Web GUI.
To send an authentication certificate via mail or send prior mail notification about the certificate expiration date, specify mail settings.
Enable RADIUS server functions using the radius-server local enable command or the Web GUI.
Apply the RADIUS information to actual operations using the radius-server local refresh command.

The procedure above eliminates the need to reissue a client certificate and can be used to transfer RADIUS server functions to the unit from a Yamaha wireless access point (WLX series).
If RADIUS server functions are transferred to the unit from a Yamaha wireless access point (WLX series), then the revocation certificate expiration date is automatically updated to 20 years from the date/time the functions are received.
The following data backed up via a Yamaha wireless access point (WLX series) can be restored.

Root certificate authority
Root certificate
Server certificate
Client certificate
Revocation certificate
User information

RADIUS client settings and other information not indicated above are not restored and must be set separately.
Users with information that includes characters not allowed by the unit cannot be restored. In that case, add each user separately.
For details about characters not allowed by the unit, refer to Points of Caution.
Certificate Authority names can be restored even if they include characters not allowed by the unit. However, disallowed characters are shown converted to the underscore (_) character in config files.

3.15. SYSLOG output information

The following information is output to the SYSLOG as a RADIUS server function.
The prefix is [RADIUSD].

Type	Message	Description
INFO	RADIUS server started.	The RADIUS server function process has started.
INFO	RADIUS server stopped.	The RADIUS server function process has stopped.
INFO	Authentication succeeded.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address })	User authentication succeeded.
INFO	Authentication failed.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address })	User authentication failed.
INFO	MAC address is not allowed.User-ID:{ User ID } MAC:{ MAC address }	User authentication failed because the MAC address is incorrect.
INFO	Connected NAS is not allowed.IP:{ IP address }	An authentication request was received from an unauthorized RADIUS client.

Type

Message

Description

INFO

RADIUS server started.

The RADIUS server function process has started.

INFO

RADIUS server stopped.

The RADIUS server function process has stopped.

INFO

Authentication succeeded.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address })

User authentication succeeded.

INFO

Authentication failed.: [{ User ID }/<via Auth-Type = { Authentication method }>] (from client port { Port number } cli { MAC address })

User authentication failed.

INFO

MAC address is not allowed.User-ID:{ User ID } MAC:{ MAC address }

User authentication failed because the MAC address is incorrect.

INFO

Connected NAS is not allowed.IP:{ IP address }

An authentication request was received from an unauthorized RADIUS client.

4. Related Commands

Related commands are indicated below.
For details on the commands, refer to the Command Reference.

Operations	Operating commands
radius-server local enable	Setting of local RADIUS server function
radius-server local interface	Access interface settings
crypto pki generate ca	Generate root Certificate Authority
radius-server local-profile	RADIUS configuration mode
authentication	Authentication method setting
nas	RADIUS client (NAS) settings
user	Authentication user settings
reauth interval	Re-authentication interval settings
radius-server local refresh	Set data reflected on local RADIUS server
certificate user	Issue client certificate
certificate abort	Suspend client certificate issuance
certificate revoke id	Revoke client certificate with the specified certificate ID
certificate revoke user	Revoke client certificate for specified user
certificate export sd	Export client certificate (SD copy)
certificate export mail	Export client certificate (mail transmission)
copy radius-server local	Copy RADIUS data
show radius-server local nas	Show RADIUS client (NAS)
show radius-server local user	Show authentication user information
show radius-server local certificate status	Show issuance status of client certificate
show radius-server local certificate list	Show list of client certificates
show radius-server local certificate revoke	Show revocation list of client certificates

Operations

Operating commands

radius-server local enable

Setting of local RADIUS server function

radius-server local interface

Access interface settings

crypto pki generate ca

Generate root Certificate Authority

radius-server local-profile

RADIUS configuration mode

authentication

Authentication method setting

nas

RADIUS client (NAS) settings

user

Authentication user settings

reauth interval

Re-authentication interval settings

radius-server local refresh

Set data reflected on local RADIUS server

certificate user

Issue client certificate

certificate abort

Suspend client certificate issuance

certificate revoke id

Revoke client certificate with the specified certificate ID

certificate revoke user

Revoke client certificate for specified user

certificate export sd

Export client certificate (SD copy)

certificate export mail

Export client certificate (mail transmission)

copy radius-server local

Copy RADIUS data

show radius-server local nas

Show RADIUS client (NAS)

show radius-server local user

Show authentication user information

show radius-server local certificate status

Show issuance status of client certificate

show radius-server local certificate list

Show list of client certificates

show radius-server local certificate revoke

Show revocation list of client certificates

5. Setting Examples

5.1. Using RADIUS server functions and port authentication function simultaneously

Use a local RADIUS server to configure supplicants A, B, and C to authenticate with MAC, IEEE802.1X, and Web authentication, respectively.

Enable the local RADIUS server with the network switch and register the user.

Yamaha# configure terminal
Yamaha(config)# crypto pki generate ca
Generate CA? (y/n): y
Finished
Yamaha(config)# radius-server local-profile
Yamaha(config-radius)# user 00a0de000001 00a0de000001 auth peap
Yamaha(config-radius)# user 8021xuser 8021xpass auth peap
Yamaha(config-radius)# user webuser webpass auth peap
Yamaha(config-radius)# exit
Yamaha(config)# radius-server local enable
Yamaha(config)# exit
Yamaha# radius-server local refresh

Assign an IP address to VLAN #1 for web authentication

Yamaha# configure terminal
Yamaha(config)# interface vlan1
Yamaha(config-if)# ip-address 192.168.100.240/24

Enable MAC authentication, IEEE802.1X authentication, and Web authentication on LAN port #1.

Yamaha# configure terminal
Yamaha(config)# aaa authentication auth-mac
Yamaha(config)# auth-mac auth-user unformatted lower-case
Yamaha(config)# aaa authentication dot1x
Yamaha(config)# aaa authentication auth-web
Yamaha(config)# interface port1.1
Yamaha(config-if)# auth host-mode multi-supplicant
Yamaha(config-if)# auth-mac enable
Yamaha(config-if)# dot1x port-control auto
Yamaha(config-if)# auth-web enable

Set the RADIUS server used for the authentication function.

Yamaha# configure terminal
Yamaha(config)# radius-server host 127.0.0.1 key secret_local

5.2. Using RADIUS server functions for authentication of users logging in to a Yamaha router

If accessing a Yamaha router from a TELNET client, user login authentication and administrator privilege authentication are performed by the Yamaha network switch RADIUS server.
As the login user, you will be able to log in using user ID: user1 and password: password1.
You will be able to elevate to administrator privileges using the password: admin.

■ Yamaha network switch settings

Specify the IP address in the interface.

Yamaha# configure terminal
Yamaha(config)# interface vlan1
Yamaha(config-if)# ip address 192.168.100.240/24
Yamaha(config-if)# exit

Generate a root Certificate Authority.

Yamaha(config)#crypto pki generate ca
Generate CA? (y/n): y
Finished

Specify the RADIUS servers.

Yamaha(config)# radius-server local-profile
Yamaha(config-radius)# nas 192.168.100.1 key yamaha
Yamaha(config-radius)# user user1 password1 auth pap
Yamaha(config-radius)# user *administrator admin auth pap
Yamaha(config-radius)# exit

Specify interfaces to which RADIUS clients can connect.
```
Yamaha(config)# radius-server local interface vlan1
```

Enable RADIUS server functions.

Yamaha(config)# radius-server local enable
Yamaha(config)#exit

Apply RADIUS server settings to actual operations.
```
Yamaha#radius-server local refresh
Yamaha#
```

■ Yamaha router settings

login radius use on
administrator radius auth on
ip lan1 address 192.168.100.1/24
radius auth on
radius auth server 192.168.100.240
radius auth port 1812
radius secret yamaha

5.3. Using RADIUS server functions for MAC authentication of Yamaha wireless access points (WLX series)

The Yamaha network switch RADIUS server is used to authenticate the MAC address of supplicants connected to a Yamaha wireless access point.

■ Yamaha network switch settings

Specify the IP address in the interface.

Yamaha# configure terminal
Yamaha(config)# interface vlan2
Yamaha(config-if)# ip address 192.168.200.240/24
Yamaha(config-if)# exit

Generate a root Certificate Authority.

Yamaha(config)#crypto pki generate ca
Generate CA? (y/n): y
Finished

Specify the RADIUS servers.

Yamaha(config)# radius-server local-profile
Yamaha(config-radius)# nas 192.168.200.100 key yamaha
Yamaha(config-radius)# user 00a0de000001 00a0de000001 auth pap ssid wlx
Yamaha(config-radius)# exit

Specify interfaces permitted to connect to RADIUS clients.
```
Yamaha(config)# radius-server local interface vlan2
```

Enable RADIUS server functions.

Yamaha(config)# radius-server local enable
Yamaha(config)#exit

Apply RADIUS server settings to actual operations.
```
Yamaha#radius-server local refresh
Yamaha#
```

■ Yamaha wireless AP (WLX402) settings
Note: Only for settings related to authentication. Configure other settings, such as for wireless functions, separately according to the given environment.

ip vlan-id 1 address 192.168.200.100/24
airlink slect 1
airlink ssid wlx
airlink radius auth on
airlink radius server 192.168.200.240
airlink radius secret yamaha
airlink enable 1

5.4. Using RADIUS server functions to connect to a Yamaha wireless access point (WLX series) using a certificate

A supplicant with a certificate issued by the Yamaha network switch installed is used to authenticate connections to a Yamaha wireless access point.

■ Yamaha network switch settings

Specify the IP address in the interface.

Yamaha(config)# interface vlan2
Yamaha(config-if)# ip address 192.168.120.240/24
Yamaha(config-if)# exit

Generate a root Certificate Authority.

Yamaha(config)#crypto pki generate ca
Generate CA? (y/n): y
Finished

Specify the RADIUS servers.

Yamaha(config)# radius-server local-profile
Yamaha(config-radius)# nas 192.168.120.100 key yamaha1
Yamaha(config-radius)# nas 192.168.130.100 key yamaha2
Yamaha(config-radius)# user user1 pass1 ssid wlxA
Yamaha(config-radius)# user user2 pass2 ssid wlxB
Yamaha(config-radius)# user user3 pass3 ssid wlxC
Yamaha(config-radius)# user user4 pass4 ssid wlxD
Yamaha(config-radius)# exit

Specify interfaces permitted to connect to RADIUS clients.

Yamaha(config)# radius-server local interface vlan2
Yamaha(config)# radius-server local interface vlan3

Enable RADIUS server functions.

Yamaha(config)# radius-server local enable
Yamaha(config)# exit

Issue client certificates.
Install the issued certificates in supplicants A to D, respectively.

Yamaha# certificate user user1
Yamaha# certificate user user2
Yamaha# certificate user user3
Yamaha# certificate user user4

Apply RADIUS server settings to actual operations.
```
Yamaha# radius-server local refresh
```

■ Yamaha wireless AP1 (WLX402) settings
Note: Only for settings related to authentication. Configure other settings, such as for wireless functions, separately according to the given environment.

ip vlan-id 2 address 192.168.120.100/24
 airlink select 1
  airlink ssid wlxA
  airlink vlan-id 2
  airlink radius auth on
  airlink radius server 192.168.120.240
  airlink radius secret yamaha1
 airlink enable 1
 airlink select 2
  airlink ssid wlxB
  airlink vlan-id 2
  airlink radius auth on
  airlink radius server 192.168.120.240
  airlink radius secret yamaha1
 airlink enable 2

■ Yamaha wireless AP2 (WLX402) settings
Note: Only for settings related to authentication. Configure other settings, such as for wireless functions, separately according to the given environment.

ip vlan-id 3 address 192.168.130.100/24
 airlink select 1
  airlink ssid wlxC
  airlink vlan-id 3
  airlink radius auth on
  airlink radius server 192.168.130.240
  airlink radius secret yamaha2
 airlink enable 1
 airlink select 2
  airlink ssid wlxD
  airlink vlan-id 3
  airlink radius auth on
  airlink radius server 192.168.130.240
  airlink radius secret yamaha2
 airlink enable 2

6. Points of Caution

In the RADIUS server function, the time of the internal clock of this device is used for processing such as authentication processing and certificate issuance.
Therefore, it is necessary to always keep the internal clock of this device at the correct time. Time synchronization with NTP server is recommended.
It is necessary to keep the root Certificate Authority consistent from its creation, so be careful not to delete it carelessly.
If it is deleted, the issued client certificates cannot be used, and client certificates must be reissued for all users.
Also, almost all settings related to the RADIUS server function will be deleted.
Even if you create a root Certificate Authority with the same name on a Yamaha network switch of the same model number, that root Certificate Authority will be a different one.
Client certificates can only be used with Yamaha network switch authentication that has the root Certificate Authority used at the time of generation.
To maintain the same root Certificate Authority in multiple devices, see Backing up and restoring all RADIUS server related information.
Authentication cannot be performed even if a RADIUS client connects to an IPv6 link-local address.

The characters permitted in user or other information by Yamaha network switches is different than permitted by Yamaha wireless access points (WLX series). Those differences are indicated below.
(The characters in red are disallowed only by Yamaha network switches)

Item

Yamaha network switch restrictions

Yamaha wireless access point restrictions

Root certificate authority name
(CA-NAME option for crypto pki generate ca command)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘/’
‘[’
‘]’
‘?’
‘ ’ (space)
‘”’ (double quote)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘/’
‘[’
‘]’

RADIUS client shared password
(SECRET parameter of nas command)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘[’
‘]’
‘?’
‘ ’ (space)
‘”’ (double quote)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘[’
‘]’

User ID in user information
(USERID parameter of user command)
When the authentication method is EAP-TLS

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘/’
‘[’
‘]’

':'

‘<’
‘*’
‘>’
‘|’
‘?’
‘ ’ (space)
‘”’ (double quote)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘/’
‘[’
‘]’

User ID in user information
(USERID parameter of user command)

When the authentication method is PAP or PEAP

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘[’
‘]’
‘?’
‘ ’ (space)
‘”’ (double quote)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘[’
‘]’

Password in user information
(PASSWORD parameter of user command)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘[’
‘]’
‘?’
‘ ’ (space)
‘”’ (double quote)

The following single-byte alphanumeric characters and symbols cannot be used.
‘\’ (backslash)
‘[’
‘]’

Name in user information
(NAME option of user command)

The following single-byte alphanumeric characters and symbols cannot be used.
‘?’
‘ ’ (space)
‘”’ (double quote)

All single-byte alphanumeric characters and symbols can be used.

7. Related Documentation

Interface Control Functions: Port Authentication