{
"client_requirement": "client_is_administrator+",
"items": [
{
"type": "header_page_title",
"items": [
{
"type": "h1",
"text": "RADIUS"
},
{
"type": "p",
"text": "FreeRADIUS server configuration and shared secret."
}
]
},
{
"type": "raw_html",
"html": ""
},
{
"type": "info_bar",
"variant": "info",
"text": "You should only enable RADIUS if you also configure your managed switch and/or Wireless Access Points to consult RADIUS for device placement onto VLANs. RADIUS will be disabled if there are no RADIUS Clients (authenticators) specified on the DHCP Reservations page."
},
{
"type": "raw_html",
"html": "%RADIUS_STATUS_BAR%"
},
{
"type": "card",
"label": "Shared Secret",
"client_requirement": "client_is_administrator+",
"items": [
{
"type": "p",
"text": "Enter this secret in your equipment/controller as the RADIUS shared secret. It authenticates your network equipment to this router's RADIUS server."
},
{
"type": "pre_block",
"text": "%RADIUS_SECRET%"
},
{
"type": "p",
"text": "Use this router's IP address on the equipment's VLAN as the RADIUS server address. Authentication port: 1812. Accounting port: 1813."
},
{
"type": "button_row",
"items": [
{
"type": "button_danger",
"action": "/action/radius/regenerate",
"method": "post",
"text": "Regenerate"
}
]
}
]
},
{
"type": "card",
"label": "Options",
"client_requirement": "client_is_administrator+",
"items": [
{
"type": "form",
"action": "/action/radius/options_save",
"method": "post",
"items": [
{
"type": "field",
"label": "MAC Address Format",
"name": "mac_format",
"input_type": "select",
"value": "%RADIUS_MAC_FORMAT%",
"options": [
{"value": "aabbccddeeff", "label": "aabbccddeeff"},
{"value": "aa-bb-cc-dd-ee-ff", "label": "aa-bb-cc-dd-ee-ff"},
{"value": "aa:bb:cc:dd:ee:ff", "label": "aa:bb:cc:dd:ee:ff"},
{"value": "AABBCCDDEEFF", "label": "AABBCCDDEEFF"},
{"value": "AA-BB-CC-DD-EE-FF", "label": "AA-BB-CC-DD-EE-FF"},
{"value": "AA:BB:CC:DD:EE:FF", "label": "AA:BB:CC:DD:EE:FF"}
],
"hint": "Must match your equipment/controller's expected format."
},
{
"type": "button_row",
"items": [
{
"type": "button_primary",
"action": "/action/radius/options_save",
"method": "post",
"text": "Save"
},
{
"type": "button_cancel",
"text": "Cancel"
}
]
}
]
}
]
},
{
"type": "card",
"label": "Known Clients",
"client_requirement": "client_is_administrator+",
"items": [
{
"type": "raw_html",
"html": "%RADIUS_PRO_NOTE%"
},
{
"type": "form",
"action": "/action/radius/auth_mode_save",
"method": "post",
"items": [
{
"type": "field",
"label": "Authentication Mode",
"name": "auth_mode",
"input_type": "select",
"value": "%RADIUS_AUTH_MODE%",
"options": "%RADIUS_AUTH_MODE_OPTIONS%",
"hint": "_"
},
{
"type": "raw_html",
"html": ""
},
{
"type": "field",
"label": "Username/Password Protocol",
"name": "eap_protocol",
"input_type": "select",
"value": "%RADIUS_EAP_PROTOCOL%",
"options": "%RADIUS_EAP_PROTOCOL_OPTIONS%",
"hint": "_"
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "field",
"label": "Inner Protocol",
"name": "inner_protocol",
"input_type": "select",
"value": "%RADIUS_INNER_PROTOCOL%",
"options": "%RADIUS_INNER_PROTOCOL_OPTIONS%",
"hint": "_"
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "field",
"label": "",
"name": "tunneled_reply",
"input_type": "checkbox",
"checkbox_label": "Propagate inner tunnel reply attributes",
"value": "%RADIUS_TUNNELED_REPLY%",
"hint": "Copies VLAN and authorization attributes from the inner EAP exchange to the outer RADIUS Access-Accept. Required by some switches for VLAN assignment to work correctly."
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "field",
"label": "",
"name": "include_length",
"input_type": "checkbox",
"checkbox_label": "Include Length",
"value": "%RADIUS_INCLUDE_LENGTH%",
"hint": "Include the total length of message in every packet."
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "raw_html",
"html": ""
},
{
"type": "field",
"label": "",
"name": "mab_first",
"input_type": "checkbox",
"checkbox_label": "Try MAB first before prompting supplicant",
"value": "%RADIUS_MAB_FIRST%",
"hint": "RADIUS checks the device's MAC address first. Known devices (those with a DHCP reservation) are admitted immediately without waiting for 802.1X negotiation or credential entry. Unknown devices fall through to 802.1X."
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "raw_html",
"html": ""
},
{
"type": "field_row",
"cols": 2,
"items": [
{
"type": "field",
"label": "Default Session Duration",
"name": "default_session_value",
"input_type": "number",
"min": 0,
"value": "%RADIUS_DEFAULT_SESSION_VALUE%",
"hint": "How long a client session lasts before reauthentication is required. 0 = no session limit."
},
{
"type": "field",
"label": "Unit",
"name": "default_session_unit",
"input_type": "select",
"value": "%RADIUS_DEFAULT_SESSION_UNIT%",
"options": [
{"value": "hours", "label": "Hours"},
{"value": "days", "label": "Days"}
]
}
]
},
{
"type": "field_row",
"cols": 2,
"items": [
{
"type": "field",
"label": "Default Expiration Duration",
"name": "default_expiration_value",
"input_type": "number",
"min": 0,
"value": "%RADIUS_DEFAULT_EXPIRATION_VALUE%",
"hint": "How long before account permanently expires. 0 = never expires."
},
{
"type": "field",
"label": "Unit",
"name": "default_expiration_unit",
"input_type": "select",
"value": "%RADIUS_DEFAULT_EXPIRATION_UNIT%",
"options": [
{"value": "hours", "label": "Hours"},
{"value": "days", "label": "Days"}
]
}
]
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "button_row",
"items": [
{
"type": "button_primary",
"text": "Save"
},
{
"type": "button_cancel",
"text": "Cancel"
}
]
}
]
}
]
},
{
"type": "card",
"label": "Unknown Clients",
"client_requirement": "client_is_administrator+",
"items": [
{
"type": "p",
"text": "The DEFAULT Rule only applies to unknown devices (those without a DHCP reservation/authorization)."
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "form",
"action": "/action/radius/default_rule_save",
"method": "post",
"items": [
{
"type": "field",
"label": "Which RADIUS Clients (authenticators) may apply the DEFAULT rule to unknown devices?",
"name": "apply_to",
"input_type": "select",
"value": "%RADIUS_APPLY_TO%",
"options": [
{"value": "all", "label": "All authenticators"},
{"value": "wireless", "label": "Wireless authenticators only (NAS-Port-Type = Wireless-802.11)"},
{"value": "huntgroup", "label": "Wireless authenticators only (AP huntgroup by IP)"}
],
"hint": "_"
},
{
"type": "field",
"label": "Which of the following authenticators are Wireless Access Points that you wish to add to the huntgroup?",
"name": "ap_ips",
"input_type": "checkbox_group",
"options": "%RADIUS_AP_IPS_OPTIONS%",
"value": "%RADIUS_AP_IPS%",
"hint": "These authenticators are defined on the DHCP Reservations page by denoting a device (such as a managed switch or wireless access point) as a \"RADIUS Client\"."
},
{
"type": "button_row",
"items": [
{
"type": "button_primary",
"text": "Save"
},
{
"type": "button_cancel",
"text": "Cancel"
}
]
}
]
},
{
"type": "hr"
},
{
"type": "p",
"text": "Unknown devices are assigned to this VLAN. For wired switch ports, also set the fallback network in your managed switch's configuration."
},
{
"type": "raw_html",
"html": "
"
},
{
"type": "form",
"action": "/action/radius/default_vlan_save",
"method": "post",
"items": [
{
"type": "field",
"label": "Default VLAN",
"name": "default_vlan",
"input_type": "select",
"value": "%RADIUS_DEFAULT_VLAN%",
"options": "%RADIUS_DEFAULT_VLAN_OPTIONS%",
"hint": "Devices without a DHCP reservation will receive RADIUS authorization to be placed on this VLAN. This may also be selected on the Network Layout page by denoting a VLAN as the \"RADIUS Default\"."
},
{
"type": "button_row",
"items": [
{
"type": "button_primary",
"text": "Save"
},
{
"type": "button_cancel",
"text": "Cancel"
}
]
}
]
}
]
},
{
"type": "card",
"label": "Logging",
"client_requirement": "client_is_administrator+",
"items": [
{
"type": "form",
"action": "/action/radius/logging_save",
"method": "post",
"items": [
{
"type": "field",
"label": "",
"name": "logging",
"input_type": "checkbox",
"checkbox_label": "Log auth requests",
"value": "%RADIUS_LOGGING%",
"hint": "%RADIUS_LOGGING_HINT%"
},
{
"type": "hr"
},
{
"type": "pre_block",
"text": "%RADIUS_LOG_TAIL%",
"scroll_to_bottom": true
},
{
"type": "raw_html",
"html": "%RADIUS_LOG_SUMMARY%"
},
{
"type": "button_row",
"items": [
{
"type": "button_ghost",
"action": "/action/radius/logging_download",
"text": "Download Log"
}
]
},
{
"type": "hr"
},
{
"type": "field",
"label": "Max Log Size (KB)",
"name": "log_max_kb",
"input_type": "number",
"layout": "inline",
"value": "%RADIUS_GEN_LOG_MAX_KB%",
"min": "64",
"hint": "Log will automatically be cleared when it reaches this size."
},
{
"type": "button_row",
"items": [
{
"type": "button_primary",
"text": "Save"
},
{
"type": "button_cancel",
"text": "Cancel"
}
]
}
]
}
]
}
]
}