Network Router User Manual

Release 11.0 Release Notes and User Guide Supplement
Issue 1, March 2011 Page 15
When RADIUS AAA is selected, up to 3 Authentication Server (RADIUS Server) IP addresses
and Shared Secrets can be configured. The IP address(es) configured here must match the IP
address(es) of the RADIUS server(s). The shared secret(s) configured here must match the
shared secret(s) configured in the RADIUS server(s). Servers 2 and 3 are meant for backup and
reliability, not splitting the database. If Server 1 doesn’t respond, Server 2 is tried, and then Server
3. If Server 1 rejects authentication, the SM is denied entry to the network, and the other servers
are not tried.
The default IP address is 0.0.0.0 (which obviously won’t match any RADIUS server). The default
Shared Secret is “CanopySharedSecret”. The Shared Secret can be up to 32 ASCII characters
(no diacritical marks or ligatures, for example).
Figure 2: AP's Configuration > Security tab
5.2.2 SM Authentication Mode: Require RADIUS or Follow AP
Refer to Figure 3: SM's Configuration > Security tab to see the GUI options.
If it is desired that an SM authenticate only to an AP that is using RADIUS, on the SM’s
Configuration > Security tab set Lock AAA to Enabled. With Lock AAA enabled, an SM will not
register to an AP that has any Authentication Mode other than RADIUS AAA selected.
If it is desired that an SM use the authentication method configured on the AP it is registering to,
set Lock AAA to Disabled. With Lock AAA disabled, an SM will attempt to register using
whichever Authentication Mode is configured on the AP it is attempting to register to.
Note: requiring SMs to use RADIUS by enabling Lock AAA avoids the security issue of SMs
possibly registering to “rogue” APs which have authentication disabled.
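
The settings described in this section can be checked with a short audit script. The following is an added example, not part of the manual or the product: it assumes the AP's server list and the SM's Lock AAA setting have been transcribed by hand from the Security tabs into Python values, and the function names audit_ap and audit_sm are hypothetical.

```python
import ipaddress

DEFAULT_SECRET = "CanopySharedSecret"  # factory default named in the manual
MAX_SECRET_LEN = 32                    # manual: up to 32 ASCII characters
MAX_SERVERS = 3                        # manual: up to 3 RADIUS servers


def audit_ap(servers):
    """servers: list of (ip, shared_secret) in Server 1..3 order. Returns findings."""
    findings = []
    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} servers listed; only {MAX_SERVERS} are supported")
    configured = 0
    for n, (ip, secret) in enumerate(servers, start=1):
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append(f"Server {n}: '{ip}' is not a valid IPv4 address")
            continue
        if addr.is_unspecified:        # 0.0.0.0 is the unconfigured default slot
            continue
        configured += 1
        if secret == DEFAULT_SECRET:
            findings.append(f"Server {n}: shared secret is still the factory default")
        if not secret.isascii():
            findings.append(f"Server {n}: shared secret contains non-ASCII characters")
        if len(secret) > MAX_SECRET_LEN:
            findings.append(f"Server {n}: shared secret exceeds {MAX_SECRET_LEN} characters")
    if configured == 0:
        findings.append("no RADIUS server configured (all addresses are 0.0.0.0)")
    return findings


def audit_sm(lock_aaa_enabled):
    """Flag an SM that follows whatever Authentication Mode the AP offers."""
    if lock_aaa_enabled:
        return []
    return ["Lock AAA is Disabled: SM will register to an AP with authentication disabled"]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    ap_servers = [("10.0.0.5", "CanopySharedSecret"),
                  ("10.0.0.6", "x" * 33),
                  ("0.0.0.0", "CanopySharedSecret")]
    for finding in audit_ap(ap_servers) + audit_sm(lock_aaa_enabled=False):
        print(finding)
```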