Configure RADIUS Authentication for an Access Point

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP330, AP332CR, AP430CR, AP432)

RADIUS (Remote Authentication Dial-In User Service) authenticates local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database.

To configure a Wi-Fi in WatchGuard Cloud access point to use RADIUS authentication, you can add a RADIUS server to an authentication domain, and configure access points in your account to use that domain for authentication.

You can then configure a wireless network SSID with WPA2 Enterprise or WPA3 Enterprise to authenticate wireless clients to the RADIUS server.

The wireless client authenticates with the RADIUS server using any EAP-based method configured on the RADIUS server.

Before You Begin

Before you configure your access point to use a RADIUS authentication server, you must have this information for each RADIUS server:

  • RADIUS Server — IP address and RADIUS port for the RADIUS Authentication Server. You can add an additional server as a backup RADIUS authentication server.
  • Shared Secret — This is a case-sensitive password that must be the same on the WatchGuard Cloud authentication domain configuration and on the RADIUS server.
  • RADIUS Accounting Server (optional) — IP address and RADIUS port of the RADIUS Accounting Server. In many deployments, the Authentication and Accounting services are on the same RADIUS server and run on different ports.
    A RADIUS Accounting Server monitors RADIUS traffic and collects data about client sessions, such as when sessions begin and end. For example, you must configure a RADIUS accounting server for RADIUS Single Sign-on (SSO) deployments. For more information on how to configure RADIUS SSO with WatchGuard access points and a Firebox, see About RADIUS Single Sign-On.
  • Authentication methods — Configure your RADIUS server to allow the authentication method (any EAP-based method), that your access point and clients use.

About NAS Attributes for Access Points

NAS (Network Access Server) attributes are data included in the request packet sent by the access point to the RADIUS server to identify specific elements about the access point and client to the RADIUS server. These attributes enable the RADIUS server to use this data for authentication, authorization, accounting, and dynamic client profile assignment features.

In access point firmware v2.1 and higher, you can customize the Called Station ID and NAS ID in the advanced settings of an SSID. For more information, go to Configure Access Point SSID Settings.

Access Point Firmware v2.1 or Higher

  • Called Station ID — The default Called Station ID is the name of the SSID and the MAC address of the access point [SSID]-[MAC address].
    For example: MySSID-00-aa-00-bb-00-cc
    You can also customize the Called Station ID in the SSID advanced settings. You can enter custom text in combination with the predefined variables. The maximum length for the field is 32 characters. With variable expansion, the maximum length of the Called Station ID is 84 characters.
  • %m — MAC address of the access point Ethernet interface
  • %s — SSID name
  • %n — Device name
  • NAS ID — The default NAS ID is the name of the SSID and the MAC address of the access point [SSID]-[MAC address]. For example: MySSID-00-aa-00-bb-00-cc
    You can also customize the NAS ID in the SSID advanced settings. You can enter custom text in combination with the predefined variables. The maximum length for the field is 32 characters. With variable expansion, the maximum length of the NAS ID is 84 characters.
  • %m — MAC address of the access point Ethernet interface
  • %s — SSID name
  • %n — Device name
  • NAS IP Address — The IP address of the access point. This can be a static or DHCP IP address. We recommend you use static or reserved DHCP IP addresses for access points that communicate with RADIUS servers.
  • NAS Port — The NAS port is set to 0 by default and cannot be modified.

Screen shot of the SSID advanced settings (Called Station ID/NAS ID) for an access point

Access Point Firmware v2.0 or Lower

In access point firmware v2.0 or lower, you cannot modify the default RADIUS attributes.

  • Called Station ID — The Called Station ID is the MAC address of the access point.
    For example: 00-aa-00-bb-00-cc
  • NAS ID — The NAS ID is the name of the SSID.
    For example: MySSID
  • NAS IP Address — The IP address of the access point. This can be a static or DHCP IP address. We recommend you use static or reserved DHCP IP addresses for access points that communicate with RADIUS servers.
  • NAS Port — The NAS port is set to 0 by default and cannot be modified.

Configure RADIUS Authentication for an Access Point

To use RADIUS server authentication with a WatchGuard Cloud-managed access point, you must:

  • Add the IP address of the access point to the RADIUS server to configure the device as a RADIUS client. We recommend you use static or reserved DHCP IP addresses for access points that communicate with RADIUS servers.
  • Add the RADIUS server to a WatchGuard Cloud authentication domain, and specify the server IP address and shared secret. For more information, see Add an Authentication Domain to WatchGuard Cloud.
  • If you have a RADIUS accounting server, add it to the same authentication domain. For more information, see Add Servers to an Authentication Domain.
  • Add the authentication domain to the access point configuration. For more information, see Access Point Authentication Domains.
  • Configure an SSID with WPA2 Enterprise or WPA3 Enterprise security, and select an Authentication Domain with a configured RADIUS server.

    With WPA3 Enterprise, you can also enable 192-bit mode (WPA3 Enterprise Suite B) to increase encryption security in sensitive enterprise environments. WPA3 Enterprise 192-bit mode requires access point firmware v2.1 or higher. For more information, see Configure Access Point SSID Settings.

    When you configure WPA2 or WPA3 Enterprise authentication on access points with firmware v2.2 and higher, you can also enable Dynamic VLANs that enables you to dynamically assign VLAN IDs to the wireless client based on the user information provided by the RADIUS server after successful authentication. For more information, go to Configure Access Point Dynamic VLANs.

RADIUS Integration with Firebox and Third-Party Servers

For information on how to configure RADIUS Single Sign-On (SSO) with WatchGuard access points and a Firebox, see About RADIUS Single Sign-On.

For information on how to integrate RADIUS authentication and Microsoft Active Directory and NPS, see Authenticate Wi-Fi in WatchGuard Cloud Clients with Microsoft Active Directory and NPS.

Access Point Authentication Domains

Configure Access Point SSID Settings

About Access Point Sites