This article explains how to enable Dynamic RADIUS proxy (DRP) for a specific Virtual Controller (VC) when using IGC to manage IAP clusters.
A static VC IP must be configured if DRP is enabled. The VC IP cannot be 0.0.0.0. In telecommuter and branch office deployments that do not use local RADIUS resources, it might be difficult or even impossible to determine the IP range used locally. In such cases, the VC IP should be configured to a random static IP in the non-corporate private IP range (say 192.168.137.139, if the corporate network is 10.0.0.0/8). This allows DRP to be enabled, which is essential for tunneling the RADIUS traffic to the central RADIUS server in the datacenter.
The location of the RADIUS server used to authenticate users in a branch location varies from organization to organization. Most organizations have a centralized RADIUS server in the datacenter to authenticate remote users, but some may use a local RADIUS server at each location. There are also organizations that use a local RADIUS server for employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the appropriate RADIUS server, DRP should be enabled. When enabled, DRP ensures that all RADIUS traffic is sourced from either the VC IP or the inner IP of the IAP IPsec tunnel, depending on the RADIUS server IP and the routing profile. If the routing profile is configured to tunnel the 10.0.0.0/8 network and the RADIUS server is 10.68.32.40, then the RADIUS traffic is forwarded through the IPsec tunnel using the inner IP of the IAP IPsec tunnel. However, if the RADIUS server is 192.168.32.40, then the RADIUS traffic is bridged locally using the VC IP.
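The source selection and VC IP rules described above can be modeled as a pre-deployment check. This is an added example, not Aruba or AirWave code: the function names are hypothetical, the inner IP is a constructed sample value, and "private IP range" is assumed to mean the RFC 1918 blocks.

```python
import ipaddress

# Assumption: "private IP range" on this page is read as the RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_vc_ip(vc_ip, tunneled_networks):
    """Return a list of problems with a proposed static VC IP (empty = usable)."""
    ip = ipaddress.ip_address(vc_ip)
    problems = []
    if ip == ipaddress.ip_address("0.0.0.0"):
        problems.append("VC IP cannot be 0.0.0.0 when DRP is enabled")
    elif not any(ip in net for net in RFC1918):
        problems.append("VC IP is not in a private range")
    if any(ip in ipaddress.ip_network(n) for n in tunneled_networks):
        problems.append("VC IP is inside a tunneled (corporate) network")
    return problems


def radius_source(server_ip, tunneled_networks, vc_ip, inner_ip):
    """Model the DRP choice: (path, source IP) for one RADIUS server."""
    server = ipaddress.ip_address(server_ip)
    if any(server in ipaddress.ip_network(n) for n in tunneled_networks):
        return ("ipsec-tunnel", inner_ip)   # sourced from the tunnel inner IP
    return ("local-bridge", vc_ip)          # bridged locally from the VC IP


if __name__ == "__main__":
    tunneled = ["10.0.0.0/8"]        # routing profile from the article
    vc_ip = "192.168.137.139"        # VC IP suggested in the article
    inner_ip = "10.200.1.17"         # constructed sample inner IP
    print("VC IP problems:", validate_vc_ip(vc_ip, tunneled) or "none")
    for server in ("10.68.32.40", "192.168.32.40"):
        path, src = radius_source(server, tunneled, vc_ip, inner_ip)
        print(f"{server}: {path}, source {src}")
```

The source address reported for each server is the one that server's RADIUS client entry has to match.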
Instructions to enable Dynamic RADIUS proxy:
> Navigate to the Group that holds the specific Virtual Controller for which you need to enable Dynamic RADIUS proxy.
> Go to "Instant Config", expand the cluster and select the Virtual Controller.
> Choose Settings >> General and enable "Dynamic RADIUS proxy". Also make sure you have provided a static IP for "Virtual Controller IP", which is mandatory when Dynamic RADIUS proxy is enabled.
> Click Save and Apply All to submit the settings.
Once the configuration change is applied, AirWave initiates a configuration audit and posts the mismatched configuration to the VC over HTTPS.
The configuration that the VC receives from AirWave can be reviewed using the following method.
Navigate to the VC Monitor page and, from the drop-down list "Run commands from VC", select "VC AMP Last Configuration Received".
AirWave queries the respective VC for the most recently received configuration and lists the configuration lines that were sent from AirWave, each with its status.