DRoca Networks S.A. de C.V. MEX +52(55)55957500 Contacto
Use the Router's Internal RADIUS Server for Local 802.1X Authentication | DrayTek

Knowledge Base  >   Wireless  > 

Use the Router's Internal RADIUS Server for Local 802.1X Authentication

The Vigor Router supports an Internal RADIUS Server function, which can be regarded as a built-in RADIUS server. It can act as both the authenticator and the authentication server, allowing wireless or wired clients to be authenticated using user profiles stored directly on the router. This document demonstrates how to use the router’s Internal RADIUS Server to authenticate wireless clients on a Vigor Router.

This document demonstrates how to use the router's Local 802.1X to authenticate wireless clients. Since firmware version 3.8.1, Vigor Router supports Local 802.1X which can be regarded as a built-in RADIUS server. It can act as authenticator and authentication server simultaneously and authenticate wireless or wired clients by the user profiles stored on it.

Configuration of the router

1. First of all, make sure Wireless LAN is enabled and SSID are ready.

2. Create a user profile for the wireless client. Go to User Management >> User Profile, click on an index number to add/edit a profile:

  1. Enable this account.
  2. Enter username and password, confirm the password again.
  3. Enable Local 802.1X at Internal Services, so that this user profile can be used by 802.1X authentication.
  4. Click OK to save

NOTE: For 802.1X authentication by Local 802.1X, Vigor Router now supports PEAP for phase 1 and MSCHAPV2 for phase 2.

3. Set up Security for the Wireless LAN. Go to Wireless LAN >> Security, select a security Mode that uses 802.1X, and click Wireless LAN 802.1X Setting.

4. In Wireless LAN 802.1X Setting page, set Authentication Type to "Local 802.1X" and select "Enable," so the router will use the user profiles on the router to authenticate wireless clients. Then click OK to apply.

NOTE: In this page, it shows all the user profiles on the router. In the right column are the ones that have Local 802.1X enabled and can be used for 802.1X authentication. For example, the profile created in step 2 will be listed here. In the left column are the ones that don't enable Local 802.1X; however, we may select those profiles, and click ">>" to move it to "Enable Local 802.1X" list, then they will be ready for 802.1X authentication as well.

Wireless Client Connecting

5. After the above configuration, wireless clients can join the network by entering the user name and password set in the router's user profiles.

6. In Diagnostics >> Authentication Information, we can check the failed authentication attempts from Authentication User List tab and the logs about authentication.

Vigor Router Setup

1. Create a User Profile

Navigate to IAM / Users & Groups / Users.

  • Enter a Username and Password
  • Click Apply to save the settings

    • 2. Configure the Internal RADIUS Server

    Navigate to Configuration / RADIUS / TACACS+ / Internal RADIUS.

    • Toggle Enable
    • Enter the Authentication Port
    • Under RADIUS Client Access List, click +Add, then:
      • Enter the Shared Secret
      • Enter the client’s IPv4 address (in this example, the Vigor Router’s LAN IP)
      • Enter the IPv4 mask
    • Under User Profile, select the user profiles to be used for Internal RADIUS authentication.
    • Click Apply to save the settings

    3. Configure an External RADIUS Server Profile

    Navigate to Configuration / RADIUS / TACACS+ / External RADIUS, then click Add to create a new RADIUS profile.

    • Enter a Profile Name
    • Enable RADIUS Authentication
    • Click +Add, then enter:
      • Server IP address (use the Vigor Router’s IP address)
      • Shared Secret for the RADIUS connection
      • Authentication Port
    • Toggle RADIUS Authorization
    • Click Apply to save the settings

    4. Specify the Default Certificate for the Authentication Server

    Navigate to Configuration / Certificates / Local Services.

  • Assign the default certificate for the Authentication Server (Internal RADIUS Server)

    • 5. Configure Wi-Fi to Use WPA2-Enterprise

    Navigate to Configuration / Wireless LAN, then click Edit for the desired wireless profile.

  • Toggle Enable
  • Set Security to WPA2 Enterprise
  • Select the External RADIUS Profile created in Step 3
  • Select the VLAN
  • Click Apply to save the settings
    • Wireless Client Connecting

    6. Connect Wireless Clients

    After completing the above configuration, wireless clients can connect to the Wi-Fi network using the username and password defined in the router's IAM user profiles.

    7. Verify Connected Clients

    Connected Wi-Fi clients can be viewed by navigating to Monitoring / Clients List.

    Published On: 2025-12-31 

    Share

    Was this helpful?   

    book icon

    Knowledge Base