This step by step guide show what´s the difference between different RADIUS options.
NXC Webinterface: CONFIGURATION > Object > AP Profile > SSID > Security List
1. What is the authentication mechanism used by an "internal" RADIUS server?
When you select "internal" as the RADIUS server type, the 802.1X authentication is processed by an internal RADIUS that is built within the controller. When the AP is managed by the controller, it automatically adds the AP as a trusted client.
Topology:
Controller (built-in radius server)-----------AP (radius server's trusted client)
2. What is the authentication mechanism used by an "external" RADIUS server?
When you select "external" as the RADIUS server type, the 802.1X authentication is processed by an external RADIUS. The controller will forward the authenticated packets from the AP. Hence, you need to manually add the AP as a trusted client to the external RADIUS server.
Topology:
External radius server-------------Controller-----------AP (RADIUS server's trusted client)
==============================================================
The difference between "internal" RADIUS servers for the NXC managed AP and the standalone AP is that the NXC can support both local and external user database, but the standalone AP only supports local user database.
NXC with managed AP
Internal RADIUS server is a trusted RADIUS client for the NXC controller.
External RADIUS server is a trusted RADIUS client for the APs.
Standalone AP
Internal: internal RADIUS server (built within the standalone AP) with local user database.
External: external RADIUS with external user database.
KB-00299