Switch operating rules for RADIUS
- You must have at least one RADIUS server accessible to the switch.
- The switch supports authentication and accounting using up to 15 RADIUS servers. The switch contacts the servers in the order in which they are listed by show radius. If the first server does not respond, the switch tries the next one, and so on. To change the order in which the switch accesses RADIUS servers, see Changing RADIUS-server access order.
- You can select RADIUS as the primary authentication method for each type of access. (Only one primary and one secondary method is allowed for each access type.)
- In the switch, EAP RADIUS supports the EAP-MD5 and EAP-TLS methods for answering a challenge from a RADIUS server. EAP-MD5 answers the challenge with an MD5 hash computed over the password and the challenge; this is a hash, not encryption, so a captured challenge/response pair can be guessed offline and the server is not authenticated to the client. EAP-TLS authenticates both sides with certificates inside a TLS handshake and is the stronger choice where certificates can be deployed.
- When primary/secondary authentication is set to Radius/Local (for either Login or Enable) and the RADIUS server fails to respond to a client attempt to authenticate, the failure is noted in the Event Log with the message
  radius: Can't reach RADIUS server <server-ip-addr>
  When this type of failure occurs, the switch prompts the client again to enter a username and password. In this case, use the local username (if any) and password configured on the switch itself. The fallback to the local method is triggered only by unreachable servers: a RADIUS server that does respond with a reject denies the login, and the switch does not then try the local credentials.
- Zero-length usernames or passwords are not allowed for RADIUS authentication, even though some RADIUS servers allow them.
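The server walk, the event-log message and the Radius/Local fallback rules above, modelled in Python as an added example (not switch firmware or CLI, and not from the original manual). The server list, the responder functions, LOCAL_USERS and the addresses 10.0.0.x are all constructed for the illustration; a responder returning None stands in for a server that times out.

```python
"""Model of the switch's ordered RADIUS server walk and Radius/Local fallback.

Constructed example, not switch code. Each 'server' is a callable returning
"accept", "reject" or None (no reply), standing in for RADIUS Access-Accept,
Access-Reject and a timeout respectively.
"""
from typing import Callable, Dict, List, Optional, Tuple

Responder = Callable[[str, str], Optional[str]]

MAX_RADIUS_SERVERS = 15  # the switch accepts up to 15 configured servers

# Hypothetical local username/password configured on the switch itself.
LOCAL_USERS: Dict[str, str] = {"operator": "local-pw"}


def unreachable(_user: str, _pw: str) -> Optional[str]:
    """Server that never answers (timeout)."""
    return None


def make_server(users: Dict[str, str]) -> Responder:
    """Server that answers every request with accept or reject."""
    def respond(user: str, pw: str) -> Optional[str]:
        return "accept" if users.get(user) == pw else "reject"
    return respond


def authenticate(servers: List[Tuple[str, Responder]], username: str, password: str,
                 secondary: Optional[str] = "local",
                 event_log: Optional[List[str]] = None) -> Tuple[str, str]:
    """Walk servers in configured order; return (decision, reason).

    decision is "accept" or "deny". event_log receives the same text the
    switch writes to its Event Log when a server does not respond.
    """
    if event_log is None:
        event_log = []
    if len(servers) > MAX_RADIUS_SERVERS:
        raise ValueError("the switch supports at most 15 RADIUS servers")
    # Zero-length credentials are refused before any server is contacted.
    if username == "" or password == "":
        return "deny", "zero-length username or password not allowed for RADIUS"
    for ip, server in servers:
        reply = server(username, password)
        if reply is None:
            event_log.append(f"radius: Can't reach RADIUS server {ip}")
            continue  # try the next server in show radius order
        # A server that answered is authoritative: a reject does NOT fall
        # through to the local credentials.
        decision = "accept" if reply == "accept" else "deny"
        return decision, f"RADIUS server {ip} returned {reply}"
    # Every configured server was unreachable: use the secondary method, if any.
    if secondary == "local":
        ok = LOCAL_USERS.get(username) == password
        return ("accept" if ok else "deny"), "no RADIUS server reachable; checked local credentials"
    return "deny", "no RADIUS server reachable and no secondary method configured"


if __name__ == "__main__":
    log: List[str] = []
    servers = [("10.0.0.1", unreachable), ("10.0.0.2", make_server({"alice": "pw"}))]
    print(authenticate(servers, "alice", "pw", event_log=log), log)
    print(authenticate([("10.0.0.1", unreachable)], "operator", "local-pw"))
```

The point the model makes explicit is the asymmetry that catches people out in practice: an operator who only has a local account gets in when every RADIUS server is down, but not when a reachable server rejects the attempt, so local credentials are a break-glass path for server outages rather than a second password store.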
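What the EAP-MD5 method mentioned above actually computes, as an added example written for this page (not the switch's or HPE's code). It follows RFC 3748 section 5.4, which reuses the CHAP algorithm of RFC 1994: the response is MD5 over the one-byte Identifier, the password and the challenge. The identifier value, password and wordlist are constructed for the illustration; the offline_guess function shows why a captured exchange is not protected by the hash.

```python
"""EAP-MD5 challenge/response (RFC 3748 s.5.4, CHAP per RFC 1994).

Constructed example: demonstrates that the "MD5" in EAP-MD5 hashes the
password together with the challenge rather than encrypting anything, and
that one captured Request/Response pair is enough for offline guessing.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def new_challenge(length: int = 16) -> bytes:
    """Server side: a fresh random challenge per EAP-Request/MD5-Challenge."""
    return os.urandom(length)


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Peer side: Response value = MD5(Identifier || password || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP Identifier field is a single byte")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """RADIUS server side: recompute with the stored cleartext password.

    The server must hold the cleartext (or reversibly stored) password;
    a salted password hash cannot be used to check an EAP-MD5 response.
    """
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Eavesdropper side: with the Identifier, challenge and response from one
    captured exchange, each guess costs one MD5 and never touches the server."""
    for candidate in wordlist:
        if eap_md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    ident, pw, ch = 7, b"s3cret", new_challenge()
    resp = eap_md5_response(ident, pw, ch)
    print("server accepts:", server_verify(ident, pw, ch, resp))
    print("recovered offline:", offline_guess(ident, ch, resp, [b"password", b"s3cret"]))
```

Two consequences follow directly from the code: the RADIUS server needs the cleartext password to verify, and anyone who can see the switch-to-server or client-to-switch leg can test guesses against the captured response at MD5 speed. EAP-TLS avoids both by replacing the password hash with a certificate-based TLS handshake.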