Configuring the switch for RADIUS authentication

Configure RADIUS authentication for controlling access through one or more of the following

  • Serial port

  • Telnet

  • SSH

  • Port-Access (802.1X)

  • WebAgent

Procedure
  1. RADIUS authentication on the switch must be enabled to override the default authentication operation which is to automatically assign an authenticated client to the operator privilege level. This applies the privilege level specified by the service type value received from the RADIUS server, see Configuring authentication for access methods RADIUS is to protect.
  2. Configure the switch for accessing one or more RADIUS servers (one primary server and up to two backup servers):

    • Server IP address

    • (Optional) UDP destination port for authentication requests (default: 1812; recommended)

    • (Optional) UDP destination port for accounting requests (default: 1813; recommended)

    • (Optional) Encryption key for use during authentication sessions with a RADIUS server. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. Default: null.

    NOTE:

    Step 2 assumes you have already configured the RADIUS servers to support the switch. See your RADIUS server documentation for details.

  3. Configure the global RADIUS parameters.
    1. Server key

      This key must match the encryption key used on the RADIUS servers the switch contacts for authentication and accounting services unless you configure one or more per-server keys.

      Default: null.

    2. Timeout period

      The timeout period the switch waits for a RADIUS server to reply.

      Default: 5 seconds; range: 1 to 15 seconds.

    3. Retransmit attempts

      The number of retries when there is no server response to a RADIUS authentication request.

      Default: 3; range of 1 to 5.

    4. Server dead-time

      The period during which the switch does not send new authentication requests to a RADIUS server that has failed to respond to a previous request. This avoids a wait for a request to time out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0disabled; range: 1 - 1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again.

    5. Number of Login Attempts

      This is actually an aaa authentication command. It controls how many times per session a RADIUS client (and clients using other forms of access) can try to log in with the correct user name and password.

      Default: Three times per session.

For RADIUS accounting features, see Accounting services.