Configuring the switch for RADIUS authentication
Configure RADIUS authentication for controlling access through one or more of the following:
Serial port
Telnet
SSH
Port-Access (802.1X)
WebAgent
Procedure
- RADIUS authentication on the switch must be enabled to override the default authentication operation which is to automatically assign an authenticated client to the operator privilege level. This applies the privilege level specified by the service type value received from the RADIUS server.
-
Configure the switch for accessing one or more RADIUS servers (one primary server and up to two backup servers):
Server IP address
(Optional) UDP destination port for authentication requests (default: 1812; recommended)
(Optional) UDP destination port for accounting requests (default: 1813; recommended)
(Optional) Encryption key for use during authentication sessions with a RADIUS server. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. (default: null)
NOTE:Step 2 assumes you have already configured the RADIUS servers to support the switch. See your RADIUS server documentation for details.
-
Configure the global RADIUS parameters.
- Server key: This key must match the encryption key used on the RADIUS servers the switch contacts for authentication and accounting services unless you configure one or more per-server keys. (default: null)
- Timeout period: The timeout period the switch waits for a RADIUS server to reply. (default: 5 seconds; range: 1 to 15 seconds)
- Retransmit attempts: The number of retries when there is no server response to a RADIUS authentication request. (default: 3; range of 1 to 5)
- Server dead-time: The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request. This avoids a wait for a request to time out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (default: disabled; range: 1-1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again.
- Number of login attempts: This is actually an
aaa authentication
command. It controls how many times per session a RADIUS client (and clients using other forms of access) can try to log in with the correct username and password. (default: Three times per session)