RADIUS server feature of the switch
Generally, the RADIUS server runs on a computer or workstation, and the RADIUS client runs on a NAS. A network device that supports the RADIUS server feature can also serve as the RADIUS server, working with RADIUS clients to implement user authentication, authorization, and accounting. As shown in Figure 8, the RADIUS server and client can reside on the same switch or different switches.
Using a network device as the RADIUS server simplifies networking and reduces deployment costs. This implementation is usually deployed on networks by using the clustering feature. In such a scenario, configure the RADIUS server feature on a management device at the distribution layer, so that the device functions as a RADIUS server to cooperate with cluster member switches at the access layer to provide user authentication and authorization services.
Figure 8: Devices functioning as a RADIUS server
The switch can serve as a RADIUS server to provide the following functions:
User information management:
You can create, modify, and delete user information, including the username, password, authority, lifetime, and user description.
RADIUS client information management:
You can create and delete RADIUS clients, which are identified by IP addresses and configured with attributes such as a shared key. With a managed client range configured, the RADIUS server processes only the RADIUS packets from the clients within the management range. A shared key is used to ensure secure communication between a RADIUS client and the RADIUS server.
RADIUS authentication and authorization:
With the RADIUS server enabled, the switch first checks whether the source of an incoming RADIUS packet is a client under its management. If it is, the switch verifies the packet by using the shared key, checks whether an account with the given username exists, whether the password is correct, and whether the user attributes meet the requirements defined on the RADIUS server (for example, whether the account has expired). If authentication succeeds, the RADIUS server assigns the corresponding authority to the client; if it fails, the server denies the client.
NOTE: A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HPE switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HPE switch as the RADIUS server.
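The following is an added example illustrating the server-side decision sequence described above; it is not HPE's implementation and is not code from this document. It applies the standard RADIUS rules (RFC 2865 for User-Password hiding and the Response Authenticator, RFC 3579 for the Message-Authenticator) in the order the text gives: managed-client range check, shared-key validation of the packet, account lookup, password check, expiry check, and then Access-Accept or Access-Reject. The client table, user table, time values and the use of a Reply-Message attribute to carry the "authority" string are constructed assumptions for illustration only.

```python
"""RADIUS server-side handling of an Access-Request (RFC 2865 / RFC 3579).
Added example: managed-client check, shared-key packet validation,
User-Password decryption, account and expiry checks, Accept/Reject build."""
import hashlib
import hmac
import ipaddress
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_MSG_AUTH = 1, 2, 18, 80
HPE_AUTH_PORT = 1645  # per the note above: HPE switch listens here, not on 1812

# Constructed sample tables (not real deployment data): managed client ranges
# with their shared keys, and user accounts with an expiry in epoch seconds.
CLIENTS = {ipaddress.ip_network("192.0.2.0/24"): b"constructed-shared-key"}
USERS = {
    "alice": {"password": "correct horse", "expires": 2**31, "authority": "level-3"},
    "bob":   {"password": "stale-pass",    "expires": 0,     "authority": "level-1"},
}

def lookup_secret(client_ip):
    """Shared key for a managed client, or None if the address is outside every range."""
    addr = ipaddress.ip_address(client_ip)
    return next((s for net, s in CLIENTS.items() if addr in net), None)

def parse_attrs(data):
    """Parse TLV attributes (1-byte type, 1-byte length incl. header) into a dict."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def encrypt_password(secret, req_auth, password):
    """RFC 2865 5.2: c1 = p1 ^ MD5(S+RA), c_i = p_i ^ MD5(S + c_{i-1}); pads to 16."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def decrypt_password(secret, req_auth, cipher):
    """Inverse of encrypt_password; the chain uses the previous ciphertext block."""
    if not cipher or len(cipher) % 16:
        raise ValueError("bad User-Password length")
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode()

def message_authenticator_ok(secret, packet):
    """RFC 3579 3.2: HMAC-MD5 over the packet with attribute 80's value zeroed.
    A request without the attribute passes (legacy behaviour); a wrong key fails."""
    i = 20
    while i + 1 < len(packet):
        t, l = packet[i], packet[i + 1]
        if t == ATTR_MSG_AUTH and l == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expect = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expect, packet[i + 2:i + 18])
        i += max(l, 2)
    return True

def build_request(secret, ident, username, password, req_auth):
    """Client side (used for testing): User-Name, User-Password, Message-Authenticator."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode()
    enc = encrypt_password(secret, req_auth, password)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(enc)]) + enc
    attrs += bytes([ATTR_MSG_AUTH, 18]) + b"\x00" * 16  # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(secret, req_auth, resp):
    """What the client checks on receipt: recompute the Response Authenticator."""
    expect = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expect, resp[4:20])

def handle_access_request(client_ip, packet, now=None):
    """Return (decision, reply); reply is None when the request is silently discarded."""
    secret = lookup_secret(client_ip)
    if secret is None:
        return "discard: client not managed", None
    if len(packet) < 20 or len(packet) > 4096:
        return "discard: bad length", None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "discard: bad header", None
    if not message_authenticator_ok(secret, packet):
        return "discard: Message-Authenticator mismatch", None
    req_auth = packet[4:20]
    try:
        attrs = parse_attrs(packet[20:])
        username = attrs[ATTR_USER_NAME].decode()
        password = decrypt_password(secret, req_auth, attrs[ATTR_USER_PASSWORD])
    except (KeyError, ValueError):  # UnicodeDecodeError is a ValueError
        return "discard: malformed attributes", None
    acct = USERS.get(username)
    now = time.time() if now is None else now
    if (acct is None or acct["expires"] <= now
            or not hmac.compare_digest(acct["password"].encode(), password.encode())):
        return "reject", build_response(ACCESS_REJECT, ident, req_auth, secret)
    msg = f"authority={acct['authority']}".encode()  # constructed: authority in Reply-Message
    reply_attrs = bytes([ATTR_REPLY_MESSAGE, 2 + len(msg)]) + msg
    return "accept", build_response(ACCESS_ACCEPT, ident, req_auth, secret, reply_attrs)
```

Two points worth noting from the code. A request from an address outside the managed client range is dropped before any cryptographic work, which is what the managed-client check buys you: unmanaged sources cannot even trigger a Reject. Without a Message-Authenticator, a request hidden under the wrong shared key cannot be told apart from a wrong password (the decrypted User-Password is simply garbage), so the server answers with an Access-Reject instead of silently discarding; with the attribute present, the HMAC fails first and the packet is discarded.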