RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

radius-server timeout < 1 .. 15 >

 

 

Specifies the maximum time the switch waits for a response

 

 

to an authentication request before counting the attempt as

 

 

a failure. (Default: 3 seconds; Range: 1 - 15 seconds)

 

 

radius-server retransmit < 1 .. 5 >

 

 

If a RADIUS server fails to respond to an authentication

 

 

request, specifies how many retries to attempt before closing

 

 

the session. Default: 3; Range: 1 - 5)

 

 

 

Note

Where the switch has multiple RADIUS servers configured to support authen-

 

 

tication requests, if the first server fails to respond, then the switch tries the

 

 

next server in the list, and so-on. If none of the servers respond, then the switch

 

 

attempts to use the secondary authentication method configured for the type

 

 

of access being attempted (console, Telnet, or SSH). If this occurs, refer to

 

 

"RADIUS-Related Problems" in the Troubleshooting chapter of the Manage-

 

 

ment and Configuration Guide for your switch.

 

 

For example, suppose that your switch is configured to use three RADIUS

 

 

 

 

servers for authenticating access through Telnet and SSH. Two of these servers

 

 

use the same encryption key. In this case your plan is to configure the switch

 

 

with the following global authentication parameters:

 

 

Allow only two tries to correctly enter username and password.

 

 

Use the global encryption key to support the two servers that use the

 

 

same key. (For this example, assume that you did not configure these

 

 

two servers with a server-specific key.)

 

 

Use a dead-time of five minutes for a server that fails to respond to

 

 

an authentication request.

 

 

Allow three seconds for request timeouts.

 

 

Allow two retries following a request that did not receive a response.

 

 

 

 

 

 

Figure 3-5. Example of Global Configuration Exercise for RADIUS Authentication

3-13