RADIUS Authentication, Authorization, and Accounting

Configuring the Switch for RADIUS Authentication

Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.)

Determine whether you want to bypass a RADIUS server that fails to respond to requests for service. To shorten authentication time, you can set a bypass period in the range of 1 to 1440 minutes for non-responsive servers. This requires that you have multiple RADIUS servers accessible for service requests.

Optional: Determine whether the switch access level (Manager or Operator) for authenticated clients can be set by a Service Type value the RADIUS server includes in its authentication message to the switch. (Refer to “2. Enable the (Optional) Access Privilege Option” on page 5-13.)

Configure RADIUS on the server(s) used to support authentication on the switch.

Configuring the Switch for RADIUS Authentication

RADIUS Authentication Commands                               Page

aaa authentication                                           5-10
    console telnet ssh web < enable login <local radius>>    5-10
    web-based mac-based <chap-radius peap-radius>
    [ local none authorized]                                 5-10
    [login privilege-mode]*                                  5-13
[no] radius-server host < IP-address>                        5-14
    [auth-port < port-number>]                               5-14
    [acct-port < port-number>]                               5-14, 5-40
    [key < server-specific key-string >]                     5-14
[no] radius-server key < global key-string>                  5-18
radius-server timeout < 1 - 15>                              5-18
radius-server retransmit < 1 - 5 >                           5-18
[no] radius-server dead-time < 1 - 1440 >                    5-19
show radius                                                  5-46
    [< host < ip-address>]                                   5-47
show authentication                                          5-48
show radius authentication                                   5-49

*The web authentication option for the web browser interface is available on the switches covered in this guide.
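
The retry and bypass decisions described above can be compared with a small model before choosing values. This is an added example, not code from the switch or its vendor; it shows how the timeout, retransmit and dead-time ranges in the command table combine into login delay while the first of two servers is down. Assumptions: retransmit is treated as the number of tries per server, timeout is taken to be in seconds, servers are tried in order, and the class name, function names and addresses are constructed for illustration.

```python
"""Added model, not vendor code: login delay while a RADIUS server is down."""
from dataclasses import dataclass, field


@dataclass
class RadiusClientModel:
    servers: list        # server addresses, tried in configured order
    timeout: int = 5     # seconds per try (radius-server timeout, 1-15)
    retransmit: int = 3  # tries per server (radius-server retransmit, 1-5)
    dead_time: int = 0   # bypass minutes (radius-server dead-time, 1-1440); 0 = unset
    dead_until: dict = field(default_factory=dict)  # server -> second bypass ends

    def __post_init__(self):
        # Ranges are the ones listed in the command table.
        if not 1 <= self.timeout <= 15 or not 1 <= self.retransmit <= 5:
            raise ValueError("timeout must be 1-15 and retransmit 1-5")
        if self.dead_time and not 1 <= self.dead_time <= 1440:
            raise ValueError("dead-time must be 1-1440 minutes")

    def authenticate(self, now, responsive):
        """Return (answering server or None, seconds spent waiting on timeouts)."""
        # Assumption: if every server is currently bypassed, all are tried again.
        candidates = [s for s in self.servers
                      if self.dead_until.get(s, 0) <= now] or self.servers
        waited = 0
        for server in candidates:
            if server in responsive:
                return server, waited          # round-trip time ignored
            waited += self.timeout * self.retransmit   # every try timed out
            if self.dead_time:
                # Start the bypass period once the last try has failed.
                self.dead_until[server] = now + waited + self.dead_time * 60
        return None, waited


def login_delays(dead_time, logins=4, gap=60):
    """Delay of each login, one per `gap` seconds, while the first server is down."""
    # Constructed scenario: documentation-range addresses, second server healthy.
    model = RadiusClientModel(["192.0.2.10", "192.0.2.11"], dead_time=dead_time)
    return [model.authenticate(i * gap, {"192.0.2.11"})[1] for i in range(logins)]


if __name__ == "__main__":
    for minutes in (0, 1, 10):
        print(f"dead-time {minutes:>2} min -> delays {login_delays(minutes)}")
```

In this model, every login pays the full timeout-times-retransmit wait when no dead-time is set, while a bypass period limits that cost to the first login after each period expires.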
