RADIUS Authentication, Authorization, and Accounting

Configuring the Switch for RADIUS Authentication

Timeout Period: The timeout period the switch waits for a RADIUS

server to reply. (Default: 5 seconds; range: 1 to 15 seconds.)

Retransmit Attempts: The number of retries when there is no server

response to a RADIUS authentication request. (Default: 3; range of 1 to 5.)

Server Dead-Time:The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request. This avoids a wait for a request to time out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled; range: 1 - 1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again.

Number of Login Attempts: This is actually an aaa authentication command. It controls how many times per session a RADIUS client (and clients using other forms of access) can try to log in with the correct username and password. (Default: Three times per session.)

(For RADIUS accounting features, refer to “Configuring RADIUS Accounting” on page 5-37.)

1.Configure Authentication for the Access Methods You Want RADIUS To Protect

This section describes how to configure the switch for RADIUS authentication through the following access methods:

Console: Either direct serial-port connection or modem connection.

Telnet: Inbound Telnet must be enabled (the default).

SSH: To use RADIUS for SSH access, first configure the switch for SSH operation. Refer to chapter 6, “Configuring Secure Shell (SSH)” .

Web: You can enable RADIUS authentication for web browser inter- face access to the switch.

You can configure RADIUS as the primary password authentication method for the above access methods. You also need to select either local, none, or authorized as a secondary, or backup, method. Note that for console access, if you configure radius (or tacacs) for primary authentication, you must config-

5-10