Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks. The RADIUS server maintains a user database, which contains per-user authentication information. RADIUS servers provide a centralized authentication method for:
The RADIUS folder contains links to pages that help you view and configure system RADIUS settings.
Use the RADIUS Configuration page to view and configure various settings for the RADIUS servers configured on the system.
To access the RADIUS Configuration page, click Security > RADIUS > Configuration in the navigation menu.
Field | Description |
---|---|
Number of Configured Authentication Servers | The number of RADIUS authentication servers configured on the system. The value can range from 0 to 32. |
Number of Configured Accounting Servers | The number of RADIUS accounting servers configured on the system. The value can range from 0 to 32. |
Number of Named Authentication Server Groups | The number of authentication server groups configured on the system. An authentication server group contains one or more configured authentication servers that share the same RADIUS server name. |
Number of Named Accounting Server Groups | The number of accounting server groups configured on the system. An accounting server group contains one or more configured authentication servers that share the same RADIUS server name. |
Max Number of Retransmits | The maximum number of times a request packet is retransmitted. The valid range is 1-15. Consider the maximum delay time when configuring RADIUS max retransmit and RADIUS timeout. If multiple RADIUS servers are configured, the max retransmit value on each will be exhausted before the next server is attempted. A retransmit will not occur until the configured timeout value on that server has passed without a response from the RADIUS server. Therefore, the maximum delay in receiving a response from the RADIUS application equals the sum of (retransmit times timeout) for all configured servers. If the RADIUS request was generated by a user login attempt, all user interfaces will be blocked until the RADIUS application returns a response. |
Timeout Duration (secs) | The timeout value, in seconds, for request retransmissions. The valid range is 1-30. See the Max Number of Retransmits field description for more information about configuring the timeout duration. |
Accounting Mode | Use the menu to select whether the RADIUS accounting mode is enabled or disabled on the current server. |
Enable RADIUS Attribute 4 (NAS-IP Address) | Select the check box to allow the switch to include the network access server (NAS) IP address in Access-Request packets. |
NAS-IP Address | Enter the IP address of the NAS. This field can be edited only when the Enable RADIUS Attribute 4 field is selected. The address should be unique to the NAS within the scope of the RADIUS server. The NAS IP address is only used in Access-Request packets. |
Use the buttons at the bottom of the page to perform the following actions:
From the Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information. The RADIUS client on the switch supports up to 32 named authentication and accounting servers.
To access the RADIUS Server Configuration page, click Security > RADIUS > Server Configuration in the navigation menu.
Field | Description |
---|---|
RADIUS Server Host Address | To configure a new RADIUS server, select the Add option from the menu. To view or configure a RADIUS server that is already configured on the system, select its IP address from the menu. |
Host Address | Enter the IP address of the RADIUS server to add. This field is only available when Add is selected in the RADIUS Server Host Address field. |
RADIUS Server Name | Enter the name of the RADIUS server. The name can contain up to 31 alphanumeric characters. Spaces, hyphens, and underscores are also permitted. If you do not assign a name, the server is assigned the default name Default-RADIUS-Server. You can use the same name for multiple RADIUS Authentication servers. RADIUS clients can use RADIUS servers with the same name as backups for each other. |
After you enter the RADIUS server information, click Submit to apply the changes to the system. The page refreshes, and additional RADIUS server configuration fields appear.
If at least one RADIUS server is configured on the switch, and a host address is selected in the RADIUS Server Host Address field, then additional fields are available on the RADIUS Server Configuration page. After you add a RADIUS server, use the Server Configuration page to configure the server settings.
If you select Add from the RADIUS Server Host Address field, the page refreshes and several of the configuration options are hidden.
Field | Description |
---|---|
RADIUS Server Host Address | Use the drop-down menu to select the IP address of the RADIUS server to view or configure. Select Add to configure additional RADIUS servers. |
Port | Identifies the authentication port the server uses to verify the RADIUS server authentication. The port is a UDP port, and the valid range is 1-65535. The default port for RADIUS authentication is 1812. |
Secret | Shared secret text string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This secret must match the RADIUS encryption. |
Apply | The Secret will only be applied if this box is checked. If the box is not checked, anything entered in the Secret field will have no effect and will not be retained. This field is only displayed if the user has READWRITE access. |
Primary Server | Sets the selected server to the Primary (Yes) or Secondary (No) server. If you configure multiple RADIUS servers with the same RADIUS Server Name, designate one server as the primary and the other(s) as the backup server(s). The switch attempts to use the primary server first, and if the primary server does not respond, the switch attempts to use one of the backup servers with the same RADIUS Server Name. |
Message Authenticator | Enable or disable the message authenticator attribute for the selected server. |
Secret Configured | Indicates whether the shared secret for this server has been configured. |
Current | Indicates whether the selected RADIUS server is the current server (Yes) or a backup server (No). If more than one RADIUS server is configured with the same name, the switch selects one of the servers to be the current server from the group of servers with the same name. When the switch sends a RADIUS request to the named server, the request is directed to the server selected as the current server. Initially the primary server is selected as the current server. If the primary server fails, one of the other servers becomes the current server. If the primary server is not configured, the current server is the most recently configured RADIUS server. |
RADIUS Server Name | Shows the RADIUS server name. To change the name, enter up to 31 alphanumeric characters. Spaces, hyphens, and underscores are also permitted. If you do not assign a name, the server is assigned the default name Default-RADIUS-Server. You can use the same name for multiple RADIUS Authentication servers. RADIUS clients can use RADIUS servers with the same name as backups for each other. |
Use the buttons at the bottom of the page to perform the following actions:
The RADIUS Named Server Status page shows summary information about the RADIUS servers configured on the system. To access the RADIUS Named Server Status page, click Security > RADIUS > Named Server Status in the navigation menu.
Field | Description |
---|---|
Current | An asterisk (*) in the column indicates that the server is the current server for the authentication server group. If no asterisk is present, the server is a backup server. If more than one RADIUS server is configured with the same name, the switch selects one of the servers to be the current server from the group of servers with the same name. When the switch sends a RADIUS request to the named server, the request is directed to the server selected as the current server. Initially the primary server is selected as the current server. If the primary server fails, one of the other servers becomes the current server. |
RADIUS Server Host Address | Shows the IP address of the RADIUS server. |
RADIUS Server Name | Shows the RADIUS server name. Multiple RADIUS servers can have the same name. In this case, RADIUS clients can use RADIUS servers with the same name as backups for each other. |
Port Number | Identifies the authentication port the server uses to verify the RADIUS server authentication. The port is a UDP port. |
Server Type | Shows whether the server is a Primary or Secondary server. |
Secret Configured | Indicates whether the shared secret for this server has been configured. |
Message Authenticator | Shows whether the message authenticator attribute for the selected server is enabled or disabled. |
Click Refresh to update the page with the most current information.
Use the RADIUS Server Statistics page to view statistical information for each RADIUS server configured on the system.
To access the RADIUS Server Statistics page, click Security > RADIUS > Server Statistics in the navigation menu.
Field | Description |
---|---|
RADIUS Server Host Address | Use the drop-down menu to select the IP address of the RADIUS server for which to display statistics. |
Round Trip Time (secs) | The time interval, in hundredths of a second, between the most recent Access-Reply/Access-Challenge and the Access-Request that matched it from this RADIUS authentication server. |
Access Requests | The number of RADIUS Access-Request packets sent to this server. This number does not include retransmissions. |
Access Retransmissions | The number of RADIUS Access-Request packets retransmitted to this server. |
Access Accepts | The number of RADIUS Access-Accept packets, including both valid and invalid packets, that were received from this server. |
Access Rejects | The number of RADIUS Access-Reject packets, including both valid and invalid packets, that were received from this server. |
Access Challenges | The number of RADIUS Access-Challenge packets, including both valid and invalid packets, that were received from this server. |
Malformed Access Responses | The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or signature attributes or unknown types are not included as malformed access-responses. |
Bad Authenticators | The number of RADIUS Access-Response packets containing invalid authenticators or signature attributes received from this server. |
Pending Requests | The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response. |
Timeouts | The number of authentication timeouts to this server. |
Unknown Types | The number of RADIUS packets of unknown type which were received from this server on the authentication port. |
Packets Dropped | The number of RADIUS packets received from this server on the authentication port and dropped for some other reason. |
Click Refresh to update the page with the most current information.
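The Malformed Access Responses, Bad Authenticators and Unknown Types counters separate three different failures of a server reply, and the Secret and Message Authenticator settings decide which replies pass. The following added example (not code from the switch or its vendor) classifies a reply using the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator checks. The function names, the order of the checks, the `dropped` outcome for a missing Message-Authenticator, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

RESPONSE_CODES = {2: "access_accept", 3: "access_reject", 11: "access_challenge"}
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def classify_response(pkt, request_auth, secret, require_msg_auth=True):
    """Return the counter a reply would increment (check order is an assumption)."""
    if len(pkt) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= min(len(pkt), 4096):
        return "malformed"                      # invalid Length field
    pkt = pkt[:length]                          # octets past Length are padding
    if code not in RESPONSE_CODES:
        return "unknown_type"
    header, attrs = pkt[:4], pkt[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return "bad_authenticator"
    pos, seen = 0, False
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return "malformed"                  # attribute overruns the packet
        alen = attrs[pos + 1]
        if attrs[pos] == MSG_AUTH:
            if alen != 18:
                return "malformed"
            # HMAC-MD5 over the packet with the attribute value zeroed
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, attrs[pos + 2:pos + 18]):
                return "bad_authenticator"      # the "signature attribute" case
            seen = True
        pos += alen
    if require_msg_auth and not seen:
        return "dropped"                        # assumed policy for this example
    return RESPONSE_CODES[code]

def build_response(code, ident, request_auth, secret, msg_auth=True):
    """Constructed test input: the reply a server holding `secret` would send."""
    attrs = bytes([MSG_AUTH, 18]) + bytes(16) if msg_auth else b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if msg_auth:
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = bytes([MSG_AUTH, 18]) + mac
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

REQ_AUTH = bytes(range(16))                     # constructed Request Authenticator
SECRET = b"constructed-shared-secret"           # constructed sample secret
GOOD = build_response(2, 7, REQ_AUTH, SECRET)
```

A rising Bad Authenticators count with a flat Malformed count usually points at a shared-secret mismatch between the switch and the server rather than at packet corruption.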
From the Accounting Server Configuration page, you can add a new RADIUS accounting server, configure settings for a new or existing RADIUS accounting server, and view RADIUS accounting server status information. The RADIUS client on the switch supports up to 32 named authentication and accounting servers.
To access the RADIUS Named Accounting Server Status page, click Security > RADIUS > Accounting Server Configuration in the navigation menu.
Field | Description |
---|---|
Accounting Server Host Address | To configure a new RADIUS accounting server, select the Add option from the menu. To view or configure an accounting server that is already configured on the system, select its IP address from the menu. |
Host Address | Enter the IP address of the RADIUS accounting server to add. This field is only available when Add is selected in the Accounting Server Host Address field. |
RADIUS Accounting Server Name | Enter a name for the RADIUS accounting server. The name can contain up to 31 alphanumeric characters. Spaces, hyphens, and underscores are also permitted. If you do not assign a name, the server is assigned the default name Default-RADIUS-Server. You can use the same name for multiple RADIUS accounting servers. RADIUS clients can use accounting servers with the same name as backups for each other. |

After you enter the RADIUS accounting server information, click Submit to apply the changes to the system. The page refreshes, and additional accounting server configuration fields appear.
If at least one RADIUS accounting server is configured on the switch, and a host address is selected in the Accounting Server Host Address field, then additional fields are available on the Accounting Server Configuration page. After you add an accounting server, use the Accounting Server Configuration page to configure the server settings.
If you select Add from the Accounting Server Host Address field, the page refreshes and several of the configuration options are hidden.
Field | Description |
---|---|
Accounting Server Host Address | Use the drop-down menu to select the IP address of the accounting server to view or configure. Select Add to configure additional RADIUS servers. |
Port | Identifies the authentication port the server uses to verify the RADIUS accounting server authentication. The port is a UDP port, and the valid range is 1-65535. The default port for RADIUS accounting is 1813. |
Secret | Specifies the shared secret to use with the specified accounting server. This field is only displayed if you are logged into the switch with READWRITE access. |
Apply | The Secret will only be applied if this box is checked. If the box is not checked, anything entered in the Secret field will have no effect and will not be retained. This field is only displayed if you are logged into the switch with READWRITE access. |
Secret Configured | Indicates whether the shared secret for this server has been configured. |
RADIUS Accounting Server Name | Enter the name of the RADIUS accounting server. The name can contain up to 31 alphanumeric characters. Spaces, hyphens, and underscores are also permitted. If you do not assign a name, the server is assigned the default name Default-RADIUS-Server. You can use the same name for multiple RADIUS accounting servers. RADIUS clients can use accounting servers with the same name as backups for each other. |
Use the buttons at the bottom of the page to perform the following actions:
The RADIUS Named Accounting Server Status page shows summary information about the accounting servers configured on the system.
Field | Description |
---|---|
RADIUS Accounting Server Name | Shows the RADIUS accounting server name. Multiple RADIUS accounting servers can have the same name. In this case, RADIUS clients can use RADIUS servers with the same name as backups for each other. |
IP Address | Shows the IP address of the RADIUS server. |
Port Number | Identifies the authentication port the server uses to verify the RADIUS server authentication. The port is a UDP port. |
Secret Configured | Indicates whether the shared secret for this server has been configured. |
Click Refresh to update the page with the most current information.
Use the RADIUS Accounting Server Statistics page to view statistical information for each RADIUS server configured on the system.
To access the RADIUS Accounting Server Statistics page, click Security > RADIUS > Accounting Server Statistics in the navigation menu.
Field | Description |
---|---|
Accounting Server Host Address | Use the drop-down menu to select the IP address of the RADIUS accounting server for which to display statistics. |
Round Trip Time (secs) | Displays the time interval, in hundredths of a second, between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. |
Accounting Requests | The number of RADIUS Accounting-Request packets sent to this server. This number does not include retransmissions. |
Accounting Retransmissions | The number of RADIUS Accounting-Request packets retransmitted to this server. |
Accounting Responses | Displays the number of RADIUS packets received on the accounting port from this server. |
Malformed Access Responses | Displays the number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators and unknown types are not included as malformed accounting responses. |
Bad Authenticators | Displays the number of RADIUS Accounting-Response packets that contained invalid authenticators received from this accounting server. |
Pending Requests | The number of RADIUS Accounting-Request packets destined for this server that have not yet timed out or received a response. |
Timeouts | The number of accounting timeouts to this server. |
Unknown Types | The number of RADIUS packets of unknown type which were received from this server on the accounting port. |
Packets Dropped | The number of RADIUS packets received from this server on the accounting port and dropped for some other reason. |
Use the RADIUS Clear Statistics page to reset all RADIUS authentication and accounting statistics to zero.
To access the RADIUS Clear Statistics page, click Security > RADIUS > Clear Statistics in the navigation menu.
To clear all statistics for the RADIUS authentication and accounting server, click Clear.