||In node view
(single-shelf mode) or multishelf view (multishelf mode), click
Create to add a RADIUS server to the list of
authenticators. The Create RADIUS Server Entry dialog box appears.
|| Enter the
RADIUS server IP address in the Node Address field. If the node is an end
network element (ENE), enter the IP address of the gateway network element
(GNE) in this field.
The GNE passes
authentication requests from the ENEs in its network to the RADIUS server,
which grants authentication if the GNE is listed as a client on the server.
The RADIUS port numbers used for the ENE RADIUS configuration map
to the RADIUS configuration entries in the GNE. For example, the first RADIUS
authentication port number configured in ENE (1860) maps to the first RADIUS
authentication entry in the GNE. The port number 1863 maps to the fourth entry
in the GNE and so on.
The same logic applies to the RADIUS accounting ports, starting
with port number 1870 for the first entry.
In ONS 15454
Software Release 9.1 and later, you can configure IPv6 addresses for RADIUS
servers, in addition to IPv4 addresses.
Because ENE nodes use the GNE to pass authentication requests to the RADIUS server, you
must add the ENEs to the RADIUS server individually for authentication. If you
do not add the ENE node to a RADIUS server prior to activating RADIUS
authentication, no user will be able to access the node. Refer to the
for Cisco Secure ACS for Windows Server for more information about adding a
node to a RADIUS server.
If there are 5 NEs, namely A, B, C, D, and E, with A as the GNE and the others as ENEs,
the sequence must be as follows:
- Add all the 5 IPs (A, B, C,
D, and E) in RADIUS Server.
- Enable RADIUS
authentication on the nodes in the sequence: A, B, C, D, and E where A is GNE
and others are ENE.
In the above
sequence, if CTC disconnects after enabling RADIUS on A, the user will still be
able to access the ENEs even though RADIUS is not enabled on them. If the above
sequence is reversed, the user will not be able to log in to the ENE nodes if
|| Enter the
shared secret in the Shared Secret field. A shared secret is a masked text
string that serves as a password between a RADIUS client and RADIUS server.
|| Re-enter the
shared secret in the Confirm Shared Secret field.
secret used for TACACS+ authentication is not masked.
|| Enter the
RADIUS authentication port number in the Authentication Port field. The default
port is 1812. If the node is an ENE, set the authentication port to a number
within the range of 1860 to 1869.
|| Enter the
RADIUS accounting port in the Accounting Port field. The default port is 1813.
If the node is an ENE, set the accounting port to a number within the range of
1870 to 1879.
server details such as node address, authentication port, and accounting port
are added to the list of RADIUS authenticators. The RADIUS authenticators list
does not display the shared secret since it is masked.
You can add up
to 10 RADIUS servers to a node's list of authenticators.
Click Edit to make changes to an existing RADIUS server.
You can change the IP address, the shared secret, the authentication port, and
the accounting port.
Click Delete to delete the selected RADIUS server.
||Select a server
Down to reorder that server in the list of RADIUS authenticators.
The node requests authentication from the servers sequentially from top to
bottom. If one server is unreachable, the node will request authentication from
the next RADIUS server on the list.
RADIUS Authentication check box to activate remote-server
authentication for the node.
Click the Enable RADIUS
Accounting check box if you want to show RADIUS authentication
information in the audit trail.
|| Click the
the Node as the Final Authenticator check box if you want the node
to be the final authenticator. This means that if every RADIUS authenticator is
unavailable, the node will authenticate the login rather than locking the user
Click Apply to save all changes or
Reset to clear all changes.
|| Return to your
originating procedure (NTP).
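
The ENE-to-GNE port mapping and the enable sequence described in the steps above can be checked before RADIUS is activated on any node. The following Python is an added example, not Cisco code: the function names, the data layout, and the sample addresses are assumptions made for illustration.

```python
from ipaddress import ip_address  # normalizes IPv4 and IPv6 spellings

AUTH_BASE, ACCT_BASE, MAX_SERVERS = 1860, 1870, 10  # values from the procedure

def gne_entry_for(port, base):
    """Map an ENE-side port to the 1-based GNE RADIUS entry it selects."""
    entry = port - base + 1  # 1860 -> entry 1, 1863 -> entry 4
    if not 1 <= entry <= MAX_SERVERS:
        raise ValueError(f"port {port} is outside {base}-{base + MAX_SERVERS - 1}")
    return entry

def check_ene_entry(gne_ip, gne_entry_count, node_address, auth_port, acct_port):
    """Return the problems in one ENE RADIUS server entry (empty list = consistent)."""
    problems = []
    if ip_address(node_address) != ip_address(gne_ip):
        problems.append(f"Node Address {node_address} is not the GNE address {gne_ip}")
    for kind, port, base in (("authentication", auth_port, AUTH_BASE),
                             ("accounting", acct_port, ACCT_BASE)):
        try:
            entry = gne_entry_for(port, base)
        except ValueError as exc:
            problems.append(f"{kind}: {exc}")
            continue
        if entry > gne_entry_count:
            problems.append(f"{kind} port {port} selects GNE entry {entry}, "
                            f"but the GNE has only {gne_entry_count}")
    return problems

def check_rollout(gne_ip, ene_ips, radius_clients, enable_order):
    """Check the enable sequence: every NE is a RADIUS client, GNE is enabled first."""
    problems = []
    clients = {ip_address(c) for c in radius_clients}
    for ip in [gne_ip, *ene_ips]:
        if ip_address(ip) not in clients:
            problems.append(f"{ip} is not a client on the RADIUS server")
    if enable_order and ip_address(enable_order[0]) != ip_address(gne_ip):
        problems.append("RADIUS must be enabled on the GNE before any ENE")
    return problems

# Constructed sample data (RFC 5737 documentation addresses), not from the page.
GNE, ENES = "192.0.2.1", ["192.0.2.2", "192.0.2.3"]

if __name__ == "__main__":
    print(check_ene_entry(GNE, 2, GNE, 1860, 1870))              # consistent entry
    print(check_ene_entry(GNE, 2, "198.51.100.10", 1812, 1873))  # three problems
    print(check_rollout(GNE, ENES, {GNE, ENES[0]}, [ENES[0], GNE]))
```

An ENE entry that uses the default ports 1812 and 1813, or that carries the RADIUS server address instead of the GNE address, is reported before it can leave the node unreachable.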