Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides an authentication mechanism for devices to connect and use network services. These services range from access to shared files to shared printing. A RADIUS server regulates user access to a computer network by checking user credentials. For example, when a public wireless (WiFi) network is installed on a university campus, unauthorized users cannot use the network; only those to whom the university has given a password can access it. The RADIUS server checks the passwords entered by the users and grants or denies access as appropriate. This feature is useful to secure the network against unauthorized access.
This article explains how to configure RADIUS settings on ESW2 350G Series Managed Switches.
• ESW2-350G-52
• ESW2-350G-52DC
• 1.3.0.62
Step 1. Log in to the web configuration utility and choose Security > RADIUS. The RADIUS page opens:
Note: RADIUS Accounting for Management Access can only be enabled when TACACS Accounting is disabled. Refer to the article Configuration of TACACS+ Parameters and TACACS+ Server on ESW2-350G Switches for more information on this.
Step 2. Click a radio button for the RADIUS accounting type to be used in the RADIUS Accounting field.
RADIUS Accounting allows information to be shared between the client and the server. Data is sent at the beginning of the session and at the end of the session indicating the resources used during the session.
• Port Based Access Control — This option specifies that the RADIUS server is used for 802.1X port accounting for the server/client interaction.
• Management Access — This option specifies that the RADIUS server is used for user login accounting for the server/client interaction.
• Both Port Based Access Control and Management Access — This option specifies that the RADIUS server is used for both 802.1X port accounting and user login accounting for the server/client interaction.
• None — This option does not permit accounting on the RADIUS server.
Step 3. In the Retries field, enter the number of times a request can be sent before a failure notice is given.
Step 4. In the Timeout for Reply field, enter the time (in seconds) before an unanswered request is resent.
Step 5. In the Dead Time field, enter the time (in minutes) before an unresponsive RADIUS server is bypassed and the switch moves to the next available server to attempt a connection. A value of 0 means that the RADIUS server is not bypassed.
Step 6. In the Key String field, click the desired radio button to choose the type of key string to use, then enter a key string that helps encrypt messages between the server and client. The key string must match the key string of the RADIUS server. You can enter the key string in the following ways:
• Encrypted — You can enter the key string in encrypted form.
• Plaintext — If you do not have an encrypted key string from another device, enter the key string as plaintext.
Step 7 (Optional). In the Source IPv4 Address field, enter the source IPv4 address to be used.
Step 8 (Optional). In the Source IPv6 Address field, enter the source IPv6 address to be used.
Note: The Source IPv4 and Source IPv6 fields are only available if the switch is in Layer 3 mode. To switch to Layer 3 mode, refer to the article Configure System Settings on ESW2-350G Switches.
Step 9. Click Apply. A prompt is displayed at the top of the page to indicate whether the configuration is successful or not. There is also a prompt to copy/save the configuration to a file.
Note: To copy/save the configuration to a file, refer to Copy or Save Configuration on ESW2-350G switch.
Step 10. Click Display Sensitive Data As Plaintext to display sensitive data in plain text.
The RADIUS table allows a user to add or edit a configured RADIUS server.
This procedure shows how to add a RADIUS server.
Step 1. In the RADIUS Table, click Add to add a RADIUS server. The Add RADIUS Server window appears.
Note: To edit a current RADIUS server, click Edit and edit the properties of the RADIUS server.
Step 2. In the Server Definition field, click the desired radio button to choose if the RADIUS server is specified by IP address or name.
• By IP address — This option defines the RADIUS server by the IP address.
• By name — This option defines the RADIUS server by the name.
Step 3. In the IP Version field, click the desired radio button to choose if the IP address of the RADIUS server is version 6 or version 4.
• Version 6 — This option sets the IP address of the RADIUS server to the known IPv6 address.
• Version 4 — This option sets the IP address of the RADIUS server to the known IPv4 address.
Note: If IPv4 is chosen, the IPv6 Address Type field and the Link Local Interface field are dimmed.
Step 4. If you clicked the Version 6 radio button in Step 3, choose the IPv6 address type. The options are:
• Link Local — The hosts on a single network are uniquely identified in the IPv6 address. FE80 is the prefix of a link local address. This address is not routable from outside the network. Only one link local address is supported.
• Global — The IPv6 address is a global unicast address that is routable from outside the local network.
Step 5. From the Link Local Interface drop-down list choose the desired link local interface from the available IPv6 interfaces created on the switch.
Step 6. In the Server IP Address/Name field, enter the name or IP address for the RADIUS server based on your choice in Step 2.
Step 7. In the Priority field, enter a priority level for the RADIUS server. The priority determines the order in which the switch attempts to connect to the RADIUS servers to authenticate a user. The value 0 is the top priority.
Note: If the switch is unable to connect to the RADIUS server with the highest priority then the switch tries to connect with the next highest priority server.
Step 8. In the Key String field, enter a key string that helps encrypt messages between the server and client. The key string must match the key string of the RADIUS server. You can enter the key string in different ways as follows:
• Use Default — Sets the key string of the RADIUS server to the default string.
• User Defined — Allows a user to enter the key string in the adjacent field. You can enter user-defined values in one of the two ways as follows:
– Encrypted — You can enter the key string in encrypted form.
– Plaintext — If you do not have the encrypted key string from another device, you can enter the key string as plaintext.
Step 9. In the Timeout for Reply field, click the radio button to set the time (in seconds) for which the switch waits for the RADIUS server to respond.
• Use Default — Sets the time to the default value.
• User Defined — Allows a user to enter the time in the adjacent field.
Step 10. In the Authentication Port field, enter the port number used by the RADIUS server for authentication requests.
Step 11. In the Accounting Port field, enter the port number used by the RADIUS server for accounting requests.
Step 12. In the Retries field, click the radio button for the number of requests that are sent to the RADIUS server before a failure notice occurs.
• Use Default — Uses the default number of retries.
• User Defined — Allows a user to enter the number of retries in the adjacent field.
Step 13. In the Dead Time field, click the radio button for the time in minutes before a RADIUS server is bypassed for being unresponsive.
• Use Default — Uses the default time.
• User Defined — Allows a user to enter the time in the adjacent field.
Note: If you select the Use Default option in Step 8, Step 9, Step 12 and Step 13, the default RADIUS configuration is used. See the article Configuration of Default RADIUS settings.
Step 14. In the Usage Type field, choose an option for RADIUS server authentication type.
• Login — Authenticates the user for the RADIUS server.
• 802.1X — Uses 802.1X authentication.
• All — Performs both authentications.
Step 15. Click Display Sensitive Data As Plaintext to display sensitive data in plain text.
Step 16. Click Apply. A prompt is displayed at the top of the page to indicate whether the configuration is successful or not. There is also a prompt to copy/save the configuration to a file. The window closes and the RADIUS table is updated.
Note: To copy/save the configuration to a file, refer to Copy or Save Configuration on ESW2-350G switch.
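Both Key String steps above (the default key string and the per-server key string) say the value must match the one on the RADIUS server. The following added example, which is not part of the original article or of the switch software, shows why, using the two computations RFC 2865 defines with the shared secret: User-Password hiding and the Response Authenticator. All function names and sample values are illustrative and constructed.

```python
import hashlib
import hmac
import struct

def _xor_stream(data, secret, request_auth, hiding):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous hidden block);
    # the Request Authenticator stands in for the block before the first.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, request_auth):
    """Switch side: value carried in the User-Password attribute."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(padded, secret, request_auth, hiding=True)

def reveal_password(hidden, secret, request_auth):
    """Server side: recover the password with the server's key string."""
    return _xor_stream(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def reply_is_authentic(packet, request_auth, secret):
    """Switch side: recompute the authenticator with the local key string."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = build_reply(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected[4:20], packet[4:20])

# Constructed sample values, not taken from any real device.
SWITCH_KEY, OTHER_KEY = b"constructed-key-string-A", b"constructed-key-string-B"
REQUEST_AUTH = bytes(range(16))  # a real client uses 16 random bytes per request
PASSWORD = b"constructed-user-password"
if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SWITCH_KEY, REQUEST_AUTH)
    print("matching key  :", reveal_password(hidden, SWITCH_KEY, REQUEST_AUTH))
    print("mismatched key:", reveal_password(hidden, OTHER_KEY, REQUEST_AUTH))
    reply = build_reply(2, 7, b"", REQUEST_AUTH, OTHER_KEY)  # 2 = Access-Accept
    print("reply accepted:", reply_is_authentic(reply, REQUEST_AUTH, SWITCH_KEY))
```

With a mismatched key string the server recovers garbage instead of the password, and the switch rejects the server's replies. In RFC 2865 the key string protects only the User-Password value and the integrity of replies; other attributes such as User-Name travel in clear text.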