Cisco 300 Series

Radius Workflow

To use a RADIUS server, do the following:

  1. Open an account for the device on the RADIUS server.
  2. Configure that server along with the other parameters in the RADIUS and Add RADIUS Server pages.

NOTE: If more than one RADIUS server has been configured, the device uses the configured priorities of the available RADIUS servers to select which one to use.

To set the RADIUS server parameters:

  1. Click Security > RADIUS.
  2. Enter the RADIUS Accounting option. The following options are available:
    • Port Based Access Control (802.1X, MAC Based)—Specifies that the RADIUS server is used for 802.1x port accounting.
    • Management Access—Specifies that the RADIUS server is used for user login accounting.
    • Both Port Based Access Control and Management Access—Specifies that the RADIUS server is used for both user login accounting and 802.1x port accounting.
    • None—Specifies that the RADIUS server is not used for accounting.
  3. Enter the default RADIUS parameters if required. Values entered in the Default Parameters are applied to all servers. If a value is not entered for a specific server (in the Add RADIUS Server page), the device uses the values in these fields.
    • Retries—Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred.
    • Timeout for Reply—Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.
    • Dead Time—Enter the number of minutes that elapse before a non-responsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.
    • Key String—Enter the default key string used for authenticating and encrypting between the device and the RADIUS server. This key must match the key configured on the RADIUS server. A key string is used to encrypt communications by using MD5. The key can be entered in Encrypted or Plaintext form. If you do not have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed.
    • This overrides the default key string if one has been defined.

    • Source IPv4 Address—(For devices in Layer 3 system mode) Enter the source IPv4 address to be used.
    • Source IPv6 Address—Enter the source IPv6 address to be used.
  4. Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.
  5. To add a RADIUS server, click Add.

  6. Enter the values in the fields for each RADIUS server. To use the default values entered in the RADIUS page, select Use Default.
    • Server Definition—Select whether to specify the RADIUS server by IP address or name.
    • IPv6 Address Type—Displays that IPv6 address type is Global.
    • IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:
      • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
      • Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
    • Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.
    • Server IP Address/Name—Enter the RADIUS server by IP address or name.
    • Priority—Enter the priority of the server. The priority determines the order in which the device attempts to contact the servers to authenticate a user. The device starts with the highest-priority RADIUS server. Zero is the highest priority.
    • Source IP Address—(For devices in Layer 3 system mode) Select to use either the default source address or select one of the available IP addresses.
    • Key String—Enter the key string used for authenticating and encrypting communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. It can be entered in Encrypted or Plaintext format. If Use Default is selected, the device attempts to authenticate to the RADIUS server by using the default Key String.

    • Timeout for Reply—Enter the number of seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server if the maximum number of retries has been made. If Use Default is selected, the device uses the default timeout value.
    • Authentication Port—Enter the UDP port number of the RADIUS server port for authentication requests.
    • Accounting Port—Enter the UDP port number of the RADIUS server port for accounting requests.
    • Retries—Enter the number of requests that are sent to the RADIUS server before a failure is considered to have occurred. If Use Default is selected, the device uses the default value for the number of retries.
    • Dead Time—Enter the number of minutes that must pass before a non-responsive RADIUS server is bypassed for service requests. If Use Default is selected, the device uses the default value for the dead time. If you enter 0 minutes, there is no dead time.
    • Usage Type—Enter the RADIUS server authentication type. The options are:
      • Login—RADIUS server is used for authenticating users that ask to administer the device.
      • 802.1X—RADIUS server is used for 802.1x authentication.
      • All—RADIUS server is used for authenticating users that ask to administer the device and for 802.1X authentication.
  7. To display sensitive data in plaintext form in the configuration file, click Display Sensitive Data As Plaintext.
  8. Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.