RADIUS Client

Remote Authorization Dial-In User Service (RADIUS) servers provide centralized 802.1X or MAC-based network access control. The device can be configured as a RADIUS client that uses a RADIUS server to provide centralized security, and it can also be configured as a RADIUS server. An organization can use the device to establish a RADIUS server that provides centralized 802.1X or MAC-based network access control for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

Use RADIUS in network environments that require access security. To set the RADIUS server parameters, follow these steps:

Procedure


Step 1

Click Security > RADIUS Client.

Step 2

Enter the RADIUS Accounting option. The following options are available:

  • Port Based Access Control (802.1X, MAC Based, Web Authentication)—Specifies that the RADIUS server is used for 802.1X port accounting.

  • Management Access—Specifies that the RADIUS server is used for user login accounting.

  • Both Port Based Access Control and Management Access—Specifies that the RADIUS server is used for both user login accounting and 802.1X port accounting.

  • None—Specifies that the RADIUS server is not used for accounting.

Step 3

Enter the default RADIUS parameters if required. Values entered in the Default Parameters are applied to all servers. If a value is not entered for a specific server (in the Add RADIUS Server page) the device uses the values in these fields.

  • Retries—Enter the number of requests that are sent to the RADIUS server before a failure is considered to have occurred.

  • Timeout for Reply—Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.

  • Dead Time—Enter the number of minutes that elapse before a non-responsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.

  • Key String—Enter the default key string used for authenticating and encrypting communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. A key string is used to encrypt communications by using MD5. The key can be entered in Encrypted or Plaintext form. If you do not have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed.

This overrides the default key string if one has been defined.

  • Source IPv4 Interface—Select the device IPv4 source interface to be used in messages for communication with the RADIUS server.

  • Source IPv6 Interface—Select the device IPv6 source interface to be used in messages for communication with the RADIUS server.

Note

If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

Step 4

Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.

Step 5

To add a RADIUS server, click Add.

Step 6

Enter the values in the fields for each RADIUS server.

  • Server Definition—Select whether to specify the RADIUS server by IP address or name.

  • IP Version—Select the version of the IP address of the RADIUS server.

  • IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:

    • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

    • Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.

  • Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.

  • Server IP Address/Name—Enter the RADIUS server by IP address or name.

  • Priority—Enter the priority of the server. The priority determines the order in which the device attempts to contact the servers to authenticate a user. The device starts with the highest priority RADIUS server. Zero is the highest priority.

  • Key String—Enter the key string used for authenticating and encrypting communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. It can be entered in Encrypted or Plaintext format. If Use Default is selected, the device attempts to authenticate to the RADIUS server by using the default Key String.

  • Timeout for Reply—Select User Defined and enter the number of seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server if the maximum number of retries has been made. If Use Default is selected, the device uses the default timeout value.

  • Authentication Port—Enter the UDP port number of the RADIUS server port for authentication requests.

  • Accounting Port—Enter the UDP port number of the RADIUS server port for accounting requests.

  • Retries—Select User Defined and enter the number of requests that are sent to the RADIUS server before a failure is considered to have occurred. If Use Default is selected, the device uses the default value for the number of retries.

  • Dead Time—Select User Defined and enter the number of minutes that must pass before a non-responsive RADIUS server is bypassed for service requests. If Use Default is selected, the device uses the default value for the dead time. If you enter 0 minutes, there is no dead time.

  • Usage Type—Enter the RADIUS server authentication type. The options are:

    • Login—RADIUS server is used for authenticating users that ask to administer the device.

    • 802.1X—RADIUS server is used for 802.1X authentication.

    • All—RADIUS server is used for authenticating users that ask to administer the device and for 802.1X authentication.

Step 7

Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.

Step 8

To display sensitive data in plaintext form on the page, click Display Sensitive Data As Plaintext.
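The Key String fields in Steps 3 and 6 hold the RADIUS shared secret. The following added example (not taken from this guide or from the device's software) follows RFC 2865 to show the two places where the key and MD5 are used: hiding the User-Password attribute and authenticating the server's reply. All keys, passwords, and authenticator values in it are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS Code field value defined in RFC 2865

def hide_password(password, secret, request_auth):
    """Client side, RFC 2865 sec. 5.2: XOR the padded password with MD5 blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev  # each ciphertext block seeds the next MD5 block
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side: rebuild the same MD5 blocks from its own copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def reply_is_authentic(packet, request_auth, secret):
    """Client (device) side: recompute the Response Authenticator with the local key."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False  # malformed length, reject before hashing
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed; real clients use an unpredictable random value
    server_key, typo_key = b"constructed-key-A", b"constructed-key-a"
    hidden = hide_password(b"constructed-password", typo_key, ra)
    print("server recovers:", reveal_password(hidden, server_key, ra))
    reply = build_reply(ACCESS_ACCEPT, 1, b"", ra, server_key)
    print("device accepts reply (matching key):", reply_is_authentic(reply, ra, server_key))
    print("device accepts reply (typo key):", reply_is_authentic(reply, ra, typo_key))
```

Under RFC 2865 a reply that fails the authenticator check is silently discarded, so a mismatched key string appears on the device as timeouts and retries rather than as an explicit error. Only the User-Password attribute is hidden this way; other attributes in the packet are sent in the clear.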