Procedure 5-10: Radius authentication server configuration

- Overview

An Authentication Server simplifies the authentication and management of users in a large network. One such type of Authentication Server supports the Remote Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865.

Use this procedure to configure the VLNC4x/VLNC6x to use a RADIUS server on your network for authentication.

To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared secret. This secret is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The secret is never transmitted over the network.
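The following Python example is added here to show what the shared secret actually does on the wire; it is not part of the original procedure and is not Alcatel-Lucent code. It implements the RFC 2865 constructions the paragraph refers to: the client hides the User-Password attribute using MD5 over the secret and the Request Authenticator, the server recovers it with the same secret, and the Response Authenticator lets the client verify that the reply came from a party holding the secret. All names, the secret and the user database are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Decode a run of TLV attributes into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): every 16-octet block is XORed
    with MD5(secret || previous ciphertext block); the first block uses the
    Request Authenticator. The secret itself never appears in the packet."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client side: a fresh random Request Authenticator salts the hidden password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_check(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password with the shared secret and answer."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, identifier,
                        response_authenticator(reply, identifier, request_auth, b"", secret), b"")


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not match the shared secret is dropped."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    req = build_access_request(7, b"admin", b"hunter2", secret)
    resp = server_check(req, secret, {b"admin": b"hunter2"})
    print("accept:", resp[0] == ACCESS_ACCEPT, "authentic:", verify_response(resp, req[4:20], secret))
```

Running the demo with a server that holds a different secret produces an Access-Reject (the password does not unhide correctly) whose authenticator the client also refuses, which is exactly the failure mode a mistyped Secret field in step 6 causes.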

To use RADIUS authentication, you need to create an authentication login list, which uses RADIUS as the primary authentication method, and local authentication as a backup method in the event that the RADIUS server cannot be contacted. The authentication list is then associated with the default login. See Procedure 5-4.10: User accounts, logins, and authentication.

Step 1

From the Navigation menu, select System → RADIUS → Configuration.

Result:

The RADIUS Configuration window opens.


Step 2

Configure the following RADIUS parameters for the switch:

  • Current Server IP Address - This is a display only. The configured server currently in use for authentication.

    Equivalent CLI command: show radius.

  • Number of Configured Servers - This is a display only. Number of servers configured. Up to 3 servers may be configured per RADIUS client.

    Equivalent CLI command: show radius.

  • Max Number of Retransmits - Enter the maximum number of times a request packet is re-transmitted when no response is received from the RADIUS server. Range 1 to 15. Default is 2.

    Equivalent CLI command: radius server retransmit <retries>.

  • Timeout Duration (Secs) - Enter the timeout value (in seconds) after which a request must be retransmitted to the RADIUS server if no response is received. Range 1 to 30. Default is 5.

    Equivalent CLI command: radius server timeout <seconds>.

Give consideration to the maximum delay time when configuring the RADIUS max retransmit and RADIUS timeout values. If multiple RADIUS servers are configured, the max retransmit value on each server is exhausted before the next server is attempted, and a retransmit does not occur until the configured timeout on that server has passed without a response. Therefore, the maximum delay in receiving a response from the RADIUS application equals the sum of (retransmit times timeout) over all configured servers. If the RADIUS request was generated by a user login attempt, all user interfaces are blocked until the RADIUS application returns a response.
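As an added illustration of the delay rule above (not part of the original procedure), the following Python helper applies the page's formula to a list of servers in the order the switch tries them, enforces the ranges the page gives for retransmits (1 to 15), timeout (1 to 30) and server count (up to 3), and reports when each fallback server would first be contacted. The login-delay budget is an assumed operational value, not something the page specifies.

```python
RETRANSMIT_RANGE = (1, 15)   # Max Number of Retransmits, per the page
TIMEOUT_RANGE = (1, 30)      # Timeout Duration in seconds, per the page
MAX_SERVERS = 3              # servers per RADIUS client, per the page


def worst_case_delay(servers):
    """servers: list of (retransmit, timeout) tuples in try order.
    Returns (per_server, first_attempt_at, total) in seconds, where
    per_server[i] = retransmit * timeout for server i (the page's formula),
    first_attempt_at[i] = seconds of silence before server i is first tried,
    and total is the longest time a login can hang with no server answering."""
    if not 1 <= len(servers) <= MAX_SERVERS:
        raise ValueError(f"between 1 and {MAX_SERVERS} servers may be configured")
    per_server, first_attempt_at, elapsed = [], [], 0
    for retransmit, timeout in servers:
        if not RETRANSMIT_RANGE[0] <= retransmit <= RETRANSMIT_RANGE[1]:
            raise ValueError(f"retransmit {retransmit} outside {RETRANSMIT_RANGE}")
        if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
            raise ValueError(f"timeout {timeout} outside {TIMEOUT_RANGE}")
        first_attempt_at.append(elapsed)
        per_server.append(retransmit * timeout)
        elapsed += retransmit * timeout
    return per_server, first_attempt_at, elapsed


def within_budget(servers, budget_secs):
    """True when the worst-case hang fits an assumed acceptable login delay."""
    return worst_case_delay(servers)[2] <= budget_secs


if __name__ == "__main__":
    defaults = [(2, 5)] * 3           # page defaults on all three servers
    print(worst_case_delay(defaults))  # ([10, 10, 10], [0, 10, 20], 30)
    print(within_budget([(15, 30)] * 3, 60))  # maximum settings: 1350 s, far over budget
```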


Step 3

Click Submit to send the updated configuration to the switch.


Step 4

From the Navigation menu, select System → RADIUS → Server Configuration.

Result:

The RADIUS Server Configuration window opens.

This window allows the user to add/remove the RADIUS servers to/from the switch. It displays the system setting initially. Equivalent CLI command: show radius servers.


Step 5

From the RADIUS Server IP Address dropdown box, select Add to configure a new server. Or select an existing server to view/change parameters.

Equivalent CLI command to add server IP address and port: radius server host auth <ipaddr> | <port>.

You can configure up to three servers per RADIUS client. If the maximum number of configured servers is reached, you cannot add a new server until you Remove one of the existing servers. Equivalent CLI command to remove server: no radius server host auth <ipaddr>.


Step 6

Configure the following RADIUS server parameters for the switch, as required:

  • IP Address — The IP address of the server being added.

  • Port — The UDP port used by this server. The valid range is 0 - 65535. Default is 1812.

  • Secret — This is the shared secret key between the server and RADIUS client. It is an alphanumeric string not exceeding 128 characters.

    Equivalent CLI command: radius server key auth <ipaddr>.

  • Apply — The Secret will only be applied if this box is checked. If the box is not checked, anything entered in the Secret field has no effect and is not retained. This field is only displayed if the user has READWRITE access.

  • Primary Server - Sets the selected server to the Primary or Secondary server.

    The primary server handles RADIUS requests. The remaining configured servers are only used if the primary server cannot be reached. You can configure up to three servers on each client, and only one of them can be configured as the primary. If a primary server is already configured when this command is executed, the server specified in this command becomes the new primary server.

    Equivalent CLI command: radius server primary <ipaddr>.

  • Secret Configured — Indicates if the shared secret for this server has been configured.

    Equivalent CLI command: show radius servers.

  • Current — Indicates if this server is currently in use as the authentication server.

    Equivalent CLI command: show radius servers.


Step 7

Click Submit to send the updated screen to the switch, or click Remove to remove the selected server from the configuration.


End of steps

Copyright © 2011 Alcatel-Lucent. All rights reserved.