Add RADIUS Authentication Server Window


This window lets you add a RADIUS server to Policy Manager for the purpose of authentication. Access this window by clicking Add in the RADIUS Server(s) Authentication sub-tab in the RADIUS tab for a device.

Authentication Server Type
Select the authentication type used on the RADIUS server.
 NOTE: DNS is only available as an option if a valid DNS server is configured on the device, so that the DNS name can resolve to an IP address when configuration occurs.
Authentication Server IP
Enter the IP or IPv6 address, or the hostname of the RADIUS authentication server. Not all devices support IPv6 address types.
Authentication Client UDP Port
Enter the UDP port number (1-65535) the device (RADIUS client) uses to send authentication requests to the RADIUS authentication server; 1812 is the default port number.
Server Shared Secret
A string of characters used to encrypt and decrypt communications between the device (RADIUS client) and the RADIUS authentication server. This string must match the shared secret entered when you added the client device on the RADIUS server. Without the shared secret, the server and client will be unable to communicate, and authentication attempts will fail. The shared secret must be at least 6 characters long; 16 characters is recommended. Dashes are allowed in the string, but spaces are not.

 NOTE: If you are configuring multiple RADIUS servers, the same server shared secret must be used for each RADIUS server. This is because most Policy Manager devices (RADIUS clients) only support one shared secret. Matrix N-Series devices with firmware version 5.0 or above are an exception to this, as these devices do support a unique shared secret for each server.
 NOTE: This Server Shared Secret is not to be confused with the Application Shared Secret that encrypts communication between the RADIUS client and Policy Manager, entered in the Application Shared Secret area of the RADIUS tab for a device.
Verify Shared Secret
Re-enter the Server Shared Secret you entered above.
Max Sessions (Sticky Round-Robin)
Specifies the maximum number of sticky round-robin authentication sessions allowed on the server when the sticky round-robin RADIUS authentication algorithm is configured for a device. In sticky round-robin, if a MAC address needs to re-authenticate, the request is sent to the same RADIUS server as the initial authentication request, unless the current number of authentication sessions for the server has reached the specified Max Sessions value. When this value is reached, re-authentication requests will instead default to the standard round-robin behavior to determine which RADIUS server to send the request to. Devices that do not support this functionality will have the option grayed out.
Number of Retries
The number of times the device will resend an authentication request if the RADIUS authentication server does not respond. For ExtremeWireless Wireless devices, this value is configured for each server. For all other devices, this value is global to all RADIUS servers, and is specified per device (Client Default) in the RADIUS Authentication Client Settings section of the RADIUS tab.
Timeout Duration
The amount of time in seconds the device will wait for the RADIUS authentication server to respond to an authentication request. For ExtremeWireless Wireless devices, this value is configured for each server. For all other devices, this value is global to all RADIUS servers, and is specified per device (Client Default) in the RADIUS Authentication Client Settings section of the RADIUS tab.
Authentication Access Type
Use the drop-down list to select the type of authentication access allowed for this RADIUS server:
  • Any access - the server can authenticate users originating from any access type.
  • Management access - the server can only authenticate users that have requested management access via the console, Telnet, SSH, or HTTP, etc.
  • Network access - the server can only authenticate users that are accessing the network via 802.1X, MAC, or Web-Based authentication.
This feature allows you to have one set of servers for authenticating management access requests and a different set for authenticating network access requests. Devices that do not support this feature will have this field grayed out.
Server Priority
Order in which the RADIUS authentication server will be checked, as compared to the other RADIUS authentication servers on the device. The lower the number, the higher the priority.
Management Interface
Select the IP address and VRName to use when the switch is communicating with a configured RADIUS server.
 NOTE: ExtremeXOS devices must define a Management Interface.
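
The sticky round-robin behavior described under Max Sessions (Sticky Round-Robin), modeled as an added example; this is not Policy Manager or device code. It assumes a session counts against a server from the moment a request is sent until it completes, and the class, server names and MAC addresses are constructed for illustration.

```python
class StickyRoundRobin:
    """Toy model of sticky round-robin RADIUS server selection (hypothetical)."""

    def __init__(self, max_sessions):
        self.max_sessions = dict(max_sessions)       # server -> Max Sessions value
        self.servers = list(self.max_sessions)       # rotation order
        self.active = {s: 0 for s in self.servers}   # open sessions per server
        self.home = {}                               # MAC -> server of initial authentication
        self._next = 0                               # position in the plain rotation

    def _round_robin(self):
        server = self.servers[self._next]
        self._next = (self._next + 1) % len(self.servers)
        return server

    def start(self, mac):
        """Choose the server for a request from `mac` and open a session on it."""
        home = self.home.get(mac)
        if home is not None and self.active[home] < self.max_sessions[home]:
            server = home                      # re-authentication sticks to the initial server
        else:
            server = self._round_robin()       # initial request, or home server is at Max Sessions
            self.home.setdefault(mac, server)  # the initial server stays the sticky target
        self.active[server] += 1
        return server

    def finish(self, server):
        """Close one session on `server` (assumed to happen when the exchange ends)."""
        self.active[server] -= 1


def demo():
    lb = StickyRoundRobin({"radius-a": 2, "radius-b": 2})
    macs = [f"00:00:5e:00:53:{i:02x}" for i in range(1, 6)]  # constructed MACs
    initial = [lb.start(m) for m in macs]    # plain rotation for first-time requests
    for server in initial:
        lb.finish(server)
    # Three clients whose initial server was radius-a re-authenticate at once.
    reauth = [lb.start(macs[i]) for i in (0, 2, 4)]
    lb.finish("radius-a")                    # one radius-a session completes
    lb.finish(reauth[2])
    after = lb.start(macs[4])                # the overflowed client returns to radius-a
    return initial, reauth, after


if __name__ == "__main__":
    print(demo())
```

Because a re-authentication can land on a different server once Max Sessions is reached, authentication records for a single MAC address may be split across servers.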
