RADIUS Tab (Device)

The device RADIUS tab allows you to configure and enable communication between the selected device (the RADIUS client), one or more RADIUS servers, and Policy Manager, for authentication and, on SNMPv3 devices that support it, accounting.

RADIUS accounting collects various data and statistics, such as the length of time a user has been logged on, and makes that data available to an administrator. It is used by a device to save accounting data on a RADIUS server. Accounting requests are sent from the device to the server. The server acknowledges these requests, and data is passed to the server via accounting updates. For more information on accounting functionality, refer to your RADIUS server documentation.

To display the device RADIUS tab, select a device in the left-panel Network Elements tab, then click the RADIUS tab in the right panel.

Authentication Tab

Use this tab to view and configure the RADIUS authentication servers with which the device (the RADIUS client) can communicate.

RADIUS Authentication Client Settings

This section lets you enable or disable communication between the selected device (the RADIUS client) and the RADIUS authentication servers, and specify connection attempt information.

Authentication Status
Allows you to enable or disable communication between this device and the RADIUS authentication server(s). If enabled, the device becomes a RADIUS client and communicates with a RADIUS authentication server whenever a user logs on to a port on the device, as long as the port itself is enabled for authentication and the device is set up as a client on the RADIUS authentication server (see the Authentication Configuration Guide). The default is Disabled. For ExtremeWireless Wireless devices, the Client Status is automatically set to Enabled when a RADIUS server exists and Disabled when it does not.
Management Access Auth Status Override
Allows you to override the Authentication Status for users that have requested management access to the device via the console, Telnet, SSH, HTTP, etc., and are therefore authenticated against the RADIUS authentication server(s).
Network Access Auth Status Override
Allows you to override the Authentication Status for users accessing the network via 802.1X, MAC, or Web-Based authentication.
Number of Retries
The number of attempts the device will make in contacting each RADIUS authentication server before giving up and trying the next RADIUS authentication server on the list. Valid values are 1-65535. For ExtremeWireless Wireless devices, this value is entered when the RADIUS server is added.
Timeout Duration
The total number of seconds the device will wait for the RADIUS authentication server to respond before trying again. Valid values are 1-65535. For ExtremeWireless Wireless devices, this value is entered when the RADIUS server is added.
Management Access Timeout Duration Override (sec)
The total number of seconds the device waits for the RADIUS authentication server to respond before trying again, applied to users that have requested management access to the device via the console, Telnet, SSH, HTTP, etc.
Network Access Timeout Duration Override (sec)
The total number of seconds the device waits for the RADIUS authentication server to respond before trying again for users accessing the network via 802.1X, MAC, or Web-Based authentication.

Response Mode

Select the RADIUS response attribute that the device should use for authentication:

  • Filter ID — The Filter ID (role) is used. If a VLAN Tunnel Attribute (VTA) is returned, it will be ignored.
  • VLAN Tunnel Attribute — The VLAN Tunnel Attribute is used and the Authentication-Based VLAN to Role Mappings are applied, if present. If a Filter ID is returned, it will be ignored.
  • Filter ID With VLAN Tunnel Attribute — Both attributes are applied in the following manner: the role is applied to the user, except that the VLAN Tunnel Attribute replaces the role's Default Access Control VLAN (if present). In this case, the Authentication-Based VLAN to Role mappings are ignored (as the role was explicitly assigned). VLAN classification rules are still applied, as defined by the assigned role.
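The following is an added example, not Policy Manager or switch code, that works through how the three Response Mode settings combine the Filter-Id and VLAN tunnel attributes of a RADIUS Access-Accept. The role table, the Authentication-Based VLAN to Role mappings, and the convention that the Filter-Id value is the bare role name are constructed assumptions for the example.

```python
# Added example: resolving role and VLAN from a RADIUS Access-Accept
# under each Response Mode described on this page.
FILTER_ID = "Filter ID"
VTA = "VLAN Tunnel Attribute"
FILTER_ID_WITH_VTA = "Filter ID With VLAN Tunnel Attribute"

# Constructed role table: role name -> Default Access Control VLAN
# (None means the role has no default VLAN).
ROLES = {"Enterprise User": 10, "Guest": 99, "Quarantine": None}

# Constructed Authentication-Based VLAN to Role mappings.
VLAN_TO_ROLE = {10: "Enterprise User", 99: "Guest"}


def parse_vta(attrs):
    """Return the VLAN ID carried by the RADIUS tunnel attributes, or None.

    A VLAN Tunnel Attribute is only valid when Tunnel-Type is VLAN (13) and
    Tunnel-Medium-Type is IEEE-802 (6); Tunnel-Private-Group-ID holds the ID.
    """
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return None
    group_id = str(attrs.get("Tunnel-Private-Group-ID", ""))
    return int(group_id) if group_id.isdigit() else None


def resolve(mode, attrs):
    """Return the (role, vlan) pair the device applies to the session."""
    # Assumption for this example: Filter-Id carries the bare role name.
    filter_id = attrs.get("Filter-Id")
    role = filter_id if filter_id in ROLES else None
    vlan = parse_vta(attrs)

    if mode == FILTER_ID:
        # Any VTA is ignored; the VLAN comes from the role's default, if any.
        return role, (ROLES[role] if role else None)

    if mode == VTA:
        # Filter-Id is ignored; the role, if any, comes from the VLAN mapping.
        return VLAN_TO_ROLE.get(vlan), vlan

    if mode == FILTER_ID_WITH_VTA:
        # Role comes from Filter-Id; the VTA replaces the role's default VLAN.
        # The VLAN to Role mappings are not consulted (role explicitly assigned).
        if role is None:
            return None, vlan
        return role, (vlan if vlan is not None else ROLES[role])

    raise ValueError("unknown response mode: %r" % mode)
```

Running `resolve` with the same Access-Accept under each mode shows the three different outcomes the list above describes.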

Retransmit Algorithm

Select the authentication retransmission algorithm for this device to use with your RADIUS servers. Devices that do not support this functionality will have the option grayed out.

  • Standard — Specifies that the primary RADIUS server should always be used for authentication, if it is available. The standard RADIUS authentication algorithm focuses on using RADIUS servers for redundancy rather than for scale provisioning. The only time secondary RADIUS servers are used is when the primary server is unreachable due to a network outage or because server capacity is exceeded.
  • Round-Robin — The round-robin RADIUS authentication algorithm spreads RADIUS server usage evenly between available RADIUS servers, allowing the load balancing of a large number of authentications across all RADIUS servers. This allows for a maximum authentication throughput for the number of servers configured. Additionally, if a single server is down, only a portion of the authenticating sessions will be affected by the outage.
  • Sticky Round-Robin — This algorithm uses round-robin when assigning a RADIUS server to each unique authentication session, but specifies that the same RADIUS server should be used for any given authentication session once a session is initiated. In large-scale NAC deployments, this algorithm is used for switches that are authenticating more users than a NAC appliance supports. For example, a NAC deployment might have an S-Series device that supports 9000 users deployed at the distribution level and authenticating users to three NAC appliances that support 3000 users each. In this scenario, the sticky round-robin algorithm allows the S-Series device to spread the load across all three NAC appliances while using the same NAC appliance for all RADIUS transactions for a given session (MAC address).
Apply Button
Applies the changes you made in the RADIUS Authentication Client Settings section.

Application Shared Secret (Legacy)

The device (the RADIUS client) and Policy Manager share a common "secret" that provides a secure means of RADIUS client configuration on devices using SNMPv1. This "Application Shared Secret" is a string of characters used to encrypt and decrypt communication between Policy Manager and the device. A Default shared secret is provided that allows you to initially configure the RADIUS settings on this tab, but it is recommended that you change this secret to increase security.

Click the Change button to make the Application Shared Secret fields available for editing and select the method for changing the string:

  • Auto-Generated — Generates a new 32-character Application Shared Secret automatically.
  • User-Defined — Enter a new shared secret in the field. The format is a 32-character string with optional dashes or spaces, typically xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx.
  • Default — Uses the default shared secret that is provided to allow you to initially configure the RADIUS settings on this tab. It is recommended that you change to an auto-generated or user-defined secret to increase security.

Click the Apply button to save any changes you made.

  NOTE: This Application Shared Secret is not to be confused with the Server Shared Secret that encrypts communication between the RADIUS server and the RADIUS client, entered in the Add RADIUS Authentication Server window or Add RADIUS Accounting Server window available from the Add buttons on this tab, or in the Add RADIUS Server window in the Device Configuration Wizard.

  WARNING: It is important to remember the Application Shared Secret, since the shared secret specified in Policy Manager must match the shared secret on the device. If you delete and recreate the device in Policy Manager, you will have to supply the correct Application Shared Secret in the device's RADIUS tab in order to retrieve or input the RADIUS settings on this tab. If you're using an Auto-Generated or User-Defined Application Shared Secret and you clear NVRAM on the device, you will need to go to the RADIUS tab for the device and change the Application Shared Secret back to "Default" in order to regain access to the RADIUS information in that tab. Once Policy Manager and the device are using the same (Default) Application Shared Secret, then the secret can be changed to be either Auto-Generated or User-Defined.

Authentication RADIUS Server(s) Table

This table lists the RADIUS authentication servers with which the device (the RADIUS client) can communicate. Use the buttons to add or remove servers, and edit server parameters. You can also edit a server's parameters by double-clicking the server entry in the list.

Priority
Order in which the RADIUS authentication server is checked, as compared to the other RADIUS authentication servers listed here. The lower the number, the higher the priority.
RADIUS Server IP
IP address of the RADIUS authentication server.
Client UDP Port
UDP port number (1-65535) on the RADIUS authentication server that the device will send authentication requests to; 1812 is the default port number.
Access Type
The type of authentication access allowed for this RADIUS server:
  • Any access — the server can authenticate users originating from any access type.
  • Management access — the server can only authenticate users that have requested management access via the console, Telnet, SSH, or HTTP, etc.
  • Network access — the server can only authenticate users that are accessing the network via 802.1X, MAC, or Web-Based authentication.
Devices that do not support this feature will display N/A in this column.
Current Sessions
The current number of sessions associated with this server when the device is using the sticky round-robin RADIUS authentication algorithm. This value is not used when other algorithms are being used.
Max Sessions
The maximum number of sticky round-robin authentication sessions allowed on the server when the sticky round-robin RADIUS authentication algorithm is configured for the device. This value is not used when other algorithms are being used. In sticky round-robin, if a MAC address needs to re-authenticate, the request is sent to the same RADIUS server as the initial authentication request, unless the current number of authentication sessions for the server has reached the specified Max Sessions value. When this value is reached, re-authentication requests will instead default to the standard round-robin behavior to determine which RADIUS server to send the request to.
Number of Retries
The number of times the device will resend an authentication request if the RADIUS authentication server does not respond. For ExtremeWireless Wireless devices, this value is configured per RADIUS server. For all other devices, this value is global to all RADIUS servers, and is specified per device (Client Default) in the RADIUS Authentication Client Settings section.
Timeout Duration
The amount of time in seconds the device will wait for the RADIUS authentication server to respond to an authentication request. For ExtremeWireless Wireless devices, this value is configured per RADIUS server. For all other devices, this value is global to all RADIUS servers, and is specified per device (Client Default) in the RADIUS Authentication Client Settings section.
Management Interface
The IP address and VRName used when the switch is communicating with a configured RADIUS server.
Apply Button
Applies any changes you made in the RADIUS Authentication Server(s) tab.
Add Button
Opens the Add RADIUS Authentication Server window, where you can enter the parameters for a server you want to add to the list. When you click OK on this window, the new server is added.
Remove Button
Select a RADIUS authentication server in the list and use this button to remove the server.
Edit Button
Select a RADIUS authentication server in the list and use this button to edit the server's parameters. You can also edit the server parameters by double-clicking the server entry in the list.
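The following is an added simulation, not Policy Manager or switch code, of the three Retransmit Algorithm choices described above (Standard, Round-Robin, Sticky Round-Robin) together with the Max Sessions fallback described for the Authentication RADIUS Server(s) table. Server priorities, Max Sessions values and MAC addresses are constructed sample data; the treatment of a session that falls back to round-robin (it is re-pinned to the newly chosen server) is a simplifying assumption.

```python
# Added example: which RADIUS authentication server a device picks for a
# session under each retransmit algorithm, including Max Sessions fallback.
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    ip: str
    priority: int                  # lower number = higher priority
    max_sessions: int = 0          # only meaningful for sticky round-robin
    reachable: bool = True
    sessions: set = field(default_factory=set)   # MACs currently pinned here


class Selector:
    def __init__(self, servers, algorithm):
        self.servers = sorted(servers, key=lambda s: s.priority)
        self.algorithm = algorithm
        self._rr_index = 0

    def _available(self):
        return [s for s in self.servers if s.reachable]

    def _round_robin(self):
        # Spread requests evenly over the servers that are currently reachable,
        # so an outage affects only the sessions that land on the down server.
        avail = self._available()
        if not avail:
            return None
        server = avail[self._rr_index % len(avail)]
        self._rr_index += 1
        return server

    def pick(self, mac):
        """Return the server that handles this session's next request."""
        if self.algorithm == "standard":
            # Always the highest-priority reachable server.
            avail = self._available()
            return avail[0] if avail else None

        if self.algorithm == "round-robin":
            return self._round_robin()

        if self.algorithm == "sticky":
            for s in self.servers:
                if mac in s.sessions:
                    # Re-authentication stays on the same server unless it is
                    # unreachable or its session count has reached Max Sessions.
                    if s.reachable and len(s.sessions) < s.max_sessions:
                        return s
                    s.sessions.discard(mac)   # assumption: re-pin elsewhere
            server = self._round_robin()      # new session, or fallback
            if server is not None:
                server.sessions.add(mac)
            return server

        raise ValueError("unknown algorithm: %r" % self.algorithm)
```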

Accounting Tab

Use this tab to view and configure the RADIUS accounting servers with which the device (the RADIUS client) can communicate.


RADIUS Accounting Client Settings

This section lets you enable or disable communication between the selected device (the RADIUS client) and the RADIUS accounting servers, and specify the update interval.

Accounting Status
Allows you to enable or disable RADIUS accounting on SNMPv3 devices that support it. RADIUS accounting is used by a device to save accounting data on a RADIUS accounting server. If accounting is enabled, an accounting session starts after the user is successfully authenticated by a RADIUS authentication server. The default is Disabled. For ExtremeWireless Wireless devices, the status is automatically set to Enabled when a RADIUS server exists and Disabled when it does not. Devices that do not support RADIUS accounting will have this field grayed out.
Management Access Auth Status Override
Allows you to override the Accounting Status for users that have requested management access to the device via the console, Telnet, SSH, HTTP, etc., and are therefore accounted for on the RADIUS accounting server(s).
Network Access Auth Status Override
Allows you to override the Accounting Status for users accessing the network via 802.1X, MAC, or Web-Based authentication.
Per Authentication Type Accounting Status
Allows you to enable/disable RADIUS accounting for individual authentication types. Some authentication types do not have RADIUS accounting enabled by default (when global RADIUS accounting is enabled). Enabling these authentication types will give both NAC and other RADIUS servers more complete information regarding authentication sessions. These options also allow you to disable accounting messages from certain authentication types, for example, Auto-Tracking, which does not actually authenticate end users. Note that the global Accounting Status option controls accounting on a global basis for all authentication types. Devices that do not support this functionality will have these fields grayed out.
Update Interval (minutes)
Collected accounting data is sent from the device to the RADIUS accounting server via accounting updates. The Accounting Update Interval is the amount of time in minutes between accounting updates. Valid values are 1-65535. It is recommended that the value be greater than 10 minutes, and careful consideration should be given to its impact on network traffic. Devices that do not support RADIUS accounting will have this field grayed out (with the exception of an SNMPv1 R2 device, which will display accounting values but will not allow you to set them.) For ExtremeWireless Wireless devices, this value is entered when the RADIUS server is added.
Management Access Timeout Duration Override (sec)
The total number of seconds the device waits for the RADIUS accounting server to respond before trying again, applied to users that have requested management access to the device via the console, Telnet, SSH, HTTP, etc.
Network Access Timeout Duration Override (sec)
The total number of seconds the device waits for the RADIUS accounting server to respond before trying again for users accessing the network via 802.1X, MAC, or Web-Based authentication.
Apply Button
Applies the changes you made in the RADIUS Accounting Client Settings section.

Accounting RADIUS Servers Table

This table lists the RADIUS accounting servers with which the device (the RADIUS client) can communicate. Use the buttons to add or remove servers, and edit server parameters. You can also edit a server's parameters by double-clicking the server entry in the list.

Priority
Order in which the RADIUS accounting server is checked, as compared to the other RADIUS accounting servers listed here. The lower the number, the higher the priority.
RADIUS Server IP
IP address of the RADIUS accounting server.
Client UDP Port
UDP port number (1-65535) on the RADIUS accounting server that the device will send accounting requests to; 1813 is the default port number. Devices that do not support RADIUS accounting will display N/A in this column (with the exception of an SNMPv1 R2 device, which will display accounting values but will not allow you to set them.)
Access Type
The type of authentication access allowed for this RADIUS server:
  • Any access — the server can authenticate users originating from any access type.
  • Management access — the server can only authenticate users that have requested management access via the console, Telnet, SSH, or HTTP, etc.
  • Network access — the server can only authenticate users that are accessing the network via 802.1X, MAC, or Web-Based authentication.
Devices that do not support this feature will display N/A in this column.
Number of Retries
The number of times the device will resend an accounting request if the RADIUS accounting server does not respond. Valid values are 0-20. Devices that do not support RADIUS accounting will display N/A in this column (with the exception of an SNMPv1 R2 device, which will display accounting values but will not allow you to set them.)
Timeout Duration
The amount of time in seconds the device will wait for the RADIUS accounting server to respond to an accounting request. Valid values are 2-10 seconds. Devices that do not support RADIUS accounting will display N/A in this column (with the exception of an SNMPv1 R2 device, which will display accounting values but will not allow you to set them.)
Update Interval
The amount of time in minutes between accounting updates. For ExtremeWireless Wireless devices, this value is configured per RADIUS server. For all other devices, this value is global to all RADIUS servers, and is specified per device (Client Default) in the RADIUS Accounting Client Settings section.
Management Interface
The IP address and VRName used when the switch is communicating with a configured RADIUS server.
Apply Button
Applies any changes you made in the RADIUS Accounting Server(s) tab.
Add Button
Opens the Add RADIUS Accounting Server window, where you can enter the parameters for a server you want to add to the list. When you click OK on this window, the new server is added.
Remove Button
Select a RADIUS accounting server in the list and use this button to remove the server.
Edit Button
Select a RADIUS accounting server in the list and use this button to edit the server's parameters. You can also edit the server parameters by double-clicking the server entry in the list.

Port Configuration Tab

This tab displays all the ports on the device and allows you to configure the RADIUS Timeout role and the RADIUS Reject Role for one or more ports via a right-click menu. It also provides access to the Port Properties window for a single port.
