Using a RADIUS Server for Authentication
  • 25 Jan 2024


You can use a RADIUS server for authenticating users. When RADIUS authentication is enabled, the unit supports Authentication and Authorization as configured on the RADIUS server. A RADIUS server can be useful if you want to centrally manage user accounts instead of managing them on each unit individually. The unit can be connected to up to RADIUS servers, allowing for RADIUS server redundancy.

To configure session parameters

  1. Access the page System ▶ Session ▶ RADIUS.

  2. Enter the various RADIUS configuration parameters, then click Apply.

For more information on specific parameters, refer to the following table.

RADIUS Configuration (System ▶ Session ▶ RADIUS)

General

| Parameter | Description |
|---|---|
| Authentication Method | The authentication method to use. The only option available is PAP: Password Authentication Protocol. |
| RADIUS Timeout | Indicates how long the RADIUS server will wait before retrying the connection. After the number of retries has been exhausted, a connection to the next configured server will be attempted, in which the same timeout and retry scheme apply. |
| RADIUS Retry | The number of times to retry the server before trying the next configured server. |
| Realm | The string to append to the user's name, following the username@realm method. |
| Vendor-Specific attribute in Access-Request | Enable this box to include vendor-specific information as part of the RADIUS access request. Sending this information enables the RADIUS server to better identify the type of equipment requesting access. |

Server-1 / Server-2

| Parameter | Description |
|---|---|
| Host | The RADIUS server host-name or IP address. |
| Port | The RADIUS server UDP port to which you connect. |
| Secret | The shared secret for this RADIUS server. The secret can be 48 characters long. |
| Source Address | The optional bind address for the RADIUS server. |

RADIUS Server Configuration Examples

The following examples are configurations for the RADIUS server, not for the unit.

Two methods are supported by RADIUS servers for providing authorization using standard RADIUS attributes:

  • Callback-Id (id=20): Provides a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the unit. The list of tokens is separated by commas. They can be a mix of locally-defined user permission groups and individual privileges.
  • Service-Type (id=6): Provides full admin privileges if the attribute is set to "Administrative-User".

    Note: You cannot view RADIUS-assigned permissions with the CLI or Web-based interface. The permission tokens are case sensitive.

The following are a few configuration examples for the RADIUS Server using these attributes:

  • To assign a user to the built-in Admin group: Callback-Id = "Admin"
  • To grant a user full administration privileges (same as first example): Service-Type = "Administrative-User"
  • To give a user a list of individual privileges and sub-privileges: Callback-Id = "Config, Config-not-rollback, Firmware, Log, Management, Users"

If a user is authenticated by RADIUS but no attributes are specified in the server configuration, the permissions will be set as follows:

  • Local permissions (i.e. as configured in the unit), if the username exists locally.
  • Viewer-only permission, if the username does not exist locally.
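
The authorization rules above can be checked against a planned RADIUS policy before it is deployed. The following Python sketch is an added example, not code from the product or its vendor: it resolves the effective permissions for an accepted user and flags accounts that fall back to local permissions or carry a token that differs from a known one only by case. The token list is the set of tokens shown on this page; the precedence of Service-Type over Callback-Id, the trimming of spaces around tokens, and all function names and sample users are assumptions.

```python
# Added example: models the authorization rules described on this page.
# Tokens are the ones shown on the page; precedence is an assumption.
PAGE_TOKENS = {"Admin", "Config", "Config-not-rollback", "Firmware",
               "Log", "Management", "Users"}

def parse_callback_id(value):
    """Split a comma-separated Callback-Id value into tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]

def lint_tokens(tokens, known=PAGE_TOKENS):
    """Return (token, known_token) pairs that differ only by case."""
    by_lower = {k.lower(): k for k in known}
    return [(t, by_lower[t.lower()]) for t in tokens
            if t not in known and t.lower() in by_lower]

def resolve(username, reply, local_users):
    """Return (source, permissions) for a user that RADIUS has accepted.

    reply: attributes from the Access-Accept, as a dict.
    local_users: username -> permissions configured on the unit.
    """
    # Assumption: Administrative-User wins if both attributes are present.
    if reply.get("Service-Type") == "Administrative-User":
        return ("Service-Type", ["Admin"])
    tokens = parse_callback_id(reply.get("Callback-Id", ""))
    if tokens:
        return ("Callback-Id", tokens)
    # No authorization attributes: fall back as the page describes.
    if username in local_users:
        return ("local", list(local_users[username]))
    return ("default", ["Viewer-only"])

def audit(accepts, local_users):
    """Flag users whose rights come from the unit or from a mistyped token."""
    findings = []
    for user, reply in accepts.items():
        source, perms = resolve(user, reply, local_users)
        if source == "local":
            findings.append((user, "inherits local permissions", perms))
        for got, want in lint_tokens(perms if source == "Callback-Id" else []):
            findings.append((user, "token case mismatch", [got, want]))
    return findings

# Constructed sample data (not from the page).
LOCAL = {"bob": ["Admin"]}
ACCEPTS = {
    "alice": {"Callback-Id": "Config, Firmware, log"},
    "bob": {},
    "carol": {"Service-Type": "Administrative-User"},
}
```

Calling audit(ACCEPTS, LOCAL) on the constructed data reports alice's "log" token and bob's inherited local Admin rights, the two cases where the effective permissions are not what the RADIUS policy appears to say.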
