- 23 Jan 2024
Using a RADIUS Server for Authentication
You can use a RADIUS server for authenticating users. When RADIUS authentication is enabled, the unit supports Authentication and Authorization as configured on the RADIUS server. A RADIUS server can be useful if you want to centrally manage user accounts instead of managing them on each unit individually. The unit can be connected to up to RADIUS servers, allowing for RADIUS server redundancy.
To configure session parameters:
1. Access the page System ▶ Session ▶ RADIUS.
2. Enter the various RADIUS configuration parameters, then click Apply.
For more information on specific parameters, refer to the following table.
RADIUS Configuration (System ▶ Session ▶ RADIUS)
General
Parameter | Description |
---|---|
Authentication Method | The authentication method to use. The only option available is: PAP: Password Authentication Protocol. |
RADIUS Timeout | Indicates how long the RADIUS server will wait before retrying the connection. After the number of retries has been exhausted, a connection to the next configured server will be attempted, to which the same timeout and retry scheme applies. |
RADIUS Retry | The number of times to retry the server before trying the next configured server. |
Realm | The string to append to the user's name, following the username@realm method. |
Vendor-Specific attribute in Access-Request | Enable this box to include vendor-specific information as part of the RADIUS access request. Sending this information enables the RADIUS server to better identify the type of equipment requesting access. |
Server-1 / Server-2
Parameter | Description |
---|---|
Host | The RADIUS server host-name or IP address. |
Port | The RADIUS server UDP port to which you connect. |
Secret | The shared secret for this RADIUS server. The secret can be 48 characters long. |
Source Address | The optional bind address for the RADIUS server. |
RADIUS Server Configuration Examples
The following examples are configurations for the RADIUS server, not for the unit.
Two methods are supported by RADIUS servers for providing authorization using standard RADIUS attributes:
- Callback-Id (id=20): Provides a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the unit. The list of tokens is separated by commas. They can be a mix of locally-defined user permission groups and individual privileges.
- Service-Type (id=6): Provides for full admin privileges if the attribute is set to "Administrative-User".
Note: You cannot view RADIUS-assigned permissions with the CLI or Web-based interface. The permission tokens are case sensitive.
The following are a few configuration examples for the RADIUS Server using these attributes:
- To assign a user to the built-in Admin group: Callback-Id = "Admin"
- To grant a user full administration privileges (same as first example): Service-Type = "Administrative-User"
- To give a user a list of individual privileges and sub-privileges: Callback-Id = "Config, Config-not-rollback, Firmware, Log, Management, Users"
If a user is authenticated by RADIUS but no attributes are specified in the server configuration, the permissions will be set as follows:
- Local permissions (i.e. as configured in the unit), if the username exists locally.
- Viewer-only permission, if the username does not exist locally.
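The authorization rules above can be checked against a planned server configuration before rollout. The following Python sketch is an added example, not Accedian or Cisco code: `effective_access`, `KNOWN_TOKENS` and the sample users are hypothetical, the token list holds only the tokens quoted on this page, and it assumes Service-Type takes precedence when both attributes are returned.

```python
# Added example: audit planned RADIUS reply attributes against this page's rules.
# KNOWN_TOKENS holds only the tokens quoted on this page (assumption: incomplete);
# extend it with the permission groups and privileges defined on your unit.
KNOWN_TOKENS = {"Admin", "Config", "Config-not-rollback", "Firmware",
                "Log", "Management", "Users"}


def effective_access(username, reply_attrs, local_users):
    """Return (source, tokens, warnings) for one RADIUS-authenticated user.

    reply_attrs: attributes the server would return in the Access-Accept.
    local_users: usernames that also exist locally on the unit.
    Assumption: Service-Type wins if both attributes are present.
    """
    warnings = []
    if reply_attrs.get("Service-Type") == "Administrative-User":
        return "Service-Type", ["Admin"], warnings

    callback = reply_attrs.get("Callback-Id")
    if callback:
        tokens = [t.strip() for t in callback.split(",") if t.strip()]
        lowered = {k.lower(): k for k in KNOWN_TOKENS}
        for tok in tokens:
            if tok in KNOWN_TOKENS:
                continue
            if tok.lower() in lowered:
                # Tokens are case sensitive, so this one will not match.
                warnings.append(
                    f"{tok!r} differs in case from {lowered[tok.lower()]!r}")
            else:
                warnings.append(f"{tok!r} is not a known token")
        return "Callback-Id", tokens, warnings

    # No authorization attribute: fall back as described above.
    if username in local_users:
        warnings.append("no attributes: inherits local permissions")
        return "local", [], warnings
    return "viewer-only", [], warnings


# Constructed sample data, not taken from a real deployment.
LOCAL_USERS = {"admin", "noc1"}
SERVER_ENTRIES = {
    "alice": {"Service-Type": "Administrative-User"},
    "bob": {"Callback-Id": "Config, Config-not-rollback, firmware, Log"},
    "noc1": {},   # same name as a local account
    "carol": {},  # unknown locally
}
```

The "local" result is the one to review first: a RADIUS account that shares its name with a local account inherits whatever that local account is allowed to do.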