Configuring RADIUS-based User Authentication

The following procedure describes how to configure RADIUS-based login authentication. For a detailed description of the RADIUS parameters, see RADIUS Parameters.

To configure RADIUS-based login authentication:
1. Open the Authentication Server page (Setup menu > Administration tab > Web & CLI folder > Authentication Server).
2. From the 'Use RADIUS for Web/Telnet Login' drop-down list, select Enable to enable RADIUS authentication for Web and Telnet login.

3. When implementing Web user access levels, do one of the following:
If the RADIUS server response includes the access level attribute: In the 'RADIUS VSA Access Level Attribute' field, enter the code that indicates the access level attribute in the VSA section of the received RADIUS packet. For defining the RADIUS server with access levels, see Setting Up a Third-Party RADIUS Server.

If the RADIUS server response does not include the access level attribute: In the 'Default Access Level' field, enter the default access level that is applied to all users authenticated by the RADIUS server.

4. Configure RADIUS timeout handling:
a. From the 'Behavior upon Authentication Server Timeout' drop-down list, select how the device behaves if the RADIUS server does not respond within five seconds:
Deny Access: device denies user login access.
Verify Access Locally: device checks the username and password configured locally for the user in the Local Users table (see Configuring Management User Accounts), and if correct, allows access.
b. In the 'Password Local Cache Timeout' field, enter a time limit (in seconds) after which the username and password verified by the RADIUS server become invalid and must be re-validated with the RADIUS server.
c. From the 'Password Local Cache Mode' drop-down list, select the option for the local RADIUS password cache timer:
Reset Timer Upon Access: upon each access to a Web page, the timer resets (reverts to the initial value configured in the previous step).
Absolute Expiry Timer: when you access a Web page, the timer doesn't reset, but continues its countdown.

5. Configure when the Local Users table must be used to authenticate login users. From the 'Use Local Users Database' drop-down list, select one of the following:
When No Auth Server Defined (default): The Local Users table is used when no RADIUS server is configured, or when a server is configured but connectivity with the server is down (if the server is up, the device authenticates the user with the server).
Always: The device first attempts to authenticate the user using the Local Users table; if the user is not found there, it authenticates the user with the RADIUS server.

6. Click Apply, and then reset the device with a save-to-flash for your settings to take effect.
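
To illustrate what the code entered in the 'RADIUS VSA Access Level Attribute' field (step 3) selects, the following added example (not vendor code) walks a RADIUS Access-Accept, finds the Vendor-Specific attribute (type 26, RFC 2865) and reads the sub-attribute with that code. The vendor ID, attribute code, level value and the 32-bit integer encoding are constructed assumptions, not values from this procedure.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
ACCESS_ACCEPT = 2      # RADIUS packet code

def iter_tlv(buf):
    """Yield (type, value) from 1-byte-type/1-byte-length TLVs; length includes the header."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        yield typ, buf[pos + 2:pos + length]
        pos += length

def vsa_access_level(packet, vendor_id, vsa_code):
    """Return the access level carried in an Access-Accept VSA, or None if absent."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    for typ, value in iter_tlv(packet[20:length]):
        if typ != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue   # VSA belongs to a different vendor
        for sub_type, data in iter_tlv(value[4:]):
            # Assumption: the level is carried as a 32-bit big-endian integer.
            if sub_type == vsa_code and len(data) == 4:
                return struct.unpack("!I", data)[0]
    return None   # absent: the case step 3 covers with 'Default Access Level'

def build_accept(attrs):
    """Constructed sample packet; the authenticator is zeroed and not verified here."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed values, not from the page: vendor ID 99999, VSA code 35, level 200.
VENDOR, CODE = 99999, 35
sub = bytes([CODE, 6]) + struct.pack("!I", 200)
WITH_LEVEL = build_accept([(VENDOR_SPECIFIC, struct.pack("!I", VENDOR) + sub)])
NO_LEVEL = build_accept([(18, b"ok")])   # Reply-Message only, no VSA

if __name__ == "__main__":
    print(vsa_access_level(WITH_LEVEL, VENDOR, CODE), vsa_access_level(NO_LEVEL, VENDOR, CODE))
```

The parsed level is only as trustworthy as the packet: a real client must verify the Response Authenticator against the shared secret before acting on any attribute, which this example does not do.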