Configure RADIUS Server Settings

First begin configuring a RADIUS server group. See Configure a RADIUS Server Group.

This task is part of the network policy configuration workflow. Use this task to configure RADIUS server settings for IQ Engine devices for a RADIUS server group, as part of a network policy.

  1. On the Configure RADIUS Servers page, select Settings and configure the following settings:
    Setting: Description
    Retry Interval: Specify the time between Access-Request retries to an unresponsive primary RADIUS server. The device retries the primary server after the interval elapses, even if the current backup server is responding.

    Range: 60–100000000 (seconds)

    Default: 600

    Note: Do not enter commas in this field. Enter 100,000,000 as 100000000.
    Accounting Interim Update Interval: Specify the interval for sending RADIUS accounting updates to report the client session status and cumulative length.

    Range: 10–100000000 (seconds)

    Default: 600

    Note: Do not enter commas in this field. Enter 100,000,000 as 100000000.
    Permit Dynamic Change Of Authorization Messages (RFC 3576): Enable the RADIUS server to dynamically change the authorization for a user, or to disconnect a user per RFC 3576. When you enable this parameter, devices acting as RADIUS authenticators can accept unsolicited disconnect and Change of Authorization (CoA) messages from a RADIUS authentication server, such as GuestManager, per RFC 3576. Disconnect messages terminate a user session immediately, and CoA messages modify session authorization attributes such as VLANs and user profile IDs.
    Inject Operator-Name attribute: Select to include the Operator-Name attribute in the Access-Request and Accounting-Request messages that the Extreme Networks RADIUS authenticators send to the RADIUS authentication server. The attribute value is the domain name suffix of the Extreme Networks authenticator, usually assigned by DHCP, and helps to identify the source of authentication requests. Providing source information like this can aid in troubleshooting authentication problems.
    Message Authenticator attribute: The Message Authenticator attribute is an HMAC-MD5 checksum computed over the entire Access-Request packet, including the Type, ID, Length, and Authenticator fields, using the shared secret as the key. This ensures the authenticity and integrity of the packet.

    ExtremeCloud IQ uses this attribute to authenticate RADIUS server replies, and to encrypt passwords.

    Override default failover settings: Select this option to override the default RADIUS server failover and retry interval. The retry interval is the number of seconds between RADIUS server requests.

    Select Aggressive or Custom (Range 1-5).

    Set the First retry interval. (Default: 1)

    Set the Max-retries value, which is the maximum number of retries before failing over to a configured backup RADIUS server. (Default: 3)

  2. Select SAVE RADIUS SETTINGS.

Finish configuring the RADIUS server group.
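
The Message Authenticator computation described in the settings table, as an added example (not ExtremeCloud IQ or IQ Engine code). It assumes the RFC 2869 section 5.14 rule that the attribute's 16-octet value is zeroed while the HMAC-MD5 is calculated; the packet contents and the shared secret used with it are constructed sample values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14

def find_message_authenticator(packet: bytes) -> int:
    """Return the offset of the 16-octet Message-Authenticator value, or -1."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS header or Length field")
    pos = 20  # attributes follow Code, ID, Length and the 16-octet Authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            return pos + 2
        pos += attr_len
    return -1

def compute_mac(packet: bytes, off: int, secret: bytes) -> bytes:
    """HMAC-MD5 over the whole packet with the attribute value zeroed."""
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:length]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def sign_access_request(packet: bytes, secret: bytes) -> bytes:
    off = find_message_authenticator(packet)
    if off < 0:
        raise ValueError("no Message-Authenticator attribute to fill in")
    return packet[:off] + compute_mac(packet, off, secret) + packet[off + 16:]

def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """False when the attribute is absent or does not match the packet."""
    off = find_message_authenticator(packet)
    if off < 0:
        return False
    return hmac.compare_digest(packet[off:off + 16], compute_mac(packet, off, secret))

def build_sample_request() -> bytes:
    """Constructed Access-Request: User-Name, NAS-IP-Address, empty attribute 80."""
    attrs = b"\x01\x07alice" + b"\x04\x06" + bytes([192, 0, 2, 10])
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16))
    return header + attrs
```

A receiver that enforces the attribute treats a `False` result as a reason to drop the packet silently, which covers both a missing attribute and a mismatch caused by tampering or a wrong shared secret.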