RADIUS Authentication

You can use RADIUS authentication to use a remote server to authenticate logons. The RADIUS server also provides access authority. RADIUS assists network security and authorization by managing a database of users. The device uses this database to verify user names and passwords as well as information about the type of access priority available to the user.

When the RADIUS client sends an authentication request requesting additional information such as a SecurID number, it sends it as a challenge-response. Along with the challenge-response, it sends a reply-message attribute. The reply-message is a text string, such as Please enter the next number on your SecurID card:. The RFC defined maximum length of each reply-message attribute is 253 characters. If you have multiple instances of reply-message attributes that together form a large message that displays to the user, the maximum length is 2000 characters.

You can use additional user names to access the device, in addition to the six existing user names of ro, L1, L2, L3, rw, and rwa. The RADIUS server authenticates the user name and assigns one of the existing access priorities to that name. Unauthenticated user names are denied access to the device. You must add user names ro, L1, L2, L3, rw, and rwa to the RADIUS server if you enable authentication. Users not added to the server are denied access.

The limitation on the number of characters in a username for users logging into CLI or EDM configured with RADIUS authentication is 64 chararcters.

Note

Note

RADIUS server used‐by snmp does not support authentication.

The following list shows the user configurable options of the RADIUS feature:

Note

Note

If you enable enhanced secure mode with the boot config flags enhancedsecure-mode command, you enable different access levels, along with stronger password complexity, length, and minimum change intervals. With enhanced secure mode enabled, the switch supports the following access levels for RADIUS authentication:
  • Administrator

  • Privilege

  • Operator

  • Auditor

  • Security

The switch associates each username with a certain role and appropriate authorization rights to view and configure commands. For more information on system access fundamentals and configuration, see System Access.