Use the information in this section to understand the limitations of some security functions, such as BSAC RADIUS servers and Layer 2 protocols, before you attempt to configure security.
If you use a third-party RADIUS server and need to modify the dictionary files, you must add a vendor-specific attribute (attribute #26) and use 1584 as the vendor code for all the devices. The server must then send back the access-priority vendor-assigned attribute, number 192, with a decimal value of 1 to 6, depending on the access level you want, from read only to read-write-all.
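The following added example (not taken from the vendor documentation) encodes the attribute described above in the RFC 2865 Vendor-Specific layout and parses it back out of a reply's attribute list, which is useful for checking a packet capture after a dictionary change. The function names are hypothetical, and the 32-bit integer encoding of the value is an assumption.

```python
import struct

VENDOR_SPECIFIC = 26    # RADIUS attribute type named on the page
VENDOR_ID = 1584        # vendor code named on the page
ACCESS_PRIORITY = 192   # vendor-assigned attribute number named on the page


def encode_access_priority(level):
    """Build the Vendor-Specific attribute (RFC 2865, section 5.26)."""
    if not 1 <= level <= 6:
        raise ValueError("access-priority must be 1 to 6")
    # Assumption: the value is carried as a 32-bit big-endian integer.
    sub = struct.pack("!BBI", ACCESS_PRIORITY, 6, level)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), VENDOR_ID) + sub


def _tlvs(buf):
    """Yield (type, value) pairs from a type/length/value byte string."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2 or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute length")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def find_access_priority(attrs):
    """Return the access-priority level in a reply's attributes, or None."""
    for atype, body in _tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != VENDOR_ID:
            continue  # another vendor's attribute
        for vtype, value in _tlvs(body[4:]):
            if vtype == ACCESS_PRIORITY:
                if len(value) != 4:
                    raise ValueError("access-priority is not a 4-byte integer")
                level = struct.unpack("!I", value)[0]
                if not 1 <= level <= 6:
                    raise ValueError("access-priority out of range: %d" % level)
                return level
    return None


# Constructed sample: a Reply-Message attribute followed by the VSA.
SAMPLE_ATTRS = bytes([18, 4]) + b"ok" + encode_access_priority(6)

if __name__ == "__main__":
    print(encode_access_priority(6).hex(), find_access_priority(SAMPLE_ATTRS))
```

A reply that carries the attribute under a different vendor code, or with a value outside 1 to 6, is not accepted by the parser, which is how a wrong dictionary entry typically shows up.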
Authentication for Privileged EXEC command mode supports RADIUS and TACACS+ protocols. If RADIUS and TACACS+ servers are not reachable, access to Privileged EXEC command mode is denied. You must open a new session and type the same username and password used to Telnet or SSH to the switch.
The management port supports the RADIUS protocol. When RADIUS packets are sent out of the management port, the SRC-IP address is properly entered in the RADIUS header.
For more information about the supported RADIUS servers, see the documentation of the RADIUS server.
An SNMP query sent by an unreachable RADIUS server configured as used-by snmp and with accounting enabled can cause a timeout. A timeout can occur if the device that receives the SNMP query attempts to send accounting packets to the unreachable server. You can mitigate the timeout issue by configuring lower retry and timeout values on the RADIUS server. Alternatively, you can configure a higher timeout value for SNMP.
Before enabling Remote Access Dial-In User Services (RADIUS) accounting on the device, you must configure at least one RADIUS server.
The switch software supports Microsoft RADIUS servers (NPS Windows 2008, Windows 2003 IAS Server), BaySecure Access Control (BSAC), Merit Network servers, and Linux-based servers. To use these servers, you must first obtain the software for the server. You must also make changes to one or more configuration files for these servers.
Single Profile is a feature that is specific to BSAC RADIUS servers. In a BSAC RADIUS server, when you create a client profile, you can specify all the returnable attributes. When you use the same profile for different products (VSP 8000 Series and Baystack 450, for example) you specify all the returnable attributes in the single profile.
If the user from which you are cloning has authentication, you can choose for the new user to either have the same authentication protocol as the user from which it was cloned, or no authentication. If you choose authentication for the new user, you must provide a password for that user. If you want a new user to have authentication, you must indicate that at the time you create the new user. You can assign a privacy protocol only to a user that has authentication.
If the user from which you are cloning has no authentication, then the new user has no authentication.
Note
The following Source IP configuration considerations are only applicable on hardware platforms running VOSS Release 8.2 and later.
mgmt CLIP - 100
mgmt VLAN - 200
mgmt OOB - 300
mgmt oob
ip route 192.0.2.0/24 next-hop 198.51.100.1
OR
mgmt oob
no ip route 0.0.0.0/24 next-hop 198.51.100.1
ip route 0.0.0.0/24 next-hop 198.51.100.1 weight 50
Note
If you change the default route weight, the management interface with the lowest weight value becomes the default route for all segmented management interface traffic.
For VOSS Release 8.1.5 and earlier, there was a potential for thousands of different Source IP management interfaces for applications initiating an outbound connection without a Source IP specified. To avoid Source IP fluctuations for many management interfaces with frequent route updates, you could specify the Source IP for applications where the source IP identifies the client. Configuring a Source IP for specific management applications is deprecated in VOSS Release 8.2 and later.
Note
This applies only to client mgmt applications initiating an outgoing connection, where the source IP address is not specified. If an application is running in server mode, the source IP address of the reply packet is configured to the destination IP address of the original request for TCP connections.