authentication

Specifies the RADIUS data source used for user authentication. Options include local for the local user database or LDAP for a remote LDAP resource.

Supported on the following devices:

Syntax

authentication [data-source|eap-auth-type]
authentication data-source [ldap|local]
authentication data-source [ldap {fallack}|local] {(ssid <SSID> precedence <1-5000>)}
authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]

Parameters

authentication data-source [ldap {fallack}|local] {(ssid <SSID> precedence <1-5000>)}

data-source

The RADIUS sever can either use the local database or an external LDAP server to authenticate a user. It is necessary to specify the data source. The options are: LDAP and local.

ldap fallback

Uses a remote LDAP server as the data source
  • fallback – Optional. Enables fallback to local authentication. This feature ensures that if the designated external LDAP resource were to fail or become unavailable, the client is authenticated against the local RADIUS resource. This option is disabled by default.

When using LDAP as the authentication external source, PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply for Microsoft's Active Directory server.

local

Uses the local user database to authenticate a user. This is the default setting.

ssid <SSID> precedence <1-5000>

The following keywords are recursive and common to both ‘ldap‘ and ‘local‘ parameters:

  • ssid – Optional. Associates the data source, selected in the previous step, with a SSID.

    • <SSID> – Specify the SSID for this authentication data source. The SSID is case sensitive and should not exceed 32 characters in length. Do not use any of the following characters (< > | " & \ ? ,).

      • precedence <SSID> – Sets the precedence for this authentication rule. The precedence value allows systematic evaluation and application of rules. Rules with the lowest precedence receive the highest priority.

      • <1-5000> – Specify a precedence from 1 -5000.

Note: Specifying the SSID allows the RADIUS server to use the SSID attribute in access requests to determine the data source to use. This option is applicable to onboard RADIUS servers only.
authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]

eap-auth-type

Uses EAP (Extensible Authentication Protocol), with this RADIUS server policy, for user authentication

The EAP authentication types supported by the local RADIUS server are: all, peap-gtc, peap-mschapv2, tls, ttls-md5, ttls-mschapv2, ttls-pap.

all

Enables both TTLS and PEAP authentication. This is the default setting.

peap-gtc

Enables PEAP with default authentication using GTC

peap-mschapv2

Enables PEAP with default authentication using MSCHAPv2

When using LDAP as the authentication external source, PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply for Microsoft's Active Directory server.

tls

Enables TLS as the EAP type

ttls-md5

Enables TTLS with default authentication using md5

ttls-mschapv2

Enables TTLS with default authentication using MSCHAPv2

ttls-pap

Enables TTLS with default authentication using PAP

Examples

nx9500-6C8809(config-radius-server-policy-test)#authentication eap-auth-type tls
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
nx9500-6C8809(config-radius-server-policy-test)#

Related Commands

no Removes the RADIUS authentication settings