Configure an Extreme
Networks device as a RADIUS Server.
Use this task to add increased security to the AAA Server Profile. For more
information, see Configure an AAA Server Profile.
Note
Default certificates are intended to be used for testing
only.
-
Select an
Authentication Protocol from the drop-down
list.
- TLS
requires mutual authentication using client-side certificates. With a
client-side certificate, a compromised password is not enough to break
into TLS-enabled systems because the intruder still needs the
client-side certificate. A password is only used to encrypt the
client-side certificate for storage. Credentials are used for a one-time
certificate enrollment. The certificate is sent to the RADIUS server for
authentication.
- PEAP
encapsulates EAP within a potentially encrypted and authenticated TLS
tunnel. The user must enter their credentials, which are sent to the
RADIUS Server that verifies the credentials, and authenticates them for
network access.
- TTLS
extends TLS. The client can, but does not have to, be authenticated via
a CA-signed PKI certificate to the server. This greatly simplifies the
setup procedure since a certificate is not needed for every client.
- LEAP uses
dynamic WEP keys and mutual authentication between the client and RADIUS
server. Uses an authentication protocol in which user credentials are
not strongly protected and are easily compromised. Users who absolutely
must use LEAP should do so with sufficiently complex passwords.
- MD5
offers minimal security, is vulnerable to dictionary attacks, and does
not support key generation. This method is commonly used in a trusted
network.
-
Select a Default Authentication Protocol from the
drop-down list.
-
Select the default certification authority digital certificate type.
-
Select the default server
digital certificate type.
-
Select whether to verify the
server certificate file.
-
Enter the client key file password.
-
Select whether to Check common name in certificate against the user
for TLS authentication.
-
Select the authentication that has been assigned to a user.
-
If you Enable
Authentication, the recommended value for the Age Timeout for Active
Session is three times the value of the Accounting Interim Update
Interval in the RADIUS Client.
For example, if the Accounting
Interim Update Interval is set to 600 seconds, set the Age Timeout for Active
Session to 1800 seconds.
Continue configuring the server.