Configure AAA Server Security Options

Configure an Extreme Networks device as a RADIUS Server.

Use this task to add increased security to the AAA Server Profile. For more information, see Configure an AAA Server Profile.

Note

Default certificates are intended to be used for testing only.

  1. Select an Authentication Protocol from the drop-down list.
    • TLS requires mutual authentication using client-side certificates. With a client-side certificate, a compromised password is not enough to break into TLS-enabled systems because the intruder still needs the client-side certificate. A password is only used to encrypt the client-side certificate for storage. Credentials are used for a one-time certificate enrollment. The certificate is sent to the RADIUS server for authentication.
    • PEAP encapsulates EAP within a potentially encrypted and authenticated TLS tunnel. The user enters their credentials, which are sent to the RADIUS server; the server verifies the credentials and authenticates the user for network access.
    • TTLS extends TLS. The client can, but does not have to, be authenticated via a CA-signed PKI certificate to the server. This greatly simplifies the setup procedure since a certificate is not needed for every client.
    • LEAP uses dynamic WEP keys and mutual authentication between the client and RADIUS server. It is an authentication protocol in which user credentials are not strongly protected and are easily compromised. Users who absolutely must use LEAP should do so with sufficiently complex passwords.
      Note

      The WEP protocol is no longer effective for securing wireless networks. For security reasons, WEP configuration is no longer available in the UI. If you require WEP for business continuity purposes, you can enable it via Supplemental CLI.
    • MD5 offers minimal security, is vulnerable to dictionary attacks, and does not support key generation. This method is commonly used in a trusted network.
  2. Select a Default Authentication Protocol from the drop-down list.
  3. Select the default certification authority digital certificate type.
  4. Select the default server digital certificate type.
  5. Select whether to verify the server certificate file.
  6. Enter the client key file password.
  7. Select whether to Check common name in certificate against the user for TLS authentication.
  8. Select the authentication that has been assigned to a user.
  9. If you Enable Authentication, the recommended value for the Age Timeout for Active Session is three times the value of the Accounting Interim Update Interval in the RADIUS Client.
    For example, if the Accounting Interim Update Interval is set to 600 seconds, set the Age Timeout for Active Session to 1800 seconds.
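
The protocol notes, the default-certificate note and the step 9 recommendation above can be checked before a profile is deployed. The following Python is an added example, not Extreme Networks code; the profile dictionary and all of its field names are hypothetical, because this page documents UI options rather than an export format, and the sample profiles are constructed.

```python
# Reasons are taken from the protocol descriptions on this page.
WEAK_PROTOCOLS = {
    "LEAP": "user credentials are not strongly protected and are easily compromised",
    "MD5": "minimal security, vulnerable to dictionary attacks, no key generation",
}

def audit_aaa_profile(profile):
    """Return (setting, message) findings for one AAA profile (hypothetical dict layout)."""
    findings = []
    selected = [profile.get("auth_protocol"), profile.get("default_auth_protocol")]
    protocols = list(dict.fromkeys(p.upper() for p in selected if p))  # de-duplicate, keep order
    for name in protocols:
        if name in WEAK_PROTOCOLS:
            findings.append(("protocol", f"{name}: {WEAK_PROTOCOLS[name]}"))
    # Default certificates are intended to be used for testing only.
    for key in ("ca_certificate", "server_certificate"):
        if profile.get(key, "default") == "default":
            findings.append((key, "default certificate is intended for testing only"))
    # Step 7: with TLS, the certificate common name can be checked against the user.
    if "TLS" in protocols and not profile.get("check_cert_cn", False):
        findings.append(("check_cert_cn", "certificate common name is not checked against the user"))
    # Step 9: age timeout should be three times the accounting interim update interval.
    if profile.get("authentication_enabled"):
        interim = profile.get("accounting_interim_interval_s")
        age = profile.get("age_timeout_s")
        if interim is not None and age != 3 * interim:
            findings.append(("age_timeout_s", f"is {age}, recommended {3 * interim}"))
    return findings

# Constructed sample profiles (not real exports).
WEAK_PROFILE = {
    "auth_protocol": "LEAP", "default_auth_protocol": "MD5",
    "ca_certificate": "default", "server_certificate": "default",
    "authentication_enabled": True,
    "accounting_interim_interval_s": 600, "age_timeout_s": 600,
}
HARDENED_PROFILE = {
    "auth_protocol": "TLS", "default_auth_protocol": "TLS",
    "ca_certificate": "corp-ca", "server_certificate": "corp-radius",
    "check_cert_cn": True, "authentication_enabled": True,
    "accounting_interim_interval_s": 600, "age_timeout_s": 1800,
}

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label)
        for setting, message in audit_aaa_profile(prof) or [("ok", "no findings")]:
            print(f"  {setting}: {message}")
```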

Continue configuring the server.