RADIUS Settings

Configure the following parameters, and then select Save.
Peer Discovery (RFC 7585) Enabled
Select this option to enable peer discovery.

Peer Discovery uses the Network Access Identifier (NAI) in the UserName attribute of the RADIUS packet to dynamically discover the RADIUS server using DNS.

It is supported for Secure(TLS) servers only; therefore, Peer Discovery defaults to the Type value = Secure. Both the server IP address and port values are dynamically discovered. The port is usually TCP 2083.

Type
Select between Standard (UDP) or Secure (RADSEC) protocol.

RADSEC supports RADIUS transactions conducted securely over TCP and TLS (RFC 6614). RADSEC is not supported with Local Onboarding, and it is not available with ADMIN access.

Server Address
The RADIUS server address. This value cannot be changed.
Port
  • A User Datagram Protocol (UDP) port number used for client authentication. UDP needs only one port for full-duplex, bidirectional traffic. Select a UDP port number for standard protocol security.
  • For a secure RADSEC protocol, use port 2083 This is the default port.
Trust Point
Refers to the certificate file required for the secure RADSEC protocol. When a secure RADSEC protocol is configured, the certificate file of the Access Network Provider (ANP) and its private key must be specified, and the CA must also be specified to authenticate the peer's certificate. Select from the list of configured Trust Points. For information about configuring Trust Points, see Trust Points in the ExtremeCloud IQ Controller User Guide.
Retries
Determines the number of times ExtremeCloud IQ Controller will attempt to authenticate an end user.

For Local Onboarding, use the Retries and Timeout values with the RADIUS Server Health Check parameters to detect RADIUS servers that are not responding and fail over to a second server if necessary. When Local Onboarding bypassed is enabled, all RADIUS requests are sent to one RADIUS server until it fails; then, the next RADIUS server is used.

Timeout
Determines a timeout value, in seconds, for the RADIUS server connection.
Status Server Request Timeout
Status Requests are sent by the RADIUS client to query the status of the RADIUS server. The Status Request Timeout is the period between two successive status requests . Status requests are only sent when the RADIUS server has stopped responding to the Access Request with an Access Response.
Shared Secret
The password that is used to validate the connection between the client and the RADIUS server.

For RADSEC, radsec is the default password.

Mask
Determines if the Shared Secret or password value is displayed on the user interface. Enable Mask to display dots in place of the Shared Secret or password value. To display the password characters, clear the Mask check box.