Advanced RADIUS Settings

For information about advanced RADIUS configuration settings, see the following table:

Table 1. RADIUS Server Advanced Settings
Field
  Description

Username Format
  Determines whether the domain name is included in the username when proxying a request to the backend RADIUS server. Valid values are:
  • Strip Domain Name (default) - Select this option unless the backend RADIUS server requires the domain name to be included.
  • Keep Domain Name - Using this option with a Microsoft IAS or NPS server may cause the server to time out. Therefore, use an advanced AAA configuration. With an AAA configuration, only requests for known domains are sent to the backend RADIUS server. Unknown domains are processed locally and rejected.

Require Message-Authenticator
  Protect against spoofed Access-Request messages and RADIUS message tampering with this attribute. The Require Message-Authenticator setting provides additional security when using the PAP and CHAP security protocols for authentication. EAP uses the Message-Authenticator attribute by default.

Health - Use Server Status Request
  Use Server-Status RADIUS packets, as defined by RFC 5997, to determine if the backend RADIUS server is running.

Health - Use Access Request
  Use an access request message to determine if the RADIUS server is running. The request uses a username and password. This method looks for any response from the server. The username and password do not need to be valid. A negative response will work. However, the username/password fields are provided to prevent rejects from being logged in the backend RADIUS server.

Check Interval
  Determines the wait time between checks to see if the RADIUS server is running.
  Note: This is only applicable if the Server-Status request or Access request methods are used.

Number of Answers to Alive
  Determines the number of times the RADIUS server must respond before it is marked as alive.
  Note: This is only applicable if the Server-Status request or Access request methods are used.

Revive Interval
  Determines the wait time before allowing requests to go to a backend RADIUS server after it stops responding.
  Note: Use this option only when there is no other way to detect the health of the backend RADIUS server. If the RADIUS server supports neither the Server-Status request option nor the Access request option, use this option.

Require Message-Authenticator
  When enabled, the Message-Authenticator attribute-value pair is included in the packet from the RADIUS server.

Health — Use Server Status Request
  Determines if the Server Status Request is used to determine RADIUS server health upon recovery after the server has gone down. This is RADIUS status code point 12 from RFC 5997.

Health — Use Access Request
  Determines if the Server Access Request is used to determine RADIUS server health upon recovery after the server has gone down. This is access request code point 1 from RFC 2865 with the user name/password set to fakeuser/fakepasswd.
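
What requiring Message-Authenticator checks on a request, shown as an added example (not code from this product): the attribute (type 80, RFC 2869) carries an HMAC-MD5 of the whole packet, keyed with the shared secret and computed with the attribute's 16 value bytes set to zero. The function names, the shared secret and the sample User-Name are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, STATUS_SERVER = 1, 12   # packet codes (RFC 2865, RFC 5997)
MESSAGE_AUTHENTICATOR = 80              # attribute type (RFC 2869)
SECRET = b"constructed-shared-secret"   # constructed sample value
USER_NAME = bytes([1, 10]) + b"fakeuser"  # User-Name attribute (type 1)


def build_request(code, ident, secret, attrs=b""):
    """Build a request whose first attribute is a valid Message-Authenticator."""
    length = 20 + 18 + len(attrs)
    header = struct.pack("!BBH", code, ident, length) + os.urandom(16)
    attr_head = bytes([MESSAGE_AUTHENTICATOR, 18])
    # The HMAC covers the packet with the 16 value bytes zeroed.
    zeroed = header + attr_head + bytes(16) + attrs
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attr_head + mac + attrs


def verify_request(packet, secret, require=True):
    """Return True if the packet passes the Message-Authenticator check.

    With require=True a packet that lacks the attribute is rejected.
    """
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    pos = 20
    while pos < length:
        if length - pos < 2:
            return False                      # truncated attribute header
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                      # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return not require                        # attribute absent
```
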