3Com 4210 PWR Configuration Manual page 261

9/18/26 port and pwr 9/18/26 port 4210 series switch

Configuring the Local RADIUS Authentication Server Function
RADIUS servers cannot accept the user names that carry ISP domain names. In
this case, the domain names must be removed from the user names before the
user names are sent to the RADIUS server. For this reason, the
user-name-format command lets you specify whether or not ISP domain names
are carried in the user names sent to the RADIUS server.

For a RADIUS scheme, if you have specified to remove ISP domain names from
user names, you should not use this RADIUS scheme in more than one ISP
domain. Otherwise, the following error may occur: the RADIUS server regards
two different users that have the same name but belong to different ISP
domains as the same user (because the user names sent to it are the same).

In the default RADIUS scheme "system", ISP domain names are removed from
user names by default.

The purpose of setting the MAC address format of the Calling-Station-Id (Type
31) field in RADIUS packets is to improve the switch's compatibility with
different RADIUS servers. This setting is necessary when the format of the
Calling-Station-Id field that the RADIUS servers recognize is different from
the default MAC address format on the switch. For details about the field
formats that a RADIUS server recognizes, refer to the corresponding RADIUS
server manual.
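
The user-name-format notes above describe a misconfiguration that can be
checked offline against a saved configuration. The following Python example is
added here and is not code from the manual or from 3Com. The sample
configuration is constructed; the layout of the domain-view lines, the
with-domain / without-domain keywords, and the rule that schemes other than
"system" keep the domain name unless told otherwise are assumptions.

```python
from collections import defaultdict

# Constructed sample config (not from the manual); the domain-view line layout is assumed.
SAMPLE_CONFIG = """\
radius scheme corp
 user-name-format without-domain
domain isp-a
 scheme radius-scheme corp
domain isp-b
 scheme radius-scheme corp
domain isp-c
 scheme radius-scheme system
"""

def parse(config):
    """Return (strips, domains): scheme -> strips domain?, scheme -> ISP domains."""
    # The manual states that the default scheme "system" strips domain names.
    strips, domains, view, name = {"system": True}, defaultdict(list), None, None
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        if not line[0].isspace():                # a top-level line opens a new view
            is_scheme = words[:2] == ["radius", "scheme"]
            view = "scheme" if is_scheme else "domain" if words[0] == "domain" else None
            name = words[-1]
            if is_scheme:
                strips.setdefault(name, False)   # assumption: other schemes keep the domain
        elif view == "scheme" and words[0] == "user-name-format":
            strips[name] = words[1] == "without-domain"
        elif view == "domain" and words[:2] == ["scheme", "radius-scheme"] and len(words) > 2:
            domains[words[2]].append(name)
    return strips, domains

def shared_stripping_schemes(config):
    """Schemes that strip domain names yet serve more than one ISP domain."""
    strips, domains = parse(config)
    return {s: sorted(d) for s, d in domains.items() if strips.get(s) and len(d) > 1}

def colliding_logins(config, logins):
    """Logins that one scheme would present to the RADIUS server under the same name."""
    strips, domains = parse(config)
    seen = defaultdict(list)
    for login in logins:
        user, _, domain = login.partition("@")
        scheme = next((s for s, d in domains.items() if domain in d), None)
        if scheme:
            seen[scheme, user if strips.get(scheme) else login].append(login)
    return {key: names for key, names in seen.items() if len(names) > 1}
```

An empty result from shared_stripping_schemes means no domain-stripping scheme
is shared between ISP domains in the parsed configuration.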

The switch provides the local RADIUS server function (including authentication
and authorization), also known as the local RADIUS authentication server
function, in addition to the RADIUS client service, in which a separate
authentication/authorization server and accounting server are used for user
authentication.

Table 198 Configure the local RADIUS authentication server function

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable UDP port for local RADIUS authentication server | local-server enable | Optional. By default, the UDP port for local RADIUS authentication server is enabled. |
| Configure the parameters of the local RADIUS server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS authentication server is configured with an NAS IP address of 127.0.0.1. |

CAUTION:

If you adopt the local RADIUS authentication server function, the UDP port
number of the authentication/authorization server must be 1645, the UDP port
number of the accounting server must be 1646, and the IP addresses of the
servers must be set to the addresses of this switch.

The message encryption key set by the local-server nas-ip ip-address key
password command must be identical with the authentication/authorization
message encryption key set by the key authentication command in the
RADIUS scheme view of the RADIUS scheme on the specified NAS that uses
this switch as its authentication server.

The switch supports IP addresses and shared keys for up to 16 network access
servers (NAS). That is, when acting as the local RADIUS authentication server,
