Configuring Foundry -S; Radius Configuration Considerations; Radius Configuration Procedure - Foundry Networks Switch and Router Installation And Configuration Manual

Foundry Switch and Router Installation and Configuration Guide

RADIUS Configuration Considerations

- You must deploy at least one RADIUS server in your network.
- Foundry devices support authentication using up to eight RADIUS servers. The device tries to use the servers in the order you add them to the device's configuration. If one RADIUS server is not responding, the Foundry device tries the next one in the list.
- You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.

RADIUS Configuration Procedure

Use the following procedure to configure a Foundry device for RADIUS:
1. Configure Foundry vendor-specific attributes on the RADIUS server. See "Configuring Foundry-Specific Attributes on the RADIUS Server" on page 3-36.
2. Identify the RADIUS server to the Foundry device. See "Identifying the RADIUS Server to the Foundry Device" on page 3-37.
3. Set RADIUS parameters. See "Setting RADIUS Parameters" on page 3-38.
4. Configure authentication-method lists. See "Configuring Authentication-Method Lists for RADIUS" on page 3-38.
5. Optionally configure RADIUS authorization. See "Configuring RADIUS Authorization" on page 3-40.
6. Optionally configure RADIUS accounting. See "Configuring RADIUS Accounting" on page 3-40.

Configuring Foundry-Specific Attributes on the RADIUS Server

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server
sends an Access-Accept packet to the Foundry device, authenticating the user. Within the Access-Accept packet
are three Foundry vendor-specific attributes that indicate:
- The privilege level of the user
- A list of commands
- Whether the user is allowed or denied usage of the commands in the list
You must add these three Foundry vendor-specific attributes to your RADIUS server's configuration, and
configure the attributes in the individual or group profiles of the users that will access the Foundry device.
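
The following is an added example, not part of the Foundry manual: a Python parser that pulls the three vendor-specific attributes described above out of a captured Access-Accept, so you can check what a user profile on the RADIUS server actually grants. The vendor ID 1991, the sub-attribute numbers 1 to 3 and their short names are assumptions not stated on this page, so confirm them against the manual's attribute table; the sample packet is constructed.

```python
import struct

FOUNDRY_VENDOR_ID = 1991  # assumption: Foundry's enterprise number, not given on this page
# Assumed sub-attribute numbers and names; confirm against the manual's attribute table.
SUBATTRS = {1: "privilege-level", 2: "command-string", 3: "command-exception-flag"}
VENDOR_SPECIFIC, ACCESS_ACCEPT = 26, 2  # RFC 2865 attribute type and packet code


def foundry_vsas(packet: bytes) -> dict:
    """Return the Foundry sub-attributes carried in a RADIUS Access-Accept.

    Only the structure is parsed; the Response Authenticator is not verified.
    """
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute overruns packet")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue  # standard attribute, not a VSA
        if struct.unpack("!I", value[:4])[0] != FOUNDRY_VENDOR_ID:
            continue  # VSA from another vendor
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            s_type, s_val = sub[0], sub[2:sub[1]]
            sub = sub[sub[1]:]
            name = SUBATTRS.get(s_type)
            if name == "command-string":
                found[name] = s_val.decode("ascii", "replace")
            elif name and len(s_val) == 4:
                found[name] = struct.unpack("!I", s_val)[0]
    return found


def _attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value


def sample_accept() -> bytes:
    """Constructed Access-Accept with one standard attribute and one Foundry VSA."""
    subs = (_attr(1, struct.pack("!I", 5)) + _attr(2, b"show ip route;show version")
            + _attr(3, struct.pack("!I", 0)))
    attrs = _attr(6, struct.pack("!I", 6)) + _attr(26, struct.pack("!I", FOUNDRY_VENDOR_ID) + subs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

An empty result for a user who authenticates successfully means the server returned none of the three attributes for that profile.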
3 - 36
December 2000
