Alaxala AX2200S Series Configuration Manual page 112


8 Login Security and RADIUS
When end-by-reject is set and authentication is denied by the first specified method,
authentication is not attempted with the next specified method. The entire authentication
process is terminated at the first denial and is treated as a failure. The next specified
method is used only when authentication fails because communication is not possible,
for example if the RADIUS server does not respond.
The figure below shows an example of the authentication sequence. In this example,
RADIUS authentication and local password authentication are specified in that order as
authentication methods. The RADIUS server denies authentication.
Figure 8-9 Sequence of authentication (with end-by-reject specified)
In this figure, the user accesses the Switch via Telnet from a remote terminal, and the
Switch requests the RADIUS server to perform authentication. However, the RADIUS
server denies the request, so RADIUS authentication fails. This means that the whole
series of authentications fails and authentication finishes at that point. Local password
authentication, the next method, is not performed on the Switch. As a result, the user
fails to log in to the Switch.
(2) Selection of a RADIUS server and automatic-restoration (dead-interval) functionality
You can specify up to 20 general-use RADIUS servers used for RADIUS authentication for
remote logins. If one server is unreachable and its authentication service is unavailable,
each of the other servers is attempted in turn.
Selection of a RADIUS server (the maximum time before the system decides that
communication with a RADIUS server is not possible)
You can configure a response timeout period to determine whether communication
with a RADIUS server is possible. The default is five seconds. If a RADIUS server
times out, another attempt is made to connect to it. You can set the maximum
number of connection retries that the Switch makes with each server (three by
default). Because of this, the maximum time before the system decides that the
RADIUS server is unavailable is as follows:
response-timeout-period × (first-try + number-of-retries) × number-of-RADIUS-servers-configured.
Automatic-restoration (dead-interval)
The Switch determines which RADIUS server is effective when a frame received from a
terminal subject to authentication triggers a RADIUS authentication request.
Subsequent terminals always use that effective RADIUS server. This method reduces
the time to authentication, but when RADIUS servers are used in a load-distributed
structure and a failure occurs on a RADIUS server, the Switch cannot be restored to
the load-distributed state automatically. For this reason, the Switch supports the
automatic-restoration (dead-interval) functionality, which uses a monitoring timer to
automatically restore use of the first valid RADIUS server (primary RADIUS server).
The monitoring timer default is 10 minutes.
(3) Information to be registered in the RADIUS server
To use RADIUS authentication, register a user ID and a password in the RADIUS server.
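The following Python model is an added example, not code from the AlaxalA manual or the Switch. It reproduces the behaviour described in this section: RADIUS servers are tried in turn, each silent server costs response-timeout-period × (first-try + number-of-retries), and with end-by-reject a denial ends the sequence while only a communication failure moves on to the next method. All function names, the Result values and the scenarios are assumptions constructed for illustration.

```python
# Added illustration; names are hypothetical, not AlaxalA software or CLI.
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"            # server answered and accepted
    REJECT = "reject"            # server answered and denied
    NO_RESPONSE = "no-response"  # every try timed out (cannot communicate)

def per_server_wait(timeout=5, retries=3):
    """Seconds spent on one silent server: timeout x (first try + retries)."""
    return timeout * (1 + retries)

def worst_case_seconds(timeout=5, retries=3, servers=1):
    """Maximum time before RADIUS is judged unavailable (the manual's formula)."""
    return per_server_wait(timeout, retries) * servers

def radius_method(server_replies, timeout=5, retries=3):
    """Try each configured server in turn; return (result, seconds waited)."""
    waited = 0
    for reply in server_replies:
        if reply is Result.NO_RESPONSE:
            waited += per_server_wait(timeout, retries)
            continue                      # unreachable: attempt the next server
        return reply, waited              # first server that answers decides
    return Result.NO_RESPONSE, waited

def login_end_by_reject(methods):
    """methods: ordered (name, Result) pairs. Returns (logged_in, tried)."""
    tried = []
    for name, result in methods:
        tried.append(name)
        if result is Result.ACCEPT:
            return True, tried
        if result is Result.REJECT:
            return False, tried           # end-by-reject: first denial is final
        # NO_RESPONSE: communication failure, so the next method is used
    return False, tried

if __name__ == "__main__":
    # Constructed scenarios. Figure 8-9: RADIUS denies, local is never tried.
    print(login_end_by_reject([("radius", Result.REJECT), ("local", Result.ACCEPT)]))
    # Two silent servers: 40 s of waiting, then local password authentication.
    result, waited = radius_method([Result.NO_RESPONSE, Result.NO_RESPONSE])
    print(waited, login_end_by_reject([("radius", result), ("local", Result.ACCEPT)]))
    # Defaults with the maximum of 20 servers configured.
    print(worst_case_seconds(servers=20))
```

With the default timeout and retry count and all 20 servers configured, the formula gives 400 seconds before RADIUS is judged unavailable and the next method is used.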


This manual is also suitable for:

Ax1250s series, Ax1240s series