117
Enhancements in Release F.04.08
Configuring RADIUS Authentication and Accounting
Outline of the Steps for Configuring RADIUS Accounting
1. Configure the switch for accessing a RADIUS server.
You can configure a list of up to three RADIUS servers (one primary, two backup). The switch
operates on the assumption that a server can operate in both accounting and authentication
mode. (Refer to the documentation for your RADIUS server application.)
• Use the same radius-server host command that you would use to configure RADIUS
authentication. Refer to “2. Configure the Switch To Access a RADIUS Server” on page
109.
• Provide the following:
– A RADIUS server IP address.
– Optional—a UDP destination port for authentication requests. Otherwise the switch
assigns the default UDP port (1812; recommended).
– Optional—if you are also configuring the switch for RADIUS authentication, and
need a unique encryption key for use during authentication sessions with the
RADIUS server you are designating, configure a server-specific key. This key over-
rides the global encryption key you can also configure on the switch, and must match
the encryption key used on the specified RADIUS server. For more information, refer
to the "[key < key-string >]" parameter on page 109. (Default: null)
2. Configure the types of accounting you want the switch to perform, and the controls for sending
accounting reports from the switch to the RADIUS server(s).
• Accounting types: exec (page 115), network (page 115), or system (page 116)
• Trigger for sending accounting reports to a RADIUS server: At session start and
stop or only at session stop
3. (Optional) Configure session blocking and interim updating options
• Updating: Periodically update the accounting data for sessions-in-progress
• Suppress accounting: Block the accounting session for any unknown user with no
username accesses the switch