Configuration Guide Vol. 2


6.2.4 RADIUS server-access function

(1) Connecting to RADIUS Servers

You can specify a maximum of four RADIUS servers. Each server can be specified by IP address or by hostname, but for IEEE 802.1X, specifying an IP address is recommended. If you specify a hostname, follow the notes in "5.4.2 Notes on Using RADIUS Servers" when you specify it. If the hostname resolves to multiple addresses, the switch uses the IP address with the highest priority. For more information about precedence, see "11.1 Description" in the Configuration Guide Vol. 1. You must use a non-authenticating port for the connection between the Switch and the RADIUS server.

If the connection to the RADIUS server fails, the switch will try the next RADIUS server listed in the configuration. If no RADIUS servers are accessible, the switch sends an EAP-Failure response to the terminal and terminates the authentication sequence.

If a timeout occurs at some point during the authentication sequence after connecting to the RADIUS server, the switch sends an EAP-Failure response to the terminal and terminates the authentication sequence.

(2) Settings for applying filters to authenticated terminals in terminal authentication mode

To apply filters to an authenticated terminal in the terminal authentication mode supported by the Switch, you must set the following properties on RADIUS servers: For more information about attributes, see Table 6-4: Attribute names used in authentication (their 3 Access-Accept).

(3) Configuring the identity of the Switch on RADIUS servers

The RADIUS protocol stipulates that the RADIUS server must use the source IP address of the request packet to identify the RADIUS client (NAS). In the Switch, the addresses below are used as the source IP address of a request packet:

If a local address is assigned to the Switch, specify the IP address configured as the local address when you register the Switch in the RADIUS server. This allows the RADIUS server to identify the IP address of the Switch from the local address even if you cannot identify the physical interface.
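
The effect of this source-address identification, shown as an added example (not the vendor's code): a minimal Python model of a RADIUS server that selects the shared secret by the request's source IP and signs its reply with the RFC 2865 Response Authenticator. The addresses, NAS name, secret and all function names are constructed for illustration; 192.0.2.1 stands in for the Switch's local address.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3  # RADIUS packet codes (RFC 2865)

# Constructed NAS table: the server keys its shared secrets on source IP.
# 192.0.2.1 is an assumed value for the Switch's registered local address.
NAS_CLIENTS = {ipaddress.ip_address("192.0.2.1"): ("switch-1", b"constructed-secret")}


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(src_ip, packet, code=ACCESS_REJECT):
    """Server side: pick the NAS by source IP and sign a reply, or drop (None)."""
    if len(packet) < 20:
        return None
    req_code, ident, length = struct.unpack("!BBH", packet[:4])
    nas = NAS_CLIENTS.get(ipaddress.ip_address(src_ip))
    if req_code != ACCESS_REQUEST or length != len(packet) or nas is None:
        return None  # malformed, or unregistered source address: dropped
    auth = response_authenticator(code, ident, b"", packet[4:20], nas[1])
    return struct.pack("!BBH", code, ident, 20) + auth


def switch_accepts(reply, request_auth, secret):
    """NAS side: recompute the authenticator with its own secret and compare."""
    if reply is None or len(reply) < 20:
        return False
    code, ident, _length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Send one constructed, attribute-less request from two source addresses."""
    request_auth = bytes(range(16))
    request = struct.pack("!BBH", ACCESS_REQUEST, 7, 20) + request_auth
    from_local = server_reply("192.0.2.1", request)     # registered local address
    from_iface = server_reply("198.51.100.9", request)  # unregistered interface address
    return switch_accepts(from_local, request_auth, b"constructed-secret"), from_iface is None


print(demo())
```

A request sourced from an address the server does not have registered gets no reply at all, which the switch sees as an inaccessible server; registering the local address keeps the lookup stable regardless of which physical interface the packet leaves from.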