5.4.2 Notes on using RADIUS servers
(1) Notes on configuring RADIUS servers
Each Layer 2 authentication method has its own RADIUS server setting, so configure a RADIUS server for every Layer 2 authentication method you intend to use:
- IEEE 802.1X: dot1x radius-server host
- Web authentication: web-authentication radius-server host
- MAC-based authentication: mac-authentication radius-server host
The RADIUS server used to authenticate logins to the Switch can also be used for Layer 2 authentication. To use it, delete the RADIUS server setting for the corresponding Layer 2 authentication method; while a method-specific setting exists, that setting is the one used.
(2) Notes on specifying a RADIUS server by host name
If you specify a RADIUS server by host name, the following problems can occur whenever the switch cannot reach the DNS server to resolve that name:
- When executing an operation command:
  - Command results are slow to appear.
  - Command output stops partway and resumes after a brief pause.
  - The message "Connection failed to 802.1X program." appears for IEEE 802.1X authentication.
  - The message "Can't execute." appears for MAC-based or Web authentication.
- When executing a configuration command:
  - Saving the configuration, or having configuration changes take effect, can take a long time.
- When an SNMP manager retrieves IEEE 802.1X MIB information:
  - Responses are slow, or the SNMP request times out while waiting for a response.
To avoid these problems, specify the RADIUS server by its IPv4 or IPv6 address. If you must use a host name, make sure the DNS server is reachable from the switch and answers its queries.
(3) Notes on loss of communication with RADIUS servers in IEEE 802.1X
In IEEE 802.1X, if communication with the RADIUS server is lost, or if the server specified by the configuration command dot1x radius-server host does not exist, every login request takes a long time to complete: for each request the switch waits out the full timeout period and retransmission count configured by dot1x radius-server host.
Even when multiple RADIUS servers are configured, the delay still occurs. The servers are tried in the order of the dot1x radius-server host configuration commands, starting from the top for every login request, so a server listed earlier that is unreachable because of a failure or similar cause costs its full timeout and retransmissions before the next server is tried.
In such a case, stop the login operation, correct the RADIUS server configuration with dot1x radius-server host, and then retry the login.
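To make the cost described above concrete, the following is a small model of the per-request behaviour. It is an added example and not from the manual or the switch software. It takes from the text that servers are tried in dot1x radius-server host order on every login request; it additionally assumes that an unreachable server costs timeout multiplied by (retransmissions + 1) seconds, and the 5-second timeout, 3 retransmissions, addresses and reachability flags are constructed placeholders, not the switch's documented defaults.

```python
from dataclasses import dataclass

# Assumed values for the dot1x radius-server host timeout and retransmission
# count; the manual does not state defaults here, so these are placeholders.
TIMEOUT_S = 5
RETRANSMIT = 3


@dataclass(frozen=True)
class RadiusServer:
    host: str        # constructed placeholder address
    reachable: bool  # constructed: does this server answer at all?


def wait_per_dead_server(timeout_s=TIMEOUT_S, retransmit=RETRANSMIT):
    """Seconds spent on one unreachable server: the initial request plus each
    retransmission is assumed to wait the full timeout (modelling assumption)."""
    return timeout_s * (1 + retransmit)


def login_delay(servers, timeout_s=TIMEOUT_S, retransmit=RETRANSMIT):
    """Model a single login request.

    Servers are tried in configuration order, as the manual states, and the
    list is walked from the top for every request (no memory of earlier
    failures). Returns (seconds waited before an answer, answering host or None).
    """
    waited = 0
    for srv in servers:
        if srv.reachable:
            return waited, srv.host
        waited += wait_per_dead_server(timeout_s, retransmit)
    return waited, None  # every configured server failed: full wait, no answer


def total_delay(servers, login_requests, timeout_s=TIMEOUT_S, retransmit=RETRANSMIT):
    """Cumulative waiting across several login requests. The same penalty is
    paid on every request, which is why the manual says to fix the
    configuration rather than keep retrying."""
    return login_requests * login_delay(servers, timeout_s, retransmit)[0]


if __name__ == "__main__":
    # Constructed scenario: the first configured server is down, the second is up.
    configured = [RadiusServer("192.0.2.10", reachable=False),
                  RadiusServer("192.0.2.11", reachable=True)]
    print(login_delay(configured))      # (20, '192.0.2.11')
    print(total_delay(configured, 50))  # 1000 seconds of waiting across 50 logins
    # After removing the dead entry, as the manual recommends:
    fixed = [s for s in configured if s.reachable]
    print(login_delay(fixed))           # (0, '192.0.2.11')
```

The point the model makes visible is that a dead server near the top of the list is charged on every single request, so the remedy is to fix the list, not to wait for failover.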
(4) Notes on specifying RADIUS servers by IPv6 address
When you specify a RADIUS server by IPv6 address, do not use a link-local address. Layer 2 authentication cannot communicate with a RADIUS server that has a link-local address.
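Both of the address pitfalls in this section, a host name that depends on DNS (note (2)) and an IPv6 link-local address (note (4)), can be caught before a configuration is applied. The following Python check is an added example, not part of the manual or the switch software: it scans constructed sample configuration lines for the three radius-server host commands named in (1) and reports the offending entries. The sample addresses are placeholders, and the assumption that the server is the first token after `host` is the author's, not a documented grammar of the commands.

```python
import ipaddress
import re

# Constructed sample configuration (not from the manual); each line exercises
# one of the cases the section describes.
SAMPLE_CONFIG = """\
dot1x radius-server host 192.0.2.10
web-authentication radius-server host radius.example.net
mac-authentication radius-server host fe80::1
dot1x radius-server host 2001:db8::10
"""

# Assumption: the server argument is the token immediately after "host".
HOST_RE = re.compile(
    r"^(?P<auth>dot1x|web-authentication|mac-authentication)"
    r"\s+radius-server\s+host\s+(?P<host>\S+)"
)


def classify_host(host):
    """Return 'ok', 'link-local' or 'hostname' for one RADIUS server spec."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: the switch must resolve it via DNS, and a slow or
        # unreachable DNS server stalls commands and SNMP (note (2)).
        return "hostname"
    if addr.version == 6 and addr.is_link_local:
        # fe80::/10: Layer 2 authentication cannot reach such a server (note (4)).
        return "link-local"
    return "ok"


def lint_radius_hosts(config_text):
    """Return (line number, authentication method, host, verdict) for every
    radius-server host line in the configuration text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        findings.append((lineno, m["auth"], m["host"], classify_host(m["host"])))
    return findings


if __name__ == "__main__":
    for lineno, auth, host, verdict in lint_radius_hosts(SAMPLE_CONFIG):
        if verdict != "ok":
            print(f"line {lineno}: {auth} server {host}: {verdict}")
```

Run against the sample, the check flags line 2 (a host name, so DNS availability becomes a dependency of authentication) and line 3 (an IPv6 link-local address that Layer 2 authentication cannot use), and passes the two global addresses.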