6.2.4 RADIUS server-access function

(1) Connecting to RADIUS Servers

You can specify a maximum of four RADIUS servers. Although you can specify a RADIUS server by IPv4 address, IPv6 address, or host name, in the context of IEEE 802.1X we recommend that you use an IPv4 address or IPv6 address. If you specify a hostname, refer to Notes on Using 5.4.2 RADIUS Servers and specify it. If the host name resolves to multiple addresses, the switch uses the IP address with the highest priority. For more information about precedence, see the Configuration Guide Vol.1" "13.1 Description. You must use a non-authenticating port for the connection between the Switch and the RADIUS server.

If the connection to the RADIUS server fails, the switch will try the next RADIUS server listed in the configuration. If no RADIUS servers are accessible, the switch sends an EAP-Failure response to the terminal and terminates the authentication sequence.

If a timeout occurs at some point during the authentication sequence after connecting to the RADIUS server, the switch sends an EAP-Failure response to the terminal and terminates the authentication sequence.

(2) Settings for dynamically assigning VLAN by VLAN (dynamically)

The Switch supports authentication in VLAN-based authentication (dynamic) mode. However, you must configure the following RADIUS server attributes before you can implement dynamic VLAN assignment on the Switch. For more information about attributes, see Table 6-4: Attribute names used in authentication (their 3 Access-Accept).

• Tunnel-Type

• Tunnel-Medium-Type

• Tunnel-Private-Group-Id

(3) Terminal authentication mode for port-based authentication and settings for applying filters to authenticated terminals by VLAN authentication (static)

The Switch supports the filtering of terminals that undergo port-based authentication (in terminal authentication mode) and VLAN-based authentication (static).However, you must configure the following RADIUS server attribute before you can apply a filter. For more information about attributes, see Table 6-4: Attribute names used in authentication (their 3 Access-Accept).

• Filter-Id

(4) Configuring the identity of the Switch on RADIUS servers

The RADIUS protocol stipulates that the RADIUS server must use the source IP address of the request packet to identify the RADIUS client (NAS). In the Switch, the addresses below are used as the source IP address of a request packet:

• If a local address is set, the local address is used as the source IP address

• If no local address is set, the IP address of the transmission interface is used as the source IP address

If a local address is assigned to the Switch, specify the IP address configured as the local address when you register the Switch in the RADIUS server. This allows the RADIUS server to identify the IP address of the Switch from the local address even if you cannot identify the physical interface.