Configuration Guide Vol. 2


8.5.2 Preparing RADIUS Servers

Before you can use Web authentication in RADIUS authentication mode, you need to configure the RADIUS server as described below.

Also described below are the RADIUS attributes used by the Web authentication functionality in the Switch.

<Structure of this section>

(1) Setting up the RADIUS server

On the RADIUS server, set user information such as a user ID, password, and VLAN ID for each authentication user. For details about how to configure the RADIUS server, see the documentation for the RADIUS server deployed in your network.

Use the following procedure to configure the post-authentication VLAN to which a terminal is assigned after successful authentication in dynamic VLAN mode.

  1. Specify 13 (Virtual VLANs (VLAN)) for the Tunnel-Type attribute.

  2. Specify 6 for the Tunnel-Medium-Type attribute.

  3. Specify a VLAN ID for the Tunnel-Private-Group-ID attribute, in one of the following formats:

    • As a numerical value

      Example: If the VLAN ID is 2048, specify the character string 2048.

    • As the character string "VLAN" followed by a numerical value

      Example: If the VLAN ID is 2048, specify the character string VLAN2048.

    • As a VLAN name defined using the name configuration command

If you perform authentication in dynamic VLAN mode without setting Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID, the native VLAN will be assigned as the post-authentication VLAN.

The user ID and password can be from 1 to 32 characters long, and can contain the following characters:

As the authentication method, specify PAP.

(2) RADIUS attributes used by Web authentication

The following table describes the RADIUS attributes used for Web authentication.

Table 8-3: Attribute names used for authentication (1: Access-Request)

| Attribute name | Type value | Description |
|---|---|---|
| User-Name | 1 | The user name. |
| User-Password | 2 | The user's password. |
| NAS-IP-Address | 4 | The IP address of the loopback interface, if one is specified. If no loopback interface is specified, the IP address of the interface that communicates with the RADIUS server. |
| Service-Type | 6 | Specify Framed(2). |
| State | 24 | The State value in the last Access-Challenge message received from the RADIUS server for this authentication session. Do not specify a value if the Access-Challenge message does not contain a State attribute. |
| Calling-Station-Id | 31 | The MAC address of the terminal to be authenticated, as a hyphen-punctuated lower-case ASCII string. Example: 00-12-e2-12-34-56 |
| NAS-Identifier | 32 | In fixed VLAN mode, a numerical string representing the VLAN ID to which authenticated terminals gain membership (example for VLAN ID 100: 100). In dynamic VLAN mode and legacy mode, the device name set by the hostname configuration command. |
| NAS-Port-Type | 61 | Specify Virtual(5). |
| NAS-IPv6-Address | 95 | The IPv6 address of the loopback interface, if one is specified. If no loopback interface is specified, the IPv6 address of the interface that communicates with the RADIUS server. When communicating via an IPv6 link-local address, this attribute carries the IPv6 link-local address of the transmitting interface, regardless of whether an IPv6 address is set on the loopback interface. |

Table 8-4: Attribute names used for authentication (2: Access-Accept)

| Attribute name | Type value | Description |
|---|---|---|
| Service-Type | 6 | Returns Framed(2). This attribute is ignored in Web authentication. |
| Reply-Message | 18 | (Not used) |
| Tunnel-Type | 64 | Used in dynamic VLAN mode and legacy mode. The MAC-based authentication functionality checks whether the value is 13 (VLAN). Not used in fixed VLAN mode. |
| Tunnel-Medium-Type | 65 | Used in dynamic VLAN mode and legacy mode. The MAC-based authentication functionality checks whether the value is 6, as for IEEE 802.1X. Not used in fixed VLAN mode. |
| Tunnel-Private-Group-Id | 81 | Used in dynamic VLAN mode and legacy mode. The value is a number representing a VLAN, or the character string VLANxx (where xx is the VLAN ID). If the first octet is in the range 0x00 to 0x1f, it is a Tag, and the VLAN is given by the octets from the second octet onward; if the first octet is 0x20 or higher, the entire attribute value represents the VLAN. In dynamic VLAN mode, if this attribute contains a VLAN name set by the name configuration command, the Switch uses the VLAN ID associated with that name. Not used in fixed VLAN mode. |
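The following is an added example (not code from the guide or the Switch) that applies the dynamic VLAN mode rules from the procedure in (1) and from Table 8-4: the Tunnel-Type 13 and Tunnel-Medium-Type 6 checks, the Tag-octet rule, and the three Tunnel-Private-Group-Id formats. NATIVE_VLAN, the VLAN_NAMES mapping and the SAMPLE_ACCEPT attributes are constructed for the example, and returning None when the Tunnel-* attributes are present but fail the checks is the example's own choice, since the guide does not describe that case.

```python
import re
from typing import Dict, Optional

TUNNEL_TYPE_VLAN = 13   # Tunnel-Type (type 64) value for VLAN
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type (type 65) value for IEEE 802
NATIVE_VLAN = 1         # assumed native VLAN ID, the fallback the guide describes

# Constructed sample of names set with the "name" configuration command -> VLAN ID.
VLAN_NAMES: Dict[str, int] = {"guest": 300, "staff": 2048}


def strip_tag(value: bytes) -> bytes:
    """Tag rule from Table 8-4: a first octet of 0x00..0x1f is a Tag and the
    payload starts at the second octet; 0x20 or higher means there is no Tag."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def parse_group_id(value: bytes, vlan_names: Dict[str, int]) -> Optional[int]:
    """Decode Tunnel-Private-Group-Id (type 81) in the three formats the guide
    lists: "2048", "VLAN2048", or a VLAN name. Returns None if nothing matches."""
    try:
        text = strip_tag(value).decode("ascii")
    except UnicodeDecodeError:
        return None
    m = re.fullmatch(r"(?:VLAN)?([0-9]{1,4})", text)
    if m:
        vid = int(m.group(1))
        return vid if 1 <= vid <= 4094 else None
    return vlan_names.get(text)


def post_auth_vlan(attrs: Dict[int, bytes],
                   vlan_names: Dict[str, int] = VLAN_NAMES) -> Optional[int]:
    """attrs maps RADIUS type values to raw attribute values from an Access-Accept.
    Returns the post-authentication VLAN ID for dynamic VLAN mode, NATIVE_VLAN when
    the three Tunnel-* attributes are absent, and None when they are present but fail
    the checks (the guide does not state what the Switch does in that case)."""
    if not all(t in attrs for t in (64, 65, 81)):
        return NATIVE_VLAN
    ttype = int.from_bytes(strip_tag(attrs[64]), "big")    # Tag + 3-octet integer
    tmedium = int.from_bytes(strip_tag(attrs[65]), "big")
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_802:
        return None
    return parse_group_id(attrs[81], vlan_names)


# Constructed Access-Accept: Tunnel-Type=VLAN(13), Medium=802(6), Group-Id "2048"
SAMPLE_ACCEPT = {64: b"\x00\x00\x00\x0d", 65: b"\x00\x00\x00\x06", 81: b"\x002048"}
```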

Table 8-5: Attribute names used in RADIUS accounting

| Attribute name | Type value | Description |
|---|---|---|
| User-Name | 1 | The user name. |
| NAS-IP-Address | 4 | The IP address of the NAS. This attribute contains the IP address of the loopback interface, if one is specified. If no loopback interface is specified, it contains the IP address of the interface that communicates with the server. |
| Service-Type | 6 | Specify Framed(2). |
| Calling-Station-Id | 31 | The MAC address of the terminal, as a hyphen-punctuated ASCII string. Example: 00-12-e2-12-34-56 |
| NAS-Identifier | 32 | In fixed VLAN mode, a numerical string representing the VLAN ID to which authenticated terminals gain membership (example for VLAN ID 100: 100). In dynamic VLAN mode and legacy mode, the device name set by the hostname configuration command. |
| Acct-Status-Type | 40 | Contains the value Start(1) at login and the value Stop(2) at logout. |
| Acct-Delay-Time | 41 | The time (in seconds) between the event occurring and transmission to the server. |
| Acct-Session-Id | 44 | An ID identifying the accounting session (the same value is used at login and logout). |
| Acct-Authentic | 45 | The manner in which the user was authenticated (either RADIUS or Local). |
| Acct-Session-Time | 46 | The time (in seconds) between login and logout. |
| NAS-Port-Type | 61 | Specify Virtual(5). |
| NAS-IPv6-Address | 95 | The IPv6 address of the NAS. This attribute contains the IPv6 address of the loopback interface, if one is specified. If no loopback interface is specified, it contains the IPv6 address of the interface that communicates with the server. When communicating via an IPv6 link-local address, this attribute carries the IPv6 link-local address of the transmitting interface, regardless of whether an IPv6 address is set on the loopback interface. |