Quick Reference Guide
138 | Providing User Access Security
www.dell.com | support.dell.com
Configuring a RADIUS Connection
Remote Authentication Dial-In User Service (RADIUS) is another means of port-based network access
control. The switch acts as an intermediary to a RADIUS server, which provides both an authentication
and an accounting function to maintain data on service usage.
Under RFC 2866, an extension was added to the RADIUS protocol giving the client the ability to deliver
accounting information about a user to an accounting server. Exchanges with the accounting server follow
guidelines similar to those for an authentication server, but the flows are much simpler.
At the start of service for a user, the RADIUS client configured to use accounting sends an accounting start
packet specifying the type of service that it will deliver. Once the server responds with an
acknowledgement, the client periodically transmits accounting data. At the end of service delivery, the
client sends an accounting stop packet allowing the server to update specified statistics. The server again
responds with an acknowledgement.
Setting up a connection to a server running Remote Authentication Dial-In User Service (RADIUS) is
basically the same as the TACACS+ procedure described above (see Choosing a TACACS+ Server and
Authentication Method on page 135 and Configuring TACACS+ Server Connection Options on page 137),
where you identify the address of the authentication server and you specify an ordered set of authentication
methods. The following RADIUS commands are documented in the Security chapter of the SFTOS
Command Reference:
• radius accounting mode: Enable the RADIUS accounting function.
• radius server host: Configure the RADIUS authentication and accounting server.
• radius server key: Configure the shared secret between the RADIUS client and the RADIUS
accounting / authentication server.
• radius server msgauth: Enable the message authenticator attribute for a specified server.
• radius server primary: Configure the primary RADIUS authentication server for this RADIUS client.
• radius server retransmit: Set the maximum number of times a request packet is retransmitted when no
response is received from the RADIUS server.
• radius server timeout: Set the timeout value (in seconds) after which a request must be retransmitted to
the RADIUS server if no response is received.
• show radius: Display the various RADIUS configuration items for the switch as well as the
configured RADIUS servers.
• show radius accounting statistics: Display the configured RADIUS accounting mode, accounting
server, and the statistics for the configured accounting server.
• show radius statistics (authentication): Display the statistics for RADIUS or a configured server.
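The accounting start exchange described above, as an added Python example (not taken from the SFTOS documentation): it builds an RFC 2866 Accounting-Request and shows how both sides use the shared secret set with radius server key to authenticate the request and its acknowledgement. The function names, user name and session id are constructed for illustration; the secret is the example value used on this page.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                         # RFC 2866 packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44   # attribute types
START, STOP = 1, 2                                         # Acct-Status-Type values

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def authenticator(code, ident, length, auth_input, attrs, secret):
    """MD5 over header, 16-octet authenticator input, attributes, shared secret."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + auth_input + attrs + secret).digest()

def build_request(ident, status, user, session_id, secret):
    """Client: Accounting-Request; the authenticator input is 16 zero octets."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(USER_NAME, user) + attr(ACCT_SESSION_ID, session_id))
    length = 20 + len(attrs)
    auth = authenticator(ACCT_REQUEST, ident, length, bytes(16), attrs, secret)
    return struct.pack("!BBH", ACCT_REQUEST, ident, length) + auth + attrs

def build_response(request, secret):
    """Server: acknowledgement bound to the request's authenticator."""
    auth = authenticator(ACCT_RESPONSE, request[1], 20, request[4:20], b"", secret)
    return struct.pack("!BBH", ACCT_RESPONSE, request[1], 20) + auth

def verify(packet, want_code, auth_input, secret):
    """Recompute a packet's authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != want_code or length != len(packet):
        return False
    expected = authenticator(code, ident, length, auth_input, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def request_is_valid(request, secret):               # server-side check
    return verify(request, ACCT_REQUEST, bytes(16), secret)

def response_is_valid(response, request, secret):    # client-side check
    return response[1:2] == request[1:2] and verify(
        response, ACCT_RESPONSE, request[4:20], secret)

# Constructed sample: the secret is the page's example value; user and session id are made up.
SECRET = b"secret"
START_PKT = build_request(1, START, b"alice", b"sess-0001", SECRET)
```

A server holding a different key rejects the request, and a client rejects any acknowledgement whose identifier or authenticator does not match the request it sent, which is why the key must be identical on the switch and the server.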
Using the CLI to Configure Access through RADIUS
The following example configuration sequence configures:
• A single RADIUS server at IP address 10.10.10.10, to be used for both authentication and accounting
• The RADIUS server shared secret for both authentication and accounting to be the word “secret”
• An authentication list called “radiusList”, specifying RADIUS as the only authentication method