Switch operating rules for RADIUS

  • You must have at least one RADIUS server accessible to the switch.

  • The switch supports authentication and accounting using up to 15 RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius. If the first server does not respond, the switch tries the next one, and so on. To change the order in which the switch accesses RADIUS servers, see Changing RADIUS-server access order.

  • You can select RADIUS as the primary authentication method for each type of access. (Only one primary and one secondary access method is allowed for each access type.)

  • In the switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server.

  • When primary/secondary authentication is set to Radius/Local (for either Login or Enable) and the RADIUS server fails to respond to a client attempt to authenticate, the failure is noted in the Event Log with the message radius: Can't reach RADIUS server <server-ip-addr>. When this type of failure occurs, the switch prompts the client again to enter a username and password. In this case, use the local username (if any) and password configured on the switch itself.

  • Zero-length usernames or passwords are not allowed for RADIUS authentication, even though allowed by some RADIUS servers.
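The rules above, modelled as an added Python example (not code from the switch documentation or firmware): servers are tried in show radius order, the list is capped at 15, a server that answers ends the search, an unreachable server produces the Event Log message quoted above, and only a Radius/Local configuration falls back to the local credentials. The re-prompt for a username and password is folded into an immediate local check, and the responders and addresses are constructed stand-ins for real RADIUS servers.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_RADIUS_SERVERS = 15          # the switch supports up to 15 RADIUS servers
CANT_REACH = "radius: Can't reach RADIUS server {}"   # Event Log message from the rules
LOG_RE = re.compile(r"radius: Can't reach RADIUS server (\S+)")

# A responder stands in for one RADIUS server (constructed, not a real client):
# True/False = Access-Accept/Access-Reject, None = the server did not respond.
Responder = Callable[[str, str], Optional[bool]]


@dataclass
class SwitchAuth:
    servers: List[str]                        # addresses in "show radius" order
    responders: Dict[str, Responder]          # one stand-in per address
    local_users: Dict[str, str] = field(default_factory=dict)
    secondary: str = "local"                  # secondary method: "local" or "none"
    event_log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= len(self.servers) <= MAX_RADIUS_SERVERS:
            raise ValueError(f"configure 1..{MAX_RADIUS_SERVERS} RADIUS servers")

    def authenticate(self, user: str, pw: str) -> Tuple[str, str]:
        """Return (decision, source); decision is 'accept' or 'reject'."""
        # Zero-length username or password is refused before any server is asked.
        if user == "" or pw == "":
            return "reject", "zero-length"
        # Try servers in listed order; the first one that answers decides.
        for ip in self.servers:
            answer = self.responders[ip](user, pw)
            if answer is None:
                self.event_log.append(CANT_REACH.format(ip))
                continue
            return ("accept" if answer else "reject"), f"radius:{ip}"
        # No server answered: only Radius/Local falls back to the local credentials.
        if self.secondary == "local":
            ok = self.local_users.get(user) == pw
            return ("accept" if ok else "reject"), "local"
        return "reject", "none"


def unreachable_servers(event_log: List[str]) -> List[str]:
    """Addresses named in 'Can't reach' events, in order. A run covering every
    listed server means the switch fell back to local credentials, which is
    a condition worth alerting on from the Event Log."""
    return [m.group(1) for line in event_log if (m := LOG_RE.search(line))]
```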