Dell PowerConnect M6220 Configuration Guide - Page 98

RADIUS Configuration Examples, Example #1: Basic RADIUS Server Configuration

Page 98 highlights

For authenticating users prior to access, the RADIUS standard has become the protocol of choice by administrators of large accessible networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or "secret". This "secret" is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The "secret" is never transmitted over the network. RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is also extensible, allowing for new methods of authentication to be added without disrupting existing functionality. As a user attempts to connect to a functioning RADIUS supported network, a device referred to as the Network Access Server (NAS) or switch/router first detects the contact. The NAS or user-login interface then prompts the user for a name and password. The NAS encrypts the supplied information and a RADIUS client transports the request to a pre-configured RADIUS server. The server can authenticate the user itself, or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client. If the server accepts the user, it returns a positive result with attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared "secrets" differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request process begins again. RADIUS Configuration Examples This section contains examples of commands used to configure RADIUS settings on the switch. Example #1: Basic RADIUS Server Configuration This example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The shared secrets are configured to be secret1 and secret2 respectively. The server at 10.10.10.10 is configured as the primary server. The process creates a new authentication list, called radiusList, which uses RADIUS as the primary authentication method, and local authentication as a backup method in the event that the RADIUS server cannot be contacted. 98 Device Security

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126

98
Device Security
For authenticating users prior to access, the RADIUS standard has become the protocol of choice by
administrators of large accessible networks. To accomplish the authentication in a secure manner, the
RADIUS client and RADIUS server must both be configured with the same shared password or “secret”.
This “secret” is used to generate one-way encrypted authenticators that are present in all RADIUS
packets. The “secret” is never transmitted over the network.
RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It
is extremely flexible, supporting a variety of methods to authenticate and statistically track users.
RADIUS is also extensible, allowing for new methods of authentication to be added without disrupting
existing functionality.
As a user attempts to connect to a functioning RADIUS supported network, a device referred to as the
Network Access Server (NAS) or switch/router first detects the contact. The NAS or user-login interface
then prompts the user for a name and password. The NAS encrypts the supplied information and a
RADIUS client transports the request to a pre-configured RADIUS server. The server can authenticate
the user itself, or make use of a back-end device to ascertain authenticity. In either case a response may or
may not be forthcoming to the client. If the server accepts the user, it returns a positive result with
attributes containing configuration information. If the server rejects the user, it returns a negative result.
If the server rejects the client or the shared “secrets” differ, the server returns no result. If the server
requires additional verification from the user, it returns a challenge, and the request process begins again.
RADIUS Configuration Examples
This section contains examples of commands used to configure RADIUS settings on the switch.
Example #1: Basic RADIUS Server Configuration
This example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11. Each server has a unique
shared secret key. The shared secrets are configured to be
secret1
and
secret2
respectively. The server at
10.10.10.10 is configured as the primary server. The process creates a new authentication list, called
radiusList, which uses RADIUS as the primary authentication method, and local authentication as a
backup method in the event that the RADIUS server cannot be contacted.