RADIUS Authentication and Authorization
How RADIUS Authentication Works
1. A remote administrator connects to the switch and provides a user name and
2. Using Authentication/Authorization protocol, the switch sends request to
3. The authentication server checks the request against the user ID database.
4. Using RADIUS protocol, the authentication server instructs the switch to grant or
Configuring RADIUS on the Switch
1. Configure the IPv4 addresses of the Primary and Secondary RADIUS servers, and
106
G8264 Application Guide for ENOS 8.4
Enterprise NOS supports the RADIUS (Remote Authentication Dial‐in User
Service) method to authenticate and authorize remote administrators for
managing the switch. This method is based on a client/server model. The Remote
Access Server (RAS)—the switch—is a client to the back‐end database server. A
remote user (the remote administrator) interacts only with the RAS, not the
back‐end server and database.
RADIUS authentication consists of the following components:
A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and
2866)
A centralized server that stores all the user authorization information
A client: in this case, the switch
The G8264—acting as the RADIUS client—communicates to the RADIUS server to
authenticate and authorize a remote administrator using the protocol definitions
specified in RFC 2138 and 2866. Transactions between the client and the RADIUS
server are authenticated using a shared key that is not sent over the network. In
addition, the remote administrator passwords are sent encrypted between the
RADIUS client (the switch) and the back‐end RADIUS server.
The RADIUS authentication process follows these steps:
password.
authentication server.
deny administrative access.
Use the following procedure to configure Radius authentication on your switch.
enable RADIUS authentication.
RS G8264(config)# radiusserver primaryhost 10.10.1.1
RS G8264(config)# radiusserver secondaryhost 10.10.1.2
RS G8264(config)# radiusserver enable
Note: You can use a configured loopback address as the source address so the
RADIUS server accepts requests only from the expected loopback address block.
Use the following command to specify the loopback interface:
RS G8264(config)# ip radius sourceinterface loopback <1‐5>