Login sequence using Radius Authentication


    Posted 11-22-2013 12:15
    Article ID: 6750

    SmartSwitch 2000 2nd Generation
    SmartSwitch 6000 2nd Generation
    SmartSwitch 6000 3rd Generation
    Matrix E1


    Shown below are possible event sequences that would apply to a Serial or Telnet management login attempt, when Radius is configured on the device to be managed:
    • If the Radius server can be contacted:
      1. The user is prompted for the Username and Password.
      2. The information is sent to the Radius server.
      3. If authentication is received from the server, the login is completed using the granted authorization level.
      4. If authentication is not received from the server, steps 1-4 are repeated for a total of up to ten times (not configurable). After ten failures, the login is rejected.
    • If the Radius server cannot be contacted, the result depends upon user configuration of the Local (for Serial) and/or Remote (for Telnet) Last Resort Action on the device to be managed:
      • Challenge - control is passed to the standard non-Radius login routine. This is generally the default.
      • Reject - the login is rejected.
      • Accept - authentication is given, granting Admin authorization. Note that this is typically only used to debug a Radius configuration.

    Note: Last Resort Action is for management login only. For network access, a failed 802.1x, MAC, or PWA Authentication may be managed by applying a default policy role to a port.

    If the user passes authentication, they get the role assigned by the Radius server.
    If the user fails authentication, the result depends upon the "802.1x Strict" vs "802.1x non-Strict" settings (5532).
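
The management-login sequence above, modelled as an added example (not code from the article or the device firmware) and used to audit which Last Resort Action settings let a login proceed while the Radius server is unreachable. The outcome labels, the inventory layout, and the device names are assumptions constructed for illustration.

```python
from enum import Enum
from itertools import islice

MAX_ATTEMPTS = 10  # per the article: ten tries, not configurable


class LastResort(Enum):
    CHALLENGE = "challenge"
    REJECT = "reject"
    ACCEPT = "accept"


def login_outcome(radius_reachable, server_replies, last_resort):
    """Outcome of one Serial/Telnet login sequence.

    server_replies: per attempt, the authorization level granted by the
    server, or None when that attempt was not authenticated.
    """
    if not radius_reachable:
        # Last Resort Action decides; the server is never consulted.
        return {LastResort.CHALLENGE: "local-login",
                LastResort.REJECT: "rejected",
                LastResort.ACCEPT: "granted:Admin"}[last_resort]
    for level in islice(server_replies, MAX_ATTEMPTS):
        if level is not None:
            return f"granted:{level}"
    return "rejected"


# Constructed inventory; device names are hypothetical.
# "Local" applies to Serial logins, "Remote" to Telnet logins.
INVENTORY = [
    ("sw-core-1", "Local", LastResort.CHALLENGE),
    ("sw-core-1", "Remote", LastResort.REJECT),
    ("sw-lab-7", "Remote", LastResort.ACCEPT),
]


def audit(inventory):
    """List settings that let a login proceed while Radius is unreachable."""
    findings = []
    for device, channel, action in inventory:
        outcome = login_outcome(False, [], action)
        if outcome == "granted:Admin":
            findings.append((device, channel, "HIGH: Admin without authentication"))
        elif outcome == "local-login":
            findings.append((device, channel, "REVIEW: depends on local accounts"))
    return findings
```

Running `audit(INVENTORY)` reports the Accept setting as the high-priority finding, since it is the only one that grants Admin with no credential check when the server cannot be contacted.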