Header Only - DO NOT REMOVE - Extreme Networks

Login sequence using Radius Authentication


Article ID: 6750

Products
SmartSwitch 2000 2nd Generation
SmartSwitch 6000 2nd Generation
SmartSwitch 6000 3rd Generation
Matrix E1

Protocols/Features
Radius

Solution
Shown below are the possible event sequences for a Serial or Telnet management login attempt when Radius is configured on the device to be managed:
  • If the Radius server can be contacted:
    1. The user is prompted for the Username and Password.
    2. The information is sent to the Radius server.
    3. If authentication is received from the server, the login is completed using the granted authorization level.
    4. If authentication is not received from the server, steps 1-4 are repeated for a total of up to ten times (not configurable). After ten failures, the login is rejected.
  • If the Radius server cannot be contacted, the result depends upon user configuration of the Local (for Serial) and/or Remote (for Telnet) Last Resort Action on the device to be managed:
    • Challenge - control is passed to the standard non-Radius login routine. This is generally the default.
    • Reject - the login is rejected.
    • Accept - authentication is given, granting Admin authorization. Note that this is typically only used to debug a Radius configuration.

Note: Last Resort Action is for management login only. For network access, a failed 802.1x, MAC, or PWA Authentication may be managed by applying a default policy role to a port.
  • If the user passes authentication, they get the role assigned by the Radius server.
  • If the user fails authentication, the result depends upon the "802.1x Strict" vs "802.1x non-Strict" settings (5532).
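
The management login sequence above, modelled as an added example (not Extreme Networks code), together with a check that lists every login path left on the fail-open Accept setting. The function names, the `local_level` parameter, the authorization level strings other than Admin, and the device inventory are assumptions constructed for illustration.

```python
from enum import Enum
from itertools import islice

MAX_ATTEMPTS = 10  # per the article: up to ten tries, not configurable

class LastResort(Enum):
    CHALLENGE = "challenge"  # hand over to the standard non-Radius login
    REJECT = "reject"        # fail closed
    ACCEPT = "accept"        # fail open: Admin without any credential check

def management_login(server_reachable, radius_replies, last_resort, local_level=None):
    """Model one Serial/Telnet login session; returns (outcome, detail).

    radius_replies: per attempt, the level granted by the server, or None
                    when authentication was not received.
    local_level:    level the local login routine would grant, or None if
                    the local credentials are wrong (assumed interface).
    """
    if server_reachable:
        tries = 0
        for level in islice(radius_replies, MAX_ATTEMPTS):
            tries += 1
            if level is not None:
                return ("granted", level)
        return ("rejected", f"{tries} failed attempts")
    if last_resort is LastResort.ACCEPT:
        return ("granted", "Admin")
    if last_resort is LastResort.CHALLENGE and local_level is not None:
        return ("granted", local_level)
    return ("rejected", f"server unreachable, last resort {last_resort.value}")

def fail_open_paths(inventory):
    """List (device, path) pairs whose Last Resort Action is Accept."""
    return sorted(
        (name, path)
        for name, actions in inventory.items()
        for path, action in actions.items()
        if action is LastResort.ACCEPT
    )

# Constructed inventory: "local" = Serial console, "remote" = Telnet.
INVENTORY = {
    "sw-lab-1": {"local": LastResort.CHALLENGE, "remote": LastResort.ACCEPT},
    "sw-core-1": {"local": LastResort.CHALLENGE, "remote": LastResort.REJECT},
}

if __name__ == "__main__":
    print(management_login(True, [None, None, "Read-Write"], LastResort.REJECT))
    print(management_login(False, [], LastResort.ACCEPT))
    print(fail_open_paths(INVENTORY))
```

Any pair returned by `fail_open_paths` is a login path that grants Admin whenever the Radius server cannot be contacted, which the article describes as a debug-only setting.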