Article ID: 6750
Products
SmartSwitch 2000 2nd Generation
SmartSwitch 6000 2nd Generation
SmartSwitch 6000 3rd Generation
Matrix E1
Protocols/Features
Radius
Solution
Shown below are possible event sequences that would apply to a Serial or Telnet management login attempt, when Radius is configured on the device to be managed:
If the Radius server can be contacted:
1. The user is prompted for the Username and Password.
2. The information is sent to the Radius server.
3. If authentication is received from the server, the login is completed using the granted authorization level.
4. If authentication is not received from the server, steps 1-4 are repeated, for a total of up to ten times (not configurable). After ten failures, the login is rejected.
If the Radius server cannot be contacted, the result depends upon user configuration of the Local (for Serial) and/or Remote (for Telnet) Last Resort Action on the device to be managed:
- Challenge - control is passed to the standard non-Radius login routine. This is generally the default.
- Reject - the login is rejected.
- Accept - authentication is given, granting Admin authorization. Note that this is typically only used to debug a Radius configuration.
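The management-login flow above, modelled as an added example (not vendor code): `management_login` follows the ten-attempt limit and the Last Resort Action, and `audit_last_resort` flags devices left on Accept, which grants Admin whenever the Radius server cannot be contacted. All function, key, and device names are hypothetical, and the inventory is constructed.

```python
# Added example; names are hypothetical, not device CLI or MIB identifiers.
from enum import Enum

MAX_ATTEMPTS = 10  # fixed on the device per the article (not configurable)

class LastResort(Enum):
    CHALLENGE = "challenge"  # hand off to the standard non-Radius login
    REJECT = "reject"        # deny the login
    ACCEPT = "accept"        # grant Admin with no authentication (debug use)

def management_login(server_reachable, server_replies, last_resort):
    """Return (result, level) for one Serial or Telnet login session.

    server_replies holds one entry per attempt: the authorization level
    granted by the Radius server, or None when authentication is not received.
    """
    if server_reachable:
        for attempt, level in enumerate(server_replies, start=1):
            if attempt > MAX_ATTEMPTS:
                break  # the device stops prompting after ten failures
            if level is not None:
                return ("accepted", level)
        return ("rejected", None)
    if last_resort is LastResort.ACCEPT:
        return ("accepted", "Admin")
    if last_resort is LastResort.CHALLENGE:
        return ("local-login", None)  # outcome decided by the local routine
    return ("rejected", None)

def audit_last_resort(devices):
    """List (device, path) pairs whose Last Resort Action fails open."""
    findings = []
    for name, cfg in devices.items():
        for path in ("local", "remote"):  # Local = Serial, Remote = Telnet
            if cfg[path] is LastResort.ACCEPT:
                findings.append((name, path))
    return findings

# Constructed sample inventory; device names are made up.
SAMPLE = {
    "sw-lab-01": {"local": LastResort.CHALLENGE, "remote": LastResort.REJECT},
    "sw-lab-02": {"local": LastResort.CHALLENGE, "remote": LastResort.ACCEPT},
}

if __name__ == "__main__":
    print(audit_last_resort(SAMPLE))
```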
Note: Last Resort Action is for management login only. For network access, a failed 802.1x, MAC, or PWA Authentication may be managed by applying a default policy role to a port.
If the user passes authentication, they get the role assigned by the Radius server.
If the user fails authentication, the result depends upon the "802.1x Strict" vs "802.1x non-Strict" settings (5532).