Configuring Administration Settings : Configuring security settings : Setting RADIUS servers
  
Setting RADIUS servers
You set RADIUS server authentication in the RADIUS page.
RADIUS is an access control protocol that uses a challenge and response method for authenticating users. Setting up RADIUS server authentication is optional.
Enabling this feature is optional.
You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Security > General Settings page.
To set RADIUS server authentication
1. Choose Administration > Security: RADIUS to display the RADIUS page.
2. Under Default RADIUS Settings, complete the configuration as described in this table.
Control
Description
Set a Global Default Key
Enables a global server key for the RADIUS server.
Global Key
Specify the global server key.
Confirm Global Key
Confirm the global server key.
Timeout
Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries
Specify the number of times you want to allow the user to retry authentication. The default value is 1.
Apply
Applies your settings to the running configuration.
To add a new RADIUS Server
1. Under RADIUS server, complete the configuration as described in this table.
Control
Description
Add a RADIUS Server
Displays the controls to add a RADIUS server.
Hostname or IP Address
Specify the hostname or server IP address. The IP address can be either IPv4 or IPv6. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example:
2001:38dc:0052:0000:0000:e9a4:00c5:6282
You don’t need to include leading zeros. For example:
2001:38dc:52:0:0:e9a4:c5:6282
You can replace consecutive zero strings with double colons (::). For example:
2001:38dc:52::e9a4:c5:6282
Authentication Port
Specify the port for the server.
Authentication Type
Select one of these authentication types:
•  PAP - Password Authentication Protocol (PAP), which validates users before allowing them access to the RADIUS server resources. PAP is the most flexible protocol but is less secure than CHAP.
•  CHAP - Challenge-Handshake Authentication Protocol (CHAP), which provides better security than PAP. CHAP validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This validation happens at the time of establishing the initial link and might happen again at any time. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server.
•  MS-CHAPv2 - MS-CHAP is the Microsoft version of CHAP. MS-CHAPv2 is a more secure authentication protocol than PAP or CHAP. (CHAP uses MD5 while MS-CHAPv2 uses MD4 and SHA-1 which might not be FIPS compliant.)
Override the Global Default Key
Overrides the global server key for the server.
Server Key - Specify the override server key.
Confirm Server Key - Confirm the override server key.
Timeout
Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries
Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default value is 1.
Enabled
Enables the new server.
Add
Adds the RADIUS server to the list.
Remove Selected
Select the check box next to the name and click Remove Selected.
2. Click Save to Disk to save your settings permanently.
Note: To modify RADIUS server settings, click the server IP address in the list of radius servers. Use the Status drop-down list to enable or disable a server in the list.