2-13
Configuring RADIUS Authentication/Authorization Servers
Table 2-12 Configure RADIUS authentication/authorization servers
Operation Command Remarks
Enter system view
system-view
—
Create a RADIUS scheme and
enter its view
radius scheme
radius-scheme-name
Required
By default, a RADIUS scheme
named "system" has already
been created in the system.
Set the IP address and port
number of the primary RADIUS
authentication/authorization
server
primary authentication
{ ip-address | ipv6
ipv6-address } [ port-number ]
[ key string ]
Required
By default, the IP address and
UDP port number of the
primary server are 0.0.0.0 and
1812 respectively for a newly
created RADIUS scheme.
Set the IP address and port
number of the secondary
RADIUS
authentication/authorization
server
secondary authentication
{ ip-address | ipv6
ipv6-address } [ port-number ]
[ key string ]
Optional
By default, the IP address and
UDP port number of the
secondary server are 0.0.0.0
and 1812 respectively for a
newly created RADIUS
scheme.
z The authentication response sent from the RADIUS server to the RADIUS client carries
authorization information. Therefore, you need not (and cannot) specify a separate RADIUS
authorization server.
z In an actual network environment, you can specify one server as both the primary and secondary
authentication/authorization servers, as well as specifying two RADIUS servers as the primary and
secondary authentication/authorization servers respectively.
z The IP address and port number of the primary authentication server used by the default RADIUS
scheme "system" are 127.0.0.1 and 1645.
Configuring Ignorance of Assigned RADIUS Authorization Attributes
A RADIUS server can be configured to assign multiple authorization attributes, such as authorization
VLAN and idle timeout. Some users may need the attributes but some users may not. Such conflict
occurs if the RADIUS server does not support user-based attribute assignment or it performs uniformed
user management.
The RADIUS authorization attribute ignoring function can solve this issue. It is configured as per
RADIUS scheme. Users using a RADIUS scheme with this function enabled can ignore certain
unexpected attributes.
As shown in
Figure 2-1, NAS 1 and NAS 2 are connected to the same RADIUS server for authentication.
For easy management, the RADIUS server issues the same authorization attributes to all the users.
However, users attached to NAS 1 need these attributes while users attached to NAS 2 do not want to
To Next Page
Loading...