The device RADIUS tab allows you to configure and enable communication
among the selected device (the RADIUS client), a RADIUS server or servers, and Policy Manager, for
the purposes of authentication.
You can also use this tab to enable and configure RADIUS Accounting for your
SNMPv3 devices that support it. RADIUS Accounting collects various data and
statistics, such as the length of time a user has been logged on, and makes that
data available to an administrator. It is used by a device
to save accounting data on a RADIUS server. Accounting requests are sent from
the device to the server. The server acknowledges these requests, and data is
passed to the server via accounting updates. For more information on Accounting
functionality, refer to your RADIUS server documentation.
To display the device RADIUS tab, select a
device in the left-panel
Network Elements tab, then click the RADIUS tab in the right panel.
RADIUS Server(s)
This table lists the RADIUS server(s) with which the device (the RADIUS client)
can communicate. Use the buttons to add, edit, or remove information in the
table. You can also edit existing information about a RADIUS server by
double-clicking the server entry in the table.
- RADIUS Server IP
- IP address of the RADIUS server.
- Auth. Client UDP Port
- UDP port number (1-65535) the device uses to send
authentication requests to
the RADIUS server; 1812 is the default port number.
- Acct. Client UDP Port
- UDP port number (1-65535) the device uses to send
accounting requests to the RADIUS server; 1813 is the default port number.
Devices that do not support RADIUS Accounting will display N/A in this
column (with the exception of an SNMPv1 R2 device, which will display
accounting values but will not allow you to set them.)
- Acct. Timeout Duration
- The amount of time in seconds the device will wait for the RADIUS
server to respond to an accounting request. Valid values are 2-10 seconds.
Devices that do not support RADIUS Accounting will display N/A in this
column (with the exception of an SNMPv1 R2 device, which will display
accounting values but will not allow you to set them.)
- Acct. Number of Timeouts
- The number of times the device will resend an accounting request if
the RADIUS server does not respond. Valid values are 0-20. Devices that do
not support RADIUS Accounting will display N/A in this column (with the
exception of an SNMPv1 R2 device, which will display accounting values but
will not allow you to set them.)
- Priority
- Order in which the RADIUS server is checked, as compared to the other RADIUS
servers listed here. The lower the number, the higher the priority.
- Auth. Access Type
- The type of authentication access allowed for this RADIUS server:
- Any access - the server can authenticate users originating from any
access type.
- Management access - the server can only authenticate users that have requested
management access via the console, Telnet, SSH, HTTP, etc.
- Network access - the server can only authenticate users that are accessing the network via 802.1X,
MAC, or Web-Based authentication.
Devices that do not support this feature will display N/A in this column.
- Add Button
- Opens the Add RADIUS Server
window, where you can enter the name, the client UDP port,
accounting configuration information, and the shared
secret used for communication between the RADIUS server and the RADIUS
client. When you click OK on this
window, the new server is added to the table.
- Remove Button
- Removes the selected
RADIUS server from the table.
- Edit Button
- Opens the
Edit RADIUS Server
window, where you can change the information for the selected RADIUS server.
You can also edit the server information
by double-clicking the server entry in the table.
- Apply Button
- Applies any changes you made in the RADIUS Server(s) table.
RADIUS Client Settings Area
This section lets you enable or disable communication between the selected device
(the RADIUS client) and
the RADIUS server(s), and specify connection attempt information.
- RADIUS Client Status
- Allows you to enable and disable communication between this device and
the RADIUS server(s). If enabled, the device becomes a RADIUS client and will communicate with
a RADIUS server whenever a user logs on to a port on
the device, as long as the port itself is enabled for authentication and
the device is set up as a client on the RADIUS server (see the
Authentication Configuration Guide). The default is Disabled.
- Number of Retry Attempts
- The number of attempts the device will make in contacting each RADIUS
server before giving up and trying the next RADIUS server on the list.
Valid values are 1-65535.
- Retry Timeout Duration (seconds)
- The total number of seconds the device will wait for the RADIUS server to respond,
before trying again. Valid values are 1-65535.
- Client Accounting Status
- Allows you to enable or disable RADIUS Accounting on SNMPv3 devices
that support it. The default is Disabled. RADIUS Accounting is used by a
device to save accounting data on a RADIUS server. If
accounting is enabled, an accounting session starts after the user is
successfully authenticated by a RADIUS server. Devices that do not support
RADIUS Accounting will have this field grayed out (with the exception of
an SNMPv1 R2 device, which will display accounting values but will not
allow you to set them.)
- Accounting Update Interval (minutes)
- Collected accounting data is sent from the device to
the RADIUS server via accounting updates. The Accounting Update Interval
is the amount of time in minutes between accounting updates. Valid
values are 1-65535.
It is
recommended that the value be greater than 10 minutes, and careful
consideration should be given to its impact on network traffic.
Devices that do not support RADIUS Accounting will have this field grayed
out (with the exception of an SNMPv1 R2 device, which will display
accounting values but will not allow you to set them.)
- Apply Button
- Applies the changes you made in the Client Settings section.
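The Priority column and the Number of Retry Attempts / Retry Timeout Duration settings together determine how long a login can stall when a server is down. The following is an added example (not Policy Manager's or the device firmware's code) that models that contact order: servers sorted by Priority, each tried Number of Retry Attempts times, each unanswered attempt costing Retry Timeout Duration seconds. The server addresses and the responder behaviour are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(order=True)
class RadiusServer:
    """One row of the RADIUS Server(s) table (only the fields the retry logic needs)."""
    priority: int                                        # lower number = checked first
    ip: str = field(compare=False)
    auth_port: int = field(default=1812, compare=False)  # Auth. Client UDP Port default


def check_client_settings(retry_attempts: int, retry_timeout: int) -> None:
    """Reject values outside the ranges the tab accepts (1-65535 for both fields)."""
    for name, value in (("Number of Retry Attempts", retry_attempts),
                        ("Retry Timeout Duration", retry_timeout)):
        if not 1 <= value <= 65535:
            raise ValueError(f"{name} must be 1-65535, got {value}")


def contact_servers(servers: List[RadiusServer], retry_attempts: int, retry_timeout: int,
                    send: Callable[[RadiusServer, int], bool]) -> Tuple[Optional[str], int]:
    """Walk the list in Priority order. Each server gets retry_attempts tries; every
    unanswered try costs retry_timeout seconds before the next one. Returns the IP of
    the server that answered (or None) and the total seconds spent waiting."""
    check_client_settings(retry_attempts, retry_timeout)
    waited = 0
    for srv in sorted(servers):
        for attempt in range(1, retry_attempts + 1):
            if send(srv, attempt):
                return srv.ip, waited
            waited += retry_timeout
    return None, waited


def make_responder(answers_on: Dict[str, Optional[int]]) -> Callable[[RadiusServer, int], bool]:
    """Constructed stand-in for the network: maps server IP -> attempt number on which
    that server first answers; a missing entry or None means the server never answers."""
    def send(srv: RadiusServer, attempt: int) -> bool:
        first = answers_on.get(srv.ip)
        return first is not None and attempt >= first
    return send


# Constructed sample: the priority-1 server is down, the priority-2 server answers on its 2nd try.
SAMPLE_SERVERS = [RadiusServer(2, "192.0.2.20"), RadiusServer(1, "192.0.2.10")]
SAMPLE_NET = make_responder({"192.0.2.10": None, "192.0.2.20": 2})

if __name__ == "__main__":
    # 3 failed tries on .10 (15 s) plus 1 failed try on .20 (5 s) before success
    print(contact_servers(SAMPLE_SERVERS, retry_attempts=3, retry_timeout=5, send=SAMPLE_NET))
```

The worst case with every server unreachable is servers x retry attempts x retry timeout seconds, which is the delay a user sees before authentication fails outright.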
Application Shared Secret Area
The device (the RADIUS client) and Policy Manager share a common "secret" that
provides a secure means of RADIUS client configuration on devices using
SNMPv1. This "Application Shared Secret" is a string of characters
used to encrypt and decrypt communication between Policy Manager and the device. A
Default shared secret is provided that allows you to initially configure the RADIUS
settings on this tab, but it is recommended that you change this secret to increase
security.
NOTE: This Application Shared Secret is not to be confused with the Server Shared
Secret that encrypts communication between the RADIUS server and the RADIUS client, entered in the
Add RADIUS Server window available from the Add button on this tab, or in the Add RADIUS Server
window in the Device Configuration Wizard.
WARNING: It is important to remember the Application Shared Secret,
since the shared secret specified in Policy Manager must match the shared secret
on the device. If you delete and recreate
the device in Policy Manager, you will have to supply the correct Application Shared Secret
in the device's RADIUS tab in order to retrieve or input the RADIUS settings on this tab. If you're using an Auto-Generated or User-Defined Application
Shared Secret and you clear NVRAM on
the device, you will need to go to the RADIUS tab for the device and change the Application Shared Secret back to "Default" in order to
regain access to the RADIUS information in that tab. Once Policy Manager
and the device are using the same (Default) Application Shared Secret, then the
secret can be changed to be either Auto-Generated or
User-Defined.
- Auto-Generated
- Generates a new 32-character Application Shared Secret automatically whenever you click the radio
button.
- User-Defined
- Use this field to change the default or existing Application Shared
Secret. The format is a 32-character string with optional dashes or
spaces, typically xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx.
- Default
- Select this radio button to use the default Application Shared
Secret. The default shared secret is provided to allow you to initially
configure the RADIUS settings on this tab, but it is recommended that you change to an
auto-generated or user-defined secret to increase security.
- Change Button
- Click this button to make the Application Shared Secret fields available
for editing. This button is grayed out for devices that use SNMPv3 for
RADIUS configuration.
- Cancel Button
- Cancels any changes you made in the Application Shared Secret area.
- Apply Button
- Applies the changes you made in the Application Shared Secret area.
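Because the User-Defined format allows optional dashes or spaces, and the WARNING above requires the secret in Policy Manager to match the one on the device, comparing or validating secrets should be done on the stripped 32-character form. The following is an added example (not Policy Manager's own code) that normalizes and validates a secret in the xxxx-xxxx-... layout, compares two secrets in constant time, and generates a new one with a CSPRNG. The page gives only the length and layout, so the alphanumeric character set is an assumption.

```python
import hmac
import re
import secrets
import string

SECRET_LEN = 32
GROUP_LEN = 4
# Assumed character set: the page specifies only "32-character string", not the alphabet.
ALPHABET = string.ascii_letters + string.digits


def normalize_app_secret(text: str) -> str:
    """Strip the optional dashes/spaces and enforce the 32-character requirement.
    Returns the bare 32-character secret or raises ValueError."""
    core = re.sub(r"[-\s]", "", text)
    if len(core) != SECRET_LEN:
        raise ValueError(f"Application Shared Secret must be {SECRET_LEN} characters "
                         f"after removing dashes/spaces, got {len(core)}")
    bad = sorted({c for c in core if c not in ALPHABET})
    if bad:
        raise ValueError(f"unexpected characters in secret: {bad!r}")
    return core


def secrets_match(configured: str, on_device: str) -> bool:
    """True when both secrets are the same 32-character value, regardless of how
    they were grouped with dashes or spaces. Invalid input never matches."""
    try:
        a, b = normalize_app_secret(configured), normalize_app_secret(on_device)
    except ValueError:
        return False
    return hmac.compare_digest(a, b)   # constant-time comparison of ASCII strings


def generate_app_secret() -> str:
    """Produce a fresh secret in the xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx layout
    using the OS CSPRNG (the same shape the Auto-Generated option describes)."""
    core = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    return "-".join(core[i:i + GROUP_LEN] for i in range(0, SECRET_LEN, GROUP_LEN))


if __name__ == "__main__":
    # Constructed sample value, not a real secret.
    sample = "abcd-efgh-ijkl-mnop-qrst-uvwx-yz01-2345"
    print(normalize_app_secret(sample))
    print(secrets_match(sample, "abcd efgh ijkl mnop qrst uvwx yz01 2345"))
    print(generate_app_secret())
```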
RADIUS Response Conflict Resolution Area
If you have enabled Authentication-Based
VLAN to Role Mapping, use this
area to select which response to use if both a VLAN Tunnel Attribute and a
Filter ID are returned by the RADIUS server during authentication. The option
you select will take precedence.