Configure Remote Authentication Dial-In User

Service (RADIUS) Server Settings on a Switch

Objective

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides
centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for
users who connect and use a network service. A RADIUS server regulates access to the
network by verifying the identity of the users through the login credentials entered. For
example, a public Wi-Fi network is installed in a university campus. Only those students who
have the password can access these networks. The RADIUS server checks the passwords
entered by the users and permits or denies access as appropriate.

Setting up a RADIUS Server is useful in enhancing security since it authenticates before

authorizing a client or a user to gain access to the network. The RADIUS Server responds to
client issues related to server availability, re-transmission, and timeouts. The RADIUS Server
also handles users connection requests, authenticates the user, and sends the necessary
configuration information to client to deliver services to the user.

The RADIUS Server is a server that centralizes control of a network that is made of
RADIUS-enabled devices. RADIUS servers based its forwarding decisions on either 802.1X
or Media Access Control (MAC) addresses.

This article explains how to configure RADIUS settings on the Sx350, SG350X, and Sx550X
Series Switches.

Applicable Devices

● Sx350 Series
● SG350X Series
● Sx550X Series

Software Version

● 2.2.5.68

Configure RADIUS Server Settings

Configure RADIUS Server Global Settings

Step 1. Log in to the switch web-based utility and choose Advanced from the Display Mode
drop-down list.

Step 2. Choose Security > RADIUS Server > RADIUS Server Global Settings.
Step 3. Check the Enable check box for RADIUS Server Status.

Step 4. Enter the User Datagram Protocol (UDP) port number of the RADIUS server port for
authentication requests. The range is 1 to 65535 and the default is 1812.

Step 5. Enter the UDP port number of the RADIUS server port for accounting requests. The
range is from 1 to 65535 and the default is 1813.

Step 6. (Optional) To generate traps for RADIUS accounting events, check the Enable
check box for RADIUS Accounting Traps under Trap Settings.

Step 7. (Optional) To generate traps for logins that failed, check the Enable check box for
RADIUS Authentication Failure Traps.
 Step 8. (Optional) To generate traps for logins that succeeded, check the Enable check box
for RADIUS Authentication Success Traps.

Step 9. Click Apply.

Step 10. A icon indicates that the configuration has been saved successfully. To
permanently save the configuration, go to the File Operations page or click the icon
at the top portion of the page. Otherwise, click Close.

Configure RADIUS Server Keys

Step 1. Choose RADIUS Server Keys under RADIUS Server.

Step 2. (Optional) Enter the default RADIUS key if required. Values entered in the Default
Key are applied to all servers configured (in the Add RADIUS Server page) to use the default
key.

Default Key— Choose the default key string that you want to be used for authenticating and
 encrypting between the device and the RADIUS client. The options are:

● Keep existing default key — For specified servers, the device attempts to authenticate the
RADIUS client by using the existing default Key String.
● Encrypted — To encrypt communications by using Message Digest 5 (MD5) algorithm, enter
the key in encrypted form.
● Plaintext — Enter the key string in plaintext mode.

MD5 Digest— Displays the MD5 digest of the user-entered password.

Note: In this example, Keep existing default key under Default Key is chosen.

Step 3. Click Apply.

Step 4. A icon indicates that the configuration has been saved successfully. To
permanently save the configuration, go to the File Operations page or click the icon
at the top portion of the page.

Step 5. (Optional) Under the Secret Key Table area, click the Add button to add a secret
key.

Step 6. Enter the IP Address of the NAS or the switch that contains the RADIUS Client in the
NAS Address field.

Note: In the image below, 192.168.1.118 is used as an example of the IP Address.

Step 7. Choose your preferred Secret Key.

Note: In the image below, Plaintext is chosen as an example.

The options are:

● Use default key — For specified servers, the device attempts to authenticate the RADIUS
client by using the existing default Key String.
● Encrypted — To encrypt communications by using MD5, enter the key in encrypted form.
● Plaintext — Enter the key string in plaintext mode. You can enter up to 128 characters.

Step 8. Click Apply.

Step 9. A icon indicates that the configuration has been saved successfully. To
permanently save the configuration, go to the File Operations page or click the icon
at the top portion of the page. Otherwise, click Close.

Configure RADIUS Server Groups

RADIUS Server Groups are a group of users that will be using the device as its RADIUS
Server. To set up a group, follow the instructions below:

Step 1. Choose RADIUS Server Groups under RADIUS Server.

Step 2. Click the Add button under RADIUS Server Group table.

Step 3. In the popup window, enter a name for the group in the Group Name field. You can
enter up to 32 characters.

Note: In the image below, GroupA1 is used as an example.

Step 4. Enter the privilege level that you want to assign to the group. The privilege level
determines the level of access that you will assign to each group that you created. You can
 set the levels from 1-15. The default value is 1.

Note: In this example, 7 is used.

● 1 (Read-Only CLI Access) — Users in the group cannot access the GUI, and can only access
CLI commands that do not change the device configuration.
● 7 (Read/Limited Write CLI Access) — Users in the group cannot access the GUI, and can only
access some CLI commands that change the device configuration. See the CLI Reference
Guide for more information.
● 15 (Read/Write Management Access) — Users in the group can access the GUI, and can
configure the device.

Step 5. (Optional) If you want to apply a time range for this group, check the Enable check
box for the Time Range. Otherwise, skip to Step 15.

Step 6. Click the Edit link beside Time Range Name to configure the Time settings.

Step 7. A popup window will appear telling you that the current window will be closed so that
you can continue with the Time Range settings. Click OK.

You will then be directed to the Time Range page.

Step 8. Click the Add button under the Time Range Table.
 Step 9. Enter a name for the Time Range in the Time Range Name field.

Note: In the image below, Reconnect is used as an example.

Step 10. Choose your preferred Absolute Starting and Ending Time by clicking on the radio
button.

● Absolute Starting Time — To define the start time, choose from the following:
● Immediate — Choose this if you want the time range to start immediately.
● Date, Time — Choose this if you want to specify the date and time that the Time Range
begins.
● Absolute Ending Time — To define the start time, choose from the following:
● Infinite — Choose this if you want the time range to never end.
● Date, Time — Choose this if you want to specify the date and time that the Time Range ends.

Note: In this example, Date and Time are chosen.

Step 11. Click Apply.

Step 12. A icon indicates that the configuration has been saved successfully. To
permanently save the configuration, go to the File Operations page or click the icon
at the top portion of the page. Otherwise, click Close.

You will then be directed to the main page.

 Step 13. Click RADIUS Server Groups again under RADIUS Server.

Step 14. The newly created group will now appear under RADIUS Server Group table.
Check the box beside the name of the group and then click Edit.

Step 15. (Optional) Choose the VLAN for the group. The options are:

● None — No VLAN specified.

● VLAN ID — Specify a VLAN ID.
● VLAN Name — Specify a VLAN name.

Note: In this example, VLAN ID 8 is used.

Step 16. Click Apply.

Step 17. A icon indicates that the configuration has been saved successfully. To
permanently save the configuration, go to the File Operations page or click the icon
at the top portion of the page. Otherwise, click Close.

Configure RADIUS Server Users

To add users to the previously created group:

Step 1. Click RADIUS Server Users under RADIUS Server.

Step 2. Click the Add button under the RADIUS User Table.

Step 3. Enter the name of the user in the User Name field.

Note: In this example, UserA is used.

Step 4. Choose the group where the user belongs from the Group Name drop-down list.

Step 5. Click a radio button in the Password area.

Step 6. Enter your preferred password.

● Encrypted — A key string is used to encrypt communications by using MD5. To use
encryption, enter the key in encrypted form.
● Plaintext — If you do not have an encrypted key string (from another device), enter the key
string in plaintext mode. The encrypted key string is generated and displayed.

Note: In this example, Plaintext is chosen.

Step 6. Click Apply.

Step 7. A icon indicates that the configuration has been saved successfully. To
permanently save the configuration, go to the File Operations page or click the icon
at the top portion of the page. Otherwise, click Close.

You should now have successfully configured the RADIUS Server settings on your switch.

©2016 Cisco Systems, Inc. All rights reserved.