3com 4210 PWR 9-Port 3CR17341-91-ME User Manual

Product code: 3CR17341-91-ME
RADIUS Configuration Task List
RADIUS servers cannot accept the user names that carry ISP domain names. In this case, it is necessary to remove domain names from user names before sending the user names to the RADIUS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the user names to be sent to the RADIUS server.

For a RADIUS scheme, if you have specified to remove ISP domain names from user names, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, errors such as the following may occur: the RADIUS server regards two different users that have the same name but belong to different ISP domains as the same user (because the user names sent to it are the same).

In the default RADIUS scheme "system", ISP domain names are removed from user names by default.

The purpose of setting the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets is to improve the switch's compatibility with different RADIUS servers. This setting is necessary when the format of the Calling-Station-Id field recognizable to RADIUS servers is different from the default MAC address format on the switch. For details about field formats recognizable to RADIUS servers, refer to the corresponding RADIUS server manual.
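The following audit sketch is an added example, not part of the manual. It flags any RADIUS scheme that strips ISP domain names yet is referenced by more than one ISP domain, which is the condition under which the server can confuse two users. The sample configuration is constructed; the "radius scheme", "domain" and "scheme radius-scheme" line syntax, the userid@isp-name user name form, and the rule that non-default schemes keep the domain unless configured otherwise are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the manual); the line syntax
# for scheme and domain views is assumed for illustration.
SAMPLE_CONFIG = """\
radius scheme system
radius scheme corp
 user-name-format without-domain
radius scheme guest
 user-name-format with-domain
domain isp1
 scheme radius-scheme corp
domain isp2
 scheme radius-scheme corp
domain lab
 scheme radius-scheme guest
domain default
 scheme radius-scheme system
"""

def audit_domain_stripping(config, default_stripping=("system",)):
    """Return {scheme: [domains]} for schemes that strip ISP domain names
    and are referenced by more than one ISP domain."""
    # The manual states that scheme "system" strips domains by default;
    # other schemes are assumed to keep them unless configured.
    strips = {name: True for name in default_stripping}
    used_by = defaultdict(list)
    scheme = domain = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"radius scheme (\S+)", line):
            scheme, domain = m.group(1), None
            strips.setdefault(scheme, False)
        elif m := re.fullmatch(r"domain (\S+)", line):
            domain, scheme = m.group(1), None
        elif scheme and (m := re.fullmatch(r"user-name-format (with|without)-domain", line)):
            strips[scheme] = m.group(1) == "without"
        elif domain and (m := re.fullmatch(r"scheme radius-scheme (\S+)(?: local)?", line)):
            used_by[m.group(1)].append(domain)
    return {s: d for s, d in used_by.items() if strips.get(s) and len(d) > 1}

def name_sent_to_server(username, strip_domain):
    """User name as the RADIUS server sees it (userid@isp-name assumed)."""
    return username.split("@", 1)[0] if strip_domain else username

if __name__ == "__main__":
    for scheme, domains in audit_domain_stripping(SAMPLE_CONFIG).items():
        print(f"scheme {scheme!r} strips domains but serves {domains}")
```

A flagged scheme should either be limited to a single ISP domain or switched to sending user names with the domain attached.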
Configuring the Local RADIUS Authentication Server Function
The switch provides the local RADIUS server function (including authentication and authorization), also known as the local RADIUS authentication server function, in addition to the RADIUS client service, in which a separate authentication/authorization server and accounting server are used for user authentication.
CAUTION:
If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch.

The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.

The switch supports IP addresses and shared keys for up to 16 network access servers (NAS). That is, when acting as the local RADIUS authentication server,
Table 198   Configure the local RADIUS authentication server function

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable UDP port for local RADIUS authentication server | local-server enable | Optional. By default, the UDP port for local RADIUS authentication server is enabled. |
| Configure the parameters of the local RADIUS server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS authentication server is configured with an NAS IP address of 127.0.0.1. |