KB.15.15

dyn-autz-port <1024-49151>

Specifies the UDP port number that listens for Change of Authorization or Disconnect

messages. The range of ports is 1024-49151.

Default: 3799

radius-server timeout < 1 - 15 >

Specifies the maximum time the switch waits for a response to an authentication

request before counting the attempt as a failure.

Default: 5 seconds; Range: 1 - 15 seconds

radius-server retransmit < 1 - 5>

If a RADIUS server fails to respond to an authentication request, specifies how many

retries to attempt before closing the session.

Default: 3; Range: 1 - 5

NOTE: Where the switch has multiple RADIUS servers configured to support authentication

requests, if the first server fails to respond, then the switch tries the next server in the list, and so-on.

If none of the servers respond, then the switch attempts to use the secondary authentication method

configured for the type of access being attempted (console, Telnet, or SSH). If this occurs, see the

“Troubleshooting” chapter of the Management and Configuration Guide for your switch.

Example

Suppose your switch is configured to use three RADIUS servers for authenticating access through

Telnet and SSH. Two of these servers use the same encryption key. In this case the plan is to

configure the switch with the following global authentication parameters:

• Allow only two tries to correctly enter username and password.

• Use the global encryption key to support the two servers that use the same key. (For this

example, assume that you did not configure these two servers with a server-specific key.)

• Use a dead-time of five minutes for a server that fails to respond to an authentication request.

• Allow three seconds for request timeouts.

• Allow two retries following a request that did not receive a response.

Figure 112 Example of global configuration exercise for RADIUS authentication

Configuring 151