Device Security

For authenticating users prior to access, the RADIUS standard has become the protocol of choice by administrators of large accessible networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or “secret”. This “secret” is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The “secret” is never transmitted over the network.

RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is also extensible, allowing for new methods of authentication to be added without disrupting existing functionality.

As a user attempts to connect to a functioning RADIUS-supported network, a device referred to as the Network Access Server (NAS) or switch/router first detects the contact. The NAS or user-login interface then prompts the user for a name and password. The NAS encrypts the supplied information and a RADIUS client transports the request to a pre-configured RADIUS server. The server can authenticate the user itself, or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client. If the server accepts the user, it returns a positive result with attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared “secrets” differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request process begins again.

RADIUS Configuration Examples

This section contains examples of commands used to configure RADIUS settings on the switch.

Example #1: Basic RADIUS Server Configuration

This example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The shared secrets are configured to be secret1 and secret2 respectively. The server at 10.10.10.10 is configured as the primary server. The process creates a new authentication list, called radiusList, which uses RADIUS as the primary authentication method, and local authentication as a backup method in the event that the RADIUS server cannot be contacted.
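The client/server exchange described in the protocol section above, as an added Python example that is not part of the original manual: a minimal RADIUS Access-Request and reply codec following RFC 2865, showing how the shared secret feeds the one-way authenticators (the hidden User-Password and the Response Authenticator) without the secret itself ever being placed in a packet, and how a secret mismatch between NAS and server leaves the client with no usable reply. The usernames, passwords, user table, secrets and the fixed 16-byte Request Authenticator used in the test are constructed sample values, and the function names are assumptions of this example, not commands or APIs of the switch.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

# Attribute types used in this example
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse the attribute area of a packet; reject truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    Request Authenticator. The secret is mixed in one-way and never sent."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as run on the server with its own copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def client_access_request(username, password, secret, ident=1, request_auth=None):
    """NAS side: build an Access-Request with a random Request Authenticator."""
    request_auth = request_auth or secrets.token_bytes(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(packet, secret, users):
    """Server side: recover the password under the server's secret and answer
    Accept or Reject. A wrong secret yields garbage, hence a Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None  # malformed request: silently discarded
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), supplied)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return struct.pack("!BBH", reply_code, ident, 20) + auth


def client_verify_reply(reply, request_packet, secret):
    """NAS side: accept a reply only if its Response Authenticator verifies under
    the NAS's secret; otherwise drop it, which the user sees as 'no result'."""
    if reply is None:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_packet[4:20], reply[20:length], secret)
    if ident != request_packet[1] or not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def authenticate(username, password, nas_secret, server_secret, users, request_auth=None):
    """Run one request/reply round trip in-process; returns the reply code or None."""
    req = client_access_request(username, password, nas_secret, request_auth=request_auth)
    return client_verify_reply(server_handle(req, server_secret, users), req, nas_secret)
```

The `users` table stands in for the server's own user store or a back-end it consults. Note that with matching secrets a bad password produces a visible Access-Reject, whereas a secret mismatch produces a reply the NAS cannot verify and therefore discards, which is exactly the "no result" case the text describes; on a real switch that silence is what triggers the fallback to local authentication in an authentication list such as radiusList. Because the hiding and authenticator scheme rests on MD5, current deployments add the Message-Authenticator attribute or carry RADIUS over TLS, but the secret-handling logic shown here is unchanged.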