Configuring the Local RADIUS Server

In addition to the RADIUS client service, in which a separate authentication/authorization server and accounting server are used for user authentication, the switch provides a local RADIUS server function (including authentication and authorization).

Follow these steps to configure the local RADIUS server function:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable UDP ports for local RADIUS services | local-server enable | Optional. By default, the UDP ports for local RADIUS services are enabled. |
| Configure the parameters of the local RADIUS server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS server is configured with an NAS IP address of 127.0.0.1. |

- If you adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch.
- The message encryption key set by the local-server nas-ip ip-address key password command must be identical to the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
- The switch supports IP addresses and shared keys for up to 16 network access servers (NAS). That is, when acting as the local RADIUS server, the switch can provide authentication service to up to 16 network access servers (including the switch itself) at the same time.
- When acting as the local RADIUS server, the switch does not support EAP authentication (that is, you cannot set the 802.1x authentication method to eap by using the dot1x authentication-method eap command).

Configuring Timers for RADIUS Servers

After sending out a RADIUS request (authentication/authorization request or accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers. If the switch gets no answer within the response timeout time, it needs to retransmit the request to ensure that the user can obtain RADIUS service.

For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme: