RADIUS configuration considerations

If you are using RADIUS authentication, authorization, and accounting, be aware of the following considerations:

  • You must deploy at least one RADIUS server in your network in order for the RADIUS feature to function.
  • RUCKUS devices support authentication using up to eight RADIUS servers, including those used for 802.1X authentication and for management. The device tries to use the servers in the order you add them to the device configuration. If one RADIUS server times out (does not respond), the RUCKUS device tries the next one in the list. Servers are tried in the same sequence each time there is a request.
  • You can optionally configure a RADIUS server as a port server, indicating that the server will be used only to authenticate users on ports to which it is mapped, as opposed to globally authenticating users on all ports of the device. Refer to RADIUS server per port.
  • You can map up to eight RADIUS port servers to each port on the RUCKUS device. The port will authenticate users using only the RADIUS servers to which it is mapped. If there are no RADIUS servers mapped to a port, it will use the "global" servers for authentication. Refer to RADIUS server to individual ports mapping.
  • You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure different backup authentication methods for each access type.
  • If your RUCKUS device is configured with multiple IP addresses, the lowest numbered IP sources the device's RADIUS traffic by default. You may select a specific interface by configuring the IP RADIUS SOURCE-INTERFACE {interface-type+ID}. If the selected interface has multiple IPs, the lowest-numbered is used.