This article describes how access management can be configured on a switch of the GS-23xx series via RADIUS (802.1x). Thus it is possible to administer login credentials for users in a central place.
- Switch of the GS-23xx series
- Web browser for accessing the web interface of the switch
- LANCOM Router / Access Point as RADIUS Server or a separate RADIUS Server
1) Configuration of the RADIUS authentication on the switch:
1.1) Open the switch configuration in a browser, go to the menu Security → AAA → Configuration, enter the RADIUS server information under RADIUS Authentication Server Configuration and click Apply:
- Enabled: Activate the RADIUS server.
- IP Address/Hostname: Enter the IP address or DNS name of the RADIUS server.
- Port: Make sure, that port 1812 is used.
- Secret: Enter a password, which the switch uses for authentication with the RADIUS server (see step 2.5).
1.2) Go to the menu Security → Access Management → Auth Method, set the Authentication Method to RADIUS for the necessary access options and click Apply.
Activating the option Fallback is recommended, as the authentication at the switch with the local logiin credentials is possible when the RADIUS server isn't reachable.
1.3) Go to the menu Maintenance → Save/Restore → Save Start and click Save to save the configuration as Start Configuration.
The Start Configuration is saved boot persistent in the device and is therefore still available after a reboot or a power outage.
1.4) The configuration of the switch is now complete.
2) Configuration of the RADIUS server on a LANCOM router or access point:
If a separate RADIUS server is used, the Privilege Level has to be committed via a Cisco AV Pair entry with the string shell:priv-lvl=x (x stands for a value between 1-15, whereas the value 15 has the highest priority).
The protocol PAP has to be used for authenticating the switch with the RADIUS server, as the GS-23xx series only supports this protocol.
2.1) Open the configuration of the device in LANconfig, go to the menu RADIUS → Server and activate the checkbox RADIUS authentication active.
2.2) Go to the menu RADIUS services ports.
2.3) Make sure, that the Authentication port 1812 is used.
2.4 ) Go to the menu IPv4 clients.
2.5) Create a new entry and change the following parameters:
- IP adress: Enter the IP address of the switch.
- Netmask: Enter the subnet mask 255.255.255.255. It represents a single IP address.
- Protocols: Make sure, that the protocol RADIUS is selected.
- Client secret: Enter the Secret used in step 1.1). It is used for authenticating the switch with the RADIUS server.
2.6) Go to the menu User table.
2.7) Create a new entry and change the following parameters:
- Name / MAC address: Enter a user name for accessing the switch.
- Password: Enter a password for accessing the switch.
- Protocol restriction for authentication: Activate only the protocol PAP. This is necessary as the GS-23xx series only supports PAP.
- Shell privilege level: Enter the value 15 so that the user gains write permission to all function groups.
- Expiry type: In the dropdown-menu select Never so the entry never becomes invalid.
The Shell privilege level can be set between 1 - 15, whereas the value 15 has the highest priority.
It is possible to assign different Privilege levels to the function groups in the menu System → Account → Privilege-Level. Thus it is possible to assign different rights to users.
2.8) The configuration of the RADIUS server is now complete. Write the configuration back into the router.