Use this window to configure advanced RADIUS settings used by ExtremeCloud IQ Site Engine when proxying authentication requests to a backend RADIUS server. You can access this window by selecting the Advanced button at the bottom of the Add/Edit RADIUS Server window.
- Username Format
- This field is used by ExtremeCloud IQ Site Engine to determine what format to
use for the username when proxying a request to the backend RADIUS
server. There are two options:
- Strip Domain Name (default) - This option removes a domain name from the username when proxying the request. Select this option unless the backend RADIUS server requires the domain name to be included.
- Keep Domain Name - This option keeps any domain names on the username when proxying the request to the backend RADIUS server. If the backend RADIUS server is a Microsoft IAS or NPS server, this option could cause the RADIUS server to time out if a guest comes onto the network with another domain. In that scenario, if the request is proxied to the backend RADIUS server with the domain name, the server does not respond to the request because it is from an unknown domain. Therefore, if you use this option with a Microsoft IAS or NPS server, use an advanced AAA configuration so that only requests for the desired domain(s) are sent to the backend RADIUS server, and all unknown domains are processed locally so they are rejected.
- Require Message-Authenticator
- Enable this checkbox if the backend RADIUS server requires a message authenticator to be part of the request. If enabled, ExtremeCloud IQ Site Engine adds the message authenticator when proxying the request.
Health Check for UDP
ExtremeCloud IQ Site Engine uses the options in this section to determine how to check the health of a backend RADIUS server, if that server stops responding to requests.
| NOTE: | For backend RADIUS server options other than UDP (for example, TCP or RADSec), all fields except Revive Interval in the Health Check for UDP are not available. |
- Use Server-Status Request
- When selected, ExtremeCloud IQ Site Engine attempts to use Server-Status RADIUS packets as defined by RFC 5997, to determine if the backend RADIUS server is up.
- Use Access Request
- When selected, ExtremeCloud IQ Site Engine attempts to use an access request message to determine if the RADIUS server is up. The request is made using the username and password specified below. The username and password do not need to be valid, as ExtremeCloud IQ Site Engine is looking for a response and a reject also works. The username/password fields are provided in case you want to prevent rejects from being logged in the backend RADIUS server.
- Check Interval
- The interval to wait between checks to see if the RADIUS server is up. This is only applicable if the Server-Status request or Access request methods are used.
- Number of Answers to Alive
- The number of times the RADIUS server must respond before it is marked as alive. This is only applicable if the Server-Status request or Access request methods are used.
- Revive Interval
- If Server-Status requests and Access requests are not allowed or supported by the RADIUS server, then ExtremeCloud IQ Site Engine waits the amount of time specified here before allowing requests to go to a backend RADIUS server, if it stops responding. Only use this if there is no other way to detect the health of the backend RADIUS server.
For information on related help topics: