| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system. |
| Set the IP address and port number of the primary RADIUS authentication/authorization server | primary authentication ip-address [ port-number ] | Required. By default, the IP address and UDP port number of the primary server are 0.0.0.0 and 1812 respectively for a newly created RADIUS scheme. |
| Set the IP address and port number of the secondary RADIUS authentication/authorization server | secondary authentication ip-address [ port-number ] | Optional. By default, the IP address and UDP port number of the secondary server are 0.0.0.0 and 1812 respectively for a newly created RADIUS scheme. |

- The authentication response sent from the RADIUS server to the RADIUS client carries authorization information. Therefore, you need not (and cannot) specify a separate RADIUS authorization server.
- In an actual network environment, you can either specify one server as both the primary and secondary authentication/authorization servers, or specify two RADIUS servers as the primary and secondary authentication/authorization servers respectively.
- The IP address and port number of the primary authentication server used by the default RADIUS scheme "system" are 127.0.0.1 and 1645.

Configuring Ignorance of Assigned RADIUS Authorization Attributes

A RADIUS server can be configured to assign multiple authorization attributes, such as authorization VLAN and idle timeout. Some users need these attributes while others do not. This conflict arises when the RADIUS server does not support user-based attribute assignment or manages all users uniformly.

The RADIUS authorization attribute ignoring function can solve this issue. It is configured per RADIUS scheme.
Users using a RADIUS scheme with this function enabled can ignore certain unexpected attributes.

As shown in Figure 33-1, NAS 1 and NAS 2 are connected to the same RADIUS server for authentication. For easy management, the RADIUS server issues the same authorization attributes to all the users. However, users attached to NAS 1 need these attributes while users attached to NAS 2 do not want to use the assigned Attribute 28, idle-timeout. You can configure the attribute ignoring function on NAS 2 to ignore Attribute 28.
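The NAS 1 / NAS 2 scenario above, modeled as an added example that is not taken from this manual and does not represent the switch's own implementation. It parses the attribute list of a constructed Access-Accept (RFC 2865 type-length-value layout) and applies it with and without Attribute 28 ignored; the function names and the sample packet are assumptions made for illustration.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27   # standard attribute 27
IDLE_TIMEOUT = 28      # standard attribute 28, the one NAS 2 ignores in the text

def build_accept(ident, attrs):
    """Build a constructed Access-Accept. The authenticator is zeroed and not verified here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(body), b"\0" * 16)
    return header + body

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def apply_authorization(packet, ignored_types=frozenset()):
    """Hypothetical model of a NAS applying authorization attributes,
    skipping the types its RADIUS scheme is set to ignore.
    (A dict keeps one value per type, which is enough for this model.)"""
    return {t: v for t, v in parse_attributes(packet) if t not in ignored_types}

# Constructed sample: the server sends the same attributes to every NAS.
SAMPLE = build_accept(7, [
    (SESSION_TIMEOUT, struct.pack("!I", 3600)),
    (IDLE_TIMEOUT, struct.pack("!I", 300)),
])

NAS1 = apply_authorization(SAMPLE)                                # uses everything
NAS2 = apply_authorization(SAMPLE, ignored_types={IDLE_TIMEOUT})  # ignores Attribute 28

if __name__ == "__main__":
    for name, applied in (("NAS 1", NAS1), ("NAS 2", NAS2)):
        print(name, {t: int.from_bytes(v, "big") for t, v in applied.items()})
```
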