RADIUS Server Options

To configure the RADIUS server service:

The expiration of an EAP certificate will cause the RADIUS service to stop operating correctly. The top left-hand side of the Server Configuration screen lists the certificate in red if it has expired.

1. Navigate to the Administration > Server Manager > Server Configuration, then select the Policy Manager server.

2. From the Server Configuration page, select the Service Parameters tab.

3. From the Select Service drop-down, select RADIUS server.

4. Specify the Service Parameters > RADIUS server parameters as described in the following table.

Figure 1: RADIUS Server Parameters Dialog (Partial View)

Table 1: Service Parameters > RADIUS Server Service

Service Parameter

Action/Description

EAP-FAST

Key Expire Time

Specify the lifetime of a generated EAP-FAST key.

Key Grace Time

Specify the grace period for an EAP-FAST key after its lifetime expires. The default is 3 weeks.

If a client presents a PAC (Protected Access Credential) that is encrypted using the key in this period after its TTL (Time-to-Live), it is accepted and a new PAC encrypted with the latest key is provisioned on the client.

PACs are valid across cluster

If PACs (Protected Access Credentials) generated by this server are valid across the cluster, set to TRUE (the default setting).

If not, select FALSE.

Proxy

Maximum Response Delay

If the target server has not responded, specify the delay time before retrying a proxy request. The default is 5 seconds.

Maximum Reactivation Time

Specify the time to elapse before retrying a dead proxy server.

Maximum Retry Counts

If the target server doesn't respond, specify the maximum number of times to retry a proxy request.

Rate Limit

Enforce Rate limiting

Policy Manager can provide traffic throttling on the RADIUS server. In scenarios where an occasional, sudden increase in authentications per second might put an excessive load on the policy server, ClearPass Zone, or Post-Authentication module, this rate limiting can alleviate that load and prevent the RADIUS server from going into an unresponsive state. Set this option to yes to enable traffic rate limiting, or no to disable limiting. The default is no.

Window Size

Enter the number of seconds for the traffic-limit window. The supported range is 5-60 seconds, and the default is 10 seconds.

Packets per Window

Enter the number of packets to allow within the time window. The supported range is 4000-36000 packets, and the default is 14,000 packets.

Accounting

Log Accounting Interim-Update Packets

To store the Interim-Update packets in session logs, select TRUE. FALSE is the default setting.

OCSP

Use HTTP Proxy setting for OCSP Connection

Specifies the OCSP connection when EAP-TLS with OCSP Enabled is the authentication method and an HTTP proxy is configured. Set this parameter to TRUE to apply the HTTP proxy setting to all OCSP lookups that are not to localhost. This parameter is set to FALSE by default.

OCSP Server Connection Timeout

Specifies the time in seconds within which the TCP connection must complete (default 5, range 2-10).

OCSP Server Request Failures

Specifies the number of requests that must time out before the server is marked as down (default 5, range 2-50).

Down OCSP Server Retry Timer

Specifies the time in seconds that the server is considered "down" and ClearPass will not attempt to reach it again (default 300, range 60-3600).

NOTE: For a server marked with a "down" OCSP state, after the Down OCSP Server Retry Timer elapses, Policy Manager will try only once to reach the OCSP server. However, if a configuration is reloaded on the server during this time, the OCSP connection state and cache are lost, and Policy Manager tries to connect to the OCSP server for the configured number of retries.

OCSP Server Stability Notification

Specifies the time window in seconds across which the OCSP Server Request Failures value is measured (default 60, range 60-600).
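The interaction between Request Failures, Stability Notification and the Down Retry Timer described above, as an added illustration with the table's defaults (this is example code, not ClearPass's implementation; the class and method names are assumptions):

```python
from collections import deque


class OcspResponderState:
    """Tracks one OCSP responder's up/down state as the table describes:
    `request_failures` timeouts inside `stability_window` seconds mark it down;
    while down nothing is sent until `retry_timer` elapses, then exactly one
    probe is attempted.  Illustrative code, not ClearPass's own."""

    def __init__(self, request_failures=5, stability_window=60, retry_timer=300):
        # Enforce the ranges the table gives for each parameter.
        if not 2 <= request_failures <= 50:
            raise ValueError("OCSP Server Request Failures must be 2-50")
        if not 60 <= stability_window <= 600:
            raise ValueError("OCSP Server Stability Notification must be 60-600 s")
        if not 60 <= retry_timer <= 3600:
            raise ValueError("Down OCSP Server Retry Timer must be 60-3600 s")
        self.request_failures = request_failures
        self.stability_window = stability_window
        self.retry_timer = retry_timer
        self.reload_config()

    def reload_config(self):
        """A configuration reload discards connection state and cache (see the NOTE),
        so the failure count starts again from zero."""
        self.failure_times = deque()   # timestamps of timeouts still inside the window
        self.down_since = None         # None while the responder is considered up
        self.probe_pending = False     # True once the single post-timer probe was issued

    def is_down(self):
        return self.down_since is not None

    def acquire_attempt(self, now):
        """Return True if an OCSP request may be sent at time `now` (seconds).
        While down, permits exactly one probe after the retry timer elapses."""
        if not self.is_down():
            return True
        if now - self.down_since < self.retry_timer or self.probe_pending:
            return False
        self.probe_pending = True
        return True

    def record_success(self, now):
        """A good response from a down responder brings it back up."""
        if self.is_down():
            self.reload_config()

    def record_failure(self, now):
        """A timed-out request: either the failed probe (restart the down period)
        or one more failure counted inside the stability window."""
        if self.is_down():
            self.down_since = now
            self.probe_pending = False
            return
        # Forget failures that fell outside the stability window.
        while self.failure_times and now - self.failure_times[0] > self.stability_window:
            self.failure_times.popleft()
        self.failure_times.append(now)
        if len(self.failure_times) >= self.request_failures:
            self.down_since = now
            self.probe_pending = False
```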

Thread Pool

Maximum Number of Threads

Specify the maximum number of threads in the RADIUS server thread pool to process requests.

Number of Initial Threads

Specify the initial number of threads in the RADIUS server thread pool to process requests.

Active Directory Errors

Window Size

Enter a duration during which Active Directory errors are accumulated for possible action. The default is 5 minutes.

Number of Errors

Enter the number of Active Directory errors that can occur within the defined Window Size before the self-healing Recovery Action is taken. The default is 150.

Recovery Action

Select one of the following recovery actions from the drop-down list:

None: To not initiate a self-recovery action. This is the default.

Exit: To restart the RADIUS server. (The monitoring daemon restarts it.)

Restart Domain Service: To restart the Domain service.

TLS

Disable RSA-PSS Signature Suite in EAP-TLS

Set this value to TRUE to assist Windows 10 devices using a Trusted Platform Module (TPM) to authenticate when certificates installed in the TPM fail with an RSA_verify_PKCS1_PSS_mgf1:last octet invalid error. This issue is reported in ClearPass 6.11.x and later deployments on some Windows 10 devices using TPM, especially TPM 1.16 and lower. This issue does not impact pre-6.11.x ClearPass versions. The default value is FALSE.

Skip CA name list in EAP packet

Enable this parameter for ClearPass to exclude the list of certificate authority (CA) names configured in the Trust List during an EAP Server packet exchange.

Security

Enable Packet Rejection Delay

If set to TRUE (default setting), a rejection is not sent until a subsequent RADIUS client request is made. If set to FALSE, a failed authentication packet is rejected immediately.

NOTE: This field previously accepted an integer value. It now accepts only TRUE or FALSE. If needed, manually update the value carried over from a previous version of ClearPass.

Maximum Attributes

Specify the maximum number of RADIUS attributes allowed in a request. The default is 200.

Process Server-Status Request

TRUE: Send replies to Status-Server RADIUS packets.

FALSE: Do not send replies to Status-Server RADIUS packets. This is the default setting.

Require Message-Authenticator from NAD

Set this parameter to yes for Policy Manager to check and validate the Message-Authenticator in each Access-Request packet. If the Message-Authenticator is not present, or its validation fails for the incoming packet, Policy Manager drops the packet and an Event Viewer alert is written. However, there is no Access Tracker entry. The default setting is no, with no operation performed.

Require Message-Authenticator from Proxy Server

Set this parameter to yes for Policy Manager to check and validate the Message-Authenticator in each Access-Challenge, Access-Accept, and Access-Reject packet received when functioning as a Proxy Client. If the Message-Authenticator is not present, or its validation fails for the incoming packet, Policy Manager drops the packet and an Event Viewer alert is written. However, there is no Access Tracker entry. The default setting is no, with no operation performed.
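What the two "Require Message-Authenticator" checks validate, as an added example covering both the NAD (Access-Request) and Proxy Client (Accept/Reject/Challenge) cases: the HMAC-MD5 construction is the one defined in RFC 2869, but the code, its function names and the constructed secret and packets are this example's own, not ClearPass code.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865) and the Message-Authenticator attribute (RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, REPLY_MESSAGE = 1, 18
MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type/length/value triples."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(pkt):
    """Return [(type, value_offset, value)] for the attribute section, or None if malformed."""
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            return None
        t, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > len(pkt):
            return None
        out.append((t, i + 2, pkt[i + 2:i + ln]))
        i += ln
    return out


def _hmac_over(pkt, authenticator, ma_offset, secret):
    """HMAC-MD5 (key = shared secret) over the packet with the Authenticator field
    replaced by `authenticator` and the Message-Authenticator value zeroed."""
    buf = bytearray(pkt)
    buf[4:20] = authenticator
    buf[ma_offset:ma_offset + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def build_request(identifier, attrs, secret, request_auth=None):
    """Access-Request carrying a Message-Authenticator, as a compliant NAD sends it."""
    if request_auth is None:
        request_auth = os.urandom(16)
    body = encode_attrs(attrs) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    return pkt[:-16] + _hmac_over(pkt, request_auth, len(pkt) - 16, secret)


def build_response(code, request_pkt, attrs, secret):
    """Accept/Reject/Challenge answering request_pkt.  The Message-Authenticator is
    keyed over the Request Authenticator (RFC 2869), then the Response Authenticator
    is computed over the finished packet (RFC 2865)."""
    request_auth = request_pkt[4:20]
    body = encode_attrs(attrs) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    hdr = HEADER.pack(code, request_pkt[1], 20 + len(body))
    pkt = hdr + request_auth + body
    body = body[:-16] + _hmac_over(pkt, request_auth, len(pkt) - 16, secret)
    response_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + response_auth + body


def verify_message_authenticator(pkt, secret, request_auth=None):
    """The check behind 'Require Message-Authenticator': True only if exactly one
    well-formed Message-Authenticator is present and its HMAC-MD5 matches.
    For responses (Proxy Client case) pass the matching request's Authenticator.
    Anything else is the 'drop the packet' outcome the table describes."""
    if len(pkt) < 20:
        return False
    code, _ident, length = HEADER.unpack(pkt[:4])
    if length != len(pkt):
        return False
    attrs = parse_attrs(pkt)
    if attrs is None:
        return False
    mas = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False                      # absent, duplicated or truncated
    off, received = mas[0]
    if code == ACCESS_REQUEST:
        key_auth = pkt[4:20]              # the request's own Request Authenticator
    elif code in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE) and request_auth:
        key_auth = request_auth           # responses are keyed over the request's
    else:
        return False
    return hmac.compare_digest(_hmac_over(pkt, key_auth, off, secret), received)
```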

Main

Authentication Port

Specify the ports on which the RADIUS server listens for authentication requests. The default values are ports 1645 and 1812.

NOTE: You can configure the Authentication Port to different values if desired.

Accounting Port

Specify the ports on which the RADIUS server listens for accounting requests. The default values are 1646 and 1813.

NOTE: You can configure the Accounting Port to different values if desired.

Maximum Request Time

Specify the maximum time (in seconds) allowed for processing a request after which it is considered timed out. The default is 30 seconds.

Cleanup Time

Specify the time to cache the response sent to a RADIUS request after sending it.

The range is from 2 to 10 seconds. The default is 5 seconds.

If the RADIUS server gets a duplicate request for which the response has already been sent, and the duplicate arrives within this time period, the cached response is resent.
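The Cleanup Time behaviour just described, as an added example (not ClearPass code): retransmissions are recognised by the client plus the Identifier and Request Authenticator the NAD repeats, and the cached response is replayed for `cleanup_time` seconds. The class name, the duplicate key and the string client labels are assumptions of this example.

```python
class DuplicateResponseCache:
    """Keep each sent response for `cleanup_time` seconds (2-10, default 5) and
    answer a retransmitted request from the cache instead of processing it again."""

    def __init__(self, cleanup_time=5):
        if not 2 <= cleanup_time <= 10:
            raise ValueError("Cleanup Time must be 2-10 seconds")
        self.cleanup_time = cleanup_time
        self._cache = {}   # (client, identifier, request_authenticator) -> (response, sent_at)

    @staticmethod
    def key(client, request):
        """A RADIUS retransmission repeats the Identifier (byte 1) and the Request
        Authenticator (bytes 4-19), so together with the sending client they
        identify a duplicate rather than a new request."""
        return (client, request[1], bytes(request[4:20]))

    def _expire(self, now):
        """Drop cached responses older than cleanup_time (entries are purged lazily)."""
        stale = [k for k, (_resp, sent) in self._cache.items() if now - sent >= self.cleanup_time]
        for k in stale:
            del self._cache[k]

    def handle(self, client, request, now, process):
        """Return (response, from_cache).  `process(request)` builds a fresh response
        and is only invoked when the request is not a live duplicate."""
        self._expire(now)
        k = self.key(client, request)
        if k in self._cache:
            return self._cache[k][0], True
        response = process(request)
        self._cache[k] = (response, now)
        return response, False
```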

Local DB Authentication Source Connection Count

Specify the maximum number of Local DB connections opened.

AD/LDAP Authentication Source Connection Count

Specify the maximum number of Active Directory and LDAP (Lightweight Directory Access Protocol) connections opened.

The range is from 5 to 300. The default is 64.

SQL DB Authentication Source Connection Count

Specify the maximum number of SQL DB connections opened.

Kerberos Authentication Source Connection Count

Specify the maximum number of Kerberos connections opened.

Authentication Source Primary Fallback Interval

Set a value from 60 to 86400 seconds to determine how long the RADIUS server waits before it checks whether the primary server is back online. The default is 120 seconds.

EAP-TLS Fragment Size

Specify the maximum allowed size (in bytes) for the EAP-TLS fragment.

Use Inner Identity in Access-Accept Reply

To use the inner identity in the Access-Accept replies, select TRUE. The default setting is FALSE.

Reject if OCSP response does not have Nonce

To reject an OCSP response without a nonce, select TRUE. Else, select FALSE.

Include Nonce in OCSP request

Specify one of the following:

TRUE: Select if the OCSP (Online Certificate Status Protocol) request should include the nonce. This is the default value.

FALSE: Select if the OCSP server does not support the nonce, to avoid the EAP-TLS authentication failure.

Enable signing for OCSP Request

To enable signing for OCSP requests, select TRUE.

This determines whether Policy Manager should sign an OCSP request with a RADIUS/EAP server certificate. The default value is FALSE.

Check the validity of all certificates in the chain against CRLs

To check the validity of all certificates in the chain against Certificate Revocation Lists (CRLs), select TRUE. Else, select FALSE.

ECDH Curve

Select one of the following ECDH (Elliptic Curve Diffie-Hellman) curve options from the drop-down list:

X9.62/SECG curve over a 256-bit prime field

NIST/SECG curve over a 384-bit prime field

NOTE: Support for Suite-B enabled clients using WPA3 requires either the NIST/SECG curve over a 384-bit prime field option, or the 4096-bit DH Param Size option.

Disable TLS 1.2

To disable Transport Layer Security 1.2 (TLS 1.2), select TRUE.

FALSE is the default setting; TLS 1.2 is enabled by default.

Check the validity of intermediary certificates in the chain using OCSP

To check the validity of intermediary certificates in the chain using OCSP (Online Certificate Status Protocol), select TRUE.

The default setting is FALSE.

Maximum Number of AD Authentication Processes

To specify the maximum number of Active Directory authentication processes, enter a number between 1 and 5.

The default is 1.

Verify OCSP Signing Purpose

Specify one of the following:

When the value for this parameter is set to TRUE, EAP-TLS authentication will fail unless the OCSP signing certificate also has the OCSP signing purpose set.

If this parameter is left at the default setting of FALSE, the OCSP signing certificate does not need to have the OCSP signing purpose set.

OCSP server connection preference

Specify whether Policy Manager should use an IPv4 or IPv6 network to connect to the OCSP server. The default value is IPv4.

Disable Policy Manager Machine account password expiry in AD

Specify one of the following:

When the value for this parameter is set to TRUE, it disables the Samba machine account password timeout setting so that a change to the machine account password will not be made.

If this parameter is left at the default setting of FALSE, the Samba machine account password timeout setting remains in effect.

Skip Netevents for IPv6 Accounting Packets

This option is recommended in a dual-stack (IPv4/IPv6) environment when Policy Manager is configured to send updates to endpoint servers.

Use this option to disable accounting netevents if an IPv6 address is present in the accounting packet.

When you enable this option (that is, set to TRUE), Policy Manager does not send client IPv6 updates to endpoint servers. The default setting is FALSE.

DH Param Size

Select one of the following sizes for the Diffie-Hellman key exchange:

DH2048: Use a 2048-bit Diffie-Hellman key

DH4096: Use a 4096-bit Diffie-Hellman key

NOTE: Support for Suite-B enabled clients using WPA3 requires either the NIST/SECG curve over a 384-bit prime field option, or the 4096-bit DH Param Size option.

Parse Cisco-AVPair to get device mac

Identify the device MAC address using Cisco-supported RADIUS attribute-value (AV) pairs.

Kerberos DNS URI lookup

Use this setting to enable or disable Kerberos DNS URI lookup during the process to join or authenticate users to your Active Directory domain controller. This setting is enabled (set to TRUE) by default. The setting can be disabled (set to FALSE) if DNS servers do not respond to Kerberos URI queries, causing the appliance to retry multiple times, which introduces significant delay and causes the join or user authentication to Active Directory to fail.

Request Expire Time

RADIUS server requests are prone to time out when they take longer than 50 seconds. Set the Request Expire Time parameter from 30 to 300 seconds as needed to accommodate the anticipated time needed to authenticate to the RADIUS server. Configuring a high value means more request state must be maintained, which increases RADIUS process memory usage. The default is 45 seconds.

TLS Session Cache Limit

Specify the number of TLS sessions to cache before purging the cache (used in TLS-based 802.1X EAP methods).

The range is from 1,000 to 100,000. The default is 10,000.