I have been battling towards a solution to allow our 4200 switches to authenticate against IAS using RADIUS. I thought I would post some instructions on how to implement it.
1- Configure the switch to authenticate using RADIUS and PASSWORD. I did this via the GUI ensuring that RADIUS entry was above password. If the RADIUS server fails for whatever reason, the username password combo will be compared against the local database. Add your RADIUS server IP addresses.
2- Create user accounts for each authentication privilege you require. E.g. if you require some users to log in with super-user access and some with read access, you need to create two user accounts, with dummy names that will be used to map the AD user to the authorisation level. I did this via the command line.
set system login user lame class read-only
set system login user super class super-user
3- Create a new IAS policy. Add your conditions (e.g. Windows security group), and ensure you set it to grant permission, not deny.
4- Set Authentication methods to Unencrypted only. Not sure what happens if you enable others too.
5- On the Advanced tab remove all those attributes that are present and add the following.
Vendor Specific; Vendor Code 2636; Yes it conforms; VSA attribute '1'; format string; attribute value <user class name> (as created in step 2, would be 'lame' or 'super' depending on requirements).
Service-type; attribute value 'Login'
And that's it...
The article below outlines most steps more thoroughly, although there are a few which I skipped.
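What the step 5 attributes look like on the wire, as an added example that is not part of the original post: it encodes the Vendor-Specific attribute (vendor code 2636, VSA attribute 1, string) and Service-Type 'Login' in RFC 2865 format, then checks a reply's attribute bytes the way you would when validating a captured Access-Accept. The function names and the sample bytes are constructed for illustration; attribute types 26 and 6 and the Login value 1 come from RFC 2865, and VSA 1 under vendor 2636 is Juniper-Local-User-Name.

```python
import struct

JUNIPER_VENDOR_ID = 2636       # vendor code from step 5
JUNIPER_LOCAL_USER_NAME = 1    # VSA attribute '1' from step 5
VENDOR_SPECIFIC = 26           # RFC 2865 attribute type
SERVICE_TYPE = 6               # RFC 2865 attribute type
SERVICE_TYPE_LOGIN = 1         # RFC 2865 value for 'Login'

def encode_vsa(vendor_id, vendor_type, value):
    """Encode a string VSA in the RFC 2865 conformant layout."""
    data = value.encode("ascii")
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(data) + 2]) + data
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def encode_service_type(value):
    """Encode Service-Type as a 4-byte integer attribute."""
    return bytes([SERVICE_TYPE, 6]) + struct.pack("!I", value)

def parse_attributes(buf):
    """Split an attribute block into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def check_accept(buf):
    """Return the switch user class name the reply maps to, or raise."""
    login, user_class = False, None
    for atype, val in parse_attributes(buf):
        if atype == SERVICE_TYPE and len(val) == 4:
            login = struct.unpack("!I", val)[0] == SERVICE_TYPE_LOGIN
        elif atype == VENDOR_SPECIFIC and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!I", val[:4])[0], val[4], val[5]
            if (vendor == JUNIPER_VENDOR_ID and vtype == JUNIPER_LOCAL_USER_NAME
                    and 2 <= vlen <= len(val) - 4):
                user_class = val[6:4 + vlen].decode("ascii")
    if not login or user_class is None:
        raise ValueError("reply lacks Service-Type Login or the vendor 2636 VSA")
    return user_class

if __name__ == "__main__":
    # Constructed sample: the attributes the step 5 policy should return for 'super'.
    sample = encode_vsa(JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME, "super") \
        + encode_service_type(SERVICE_TYPE_LOGIN)
    print(sample.hex(), "->", check_accept(sample))
```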