8.6 Risks of Disabling eDirectory Account Policy Checking

With eDirectory integration, the RADIUS server can read the Universal Password from eDirectory. Therefore, when the eDirectory account policy check is disabled, the RADIUS server can still read the Universal Password and authorize a user whose account is disabled or closed in eDirectory. The intruder detection facility of eDirectory is also bypassed.

To avoid these risks, enable the eDirectory account policy check so that authorization fails if either the RADIUS server or the eDirectory server does not authorize the user.

Figure 8-1 eDirectory Account Policy Check Disabled

Figure 8-2 eDirectory Account Policy Check Enabled
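
One way to audit a server for the setting recommended above, as an added example that is not part of the original documentation. It assumes the RADIUS server is FreeRADIUS built with eDirectory support, where the `ldap` module option `edir_account_policy_check` controls the check; the configuration text, host name and instance names are constructed.

```python
import re

# Constructed sample in FreeRADIUS 2.x module syntax (host and instance names are made up).
# Assumption: the check is controlled by the ldap module option edir_account_policy_check.
SAMPLE_CONF = """
ldap {
    server = "ldap.example.org"
    password_attribute = nspmPassword
    # edir_account_policy_check = yes
    edir_account_policy_check = no
}
ldap ldap_branch {
    password_attribute = nspmPassword
    tls {
        start_tls = no
    }
    edir_account_policy_check = yes
}
ldap ldap_lab {
    password_attribute = nspmPassword
}
"""

HEADER = re.compile(r'^ldap(?:\s+(\S+))?\s*\{$')
SETTING = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')
STATUS = {"yes": "ENABLED", "no": "DISABLED"}

def audit_policy_check(conf_text):
    """Map each ldap module instance to ENABLED, DISABLED or UNSET."""
    findings, name, depth, value = {}, None, 0, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # ignore comments
        if name is None:                          # outside any ldap section
            m = HEADER.match(line)
            if m:
                name, depth, value = m.group(1) or "ldap", 1, None
        elif line.endswith("{"):                  # nested sub-section, e.g. tls { }
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:                        # end of this ldap instance
                findings[name] = STATUS.get(value, "UNSET")
                name = None
        elif depth == 1:                          # only top-level settings count
            m = SETTING.match(line)
            if m and m.group(1).lower() == "edir_account_policy_check":
                value = m.group(2).strip().lower()
    return findings

if __name__ == "__main__":
    for instance, status in audit_policy_check(SAMPLE_CONF).items():
        print(f"{instance}: edir_account_policy_check {status}")
```

An instance reported as DISABLED has the exposure described in this section; an instance reported as UNSET relies on the module's built-in default and is worth setting explicitly.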