RADIUS Commands

This chapter describes the commands used to configure RADIUS.

RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. Cisco supports RADIUS under its Authentication, Authorization, and Accounting (AAA) security paradigm.

For information on how to configure RADIUS, refer to the "Configuring RADIUS" chapter in the Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "RADIUS Configuration Examples" section located at the end of the "Configuring RADIUS" chapter in the Security Configuration Guide.

ip radius source-interface

To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface global configuration command.

ip radius source-interface subinterface-name
no ip radius source-interface
Syntax Description
subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.
Default

This command has no factory-assigned default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, RADIUS reverts to the default source address. To avoid this, assign an IP address to the subinterface or bring the interface to the up state.

Example

The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:

ip radius source-interface s2
Related Commands

You can use the master indexes or search online to find documentation of related commands.

ip tacacs source-interface
ip telnet source-interface
ip tftp source-interface

radius-server configure-nas

To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas global configuration command.

radius-server configure-nas
Syntax Description

This command has no arguments or keywords.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.

Note: Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy running-config startup-config command.

Example

The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:

radius-server configure-nas
Related Commands

You can use the master indexes or search online to find documentation of related commands.

radius-server host non-standard

radius-server dead-time

To improve RADIUS response times when some servers might be unavailable, use the radius-server dead-time global configuration command to cause the unavailable servers to be skipped immediately. Use the no form of this command to set dead-time to 0.

radius-server dead-time minutes
no radius-server dead-time
Syntax Description
minutes Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Default

Dead time is set to 0.

Command Mode

Global configuration

Usage Guidelines

Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS server that fails to respond to authentication requests, so that later requests do not wait for a timeout on that server before trying the next configured server. A RADIUS server marked as "dead" is skipped by subsequent requests for the number of minutes specified, unless every configured server is marked "dead," in which case the servers are tried anyway.

Example

The following example specifies a dead time of five minutes for RADIUS servers that fail to respond to authentication requests:

radius-server dead-time 5
Related Commands

You can use the master indexes or search online to find documentation of related commands.

radius-server host
radius-server retransmit
radius-server timeout

radius-server host

To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
no radius-server host {hostname | ip-address}
Syntax Description
hostname DNS name of the RADIUS server host.
ip-address IP address of the RADIUS server host.
auth-port (Optional) Specifies the UDP destination port for authentication requests.
port-number (Optional) Port number for authentication requests; the host is not used for authentication if set to 0.
acct-port (Optional) Specifies the UDP destination port for accounting requests.
port-number (Optional) Port number for accounting requests; the host is not used for accounting if set to 0.
Default

No RADIUS host is specified.

Command Mode

Global configuration

Usage Guidelines

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.

Example

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:

radius-server host host1.company.com

The following example specifies port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named host1:

radius-server host host1.company.com auth-port 12 acct-port 16

Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:

radius-server host host1.company.com auth-port 0
radius-server host host2.company.com acct-port 0
Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa accounting
aaa authentication
aaa authorization
login authentication
login tacacs
ppp
ppp authentication
radius-server key
slip
tacacs-server
username

radius-server host non-standard

To identify that the security server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard global configuration command. This command tells the Cisco IOS software to support non-standard RADIUS attributes. Use the no form of this command to delete the specified vendor-proprietary RADIUS host.

radius-server host {hostname | ip-address} non-standard
no radius-server host {hostname | ip-address} non-standard
Syntax Description
hostname DNS name of the RADIUS server host.
ip-address IP address of the RADIUS server host.
Default

No RADIUS host is specified.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

For a list of supported vendor-specific RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide.

Example

The following example specifies a vendor-proprietary RADIUS server host named alcatraz:

radius-server host alcatraz non-standard
Related Commands

You can use the master indexes or search online to find documentation of related commands.

radius-server host
radius-server configure-nas

radius-server key

To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key global configuration command. Use the no form of this command to disable the key.

radius-server key {string}
no radius-server key
Syntax Description
string The key used for authentication and encryption. This key must match the key configured on the RADIUS daemon.
Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.

Note: Specify a RADIUS key after you issue the aaa new-model command.

The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Example

The following example sets the authentication and encryption key to "dare to go":

radius-server key dare to go
Related Commands

You can use the master indexes or search online to find documentation of related commands.

login authentication
login tacacs
ppp
ppp authentication
radius-server host
slip
tacacs-server
username

radius-server retransmit

To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit global configuration command. Use the no form of this command to disable retransmission.

radius-server retransmit retries
no radius-server retransmit
Syntax Description
retries Maximum number of retransmission attempts. The default is 3 attempts.
Default

Three retries

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
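The following simulation, added here and not Cisco IOS code, models how the radius-server host order, the auth-port/acct-port zero values, dead-time, retransmit and timeout settings described above interact; the RadiusHost and RadiusClient classes, the simulated clock, the port defaults and the "responders" set are constructed stand-ins for the network.

```python
# Added illustration of the server-selection behaviour described by the
# radius-server host, dead-time, retransmit and timeout commands. It is a
# simulation, not Cisco IOS code: the simulated clock and the 'responders'
# set stand in for the network, and the port defaults are constructed.
from dataclasses import dataclass, field


@dataclass
class RadiusHost:
    name: str
    auth_port: int = 1645    # constructed default; 0 means "not used for auth"
    acct_port: int = 1646    # constructed default; 0 means "not used for acct"
    dead_until: float = 0.0  # simulated time (s) until which the host is "dead"


@dataclass
class RadiusClient:
    hosts: list                 # configuration order of radius-server host lines
    retransmit: int = 3         # radius-server retransmit (default 3)
    timeout: float = 5.0        # radius-server timeout, seconds (default 5)
    dead_time: float = 0.0      # radius-server dead-time, minutes (default 0)
    clock: float = 0.0          # simulated time in seconds
    log: list = field(default_factory=list)

    def send(self, kind, responders):
        """Send one 'auth' or 'acct' request. responders is the set of host
        names that would answer. Returns the answering host name, or None once
        the retransmit count is exhausted."""
        port = "auth_port" if kind == "auth" else "acct_port"
        # A port of 0 removes the host from that role (see radius-server host).
        candidates = [h for h in self.hosts if getattr(h, port) != 0]
        for attempt in range(1, self.retransmit + 1):
            # Each pass tries every host in configured order; the retransmit
            # count only increases after all of them have timed out.
            for host in candidates:
                alive = [h for h in candidates if h.dead_until <= self.clock]
                if host.dead_until > self.clock and alive:
                    # Dead servers are skipped unless every server is dead.
                    self.log.append(f"skip {host.name} (dead)")
                    continue
                if host.name in responders:
                    self.log.append(f"{host.name} answered on attempt {attempt}")
                    return host.name
                # No reply: wait the full timeout, then mark the host dead.
                self.clock += self.timeout
                host.dead_until = self.clock + self.dead_time * 60
                self.log.append(f"{host.name} timed out at t={self.clock:.0f}s")
        return None
```

With dead-time left at 0, every request pays the timeout on the unresponsive first host again; with dead-time 5 the second request skips it immediately, which is the response-time gain the dead-time command describes.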

Example

The following example sets the retransmit counter to five attempts:

radius-server retransmit 5

radius-server timeout

To set the interval a router waits for a server host to reply, use the radius-server timeout global configuration command. Use the no form of this command to restore the default.

radius-server timeout seconds
no radius-server timeout
Syntax Description
seconds Number that specifies the timeout interval in seconds. The default is 5 seconds.
Default

5 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Example

The following example changes the interval timer to 10 seconds:

radius-server timeout 10
Related Commands

You can use the master indexes or search online to find documentation of related commands.

login authentication
login tacacs
ppp
ppp authentication
slip
tacacs-server
username

Copyright 1989-1997 © Cisco Systems Inc.