This feature module describes how to configure a Cisco router or access server acting as a network access server to forward authentication, authorization and accounting (AAA) requests to different User Datagram Protocol (UDP) ports on RADIUS servers.
In past Cisco IOS releases, RADIUS hosts were uniquely identified by their IP address; therefore, only one definition of a RADIUS server per IP address was allowed. The Configuring RADIUS for Multiple UDP Ports feature expands RADIUS implementation so that RADIUS security servers are identified on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service---for example, accounting---the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
The Configuring RADIUS for Multiple UDP Ports feature also applies to RADIUS server groups---server groups can now include multiple service definitions for host entries for the same server, as long as each entry has a unique identifier.
The Configuring RADIUS for Multiple UDP Ports feature provides the following benefits:
The Cisco implementation of AAA server groups recognizes two different remote security protocols: RADIUS and TACACS+. The Configuring RADIUS for Multiple UDP Ports feature extends the functionality of RADIUS server groups, not TACACS+ server groups.
The Configuring RADIUS for Multiple UDP Ports feature is supported on all platforms supporting AAA.
No new or modified standards are supported by this feature.
No new or modified MIBS are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
No new or modified RFCs are supported by this feature.
Before you can configure the network access server to support this extended RADIUS functionality, you need to configure the applicable RADIUS servers. For more information about configuring your network access server to support RADIUS, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
See the following sections for configuration tasks for the Configuring RADIUS for Multiple UDP Ports feature. Each task in the list indicates if the task is optional or required.
To configure your network access server to identify RADIUS hosts using both the IP address and UDP port number, enable AAA using the following command:
| Command | Purpose |
|---|---|
| Router(config)#aaa new-model | Enables AAA security services globally. |
For more information about enabling AAA, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Next, define the parameters associated with each RADIUS security server. The syntax of the radius-server host command has not changed in this feature, but its functionality has been expanded to accept more than one host entry with the same IP address, as long as each entry has a unique UDP port number. To configure RADIUS for multiple UDP ports, issue this command once for every RADIUS host instance, making sure that each one has a unique UDP port number.
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)#radius-server host ip-address [auth-port port-number] [acct-port port-number] | Specifies the security server protocol and defines the security server host IP address and UDP port number. Use the auth-port port-number option to configure a specific port on this RADIUS server to be used solely for authentication. Use the acct-port port-number option to configure a specific port on this RADIUS server to be used solely for accounting. |
| 2 | Router(config)#radius-server key key | Defines the security server shared secret key. |
For more information about configuring RADIUS on the network access server, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
The next step is optional, depending on whether you are using RADIUS server groups. If you are using RADIUS server groups, you need to define the name of the security server group and then associate the appropriate security servers (in this case, host instances) with the group. Server groups can now include multiple host entry definitions for the same server, as long as each entry has a unique identifier. The Configuring RADIUS for Multiple UDP Ports feature has added optional arguments to the server command so that you can identify multiple host entries on a RADIUS server by using a unique UDP port number for each entry. If you do not configure values for the optional arguments, the network access server will automatically use the default port numbers (1645 for authentication and 1646 for accounting).
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)#aaa group server {radius \| tacacs+} group-name | Specifies the security protocol associated with the AAA server group and defines the name of the AAA server group. In this case, you must define the security protocol as RADIUS. |
| 2 | Router(config-sg-radius)#server ip-address [auth-port port-number] [acct-port port-number] | Associates a particular server with the defined server group. In this case, you are identifying each host instance on a specific device by specifying both its IP address and UDP port number. Repeat this step for each host instance and server in the RADIUS server group. |
For more information about configuring RADIUS security server groups, refer to the Cisco IOS Release 12.0(5)T AAA Server Groups feature module and the 12.0(6)T Selecting AAA Server Groups Based on DNIS feature module.
The following examples configure a Cisco router or access server acting as a network access server to forward AAA requests to different UDP ports on RADIUS servers:
In this example, the network access server is configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services---authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries will be tried in the order they are configured.)
```
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000
```
In this example, the network access server is configured to recognize two different RADIUS server groups. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as fail-over backup to the first one.
```
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS server group and associate servers
! with it.
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS server group and associate servers
! with it.
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups. The second host entry uses the
! ports that group2 refers to, so that each entry has a unique identifier.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
```
This section documents the modified server command. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications and Cisco IOS Release 12.0T feature modules.
To define a server to be associated with a defined authentication, authorization, and accounting (AAA) server group, use the server AAA server-group configuration command. To remove the associated server from the AAA server group, use the no form of this command.
server ip-address [auth-port port-number] [acct-port port-number]
| Syntax | Description |
|---|---|
| ip-address | IP address of the RADIUS server host. |
| auth-port port-number | (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0. |
| acct-port port-number | (Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0. |
If no port attributes are defined, the defaults are as follows: auth-port 1645 and acct-port 1646.
AAA server-group configuration
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
| 12.0(7)T | Two new keywords/arguments were added. |
Use the server command to associate a particular server with a defined server group. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by its IP address, or you can identify multiple host instances or entries on the same server using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers/host instances associated with a server group on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service---for example, accounting---the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
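As an added illustration (not Cisco's code, and not a description of the IOS implementation itself), the following Python models the rules stated for the server command and its arguments: each combination of IP address, auth-port and acct-port is one distinct host entry, a repeated identifier adds no new host, a port value of 0 removes the host from that service, unspecified ports fall back to 1645/1646, and fail-over walks the entries in configured order. The sample configuration, the parse_config and select functions and the responds probe callback are constructed for this example.

```python
import re
from dataclasses import dataclass

DEFAULT_AUTH_PORT = 1645  # defaults the page gives for the server command
DEFAULT_ACCT_PORT = 1646

@dataclass(frozen=True)
class HostEntry:  # IP address + UDP ports is the unique identifier
    ip: str
    auth_port: int
    acct_port: int

_GROUP = re.compile(r"^aaa group server radius (\S+)$")
_SERVER = re.compile(r"^(radius-server host|server) (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?$")

def parse_config(text):
    """Host entries in configured order, keyed by group name; global lines go under 'global'."""
    groups, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = " ".join(raw.split("!", 1)[0].split())  # drop comments, squeeze blanks
        if m := _GROUP.match(line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif m := _SERVER.match(line):
            kind, ip, auth, acct = m.groups()
            target = "global" if kind.startswith("radius-server") else current
            entry = HostEntry(ip, int(auth or DEFAULT_AUTH_PORT), int(acct or DEFAULT_ACCT_PORT))
            if entry not in groups[target]:  # a repeated identifier is not a new host
                groups[target].append(entry)
    return groups

def select(entries, service, responds):
    """NAS fail-over model: first entry, in configured order, serving `service`
    ('auth' or 'acct') whose probe callback `responds` succeeds."""
    for e in entries:
        port = e.auth_port if service == "auth" else e.acct_port
        if port != 0 and responds(e):  # port 0 means host not used for this service
            return e
    return None

# Constructed sample: the page's two-group example plus a repeated entry and one with acct-port 0.
SAMPLE_CONFIG = """aaa new-model
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
 server 172.20.0.1 auth-port 1000 acct-port 1001
 server 172.20.0.1 acct-port 0
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
"""
GROUPS = parse_config(SAMPLE_CONFIG)
```

Running select over group1 with a probe that fails for the first entry returns the second host entry for authentication, while for accounting the acct-port 0 entry is skipped and the result is None.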
In this example, the network access server is configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services---authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries will be tried in the order they are configured.)
```
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000
```
In this example, the network access server is configured to recognize two different RADIUS server groups. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as fail-over backup to the first one.
```
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS server group and associate servers
! with it.
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS server group and associate servers
! with it.
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups. The second host entry uses the
! ports that group2 refers to, so that each entry has a unique identifier.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
```
| Command | Description |
|---|---|
| aaa new-model | Enables the AAA access control model. |
| aaa group server | Groups different server hosts into distinct lists and methods. |
| radius-server host | Specifies and defines the IP address of the RADIUS server host. |
Posted: Fri Dec 10 18:37:01 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.