This chapter describes the commands used to configure RADIUS.
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. Cisco supports RADIUS under its authentication, authorization, and accounting (AAA) security paradigm.
For information on how to configure RADIUS, refer to the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "RADIUS Configuration Examples" section located at the end of the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide.
To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.
aaa group server radius group-name
Syntax Description
group-name Character string used to name the group of servers.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release Modification
12.0(5)T This command was introduced.
Usage Guidelines
A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts.
Examples
The following example shows the configuration of an AAA group server named radgroup1 and comprising three member servers:
aaa group server radius radgroup1
server 1.1.1.1
server 2.2.2.2
server 3.3.3.3
Related Commands
Command Description
aaa accounting Enables AAA accounting of requested services for billing or security purposes.
aaa authentication login Sets AAA authentication at login.
aaa authorization Sets parameters that restrict network access to a user.
aaa new-model Enables the AAA access control model.
radius-server host Specifies a RADIUS server host.
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release Modification
11.3 This command was introduced.
Usage Guidelines
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101.
This is because of the 16-bit field size limitation associated with RADIUS IETF NAS-Port attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco's vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
The standard NAS-Port attribute (RADIUS IETF Attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
Examples
The following example specifies that RADIUS will display extended interface information:
radius-server vsa send
aaa nas port extended
Related Commands
Command Description
radius-server attribute nas-port extended Displays expanded interface information in the NAS-Port attribute.
radius-server vsa send Configures the network access server to recognize and use vendor-specific attributes.
Syntax Description
subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.
Defaults
This command has no factory-assigned default.
Command Modes
Global configuration
Command History
Release Modification
11.3 This command was introduced.
Usage Guidelines
Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
Examples
The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2
Related Commands
ip tacacs source-interface Uses the IP address of a specified interface for all outgoing TACACS packets. ip telnet source-interface Allows a user to select an address of an interface as the source address for Telnet connections. ip tftp source-interface Allows a user to select the interface whose address will be used as the source address for TFTP connections.
Command
Description
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release Modification
11.3 This command was introduced.
12.1 This command replaced the deprecated radius-server extended-portnames command.
Usage Guidelines
There are some situations when PPP or login authentication occurs on an interface different from the interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface "ttt" but the call itself occurs on one of the channels of the ISDN interface.
The radius-server attribute nas-port extended command configures RADIUS to expand the size of the NAS-Port attribute (RADIUS IETF Attribute 5) field to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.
Examples
The following example specifies that RADIUS will display extended interface information:
radius-server attribute nas-port extended
Related Commands
Command Description
aaa nas port extended Replaces the NAS-Port attribute with RADIUS IETF Attribute 26 and displays extended field information.
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release Modification
11.3 This command was introduced.
Usage Guidelines
Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.
Note: Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy system:running-config nvram:startup-config command.
Examples
The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:
radius-server configure-nas
Related Commands
Command Description
radius-server host non-standard Identifies that the security server is using a vendor-proprietary implementation of RADIUS.
Syntax Description
minutes Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Defaults
Dead time is set to 0.
Command Modes
Global configuration
Command History
Release Modification
11.1 This command was introduced.
Usage Guidelines
Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration specified by the minutes argument, unless no servers remain that are not marked "dead."
Examples
The following example specifies five minutes dead-time for RADIUS servers that fail to respond to authentication requests:
radius-server deadtime 5
Related Commands
Command Description
radius-server host Specifies a RADIUS server host.
radius-server retransmit Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.
radius-server timeout Sets the interval a router waits for a server host to reply.
The radius-server attribute nas-port extended command replaces this command. See the description of the radius-server attribute nas-port extended command in this chapter for more information.
Syntax Description
hostname DNS name of the RADIUS server host.
ip-address IP address of the RADIUS server host.
auth-port (Optional) Specifies the UDP destination port for authentication requests.
port-number (Optional) Port number for authentication requests; the host is not used for authentication if set to 0.
acct-port (Optional) Specifies the UDP destination port for accounting requests.
port-number (Optional) Port number for accounting requests; the host is not used for accounting if set to 0.
timeout (Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.
seconds (Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.
retransmit (Optional) The number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.
retries (Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.
key (Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
string (Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Release Modification
11.1 This command was introduced.
12.0(5)T This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server.
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to that host.
Examples
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:
radius-server host host1
The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
radius-server host host1.example.com auth-port 0
radius-server host host2.example.com acct-port 0
Related Commands
Command Description
aaa accounting Enables AAA accounting of requested services for billing or security purposes.
aaa authentication ppp Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization Sets parameters that restrict network access to a user.
ppp Starts an asynchronous connection using PPP.
ppp authentication Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
radius-server key Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server retransmit Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.
radius-server timeout Sets the interval a router waits for a server host to reply.
username Establishes a username-based authentication system, such as PPP CHAP and PAP.
Syntax Description
hostname DNS name of the RADIUS server host. ip-address IP address of the RADIUS server host.
Defaults
No RADIUS host is specified.
Command Modes
Global configuration
Command History
Release Modification
11.3 This command was introduced.
Usage Guidelines
The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.
For a list of supported vendor-specific RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide.
Examples
The following example specifies a vendor-proprietary RADIUS server host named alcatraz:
radius-server host alcatraz non-standard
Related Commands
Command Description
radius-server host Specifies a RADIUS server host.
radius-server configure-nas Allows the Cisco router or access server to query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up.
Syntax Description
string The key used to set authentication and encryption. This key must match the encryption used on the RADIUS daemon.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release Modification
11.1 This command was introduced.
Usage Guidelines
After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.
Note: Specify a RADIUS key after you issue the aaa new-model command.
The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "dare to go":
radius-server key dare to go
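The key set here is the RADIUS shared secret, and the page notes it is used for "authentication and encryption" between the router and the RADIUS daemon. The following added example (my code, not Cisco's) shows what that means on the wire according to RFC 2138, which this chapter cites: the secret hides the User-Password attribute in an Access-Request, and it is folded into the Response Authenticator of every reply, so a reply produced without the secret, or altered in transit, fails verification and is discarded. It also applies the key rule stated above (leading spaces ignored, interior and trailing spaces kept). All packets are constructed in the code, not captured from a device.

```python
"""How the shared secret set with 'radius-server key' is used on the wire.

Added example, not Cisco code. It follows RFC 2138, which this page cites:
the secret never leaves the router; it hides the User-Password attribute in
Access-Request packets and authenticates every reply through the Response
Authenticator, so a reply built without the secret (or altered in transit)
is rejected. All packets below are constructed, not captured from a device.
"""
import hashlib
import hmac
import os


def normalize_key(text: str) -> bytes:
    """CLI rule from this page: leading spaces are ignored, spaces inside
    and at the end of the key are part of it."""
    return text.lstrip(" ").encode()


def _pad16(data: bytes) -> bytes:
    # Pad with NULs to a multiple of 16 octets (at least one block).
    target = max(16, -(-len(data) // 16) * 16)
    return data.ljust(target, b"\x00")


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 User-Password hiding: each 16-octet block is XORed with
    MD5(secret + previous cipher block); block 0 uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    out, prev = b"", request_auth
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2138 section 3."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes,
                request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a reply packet (e.g. code 2 = Access-Accept) as a server would."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs


def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute the Response Authenticator and compare in
    constant time. False means the reply must be discarded."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> tuple:
    """Round-trip a password and check a genuine, a forged and a tampered reply."""
    secret = normalize_key("  dare to go")      # the page's example key, leading spaces dropped
    request_auth = os.urandom(16)               # fresh per request, as the NAS would generate
    hidden = hide_password(b"constructed-pw", secret, request_auth)
    round_trip = reveal_password(hidden, secret, request_auth) == b"constructed-pw"
    genuine = build_reply(2, 7, b"", request_auth, secret)
    forged = build_reply(2, 7, b"", request_auth, b"guessed-secret")
    tampered = bytearray(genuine)
    tampered[0] = 3                              # Access-Accept rewritten to Access-Reject
    return (round_trip,
            reply_is_authentic(genuine, request_auth, secret),
            reply_is_authentic(forged, request_auth, secret),
            reply_is_authentic(bytes(tampered), request_auth, secret))


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The tampered case is the one worth noticing from a defensive standpoint: because the Response Authenticator covers the Code field, a reply whose Accept is flipped to Reject (or the reverse) on the path between server and router is detected only if the router actually verifies the authenticator with the correct key, which is why a key mismatch between router and daemon shows up as every reply being discarded rather than as a clear error.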
Related Commands
Command Description
aaa accounting Enables AAA accounting of requested services for billing or security purposes.
aaa authentication ppp Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization Sets parameters that restrict network access to a user.
ppp Starts an asynchronous connection using PPP.
ppp authentication Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
radius-server host Specifies a RADIUS server host.
username Establishes a username-based authentication system, such as PPP CHAP and PAP.
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release Modification
11.2 This command was introduced.
Usage Guidelines
When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the RADIUS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The RADIUS server must support authentication for users without passwords to make use of this feature.
Examples
The following example configures the first login to not require RADIUS verification:
radius-server optional-passwords
Syntax Description
retries Maximum number of retransmission attempts. The default is 3 attempts.
Defaults
Three retries.
Command Modes
Global configuration
Command History
Release Modification
11.1 This command was introduced.
Usage Guidelines
The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
Examples
The following example specifies a retransmit counter value of five times:
radius-server retransmit 5
Syntax Description
seconds Number that specifies the timeout interval in seconds. The default is 5 seconds.
Defaults
5 seconds.
Command Modes
Global configuration
Command History
Release Modification
11.1 This command was introduced.
Usage Guidelines
Use this command to set the number of seconds a router waits for a server host to reply before timing out.
Examples
The following example changes the interval timer to 10 seconds:
radius-server timeout 10
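The host order, timeout, retransmit and deadtime settings documented above only make sense together: the page states that hosts are tried in configuration order, that every server is allowed to time out before the retransmit counter is increased, and that a server which fails to respond is marked "dead" and skipped for the configured minutes unless no server is left unmarked. The following added example (my own model, not Cisco code, and not a statement of IOS internals beyond the rules the page gives) simulates those rules on a virtual clock so the cost of each setting can be read off directly; it assumes the dead mark is applied when a request finishes, which the page does not specify. Server availability is constructed test input.

```python
"""Model of how the configured host order, radius-server timeout,
radius-server retransmit and radius-server deadtime interact.

Added example, not Cisco code; it encodes only the rules this page states:
  * hosts are tried in the order they were configured;
  * every live host is tried and allowed to time out before the
    retransmit counter is incremented;
  * a host that failed to respond is marked "dead" and skipped for
    `deadtime` minutes, unless no host at all is left unmarked.
Modelling assumption: the dead mark is applied when the request finishes.
Server availability below is constructed test input; time is a simulated clock.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    up: bool                 # constructed: does this host answer at all?
    dead_until: float = 0.0  # simulated clock value at which it may be retried


@dataclass
class RadiusClient:
    servers: list            # in configuration order
    timeout: int = 5         # radius-server timeout (seconds)
    retransmit: int = 3      # radius-server retransmit (retries)
    deadtime: int = 0        # radius-server deadtime (minutes)
    clock: float = 0.0       # simulated seconds
    trace: list = field(default_factory=list)

    def _candidates(self):
        live = [s for s in self.servers if s.dead_until <= self.clock]
        return live if live else list(self.servers)   # all dead: ignore the marks

    def authenticate(self):
        """One authentication request. Returns (answering host or None, seconds spent)."""
        start, failed, answered = self.clock, set(), None
        for attempt in range(self.retransmit + 1):
            for s in self._candidates():
                self.trace.append((attempt, s.name))
                if s.up:
                    answered = s.name
                    break
                self.clock += self.timeout       # waited a full timeout for nothing
                failed.add(s.name)
            if answered:
                break
        if self.deadtime:
            for s in self.servers:
                if s.name in failed:
                    s.dead_until = self.clock + self.deadtime * 60
        return answered, self.clock - start


def scenario(deadtime: int):
    """host1 is down, host2 is up; three successive requests."""
    c = RadiusClient([Server("host1", up=False), Server("host2", up=True)],
                     timeout=5, retransmit=3, deadtime=deadtime)
    first = c.authenticate()     # host1 times out (5 s), then host2 answers
    second = c.authenticate()    # with deadtime > 0, host1 is skipped: 0 s spent
    c.clock += deadtime * 60     # let the dead time expire
    third = c.authenticate()     # host1 is tried again
    return first, second, third


def all_down():
    """Worst case: nobody answers. Shows (retransmit + 1) * hosts * timeout."""
    c = RadiusClient([Server("host1", up=False), Server("host2", up=False)],
                     timeout=5, retransmit=3, deadtime=5)
    r1 = c.authenticate()        # 4 attempts x 2 hosts x 5 s = 40 s, no answer
    r2 = c.authenticate()        # both marked dead, so the marks are ignored and both are retried
    return r1, r2, len(c.trace)


if __name__ == "__main__":
    print(scenario(0))   # (('host2', 5.0), ('host2', 5.0), ('host2', 5.0))
    print(scenario(5))   # (('host2', 5.0), ('host2', 0.0), ('host2', 5.0))
    print(all_down())    # ((None, 40.0), (None, 40.0), 16)
```

Two things fall out of the model. With deadtime left at its default of 0, every login pays the full timeout on the dead host until it is fixed, which is the latency symptom operators see when the first-listed server is down. And with all servers unreachable, the worst case is (retransmit + 1) × hosts × timeout seconds per request before AAA gives up and falls through to the next method in the method list, so large timeout and retransmit values can turn a server outage into a login outage.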
Related Commands
Command Description
radius-server host Specifies a RADIUS server host.
radius-server key Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
Syntax Description
accounting (Optional) Limits the set of recognized vendor-specific attributes to only accounting attributes.
authentication (Optional) Limits the set of recognized vendor-specific attributes to only authentication attributes.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release Modification
11.3T This command was introduced.
Usage Guidelines
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the network access server to recognize and use both accounting and authentication vendor-specific attributes. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just accounting attributes. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just authentication attributes.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string with the following format:
protocol : attribute sep value *
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
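To make the two attribute formats described in this chapter concrete, here is an added example (my code, not Cisco's) that decodes them from raw RADIUS attribute bytes: attribute 5 (NAS-Port) in both its 16-bit-range and 32-bit extended forms, split into the controlling-interface and authenticating-interface halves as the radius-server attribute nas-port extended description states, and attribute 26 (Vendor-Specific) carrying the Cisco vendor ID 9 / vendor-type 1 cisco-avpair string, parsed into protocol, attribute, value and the mandatory ("=") or optional ("*") flag. The sample packet is constructed by the block's own encoders; the extended NAS-Port value in it is a made-up number, since the page does not spell out how the upper 16 bits encode interface type and number.

```python
"""Decode the two RADIUS attributes this page's commands shape.

Added example, not Cisco code. It handles
  * attribute 5, NAS-Port: the plain value, or the 32-bit extended form
    produced by 'radius-server attribute nas-port extended', whose upper
    16 bits name the controlling interface and lower 16 bits the interface
    being authenticated;
  * attribute 26, Vendor-Specific: Cisco (vendor ID 9) vendor-type 1
    "cisco-avpair" strings of the form protocol:attribute<sep>value, with
    "=" for mandatory and "*" for optional AV pairs.
The packet bytes are constructed here with the encoders below, not captured;
the extended NAS-Port value is a made-up number.
"""
import re
import struct

CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1     # vendor-type of the cisco-avpair option
AVPAIR_RE = re.compile(r"^([^:]+):([^=*]+)([=*])(.*)$", re.S)


def encode_nas_port(port: int) -> bytes:
    """Attribute 5 is a 4-octet integer on the wire whatever the field width."""
    return struct.pack("!BBI", 5, 6, port)


def encode_cisco_avpair(text: str) -> bytes:
    """Attribute 26 carrying one cisco-avpair: type, length, vendor ID,
    then the vendor sub-attribute (vendor-type, vendor-length, string)."""
    value = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body


def split_nas_port(port: int) -> dict:
    """Split an extended NAS-Port into its two 16-bit halves."""
    return {"value": port, "extended": port > 0xFFFF,
            "controlling": port >> 16, "authenticating": port & 0xFFFF}


def parse_avpair(text: str) -> dict:
    """Parse 'protocol:attribute=value' ('*' marks an optional pair)."""
    m = AVPAIR_RE.match(text)
    if not m:
        raise ValueError(f"malformed cisco-avpair: {text!r}")
    protocol, attribute, sep, value = m.groups()
    return {"protocol": protocol, "attribute": attribute,
            "value": value, "mandatory": sep == "="}


def iter_attributes(blob: bytes):
    """Walk the type/length/value list, rejecting lengths that overrun the packet."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, blob[off + 2:off + alen]
        off += alen


def is_well_formed(blob: bytes) -> bool:
    """True if every attribute length fits inside the packet."""
    try:
        list(iter_attributes(blob))
        return True
    except ValueError:
        return False


def decode_attributes(blob: bytes) -> list:
    """Return a list of (label, decoded value) pairs."""
    out = []
    for atype, val in iter_attributes(blob):
        if atype == 5 and len(val) == 4:
            out.append(("NAS-Port", split_nas_port(struct.unpack("!I", val)[0])))
        elif atype == 26 and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            sub_type, sub_len = val[4], val[5]
            if sub_len < 2 or 4 + sub_len > len(val):
                raise ValueError("bad vendor sub-attribute length")
            sub_val = val[6:4 + sub_len]
            if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
                out.append(("cisco-avpair", parse_avpair(sub_val.decode())))
            else:
                out.append((f"VSA vendor={vendor} type={sub_type}", sub_val))
        else:
            out.append((f"attribute {atype}", val))
    return out


# Constructed sample: the page's NAS-Port example, a made-up extended value,
# the page's two cisco-avpair examples, and a constructed optional pair.
SAMPLE = (encode_nas_port(20101)
          + encode_nas_port(0x00020101)
          + encode_cisco_avpair("ip:addr-pool=first")
          + encode_cisco_avpair("shell:priv-lvl=15")
          + encode_cisco_avpair("ip:addr-pool*second"))

if __name__ == "__main__":
    for label, value in decode_attributes(SAMPLE):
        print(label, value)
```

The length checks in iter_attributes are the part to keep when adapting this: a RADIUS packet is a flat list of self-describing TLVs, and a decoder that trusts the length octet will read past the buffer on a truncated or malformed packet, which is exactly the failure mode an accounting collector or log parser fed from the network must not have.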
Examples
The following example configures the network access server to recognize and use vendor-specific accounting attributes:
radius-server vsa send accounting
Related Commands
Command Description
aaa nas port extended Replaces the NAS-Port attribute with RADIUS IETF Attribute 26 and displays extended field information.
To configure the IP address of the RADIUS server for the group server, use the server (RADIUS) command in group server configuration mode. To remove the associated server from the AAA group server, use the no form of this command.
server ip-address [auth-port port-number] [acct-port port-number]
Syntax Description
ip-address IP address of the RADIUS server host. auth-port port-number (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0. acct-port port-number (Optional) Specifies the UDP destination port for accounting requests. The port number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0.
Defaults
If no port attributes are defined, the defaults are as follows:
Command Modes
RADIUS group server configuration
Command History
Release Modification
12.0(5)T This command was introduced.
12.0(7)T Two new keywords/arguments were added.
Usage Guidelines
Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers/host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service, for example accounting, the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
Examples
Configuring Multiple Entries for the Same Server IP Address
The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services, authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order they are configured.)
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000
Configuring Multiple Entries Using AAA Group Servers
In this example, the network access server is configured to recognize two different RADIUS group servers. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as fail-over backup to the first one.
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS group server and associate servers
! with it.
aaa group server radius group1
server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS group server and associate servers
! with it.
aaa group server radius group2
server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined group servers. The second entry uses the
! ports given for group2 above so that group2's server has a matching host entry.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
Related Commands
Command Description
aaa new-model Enables the AAA access control model.
aaa group server Groups different server hosts into distinct lists and distinct methods.
radius-server host Specifies a RADIUS server host.
Posted: Tue Apr 4 17:33:19 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.