
RADIUS Commands

This chapter explains the function and syntax of the RADIUS commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

aaa group server radius

To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.

aaa group server radius group-name

no aaa group server radius group-name

Syntax Description

group-name

Character string used to name the group of servers.

aaa nas port extended

To replace the NAS-Port attribute with RADIUS IETF Attribute 26 and to display extended field information, use the aaa nas port extended command in global configuration mode. Use the no form of this command to stop sending the extended field information.

aaa nas port extended

no aaa nas port extended

Syntax Description

This command has no arguments or keywords.

ip radius source-interface

To force RADIUS to use the IP address of a specified interface as the source address of all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. Use the no form of this command to remove the binding, so that each RADIUS packet is again sourced from the address of the interface it leaves on.

ip radius source-interface subinterface-name

no ip radius source-interface

Syntax Description

subinterface-name

Name of the interface that RADIUS uses for all of its outgoing packets.

radius-server attribute nas-port extended

To display expanded interface information in the NAS-Port-Type attribute, use the radius-server attribute nas-port extended command in global configuration mode. Use the no form of this command to stop sending the expanded interface information.

radius-server attribute nas-port extended

no radius-server attribute nas-port extended

Syntax Description

This command has no arguments or keywords.

radius-server configure-nas

To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas command in global configuration mode.

radius-server configure-nas

Syntax Description

This command has no arguments or keywords.

radius-server deadtime

To improve RADIUS response times when some servers might be unavailable, use the radius-server deadtime command in global configuration mode. A server that stops responding is marked dead and skipped by subsequent requests for the configured number of minutes instead of being retried (and timed out) on every request. Use the no form of this command to set the deadtime to 0, in which case no server is ever skipped.

radius-server deadtime minutes

no radius-server deadtime

Syntax Description

minutes

Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).

radius-server extended-portnames

The radius-server attribute nas-port extended command replaces this command. See the description of the radius-server attribute nas-port extended command in this chapter for more information.

radius-server host

To specify a RADIUS server host, use the radius-server host command in global configuration mode. Use the no form of this command to delete the specified RADIUS host.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

no radius-server host {hostname | ip-address}

Syntax Description

hostname

DNS name of the RADIUS server host.

ip-address

IP address of the RADIUS server host.

auth-port

(Optional) Specifies the UDP destination port for authentication requests.

port-number

(Optional) Port number for authentication requests; the host is not used for authentication if set to 0.

acct-port

(Optional) Specifies the UDP destination port for accounting requests.

port-number

(Optional) Port number for accounting requests; the host is not used for accounting if set to 0.

timeout

(Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.

seconds

(Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.

retransmit

(Optional) The number of times a RADIUS request is re-sent to this server if the server is not responding or is responding slowly. This setting overrides the global setting of the radius-server retransmit command.

retries

(Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.

key

(Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.

The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

string

(Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
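The following configuration is added here as an illustration and is not taken from the command reference. It shows how the per-host options of radius-server host interact with the global radius-server key, radius-server timeout, radius-server retransmit, radius-server deadtime and ip radius source-interface commands described above. The addresses, the interface name and the key strings are placeholders chosen for the example.

```cisco
! Added example; addresses, interface and secrets are placeholders.
!
! Global defaults. Any host that does not override them inherits these.
radius-server key Gl0bal-fallback-secret
radius-server timeout 5
radius-server retransmit 3
!
! A server that has stopped answering is skipped for 10 minutes rather than
! costing every login its full timeout/retransmit cycle.
radius-server deadtime 10
!
! Source all RADIUS traffic from Loopback0, so the RADIUS server can pin one
! client address and one secret to this router no matter which interface
! the packet leaves on.
ip radius source-interface Loopback0
!
! Primary server with its own secret and tighter timing. IOS defaults the
! ports to 1645/1646; 1812/1813 are the RFC 2865/2866 assignments. The key is
! the last item on the line because everything after "key " (including
! trailing spaces) is part of the secret; do not quote it, the quotation
! marks would become part of the key.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 timeout 3 retransmit 2 key Pr1mary-secret
!
! Secondary server used for accounting only: auth-port 0 means the host is
! never consulted for authentication. It has no key of its own, so the
! global radius-server key applies.
radius-server host 192.0.2.11 auth-port 0 acct-port 1813
!
! Send vendor-specific attributes in both authentication and accounting.
radius-server vsa send
```

With these values the primary server is tried with a 3 second timeout and two retransmits before IOS moves on, and once it is marked dead it is skipped for 10 minutes. Note that the key strings appear in clear text in the running configuration; service password-encryption only applies the reversible type 7 obfuscation to them, so configuration backups must be treated as secret material.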

radius-server host non-standard

To identify that the security server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard command in global configuration mode. This command tells the Cisco IOS software to support nonstandard RADIUS attributes. Use the no form of this command to delete the specified vendor-proprietary RADIUS host.

radius-server host {hostname | ip-address} non-standard

no radius-server host {hostname | ip-address} non-standard

Syntax Description

hostname

DNS name of the RADIUS server host.

ip-address

IP address of the RADIUS server host.

radius-server key

To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. Use the no form of this command to disable the key.

radius-server key {string}

no radius-server key

Syntax Description

string

The key used for authentication and encryption. This key must match the key configured on the RADIUS daemon.

radius-server optional-passwords

To specify that the first RADIUS request to a RADIUS server be made without password verification, use the radius-server optional-passwords command in global configuration mode. When the user enters a login name, the request is sent with that name and a zero-length password; if the server refuses the request, the user is prompted for a password and the request is retried with it. Use the no form of this command to restore the default.

radius-server optional-passwords

no radius-server optional-passwords

Syntax Description

This command has no arguments or keywords.

radius-server retransmit

To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in global configuration mode. Use the no form of this command to disable retransmission.

radius-server retransmit retries

no radius-server retransmit

Syntax Description

retries

Maximum number of retransmission attempts. The default is 3 attempts.

radius-server timeout

To set the interval a router waits for a server host to reply, use the radius-server timeout command in global configuration mode. Use the no form of this command to restore the default.

radius-server timeout seconds

no radius-server timeout

Syntax Description

seconds

Number that specifies the timeout interval in seconds. The default is 5 seconds.

radius-server vsa send

To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send command in global configuration mode. Use the no form of this command to restore the default.

radius-server vsa send [accounting | authentication]

no radius-server vsa send [accounting | authentication]

Syntax Description

accounting

(Optional) Limits the set of recognized vendor-specific attributes to only accounting attributes.

authentication

(Optional) Limits the set of recognized vendor-specific attributes to only authentication attributes.

server (RADIUS)

To configure the IP address of the RADIUS server for the group server, use the server (RADIUS) command in group server configuration mode. To remove the associated server from the AAA group server, use the no form of this command.

server ip-address [auth-port port-number] [acct-port port-number]

no server ip-address [auth-port port-number] [acct-port port-number]

Syntax Description

ip-address

IP address of the RADIUS server host.

auth-port port-number

(Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0.

acct-port port-number

(Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting if this value is set to 0.
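The following configuration is added as an illustration of the aaa group server radius and server (RADIUS) commands together and is not taken from the command reference. It builds two distinct server lists, one for login authentication and one for accounting, from hosts that are also defined globally with radius-server host, and then references each group from a method list. The aaa new-model, aaa authentication and aaa accounting commands belong to the AAA chapter rather than this one; the addresses, group names and key are placeholders.

```cisco
! Added example; addresses, group names and the secret are placeholders.
!
aaa new-model
radius-server key Sh4red-secret
!
! Every server that appears in a group is also defined globally. The ports
! on the server lines below are kept identical to these definitions.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813
radius-server host 192.0.2.20 auth-port 0 acct-port 1813
!
! Group consulted for authentication: the two front-end servers, in order.
aaa group server radius AUTH-SERVERS
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! Group consulted for accounting: a dedicated collector. auth-port 0 means
! this host is never used for authentication even if a method list names it.
aaa group server radius ACCT-SERVERS
 server 192.0.2.20 auth-port 0 acct-port 1813
!
! Method lists referencing the groups by name. Local fallback keeps the
! router reachable if every server in AUTH-SERVERS is dead or unreachable.
aaa authentication login default group AUTH-SERVERS local
aaa accounting exec default start-stop group ACCT-SERVERS
```

Splitting the lists this way keeps the accounting collector out of the authentication path, so a slow or compromised collector cannot delay logins, and it keeps the authentication secret from having to be shared with a host that only needs to receive accounting records.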


Posted: Wed Jul 26 16:29:38 PDT 2000
Copyright © 1989-2000 Cisco Systems, Inc.