This section describes the commands you use to configure the switch to use a Remote Authentication Dial-In User Service (RADIUS) server on your network for authentication and accounting.
authorization network radius
Use this command to enable the switch to accept VLAN assignment by the RADIUS server.
Default: disabled
Format: authorization network radius
Mode: Global Config
no authorization network radius
Use this command to prevent the switch from accepting VLAN assignment by the RADIUS server.
Format: no authorization network radius
Mode: Global Config
radius accounting mode
This command is used to enable the RADIUS accounting function.
Default: disabled
Format: radius accounting mode
Mode: Global Config
no radius accounting mode
This command sets the RADIUS accounting function to its default value, that is, the RADIUS accounting function is disabled.
Format: no radius accounting mode
Mode: Global Config
radius server attribute 4
This command configures the RADIUS client to use the NAS-IP-Address attribute in RADIUS requests. If a specific IP address is configured when this attribute is enabled, the RADIUS client uses that IP address when sending the NAS-IP-Address attribute in RADIUS communication.
Format: radius server attribute 4 [<ipaddr>]
Mode: Global Config
4: NAS-IP-Address attribute to be used in RADIUS requests.
ipaddr: The IP address of the server
no radius server attribute 4
The no version of this command disables the NAS-IP-Address attribute global parameter for the RADIUS client. When this parameter is disabled, the RADIUS client does not send the NAS-IP-Address attribute in RADIUS requests.
Format: no radius server attribute 4 [<ipaddr>]
Mode: Global Config
radius server host
This command configures the IP address or DNS name to use for communicating with the RADIUS server of a selected server type. While configuring the IP address or DNS name for the authenticating or accounting servers, you can also configure the port number and server name. If the authenticating and accounting servers are configured without a name, the command uses Default_RADIUS_Auth_Server and Default_RADIUS_Acct_Server as the default names, respectively. The same name can be configured for more than one authenticating server, but the name should be unique for accounting servers. The RADIUS client allows the configuration of a maximum of 32 authenticating and accounting servers.
If you use the <auth> parameter, the command configures the IP address or hostname to use to connect to a RADIUS authentication server. You can configure up to 3 servers per RADIUS client. If the maximum number of configured servers is reached, the command fails until you remove one of the servers by issuing the "no" form of the command. If you use the optional <port> parameter, the command configures the UDP port number to use when connecting to the configured RADIUS server. The <port> number range is 1 - 65535, with 1812 being the default value.
NOTE: To re-configure a RADIUS authentication server to use the default UDP <port>, set the <port> parameter to 1812.
If you use the <acct> token, the command configures the IP address or hostname to use for the RADIUS accounting server. You can only configure one accounting server. If an accounting server is currently configured, use the "no" form of the command to remove it from the configuration. The IP address or hostname you specify must match that of a previously configured accounting server. If you use the optional <port> parameter, the command configures the UDP port to use when connecting to the RADIUS accounting server. If a <port> is already configured for the accounting server, the new <port> replaces the previously configured <port>. The <port> must be a value in the range 0 - 65535, with 1813 being the default.
NOTE: To re-configure a RADIUS accounting server to use the default UDP <port>, set the <port> parameter to 1813.
0-65535: The port number to use to connect to the specified RADIUS server.
servername: The alias name to identify the server.
no radius server host
The no version of this command deletes the configured server entry from the list of configured RADIUS servers. If the RADIUS authenticating server being removed is the active server in the servers that are identified by the same server name, then the RADIUS client selects another server for making RADIUS transactions. If the 'auth' token is used, the previously configured RADIUS authentication server is removed from the configuration. Similarly, if the 'acct' token is used, the previously configured RADIUS accounting server is removed from the configuration. The <ipaddr/dnsname> parameter must match the IP address or DNS name of the previously configured RADIUS authentication / accounting server.
Format: no radius server host {auth | acct} {<ipaddr|dnsname>}
Mode: Global Config
radius server key
This command configures the key to be used in RADIUS client communication with the specified server. Depending on whether the 'auth' or 'acct' token is used, the shared secret is configured for the RADIUS authentication or RADIUS accounting server. The IP address or hostname provided must match a previously configured server. When this command is executed, you are prompted for the secret.
Text-based configuration supports RADIUS server secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the output of the show running config command, these secret keys are displayed in encrypted format. You cannot show these keys in plain text format.
NOTE: The secret must be an alphanumeric value not exceeding 16 characters.
Format: radius server key {auth | acct} {<ipaddr|dnsname>} <encrypted> <password>
Mode: Global Config
ipaddr: The IP address of the server.
dnsname: The DNS name of the server.
password: The password in encrypted format.
radius server msgauth
This command enables the message authenticator attribute to be used for the specified RADIUS Authenticating server.
Format: radius server msgauth <ipaddr|dnsname>
Mode: Global Config
ipaddr: The IP address of the server.
dnsname: The DNS name of the server.
no radius server msgauth
The no version of this command disables the message authenticator attribute to be used for the specified RADIUS Authenticating server.
Format: no radius server msgauth <ipaddr|dnsname>
Mode: Global Config
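The following Python sketch is an added example, not part of this command reference or the switch software. It shows what radius server attribute 4 and radius server msgauth put into an Access-Request: the NAS-IP-Address attribute (type 4) and the Message-Authenticator attribute (type 80, an HMAC-MD5 over the whole packet keyed with the shared secret, per RFC 2869), together with the check a receiver performs. The secret, IP address and user name are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
NAS_IP_ADDRESS = 4          # sent when "radius server attribute 4" is enabled
MESSAGE_AUTHENTICATOR = 80  # sent when "radius server msgauth" is enabled


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, authenticator, nas_ip, user):
    """Build an Access-Request with NAS-IP-Address and a trailing Message-Authenticator."""
    attrs = attr(1, user)  # type 1 is User-Name
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    unsigned = header + attrs
    return unsigned[:-16] + hmac.new(secret, unsigned, hashlib.md5).digest()


def parse_attrs(packet):
    """Yield (type, value_offset, value) per attribute; raise ValueError on bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]


def verify_message_authenticator(secret, packet):
    """Return True only if attribute 80 is present and its HMAC-MD5 matches the packet."""
    for a_type, off, value in parse_attrs(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # attribute missing: the packet carries no integrity protection


if __name__ == "__main__":
    # Constructed sample values: 16-character alphanumeric secret, documentation-range IP.
    secret, req_auth = b"constructedkey01", bytes(range(16))
    pkt = build_access_request(secret, 7, req_auth, "192.0.2.10", b"alice")
    print("genuine packet verifies:", verify_message_authenticator(secret, pkt))
    tampered = pkt[:32] + b"\x63" + pkt[33:]  # rewrite last octet of NAS-IP-Address
    print("tampered packet verifies:", verify_message_authenticator(secret, tampered))
```

The check covers Access-Request packets only; for a response, the HMAC input uses the Request Authenticator of the matching request in place of the packet's own authenticator field.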
radius server primary
This command specifies a configured server that should be the primary server in the group of servers that have the same server name. Multiple primary servers can be configured, one for each group of servers that have the same name. When the RADIUS client has to perform transactions with an authenticating RADIUS server of a specified name, the client uses the primary server that has the specified server name by default. If the RADIUS client fails to communicate with the primary server for any reason, the client uses the backup servers configured with the same server name. These backup servers are identified as the Secondary type.
Format: radius server primary {<ipaddr|dnsname>}
Mode: Global Config
ipaddr: The IP address of the RADIUS Authenticating server.
dnsname: The DNS name of the server
radius server retransmit
This command configures the global parameter for the RADIUS client that specifies how many times a message is transmitted to the current RADIUS authenticating server without a successful response before the client tries the fallback server. When the maximum number of retries is exhausted for the RADIUS accounting server and no response is received, the client does not communicate with any other server.
Default: 4
Format: radius server retransmit <retries>
Mode: Global Config
retries: The maximum number of transmission attempts in the range of 1 to 15.
no radius server retransmit
The no version of this command sets the value of this global parameter to the default value.
Format: no radius server retransmit
Mode: Global Config
radius server timeout
This command configures the global parameter for the RADIUS client that specifies the timeout value (in seconds) after which a request must be retransmitted to the RADIUS server if no response is received. The timeout value is an integer in the range of 1 to 30.
Default: 5
Format: radius server timeout <seconds>
Mode: Global Config
seconds: The timeout value, in seconds, in the range 1-30.
no radius server timeout
The no version of this command sets the timeout global parameter to the default value.
Format: no radius server timeout
Mode: Global Config
show radius
This command displays the values configured for the global parameters of the RADIUS client.
Format: show radius
Mode: Privileged EXEC
The display parameters for the above command are:
Number of Configured Authentication Servers: The number of RADIUS Authentication servers that have been configured.
Number of Configured Accounting Servers: The number of RADIUS Accounting servers that have been configured.
Number of Named Authentication Server Groups: The number of configured named RADIUS server groups.
Number of Named Accounting Server Groups: The number of configured named RADIUS server groups.
Number of Retransmits: The configured value of the maximum number of times a request packet is retransmitted.
Time Duration: The configured timeout value, in seconds, for request re-transmissions.
RADIUS Accounting Mode: A global parameter to indicate whether the accounting mode for all the servers is enabled or not.
RADIUS Attribute 4 Mode: A global parameter to indicate whether the NAS-IP-Address attribute has been enabled to use in RADIUS requests.
RADIUS Attribute 4 Value: A global parameter that specifies the IP address to be used in the NAS-IP-Address attribute in RADIUS requests.
show radius servers
This command displays the summary and details of RADIUS authenticating servers configured for the RADIUS client.
Format: show radius servers [{<ipaddr|dnsname> | name [servername]}]
Mode: Privileged EXEC
The display parameters for the above command are:
ipaddr: The IP address of the authenticating server.
dnsname: The DNS name of the authenticating server.
servername: The alias name to identify the server.
Current: The * symbol preceding the server host address specifies that the server is currently active.
Host Address: The IP address of the host.
Server Name: The name of the authenticating server.
Port: The port used for communication with the authenticating server.
Type: Specifies whether this server is a primary or secondary type.
Current Host Address: The IP address of the currently active authenticating server.
Secret Configured: Yes or No Boolean value that indicates whether this server is configured with a secret.
Number of Retransmits: The configured value of the maximum number of times a request packet is retransmitted.
Message Authenticator: A global parameter to indicate whether the Message Authenticator attribute is enabled or disabled.
Time Duration: The configured timeout value, in seconds, for request retransmissions.
RADIUS Accounting Mode: A global parameter to indicate whether the accounting mode for all the servers is enabled or not.
RADIUS Attribute 4 Mode: A global parameter to indicate whether the NAS-IP-Address attribute has been enabled to use in RADIUS requests.
RADIUS Attribute 4 Value: A global parameter that specifies the IP address to be used in the NAS-IP-Address attribute in RADIUS requests.
show radius accounting
This command displays a summary of configured RADIUS accounting servers.
Format: show radius accounting name [<servername>]
Mode: Privileged EXEC
The display parameters for the above command are:
servername: An alias name to identify the server.
RADIUS Accounting Mode: A global parameter to indicate whether the accounting mode for all the servers is enabled or not.
If you do not specify any parameters, then only the accounting mode and the RADIUS accounting server details are displayed.
Host Address: The IP address of the host.
Server Name: The name of the accounting server.
Port: The port used for communication with the accounting server.
Secret Configured: Yes or No Boolean value indicating whether this server is configured with a secret.
show radius accounting statistics
This command displays a summary of statistics for the configured RADIUS accounting servers.
Format: show radius accounting statistics {<ipaddr|dnsname>| name <servername>}
Mode: Privileged EXEC
The display parameters for the above command are:
ipaddr: The IP address of the server.
dnsname: The DNS name of the server.
servername: The alias name to identify the server.
RADIUS Accounting Server Name: The name of the accounting server.
Server Host Address: The IP address of the host.
Round Trip Time: The time interval, in hundredths of a second, between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
Requests: The number of RADIUS Accounting-Request packets sent to this server. This number does not include retransmissions.
Retransmission: The number of RADIUS Accounting-Request packets retransmitted to this RADIUS accounting server.
Responses: The number of RADIUS packets received on the accounting port from this server.
Malformed Responses: The number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or signature attributes or unknown types are not included as malformed accounting responses.
Bad Authenticators: The number of RADIUS Accounting-Response packets containing invalid authenticators received from this accounting server.
Pending Requests: The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
Timeouts: The number of accounting timeouts to this server.
Unknown Types: The number of RADIUS packets of unknown types, which were received from this server on the accounting port.
Packets Dropped: The number of RADIUS packets received from this server on the accounting port and dropped for some other reason.
show radius statistics
This command displays the summary statistics and debug packet statistics for all the configured RADIUS Authenticating servers.
Format: show radius statistics {<ipaddr|hostname> | name <servername>}
Mode: Privileged EXEC
The display parameters for the summary statistics are:
ipaddr: The IP address of the server.
hostname: The host name of the server.
servername: The alias name to identify the server.
RADIUS Server Name: The name of the authenticating server.
Server Host Address: The IP address of the host.
Access Requests: The number of RADIUS Access-Request packets sent to this server. This number does not include retransmissions.
Access Retransmissions: The number of RADIUS Access-Request packets retransmitted to this RADIUS authentication server.
Access Accepts: The number of RADIUS Access-Accept packets, including both valid and invalid packets, that were received from this server.
Access Rejects: The number of RADIUS Access-Reject packets, including both valid and invalid packets, that were received from this server.
Access Challenges: The number of RADIUS Access-Challenge packets, including both valid and invalid packets, that were received from this server.
Malformed Access Responses: The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or signature attributes or unknown types are not included as malformed access responses.
Bad Authenticators: The number of RADIUS Access-Response packets containing invalid authenticators or signature attributes received from this server.
Pending Requests: The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response.
Timeouts: The number of authentication timeouts to this server.
Unknown Types: The number of packets of unknown type that were received from this server on the authentication port.
Packets Dropped: The number of RADIUS packets received from this server on the authentication port and dropped for some other reason.
Round Trip Time: The time interval, in hundredths of a second, between the most recent Access-Response and the Access-Request that matched it from this RADIUS authentication server.
The display parameters for the debug packet statistics are:
Automate Test State: Indicates whether the automate test is RUNNING or STOPPED.
RADIUS Server Status: Indicates whether the particular RADIUS server is ALIVE or DEAD.
Access Requests: The number of RADIUS Debug Access-Request packets sent to this server. This number does not include retransmissions.
Access Retransmissions: The number of RADIUS Debug Access-Request packets retransmitted to this RADIUS authentication server.
Access Accepts: The number of RADIUS Debug Access-Accept packets, including both valid and invalid packets, that were received from this server.
Access Rejects: The number of RADIUS Debug Access-Reject packets, including both valid and invalid Debug packets, that were received from this server.
Access Challenges: The number of RADIUS Debug Access-Challenge packets, including both valid and invalid Debug packets, that were received from this server.
Pending Requests: The number of RADIUS Debug Access-Request packets destined for this server that have not yet timed out or received a response.
Timeouts: The number of Debug authentication timeouts to this server.
Unknown Types: The number of Debug packets of unknown type that were received from this server on the authentication port.
Packets Dropped: The number of RADIUS Debug packets received from this server on the authentication port and dropped for some other reason.
radius server automate-tester auth all
Use this command to start the RADIUS keep-alive task for all the configured RADIUS servers.
Format: radius server automate-tester auth all
Mode: Global Config
no radius server automate-tester auth all
Use this command to stop the RADIUS keep-alive task for all the configured RADIUS servers.