radius-server host

Specifies a Remote Authentication Dial-In User Service (RADIUS) server, including the VRF to use for communication with the server, and enters RADIUS server host VRF configuration mode.

Syntax

radius-server host { ip-address | host_name } [ use-vrf vrf-name ] [ auth-port portnum ] [ encryption-level value-level ] [ key shared_secret ] [ protocol { chap | pap } ] [ retries num ] [ source-interface ip_address ]
no radius-server host { ip-address | host_name } [ use-vrf vrf-name ] [ auth-port portnum ] [ encryption-level value-level ] [ key shared_secret ] [ protocol { chap | pap } ] [ retries num ] [ source-interface ip_address ]

Command Default

A RADIUS server is not configured.

Parameters

ipaddr
Specifies the RADIUS server IP address. Both IPv4 and IPv6 addresses are supported.
host_name
Specifies the RADIUS server hostname. The maximum supported length for the hostname is 40 characters.
use-vrf

(Optional) Causes communication with the RADIUS server to take place through a specific VRF and enters configuration mode for RADIUS server communications through that VRF.

vrf-name
(Optional) Specifies a VRF through which to communicate with the RADIUS server. By default and when a VRF is not specified, the management VRF (mgmt-vrf) is used for communication with the RADIUS server.
auth-port portnum
Specifies the UDP port for authentication. The default is 1812.
encryption-level value-level
Designates the encryption level for the shared secret key operation. This operand supports JITC certification and compliance. The valid values are 0 and 7, with 0 being clear text and 7 being the most heavily encrypted. The default value is 7.
key shared_secret
Specifies the text string that is used as the shared secret between the device and the RADIUS server to make the message exchange secure. The key must be between 1 and 40 characters in length.
The default key is sharedsecret. The exclamation mark (!) is supported in RADIUS and TACACS+ servers. You can specify the password either in double quotes or with the escape character (\), for example "secret!key" or secret\!key. The only other valid characters are alphanumeric characters (a-z and 0-9) and underscores. No other special characters are allowed.
protocol { chap | pap }
Specifies the authentication protocol. Options include CHAP and PAP. The default is CHAP.
retries num
Specifies the number of attempts allowed to connect to a RADIUS server. The default is 5 attempts.
source-interface ip_address
Specifies the source interface for the RADIUS host.

Modes

Global configuration mode

Usage Guidelines

When a RADIUS server with the specified IP address or hostname does not exist, it is added to the server list. When the RADIUS server already exists, this command modifies the configuration.

The no form of the command removes the indicated configuration.

Note

When only one RADIUS server is configured, you can remove the RADIUS server configuration only when both login (EXEC) and command accounting are disabled (by using, for example, the no aaa accounting command) and the authentication mode has been set to "non-radius" with the no aaa authentication login radius command.

If the encryption-level is zero (0) but the key entered is encrypted, the following error message is displayed: Error: Input key must be plain text when encryption-level selected is 0.

Examples

The following example shows how to configure a RADIUS server.

device# configure terminal
device(config)# radius-server host 10.24.65.6 
device(config-radius-server-10.24.65.6/mgmt-vrf)# 

The following example shows how to configure a RADIUS server and specifies that communication with the server takes place through the green-vrf.

device# configure terminal
device(config)# radius-server host 10.24.65.6 use-vrf green-vrf
device(config-radius-server-10.24.65.6/green-vrf)#
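
The following added example (not part of the original reference or the vendor's tooling) is a small Python check that reads radius-server host commands as they would be typed, fills in the defaults documented above, and reports hosts that fall back to the default shared secret, select encryption-level 0, or select PAP. The function names, the sample addresses and keys, and the acceptance of uppercase letters in keys are assumptions made for the example.

```python
import re
import shlex

# Defaults documented on this page for options omitted from the command.
DEFAULTS = {"use-vrf": "mgmt-vrf", "auth-port": "1812", "encryption-level": "7",
            "key": "sharedsecret", "protocol": "chap", "retries": "5"}
# Documented key rules: 1-40 chars, alphanumerics, underscore and "!".
# Accepting A-Z is an assumption; the page only lists a-z and 0-9.
KEY_RE = re.compile(r"[A-Za-z0-9_!]{1,40}")


def parse_host_line(line):
    """Parse one 'radius-server host ...' command into its effective settings."""
    tokens = shlex.split(line)  # handles both "secret!key" and secret\!key
    if tokens[:2] != ["radius-server", "host"] or len(tokens) < 3:
        return None  # blank lines, 'no' forms and unrelated commands
    cfg = dict(DEFAULTS, host=tokens[2])
    opts = tokens[3:]
    cfg.update(zip(opts[0::2], opts[1::2]))  # keyword/value pairs
    return cfg


def audit(config_text):
    """Return (host, finding) pairs for settings worth reviewing."""
    findings = []
    for line in config_text.splitlines():
        cfg = parse_host_line(line.strip())
        if cfg is None:
            continue
        host = cfg["host"]
        if cfg["key"] == DEFAULTS["key"]:
            findings.append((host, "default shared secret in use"))
        if cfg["encryption-level"] == "0":
            findings.append((host, "encryption-level 0 (clear text)"))
            # At level 0 the key is plain text, so the documented rules apply.
            if not KEY_RE.fullmatch(cfg["key"]):
                findings.append((host, "key violates documented length/charset"))
        if cfg["protocol"] == "pap":
            findings.append((host, "PAP selected instead of default CHAP"))
    return findings


# Constructed sample commands (addresses and keys are made up).
SAMPLE = r'''
radius-server host 10.24.65.6
radius-server host 10.24.65.7 use-vrf green-vrf encryption-level 0 key lab_key1 protocol pap
radius-server host 10.24.65.8 use-vrf green-vrf key "secret!key" protocol chap retries 3
radius-server host 10.24.65.9 key secret\!key
'''

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```

The check is meant for commands as entered, for example in a change script; this page does not show how a stored key is displayed, so keys are only validated against the documented character rules when encryption-level 0 is selected.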