configure radius server client-ip

configure radius {mgmt-access | netlogin} [primary | secondary | index] server [host_ipaddr | host_ipV6addr | hostname] {udp_port | tls {tls_port} reference-identifier [identifier_value | none]}} client-ip [client_ipaddr | client_ipV6addr] | client-vlan [vlan_name | future_vlan_name] {ipv4 | ipv6}] {vr vr_name} {shared-secret {encrypted} secret}

Description

This command configures up to eight RADIUS authentication servers.

Note

It is recommended to enable loopback mode on the VLAN associated with radius if the radius connectivity is established via a front panel port on a SummitStack.

Syntax Description


mgmt-access	Specifies the RADIUS authentication server for switch management.
netlogin	Specifies the RADIUS authentication server for network login.
primary	Configures the primary RADIUS authentication server.
secondary	Configures the secondary RADIUS authentication server.
`index`	RADIUS server index. Range: 1 - 2147483641.
`ipaddress`	The IP address of the server being configured.
`host_ipV6addr`	Server IPv6 address.
`hostname`	The host name of the server being configured.
`udp_port`	The UDP port to use to contact the RADIUS authentication server.
tls	Specifies using Transfer Layer Security (TLS).
`tls_port`	The TLS port to use to contact the RADIUS authentication server.
reference-identifier	Specifies the remote RADIUS TLS server certificate reference identifier. This should match the SAN or CN of the server certificate.
`identifier_value`	Specifies the value of the identifier. DNS hostname type is supported. Range is 1-255.
none	Specifies to remove the existing reference identifier configuration.
`ipaddress`	The IP address used by the switch to identify itself when communicating with the RADIUS authentication server.
`client_ipV6addr`	Client IPv6 address.
client-vlan	Specifies client VLAN.
`vlan_name`	Specifies the VLAN name.
`future_vlan_name`	Specifies the VLAN name that will be created in the future. Range 1-32.
ipv4	Specifies the primary IPv4 address will be used as the client IP address.
ipv6	Specifies the primary IPv6 address will be used as the client IP address.
`vr_name`	Specifies the virtual router on which the client IP is located. Note: User-created VRs are supported only on the platforms listed for this feature in the ExtremeXOS v33.2.1 Licensing Guide document.
shared-secret	Shared secret
`secret`	Secret string. Important: Use quotes to enclose the string. Failure to do so causes the CLI to treat the string as a comment, since the string starts with a"#" symbol.
encrypted	Password is encrypted.

Default

The following lists the default behavior of this command:

The UDP port setting is 1812.
The TLS port setting is 2083.
The virtual router used is VR-Mgmt, the management virtual router.
Switch management and network login use the same primary and secondary RADIUS servers for authentication (only if the realm is not specified in the command).,

Usage Guidelines

Use this command to specify RADIUS server information.

Use of the hostname parameter requires that DNS be enabled.

The RADIUS server defined by this command is used for user name authentication and CLI command authentication.

Beginning with ExtremeXOS 11.2, you can specify one pair of RADIUS authentication servers for switch management and another pair for network login. To specify RADIUS authentication servers for switch management (Telnet, SSH, and console sessions), use the mgmt-access keyword. To specify RADIUS authentication servers for network login, use the netlogin keyword. If you do not specify a keyword, switch management and network login use the same pair of RADIUS authentication servers.

If you are running ExtremeXOS 11.1 or earlier and upgrade to ExtremeXOS 11.2, you do not lose your existing RADIUS server configuration. Both switch management and network login use the RADIUS authentication server specified in the older configuration.

Specifying mgmt-access or netlogin before the index will create a RADIUS entry with only that realm specified, if neither are specified both realms will be enabled.

Note

You cannot use a stacking alternate IP address as the RADIUS client in primary RADIUS server configuration.

Example

The following example configures the primary RADIUS server on host radius1 using the default UDP port (1812) for use by the RADIUS client on switch 10.10.20.30 using a virtual router interface of VR-Default:

configure radius primary server radius1 client-ip 10.10.20.30 vr vr-Default

The following example configures the primary RADIUS server for network login authentication on host netlog1 using the default UDP port for use by the RADIUS client on switch 10.10.20.31 using, by default, the management virtual router interface:

configure radius netlogin primary server netlog1 client-ip 10.10.20.31

The following example configures the primary RADIUS server at 10.127.6.195, using the IP address of VLAN Mgmt as the client source, with shared secret "testing" over the VR-Mgmt virtual router.

configure radius primary server 10.127.6.195 client-vlan Mgmt vr VR-Mgmt shared-secret "testing"
Note: Shared secrets created with this version of software are not compatible with version 21.x and earlier.

The following example configures the reference identifier for the given server:

# configure radius netlogin primary server 10.127.6.195 tls 2083 reference-identifier testing client-ip 10.127.2.33 vr VR-Mgmt shared-secret radsec
Note: Shared secrets created with this version of software are not compatible with version 21.x and earlier.

History

This command was first available in ExtremeXOS 10.1.

The mgmt-access and netlogin keywords were added in ExtremeXOS 11.2.

The index, host_ipV6addr, client_ipV6addr, shared-secret, and encrypted keywords were added in ExtremeXOS 16.1.

The tls keyword with tls_port variable was added in ExtremeXOS 31.4.

The client-vlan keyword was added in version 33.4.1.

The reference-identifier keyword was added in version 33.4.1.