Configure RADIUS Attributes

Configure RADIUS to authenticate user identity through a central database.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure RADIUS access priority:

    radius access-priority-attribute <192-240>

  3. Configure RADIUS accounting:

    radius accounting {attribute-value <192-240>|enable|include-cli-commands}

  4. Configure the RADIUS authentication info attribute value:

    radius auth-info-attr-value <0-255>

  5. Clear RADIUS statistics:

    radius clear-stat

  6. Configure the value of the CLI commands attribute:

    radius cli-commands-attribute <192-240>

  7. Configure the value of the command access attribute:

    radius command-access-attribute <192-240>

  8. Configure the maximum number of servers allowed:

    radius maxserver <1-10>

  9. Configure the multicast address attribute:

    radius mcast-addr-attr-value <0-255>

  10. Enable RADSec globally:

    radius secure-flag

  11. Configure the RADSec profile:

    radius secure-profile WORD<1-16> [ca-cert-file | cert-file | key-file | key-pwd]

Example

Switch:1>enable
Switch:1#configure terminal

Configure RADIUS access priority:

Switch:1(config)#radius access-priority-attribute 192

Configure RADIUS accounting to include CLI commands:

Switch:1(config)#radius accounting include-cli-commands

Variable Definitions

The following table defines parameters for the radius command.

Variable

Value

access-priority-attribute <192-240>

Specifies the value of the access priority attribute in the range of 192 to 240. The default is 192.

accounting {attribute-value <192-240>|enable|include-cli-commands}

Configures the accounting attribute value, enables accounting, or configures whether accounting includes CLI commands. The default is false. Use the no option to disable the accounting attribute value: no radius accounting enable.

auth-info-attr-value <0-255>

Specifies the value of the authentication information attribute in the range of 0 to 255. The default is 91.

clear-stat

Clears RADIUS statistics.

cli-cmd-count <1–40>

Specifies the number of CLI commands, from 1 to 40, that must occur before the system sends a RADIUS accounting interim request. The default value is 40.

cli-commands-attribute <192-240>

Specifies the value of the CLI commands attribute in the range of 192 to 240. The default is 195.

cli-profile

Enables RADIUS CLI profiling. CLI profiling grants or denies access to users being authenticated by way of the RADIUS server. You can add a set of CLI commands to the configuration on the RADIUS server, and you can specify the command-access mode for these commands. The default is false.

command-access-attribute <192-240>

Specifies the value of the command access attribute in the range of 192 to 240. The default is 194.

enable

Enables RADIUS authentication globally on the switch.

maxserver <1-10>

Specific to RADIUS authentication, configures the maximum number of servers allowed for the device. The range is between 1 and 10. The default is 10.

mcast-addr-attr-value <0-255>

Specifies the value of the multicast address attribute in the range of 0 to 255. The default is 90.

secure-flag

Specifies whether RADIUS Security (RADSec) is globally enabled. The default is disabled.

secure-profile

Specifies the RADSec profile name.

server host WORD<0–46> key WORD<0–32> [used-by {cli|snmp|web}] [acct-enable] [acct-port <1–65536>] [enable] [port <1–65536>] [priority <1–10>] [retry <0–6>] [secure-enable] [secure-log-level {critical | debug | error | info | warning}] [secure-mode {dtls | tls}] [secure-profile WORD<1-16>] [timeout <1–60>]

  • host WORD<0–46>

    Creates a host server. WORD<0–46> signifies an IP address.

  • key WORD<0–32>

    Specifies a secret key in the range of 0–32 characters.

  • used-by {cli|eapol|endpoint-tracking|snmp|web}

    Specifies how the server functions. Configures the server for:
    • cli authentication

    • eapol authentication

    • endpoint-tracking authentication

    • snmp accounting

    • web authentication

  • acct-enable

    Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.

  • acct-port <1–65536>

    Specifies a UDP port of the RADIUS accounting server (1 to 65536). The default value is 1816. The UDP port value set for the client must match the UDP value set for the RADIUS server.

  • enable

    Enables the server. The default is true.

  • port <1–65536>

    Specifies a UDP port of the RADIUS server. The default value is 1812.

  • priority <1–10>

    Specifies the priority value for this server. The default is 10.

  • retry <0–6>

    Specifies the maximum number of authentication retries. The default is 3.

  • secure-enable

    Enables secure mode on the server.

  • secure-log-level {critical | debug | error | info | warning}

    Specifies the RADIUS secure server log severity level.

  • secure-mode {dtls | tls}

    Specifies the protocol for establishing the secure connection with the server. IPv4 supports both dtls and tls modes. IPv6 only supports tls mode.

  • secure-profile WORD<1-16>

    Specifies the secure profile name.

  • timeout <1–60>

    Specifies the number of seconds before the authentication request times out. The default is 3.
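
The following Python check is an added example, not part of the vendor documentation. It reads `radius ...` configuration lines and reports attribute values outside the ranges in the table above, servers without secure-enable, and the dtls-on-IPv6 combination that the table rules out. The sample configuration, the profile name prof1, and the rule that a per-server secure-enable needs the global `radius secure-flag` are assumptions made for illustration.

```python
import ipaddress

# Attribute ranges as listed in the variable definitions on this page.
RANGES = dict.fromkeys(
    ("access-priority-attribute", "cli-commands-attribute", "command-access-attribute"),
    (192, 240))
RANGES.update({"auth-info-attr-value": (0, 255), "mcast-addr-attr-value": (0, 255)})

def is_ipv6(host):
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:  # not an IP literal
        return False

def audit_radius(config):
    """Return a list of findings for the 'radius ...' lines in config."""
    findings, servers, secure_flag = [], [], False
    for line in config.splitlines():
        w = line.split()
        if len(w) < 2 or w[0] != "radius":
            continue
        if w[1] == "secure-flag":
            secure_flag = True
        elif w[1] in RANGES and len(w) > 2 and w[2].isdigit():
            lo, hi = RANGES[w[1]]
            if not lo <= int(w[2]) <= hi:
                findings.append(f"{w[1]} {w[2]} is outside {lo}-{hi}")
        elif w[1:3] == ["server", "host"] and len(w) > 3:
            servers.append((w[3], w[4:]))  # (address, remaining options)
    for host, opts in servers:
        mode = opts[opts.index("secure-mode") + 1] if "secure-mode" in opts[:-1] else None
        if "secure-enable" not in opts:
            findings.append(f"{host}: no secure-enable, traffic is plain RADIUS over UDP")
        elif not secure_flag:  # assumption: per-server secure mode needs the global flag
            findings.append(f"{host}: secure-enable set but 'radius secure-flag' is missing")
        if mode == "dtls" and is_ipv6(host):
            findings.append(f"{host}: secure-mode dtls on an IPv6 host (IPv6 supports tls only)")
    return findings

# Constructed sample: documentation addresses, placeholder keys, hypothetical profile prof1.
SAMPLE = """\
radius access-priority-attribute 250
radius server host 192.0.2.10 key PLACEHOLDER used-by cli secure-enable secure-mode tls secure-profile prof1
radius server host 2001:db8::10 key PLACEHOLDER used-by cli secure-enable secure-mode dtls secure-profile prof1
radius server host 192.0.2.20 key PLACEHOLDER used-by web
"""
if __name__ == "__main__":
    print("\n".join(audit_radius(SAMPLE)))
```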