Add a RADIUS Server

About this task

Add a RADIUS server to provide RADIUS service on the switch.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Add a RADIUS server:

    radius server host WORD<0-113> key WORD<0-32> [acct-enable | acct-port <1-65536> | enable | port <1-65536> | priority <1-10> | retry <0-6> | secure-enable |secure-log-level <critical | debug | error | info | warning> | secure-mode <dtls | tls> |secure-profile WORD<1-16> | timeout <1-180> | used-by {cli|eapol|endpoint-tracking|snmp|web}]

Examples

Add a RADIUS server using an IPv6 address:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#radius server host 4717:0000:0000:0000:0000:0000:7933:0001 key testkey1 used-by snmp port 12 retry 5 timeout 10 enable

Add a RADIUS server using a Fully Qualified Domain Name (FQDN):

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#radius server host host.example.com key testkey1 used-by snmp port 12 retry 5 timeout 10 enable

Variable Definitions

The following table defines parameters for the radius server host command.

Variable

Value

host WORD<0–113>

Configures a host server. WORD<0–113> specifies the IPv4 address, IPv6 address, or fully qualified domain name (FQDN). If you use an FQDN, you must also configure the switch to use DNS.

acct-enable

Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.

acct-port <1-65536>

Configures the UDP port of the RADIUS accounting server. The default value is 1813.
Important:

The UDP port value set for the client must match the UDP value set for the RADIUS server.

enable

Enables the RADIUS server. The default is true.

key WORD<0–32>

Configures the secret key of the authentication client.

port <1-65536>

Configures the UDP port of the RADIUS authentication server. The default value is 1812.

priority <1–10>

Configures the priority value for this server. The default is 10.

retry <0–6>

Configures the number of authentication retries the server will accept. The default is 1.

secure-enable

Enable RADIUS Security (RADSec).

secure-log-level <critical | debug | error | info | warning>

Specifies the log severity level. The default is error.

secure-mode <dtls | tls>

Specifies the protocol for establishing the secure connection with the server. The possible values are:

  • dtls - Datagram Transport Layer Security (DTLS) encryption over User Datagram Protocol (UDP)
  • tls - Transport Layer Security (TLS) encryption over Transmission Control Protocol (TCP)

The default is TLS.

Important:
To avoid TLS handshake issues if the switch and RADsec proxy server run different versions of OpenSSL, manually force TLS version 2 negotiation through the RADsec proxy by adding the following text to the radsecproxy.conf configuration file:
tls default{
     ...         
     TlsVersion TLS1_2
}

secure-ocsp

Enable RADIUS Online Certificate Status Protocol (OCSP) checking.

The default is disabled.

secure-profile WORD<1-16>

Configures the secure profile for the server.

timeout <1–180>

Configures the number of seconds before the authentication request times out. The default is 8.

used-by {cli | eapol | endpoint-tracking | snmp | web}

Configures how the server functions:

  • cli—configure the server for CLI authentication.

  • eapol—configure the server for EAPoL authentication.

  • endpoint-tracking—configure the server for Endpoint Tracking authentication.

  • snmp—configure the server for SNMP accounting.

  • web—configure the server for HTTP(s) authentication.

The default is cli.