Configure an EAP-Enabled RADIUS Server
Before you begin
You must enable EAP globally.
About this task
The RADIUS server uses the secret key to validate users.
Procedure
Example
Add an EAP RADIUS server:
Switch:1>enable Switch:1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch:1(config)#radius server host fe80:0:0:0:21b:4fff:fe5e:73fd key radiustest used-by eapol enable
Variable Definitions
The following table defines parameters for the radius server host command.
|
Variable |
Value |
|---|---|
|
acct-enable |
Enables accounting for the server. |
|
acct-port <1-65536> |
Specifies the accounting port. The default is 1813. |
|
enable |
Enables the RADIUS server host. |
|
host WORD<0–113> |
Configures a host server. WORD<0–113> specifies the IPv4 address, IPv6 address, or fully qualified domain name (FQDN). If you use an FQDN, you must also configure the switch to use DNS. |
|
key WORD<0-32> |
Specifies the secret key. |
|
port <1-65535> |
Specifies the port ID number. The default is 1812. |
|
priority <1-10> |
Specifies the priority. The lowest number is the highest priority. The default is 10. |
|
retry <0-6> |
Specifies the retry count. The default is 1. |
|
secure-enable |
Enables secure mode on the server. The default is disabled. |
|
secure-log-level <critical | debug | error | info | warning> |
Specifies the RADIUS secure server log severity level. The default is error. |
|
secure-mode <dtls | tls> |
Specifies the protocol for establishing the secure connection with the server. The possible values are:
The default is TLS. Important:
To avoid TLS handshake issues if the switch and
RADsec proxy server run different versions of
OpenSSL, manually force TLS version 2 negotiation
through the RADsec proxy by adding the following
text to the radsecproxy.conf configuration file:
tls default{
...
TlsVersion TLS1_2
}
|
|
secure-profile WORD<1-16> |
Specifies the secure profile name. |
|
timeout <1-180> |
Specifies the timeout of the server. The default is 8. |