Modify RADIUS Server Settings

About this task

Change a specified RADIUS server value without having to delete the server and recreate it again.

Procedure

Enter Global Configuration mode:

enable

configure terminal
Modify a RADIUS server:

radius server host WORD <0–255> used-by {cli|eapol|endpoint-tracking|snmp|web} [acct-enable | acct-port <1-65536> | enable | key WORD<0-32> | port <1-65536> | priority <1-10> | retry <0-6> | secure-enable |secure-log-level <critical | debug | error | info | warning> | secure-mode <dtls | tls> |secure-profile WORD<1-16> | timeout <1-180>]

Example

Modify a RADIUS server:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#radius server host 4717:0000:0000:0000:0000:0000:7933:0001 used-by snmp port 12 retry 5 timeout 10 enable

Variable Definitions

The following table defines parameters for the radius server host command.


Variable	Value
host `WORD<0–113>`	Configures a host server. `WORD<0–113>` specifies the IPv4 address, IPv6 address, or fully qualified domain name (FQDN). If you use an FQDN, you must also configure the switch to use DNS.
acct-enable	Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.
acct-port `<1-65536>`	Configures the UDP port of the RADIUS accounting server. The default value is 1813. Important: The UDP port value set for the client must match the UDP value set for the RADIUS server.
enable	Enables the RADIUS server. The default is true.
key `WORD<0–32>`	Configures the secret key of the authentication client.
port `<1-65536>`	Configures the UDP port of the RADIUS authentication server. The default value is 1812.
priority `<1–10>`	Configures the priority value for this server. The default is 10.
retry `<0–6>`	Configures the number of authentication retries the server will accept. The default is 1.
secure-enable	Enable RADIUS Security (RADSec).
secure-log-level <critical \| debug \| error \| info \| warning>	Specifies the log severity level. The default is error.
secure-mode <dtls \| tls>	Specifies the protocol for establishing the secure connection with the server. The possible values are: dtls - Datagram Transport Layer Security (DTLS) encryption over User Datagram Protocol (UDP) tls - Transport Layer Security (TLS) encryption over Transmission Control Protocol (TCP) The default is TLS. Important: To avoid TLS handshake issues if the switch and RADsec proxy server run different versions of OpenSSL, manually force TLS version 2 negotiation through the RADsec proxy by adding the following text to the radsecproxy.conf configuration file: tls default{ ... TlsVersion TLS1_2 }
secure-ocsp	Enable RADIUS Online Certificate Status Protocol (OCSP) checking. The default is disabled.
secure-profile WORD<1-16>	Configures the secure profile for the server.
timeout `<1–180>`	Configures the number of seconds before the authentication request times out. The default is 8.
used-by {cli \| eapol \| endpoint-tracking \| snmp \| web}	Configures how the server functions: cli—configure the server for CLI authentication. eapol—configure the server for EAPoL authentication. endpoint-tracking—configure the server for Endpoint Tracking authentication. snmp—configure the server for SNMP accounting. web—configure the server for HTTP(s) authentication. The default is cli.