Configure RADIUS Authentication and RADIUS Accounting Attributes

About this task

Configure RADIUS authentication and RADIUS accounting attributes to determine the size of the packets received.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the RADIUS authentication attribute value:

    radius command-access-attribute <192-240>

  3. Configure the RADIUS accounting attribute value:

    radius accounting attribute-value <192-240>

Example

Switch:1>enable 
Switch:1#configure terminal 
Switch:1(config)#radius command-access-attribute 192 
Switch:1(config)#radius accounting attribute-value 192 

Variable Definitions

The following table defines parameters for the radius command.

Variable

Value

access-priority-attribute <192-240>

Specifies the value of the access priority attribute. The default is 192.

accounting {attribute-value <192-240>|enable|include-cli-commands}

Configures the accounting attribute value, enables accounting, or configures whether accounting includes CLI commands. The default is false.

auth-info-attr-value <0-255>

Specifies the value of the authentication information attribute. The default is 91.

clear-stat

Clears RADIUS statistics.

cli-cmd-count <1–40>

Specifies how many CLI commands are issued before the system sends a RADIUS accounting interim request. The default value is 40.

cli-commands-attribute <192-240>

Specifies the value of the CLI commands attribute. The default is 195.

cli-profile

Enables RADIUS CLI profiling. CLI profiling grants or denies access to users being authenticated by way of the RADIUS server. You can add a set of CLI commands to the configuration on the RADIUS server, and you can specify the command-access mode for these commands. The default is false.

command-access-attribute <192-240>

Specifies the value of the command access attribute. The default is 194.

enable

Enables RADIUS authentication globally on the switch.

maxserver <1-10>

Specific to RADIUS authentication, configures the maximum number of servers allowed for the device. The default is 10.

mcast-addr-attr-value <0-255>

Specifies the value of the multicast address attribute. The default is 90.

secure-flag

Specifies whether RADIUS Security (RADSec) is globally enabled. The default is disabled.

secure-profile

Specifies the RADSec profile name.

server host WORD<0–113> key WORD<0–32> [used-by {cli|snmp|web}] [acct-enable] [acct-port <1–65536>] [enable] [port <1–65536>] [priority <1–10>] [retry <0–6>] [secure-enable] [secure-ocsp] [secure-log-level {critical | debug | error | info | warning}] [secure-mode {dtls | tls}] [secure-profile WORD<1-16>] [timeout <1–60>]

  • host WORD<0–113>

    Creates a host server. WORD<0–113> signifies an IP address or Fully Qualified Domain Name (FQDN).

  • key WORD<0–32>

    Specifies a secret key in the range of 0–32 characters.

  • used-by {cli|eapol|endpoint-tracking|snmp|web}

    Specifies how the server functions. Configures the server for:
    • cli authentication

    • eapol authentication

    • endpoint-tracking authentication

    • snmp accounting

    • web authentication

  • acct-enable

    Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.

  • acct-port <1–65536>

    Specifies a UDP port of the RADIUS accounting server. The default value is 1816. The UDP port value set for the client must match the UDP value set for the RADIUS server.

  • enable

    Enables the server. The default is true.

  • port <1–65536>

    Specifies a UDP port of the RADIUS server. The default value is 1812.

  • priority <1–10>

    Specifies the priority value for this server. The default is 10.

  • retry <0–6>

    Specifies the maximum number of authentication retries. The default is 3.

  • secure-enable

    Enables secure mode on the server.

  • secure-ocsp

    Enables RADIUS secure Online Certificate Status Protocol (OCSP) checking for this server. The default is disabled.

  • secure-log-level {critical | debug | error | info | warning}

    Specifies the RADIUS secure server log severity level.

  • secure-mode {dtls | tls}

    Specifies the protocol for establishing the secure connection with the server. IPv4 supports both dtls and tls modes. IPv6 only supports tls mode.

  • secure-profile WORD<1-16>

    Specifies the secure profile name.

  • timeout <1–60>

    Specifies the number of seconds before the authentication request times out. The default is 3.
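
The following is an added example, not part of the vendor documentation: a small Python check that reviews radius server host lines from a saved configuration against the ranges and the IPv6/tls rule listed above. The function name lint_server_line, the finding texts, and the sample lines (addresses, key, profile name) are constructed for illustration, and it assumes one full command per line in the syntax shown on this page.

```python
import ipaddress

# Inclusive ranges documented above for numeric "radius server host" options.
RANGES = {"acct-port": (1, 65536), "port": (1, 65536), "priority": (1, 10),
          "retry": (0, 6), "timeout": (1, 60)}

# Constructed sample lines (documentation addresses, made-up key and profile).
SAMPLE = [
    "radius server host 192.0.2.10 key s3cret used-by cli port 1812 "
    "priority 1 retry 3 timeout 3 secure-enable secure-mode tls secure-profile prof1",
    "radius server host 2001:db8::5 key s3cret used-by cli "
    "secure-enable secure-mode dtls timeout 90",
]

def lint_server_line(line):
    """Return a list of findings for one 'radius server host ...' line."""
    tokens = line.split()
    if tokens[:3] != ["radius", "server", "host"] or len(tokens) < 6 or tokens[4] != "key":
        return ["not a 'radius server host <host> key <key>' line"]
    host, key, opts = tokens[3], tokens[5], tokens[6:]
    findings = []
    if len(host) > 113:
        findings.append("host longer than 113 characters")
    if len(key) > 32:
        findings.append("key longer than 32 characters")
    # Numeric options must fall inside the documented ranges.
    for name, (lo, hi) in RANGES.items():
        if name in opts:
            idx = opts.index(name) + 1
            value = opts[idx] if idx < len(opts) else ""
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"{name} must be in {lo}-{hi}")
    mode = None
    if "secure-mode" in opts:
        idx = opts.index("secure-mode") + 1
        mode = opts[idx] if idx < len(opts) else ""
        if mode not in ("dtls", "tls"):
            findings.append("secure-mode must be dtls or tls")
    # Per the secure-mode description, IPv6 supports only tls mode.
    try:
        is_v6 = ipaddress.ip_address(host).version == 6
    except ValueError:
        is_v6 = False  # FQDN or unparsable address: address family unknown
    if is_v6 and mode == "dtls":
        findings.append("IPv6 host supports only secure-mode tls")
    if "secure-enable" not in opts:
        findings.append("secure-enable absent: line does not turn on secure mode")
    return findings
```

Run it over each server line of an exported configuration and review any line that returns a non-empty list before applying it to the switch.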