Configure an EAP-Enabled RADIUS Server

Before you begin

  • You must enable EAP globally.

About this task

The RADIUS server uses the secret key to validate users.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure a secret key:

    radius server host WORD<0–113> used-by eapol key WORD<0-32>

  3. Optional: Configure accounting parameters for the RADIUS server:
    1. Configure the UDP port:

      radius server host WORD<0–113> used-by eapol acct-port <1-65536>

    2. Enable accounting:

      radius server host WORD<0–113> used-by eapol acct-enable

  4. Optional: Configure secure options for the RADIUS server:
    1. Enable RADIUS Security (RADSec):

      radius server host WORD<0–113> used-by eapol secure-enable

    2. Select the protocol for secure mode:

      radius server host WORD<0–113> used-by eapol secure-mode <dtls | tls>

    3. Specify a secure profile for the server:

      radius server host WORD<0–113> used-by eapol secure-profile WORD<1-16>

    4. Configure the log level:

      radius server host WORD<0–113> used-by eapol secure-log-level <critical | debug | error | info | warning>

  5. Optional: Configure other optional parameters for the RADIUS server:
    1. Configure the UDP port:

      radius server host WORD<0–113> used-by eapol port <1-65536>

    2. Configure the server priority:

      radius server host WORD<0–113> used-by eapol priority <1-10>

    3. Configure the maximum number of retries:

      radius server host WORD<0–113> used-by eapol retry <0-6>

    4. Configure the server timeout:

      radius server host WORD<0–113> used-by eapol timeout <1-180>

  6. Enable the server:

    radius server host WORD<0–113> used-by eapol enable

Example

Add an EAP RADIUS server:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#radius server host fe80:0:0:0:21b:4fff:fe5e:73fd key radiustest used-by eapol enable

Variable Definitions

The following table defines parameters for the radius server host command.

Variable

Value

acct-enable

Enables accounting for the server.

acct-port <1-65536>

Specifies the accounting port. The default is 1813.

enable

Enables the RADIUS server host.

host WORD<0–113>

Configures a host server. WORD<0–113> specifies the IPv4 address, IPv6 address, or fully qualified domain name (FQDN). If you use an FQDN, you must also configure the switch to use DNS.

key WORD<0-32>

Specifies the secret key.

port <1-65535>

Specifies the port ID number. The default is 1812.

priority <1-10>

Specifies the priority. The lowest number is the highest priority. The default is 10.

retry <0-6>

Specifies the retry count. The default is 1.

secure-enable

Enables secure mode on the server. The default is disabled.

secure-log-level <critical | debug | error | info | warning>

Specifies the RADIUS secure server log severity level. The default is error.

secure-mode <dtls | tls>

Specifies the protocol for establishing the secure connection with the server. The possible values are:

  • dtls - Datagram Transport Layer Security (DTLS) encryption over User Datagram Protocol (UDP)
  • tls - Transport Layer Security (TLS) encryption over Transmission Control Protocol (TCP)

The default is TLS.

Important:
To avoid TLS handshake issues if the switch and RADsec proxy server run different versions of OpenSSL, manually force TLS version 2 negotiation through the RADsec proxy by adding the following text to the radsecproxy.conf configuration file:
tls default{
     ...         
     TlsVersion TLS1_2
}

secure-profile WORD<1-16>

Specifies the secure profile name.

timeout <1-180>

Specifies the timeout of the server. The default is 8.