Configure RADIUS Attributes

Configure RADIUS to authenticate user identity through a central database.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure RADIUS access priority:

    radius access-priority-attribute <192-240>

  3. Configure RADIUS accounting:

    radius accounting {attribute-value <192-240>|enable|include-cli-commands}

  4. Configure the RADIUS authentication info attribute value:

    radius auth-info-attr-value <0-255>

  5. Clear RADIUS statistics:

    radius clear-stat

  6. Configure the value of the CLI commands:

    radius cli-commands-attribute <192-240>

  7. Configure the value of the command access attribute:

    radius command-access-attribute <192-240>

  8. Configure the maximum number of servers allowed:

    radius maxserver <1-10>

  9. Configure the multicast address attribute:

    radius mcast-addr-attr-value <0-255>

  10. Enable RADSec globally:

    radius secure-flag

  11. Configure the RADSec profile:

    radius secure-profile WORD<1-16> [ca-cert-file | cert-file | key-file | key-pwd]

Example

Configure RADIUS access priority:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#radius access-priority-attribute 192

Configure RADIUS accounting to include CLI commands:

Switch:1(config)#radius accounting include-cli-commands 

Variable Definitions

The following table defines parameters for the radius command.

Variable

Value

access-priority-attribute <192-240>

Specifies the value of the access priority attribute. The default is 192.

accounting {attribute-value <192-240>|enable|include-cli-commands}

Configures the accounting attribute value, enable accounting, or configure if accounting includes CLI commands. The default is false.

auth-info-attr-value <0-255>

Specifies the value of the authentication information attribute.The default is 91.

clear-stat

Clears RADIUS statistics.

cli-cmd-count <1–40>

Specifies how many CLI commands before the system sends a RADIUS accounting interim request. The default value is 40.

cli-commands-attribute <192-240>

Specifies the value of CLI commands attribute. The default is 195.

cli-profile

Enable RADIUS CLI profiling. CLI profiling grants or denies access to users being authenticated by way of the RADIUS server. You can add a set of CLI commands to the configuration on the RADIUS server, and you can specify the command-access more for these commands. The default is false.

command-access-attribute <192-240>

Specifies the value of the command access attribute. The default is 194.

enable

Enable RADIUS authentication globally on the switch.

maxserver <1-10>

Specific to RADIUS authentication, configures the maximum number of servers allowed for the device. The default is 10.

mcast-addr-attr-value <0-255>

Specifies the value of the multicast address attribute. The default is 90.

secure-flag

Specifies whether RADIUS Security (RADSec) is globally enabled. The default is disabled.

secure-profile

Specifies the RADSec profile name.

server host WORD<0–113> key WORD<0–32> [used-by {cli|snmp|web} [acct-enable] [acct-port <1–65536> ] [enable] [port <1–65536> ] [priority <1–10> ] [retry <0–6> secure-enable secure-ocsp secure-log-level {critical | debug | error | info | warning} secure-mode {dtls | tls} secure-profile WORD<1-16> ] [timeout <1–60> ]

  • host WORD<0–113>

    Creates a host server. WORD<0–113> signifies an IP address or Fully Qualified Domain Name (FQDN).

  • key WORD<0–32>

    Specifies a secret key in the range of 0–32 characters.

  • used-by {cli|eapol| endpoint-tracking|snmp|web}

    Specifies how the server functions. Configures the server for:
    • cli authentication

    • eapol authentication

    • endpoint-tracking authentication

    • snmp accounting

    • web authentication

  • acct-enable

    Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.

  • acct-port <1–65536>

    Specifies a UDP port of the RADIUS accounting server. The default value is 1816. The UDP port value set for the client must match the UDP value set for the RADIUS server.

  • enable

    Enables the server. The default is true.

  • port <1–65536>

    Specifies a UDP port of the RADIUS server. The default value is 1812.

  • priority <1–10>

    Specifies the priority value for this server. The default is 10.

  • retry <0–6>

    Specifies the maximum number of authentication retries. The default is 3.

  • secure-enable

    Enable secure mode on the server.

  • secure-ocsp

    Enable RADIUS secure Online Certificate Status Protocol (OCSP) checking for this server. The default is disabled.

  • secure-log-level{critical | debug | error | info | warning}

    Specifies the RADIUS secure server log severity level.

  • secure-mode{dtls | tls}

    Specifies the protocol for establishing the secure connection with the server. IPv4 supports both dtls and tls modes. IPv6 only supports tls mode.

  • secure-profileWORD<1-16>

    Specifies the secure profile name.

  • timeout <1–60>

    Specifies the number of seconds before the authentication request times out. The default is 3.