configure radius server client-ip

configure radius {mgmt-access | netlogin} [primary | secondary | index] server [host_ipaddr | host_ipV6addr | hostname] {udp_port | tls {tls_port}} client-ip [client_ipaddr | client_ipV6addr] {vr vr_name} {shared-secret {encrypted} secret}

Description

This command configures up to eight RADIUS authentication servers.
Note

Note

It is recommended to enable loopback mode on the VLAN associated with radius if the radius connectivity is established via a front panel port on a SummitStack.

Syntax Description

mgmt-access Specifies the RADIUS authentication server for switch management.
netlogin Specifies the RADIUS authentication server for network login.
primary Configures the primary RADIUS authentication server.
secondary Configures the secondary RADIUS authentication server.
index RADIUS server index. Range: 1 - 2147483641.
host_ipaddr The IP address of the server being configured.
host_ipV6addr Server IPv6 address.
hostname The host name of the server being configured.
udp_port The UDP port to use to contact the RADIUS authentication server.
tls Specifies using Transfer Layer Security (TLS).
tls_port The TLS port to use to contact the RADIUS authentication server.
ipaddress The IP address used by the switch to identify itself when communicating with the RADIUS authentication server.
client_ipV6addr Client IPv6 address.
vr_name Specifies the virtual router on which the client IP is located.
Note: User-created VRs are supported only on the platforms listed for this feature in the Switch Engine v33.1.1 Licensing Guide document.
shared-secret Shared secret
secret

Secret string.

Important: Use quotes to enclose the string. Failure to do so causes the CLI to treat the string as a comment, since the string starts with a"#" symbol.
encrypted Password is encrypted.

Default

The following lists the default behavior of this command:
  • The UDP port setting is 1812.
  • The TLS port setting is 2083.
  • The virtual router used is VR-Mgmt, the management virtual router.
  • Switch management and network login use the same primary and secondary RADIUS servers for authentication (only if the realm is not specified in the command).,

Usage Guidelines

Use this command to specify RADIUS server information.

Use of the hostname parameter requires that DNS be enabled.

The RADIUS server defined by this command is used for user name authentication and CLI command authentication.

Beginning with ExtremeXOS 11.2, you can specify one pair of RADIUS authentication servers for switch management and another pair for network login. To specify RADIUS authentication servers for switch management (Telnet, SSH, and console sessions), use the mgmt-access keyword. To specify RADIUS authentication servers for network login, use the netlogin keyword. If you do not specify a keyword, switch management and network login use the same pair of RADIUS authentication servers.

If you are running ExtremeXOS 11.1 or earlier and upgrade to ExtremeXOS 11.2, you do not lose your existing RADIUS server configuration. Both switch management and network login use the RADIUS authentication server specified in the older configuration.

Specifying mgmt-access or netlogin before the index will create a RADIUS entry with only that realm specified, if neither are specified both realms will be enabled.

Note

Note

You cannot use a stacking alternate IP address as the RADIUS client in primary RADIUS server configuration.

Example

The following example configures the primary RADIUS server on host radius1 using the default UDP port (1812) for use by the RADIUS client on switch 10.10.20.30 using a virtual router interface of VR-Default:

configure radius primary server radius1 client-ip 10.10.20.30 vr vr-Default

The following example configures the primary RADIUS server for network login authentication on host netlog1 using the default UDP port for use by the RADIUS client on switch 10.10.20.31 using, by default, the management virtual router interface:

configure radius netlogin primary server netlog1 client-ip 10.10.20.31

History

This command was first available in ExtremeXOS 10.1.

The mgmt-access and netlogin keywords were added in ExtremeXOS 11.2.

The index, host_ipV6addr, client_ipV6addr, shared-secret, and encrypted keywords were added in ExtremeXOS 16.1.

The tls keyword with tls_port variable was added in ExtremeXOS 31.4.

Platform Availability

This command is available on all Universal switches supported in this document.