Configure RADIUS Attributes

Configure RADIUS to authenticate user identity through a central database.

Procedure

Enter Global Configuration mode:

enable

configure terminal
Configure RADIUS access priority:

radius access-priority-attribute <192-240>
Configure RADIUS accounting:

radius accounting {attribute-value <192-240>|enable|include-cli-commands}
Configure the RADIUS authentication info attribute value:

radius auth-info-attr-value <0-255>
Clear RADIUS statistics:

radius clear-stat
Configure the value of the CLI commands:

radius cli-commands-attribute <192-240>
Configure the value of the command access attribute:

radius command-access-attribute <192-240>
Configure the maximum number of servers allowed:

radius maxserver <1-10>
Configure the multicast address attribute:

radius mcast-addr-attr-value <0-255>
Enable RADSec globally:

radius secure-flag
Configure the RADSec profile:

radius secure-profile WORD<1-16> [ca-cert-file | cert-file | key-file | key-pwd]

Example

Configure RADIUS access priority:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#radius access-priority-attribute 192

Configure RADIUS accounting to include CLI commands:

Switch:1(config)#radius accounting include-cli-commands

Variable Definitions

The following table defines parameters for the radius command.


Variable	Value
access-priority-attribute <192-240>	Specifies the value of the access priority attribute. The default is 192.
accounting {attribute-value <192-240>\|enable\|include-cli-commands}	Configures the accounting attribute value, enable accounting, or configure if accounting includes CLI commands. The default is false.
auth-info-attr-value <0-255>	Specifies the value of the authentication information attribute.The default is 91.
clear-stat	Clears RADIUS statistics.
cli-cmd-count <1–40>	Specifies how many CLI commands before the system sends a RADIUS accounting interim request. The default value is 40.
cli-commands-attribute <192-240>	Specifies the value of CLI commands attribute. The default is 195.
cli-profile	Enable RADIUS CLI profiling. CLI profiling grants or denies access to users being authenticated by way of the RADIUS server. You can add a set of CLI commands to the configuration on the RADIUS server, and you can specify the command-access more for these commands. The default is false.
command-access-attribute <192-240>	Specifies the value of the command access attribute. The default is 194.
enable	Enable RADIUS authentication globally on the switch.
maxserver <1-10>	Specific to RADIUS authentication, configures the maximum number of servers allowed for the device. The default is 10.
mcast-addr-attr-value <0-255>	Specifies the value of the multicast address attribute. The default is 90.
secure-flag	Specifies whether RADIUS Security (RADSec) is globally enabled. The default is disabled.
secure-profile	Specifies the RADSec profile name.
server host `WORD<0–46>` key `WORD<0–32>` [used-by {cli\|snmp\|web} [acct-enable] [acct-port `<1–65536>` ] [enable] [port `<1–65536>` ] [priority `<1–10>` ] [retry `<0–6>`secure-enablesecure-log-level `{critical \| debug \| error \| info \| warning}`secure-mode`{dtls \| tls}`secure-profile`WORD<1-16>` ] [timeout `<1–60>` ]	host `WORD<0–46>` Creates a host server. WORD<0–46> signifies an IP address. key `WORD<0–32>` Specifies a secret key in the range of 0–32 characters. used-by `{cli\|eapol\| endpoint-tracking\|snmp\|web}` Specifies how the server functions. Configures the server for: cli authentication eapol authentication endpoint-tracking authentication snmp accounting web authentication acct-enable Enables RADIUS accounting on this server. The system enables RADIUS accounting by default. acct-port `<1–65536>` Specifies a UDP port of the RADIUS accounting server. The default value is 1816. The UDP port value set for the client must match the UDP value set for the RADIUS server. enable Enables the server. The default is true. port `<1–65536>` Specifies a UDP port of the RADIUS server. The default value is 1812. priority `<1–10>` Specifies the priority value for this server. The default is 10. retry `<0–6>` Specifies the maximum number of authentication retries. The default is 3. secure-enable Enable secure mode on the server. secure-log-level`{critical \| debug \| error \| info \| warning}` Specifies the RADIUS secure server log severity level. secure-mode`{dtls \| tls}` Specifies the protocol for establishing the secure connection with the server. IPv4 supports both dtls and tls modes. IPv6 only supports tls mode. secure-profile`WORD<1-16>` Specifies the secure profile name. timeout `<1–60>` Specifies the number of seconds before the authentication request times out. The default is 3.