Add a RADIUS Server
About this task
Add a RADIUS server to provide RADIUS service on the switch.
Procedure
Examples
Add a RADIUS server using an IPv6 address:
```
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#radius server host 4717:0000:0000:0000:0000:0000:7933:0001 key testkey1 used-by snmp port 12 retry 5 timeout 10 enable
```
Add a RADIUS server using a Fully Qualified Domain Name (FQDN):
```
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#radius server host host.example.com key testkey1 used-by snmp port 12 retry 5 timeout 10 enable
```
Variable Definitions
The following table defines parameters for the radius server host command.
Variable | Value
---|---
host WORD <0–255> | Configures a host server. WORD <0–255> specifies the IPv4 address, IPv6 address, or fully qualified domain name (FQDN). If you use an FQDN, you must also configure the switch to use DNS.
acct-enable | Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.
acct-port <1-65536> | Configures the UDP port of the RADIUS accounting server. The default value is 1813. Important: The UDP port value set for the client must match the UDP value set for the RADIUS server.
enable | Enables the RADIUS server. The default is true.
key WORD<0–32> | Configures the secret key of the authentication client.
port <1-65536> | Configures the UDP port of the RADIUS authentication server. The default value is 1812.
priority <1–10> | Configures the priority value for this server. The default is 10.
retry <0–6> | Configures the number of authentication retries the server will accept. The default is 1.
secure-enable | Enables RADIUS Security (RADSec).
secure-log-level <critical \| debug \| error \| info \| warning> | Specifies the log severity level. The default is error.
secure-mode <dtls \| tls> | Specifies the protocol for establishing the secure connection with the server. The possible values are dtls and tls. The default is TLS. Important: To avoid TLS handshake issues if the switch and RADsec proxy server run different versions of OpenSSL, manually force TLS version 2 negotiation through the RADsec proxy by adding the following text to the radsecproxy.conf configuration file: `tls default{ ... TlsVersion TLS1_2 }`
secure-profile WORD<1-16> | Configures the secure profile for the server.
timeout <1–180> | Configures the number of seconds before the authentication request times out. The default is 8.
used-by {cli \| eapol \| endpoint-tracking \| snmp \| web} | Configures how the server functions (cli, eapol, endpoint-tracking, snmp, or web). The default is cli.
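When the same `radius server host` command has to be pushed to many switches, it helps to validate the parameters against the ranges in the table before anything is typed into the CLI. The script below is an added example and is not part of the switch documentation or the vendor's tooling: it classifies the host argument as IPv4, IPv6 or FQDN (flagging the FQDN case, which requires DNS on the switch), checks each numeric parameter against the table's range and each keyword against its allowed values, and assembles the command line in the keyword order used by the page's examples. The function names, the RFC 1123 hostname check, and the placement of the optional keywords (`acct-port`, `priority`, `secure-*`) are this example's own assumptions.

```python
"""Build and validate a `radius server host ...` command line.

Added example (not vendor code). Ranges and keyword values come from the
Variable Definitions table; the helpers and the optional-keyword order are
assumptions made for this example.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Allowed keyword values and numeric ranges, copied from the table.
USED_BY = ("cli", "eapol", "endpoint-tracking", "snmp", "web")
SECURE_MODES = ("dtls", "tls")
RANGES = {
    "port": (1, 65536),
    "acct-port": (1, 65536),
    "priority": (1, 10),
    "retry": (0, 6),
    "timeout": (1, 180),
}
# Hostname label syntax (assumption: the switch accepts RFC 1123 style labels).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_host(host: str) -> str:
    """Return 'ipv4', 'ipv6' or 'fqdn' for the host WORD, else raise ValueError."""
    if not 0 < len(host) <= 255:          # table: host WORD <0-255>
        raise ValueError("host must be 1-255 characters")
    try:
        return "ipv6" if ipaddress.ip_address(host).version == 6 else "ipv4"
    except ValueError:
        pass                               # not an IP literal; try FQDN syntax
    labels = host.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(label) for label in labels):
        return "fqdn"
    raise ValueError(f"host is neither an IP address nor an FQDN: {host!r}")


def _check_range(name: str, value: int) -> int:
    """Reject values outside the table's range (bool is excluded on purpose)."""
    lo, hi = RANGES[name]
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in {lo}-{hi}, got {value!r}")
    return value


def build_radius_server_command(host: str, key: str, *, used_by: str = "cli",
                                port: int = 1812, retry: int = 1, timeout: int = 8,
                                enable: bool = True,
                                acct_port: Optional[int] = None,
                                priority: Optional[int] = None,
                                secure_mode: Optional[str] = None,
                                secure_profile: Optional[str] = None) -> Tuple[str, bool]:
    """Validate the parameters and return (command_line, needs_dns).

    needs_dns is True when the host is an FQDN, because the table says the
    switch must then also be configured to use DNS.
    """
    host_kind = classify_host(host)
    if len(key) > 32 or any(ch.isspace() for ch in key):  # table: key WORD<0-32>
        raise ValueError("key must be at most 32 characters with no whitespace")
    if used_by not in USED_BY:
        raise ValueError(f"used-by must be one of {USED_BY}, got {used_by!r}")

    # Keyword order follows the page's examples for the mandatory part.
    parts = ["radius server host", host, "key", key, "used-by", used_by,
             "port", str(_check_range("port", port)),
             "retry", str(_check_range("retry", retry)),
             "timeout", str(_check_range("timeout", timeout))]

    # Optional keywords (their position after the mandatory part is assumed).
    if acct_port is not None:
        parts += ["acct-port", str(_check_range("acct-port", acct_port))]
    if priority is not None:
        parts += ["priority", str(_check_range("priority", priority))]
    if secure_mode is not None or secure_profile is not None:
        if secure_mode is not None and secure_mode not in SECURE_MODES:
            raise ValueError(f"secure-mode must be one of {SECURE_MODES}")
        if secure_profile is not None and not 1 <= len(secure_profile) <= 16:
            raise ValueError("secure-profile must be 1-16 characters")  # WORD<1-16>
        parts.append("secure-enable")
        if secure_mode is not None:
            parts += ["secure-mode", secure_mode]
        if secure_profile is not None:
            parts += ["secure-profile", secure_profile]
    if enable:
        parts.append("enable")
    return " ".join(parts), host_kind == "fqdn"


if __name__ == "__main__":
    # Reproduces the page's IPv6 example, then the FQDN variant.
    for h in ("4717:0000:0000:0000:0000:0000:7933:0001", "host.example.com"):
        cmd, needs_dns = build_radius_server_command(
            h, "testkey1", used_by="snmp", port=12, retry=5, timeout=10)
        print(cmd, "(configure DNS first)" if needs_dns else "")
```

The mandatory keywords are always emitted so that the output is a complete, reviewable line even when a value equals its default; the `needs_dns` flag is the cue to verify the switch's DNS configuration before committing an FQDN-based server entry.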