Add a RADIUS Server

About this task

Add a RADIUS server to allow RADIUS service on the switch.

RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration using CLI.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Add a RADIUS server:

    radius server host WORD<0–46> key WORD<0–32> [used-by {cli|eapol|endpoint-tracking|snmp|web}] [acct-enable] [acct-port <1-65536>] [enable] [port <1-65536>] [priority <1-10>] [retry <0-6>] [secure-enable] [secure-log-level] [secure-mode] [secure-profile] [source-ip WORD<0–46>] [timeout <1-60>]

Example

Add a RADIUS server:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#radius server host 4717:0000:0000:0000:0000:0000:7933:0001 key testkey1 used-by snmp port 12 retry 5 timeout 10 enable

Variable Definitions

The following table defines parameters for the radius server host command.

Variable

Value

used-by {cli|eapol|endpoint-tracking|snmp|web}

Configures how the server functions:

  • cli—configure the server for CLI authentication.

  • eapol—configure the server for EAPoL authentication.

  • endpoint-tracking—configure the server for Endpoint Tracking authentication.

  • snmp—configure the server for SNMP accounting.

  • web—configure the server for HTTP(s) authentication.

Use the no option to remove a host server: no radius server host WORD<0–46> used-by {cli|eapol|endpoint-tracking|snmp|web}. The default is cli. The default command is: default radius server host WORD<0–46> used-by {cli|eapol|endpoint-tracking|snmp|web}.

host WORD <0–46>

Configures a host server. WORD <0–46> signifies an IPv4 address in the format A.B.C.D or an IPv6 address in the format x:x:x:x:x:x:x:x. RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration using CLI.

acct-enable

Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.

acct-port <1-65536>

Configures the UDP port of the RADIUS accounting server (1 to 65536). The default value is 1813.

Important:

The UDP port value set for the client must match the UDP value set for the RADIUS server.

enable

Enables the RADIUS server. The default is true.

key WORD<0–32>

Configures the secret key of the authentication client.

port <1-65536>

Configures the UDP port of the RADIUS authentication server. The default value is 1812.

priority <1–10>

Configures the priority value for this server. The default is 10.

retry <0–6>

Configures the number of authentication retries the server will accept. The default is 3.

secure-enable

Note:

Exception: not supported on VSP 8600 Series.

Enables RADIUS Security (RADSec).

secure-log-level

Note:

Exception: not supported on VSP 8600 Series.

Specifies the log severity level. Possible values are:

  • critical

  • debug

  • error

  • info

  • warning

secure-mode

Note:

Exception: not supported on VSP 8600 Series.

Specifies the protocol used for secure connection to the server.

secure-profile

Note:

Exception: not supported on VSP 8600 Series.

Configures the secure profile for the server.

source-ip WORD <0–46>

Note:

Exception: only supported on VSP 8600 Series.

Configures an IP address as the source address when transmitting RADIUS packets. To use this option, you must have the global RADIUS sourceip-flag set to true. RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration using CLI.

timeout <1–180>

Configures the number of seconds before the authentication request times out. The default is 8.
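
Added example, not part of the vendor documentation: a Python function that lints a radius server host line against the ranges in the table above before it is pushed to a switch, and warns on a short shared secret or a line without secure-enable. The function name, the 16-character key floor, and the one-argument handling of secure-mode, secure-profile and source-ip are assumptions.

```python
import ipaddress

# Numeric ranges from the page's Variable Definitions table. The syntax line
# shows timeout <1-60>; the table's <1-180> is used here (assumption).
RANGES = {"acct-port": (1, 65536), "port": (1, 65536), "priority": (1, 10),
          "retry": (0, 6), "timeout": (1, 180)}
CHOICES = {"used-by": {"cli", "eapol", "endpoint-tracking", "snmp", "web"},
           "secure-log-level": {"critical", "debug", "error", "info", "warning"}}
FLAGS = {"acct-enable", "enable", "secure-enable"}
# Assumption: these take one argument each; the page does not list their values.
OPAQUE = {"secure-mode", "secure-profile", "source-ip"}
MIN_KEY_LEN = 16  # assumption: local policy floor, not a value from the page


def lint_radius_host(line):
    """Return findings ("error: ..." / "warn: ...") for one command line."""
    tok = line.split()
    if len(tok) < 6 or tok[:3] != ["radius", "server", "host"] or tok[4] != "key":
        return ["error: expected 'radius server host <addr> key <secret> ...'"]
    findings = []
    try:
        ipaddress.ip_address(tok[3])
    except ValueError:
        findings.append(f"error: host {tok[3]!r} is not an IPv4 or IPv6 address")
    if len(tok[5]) > 32:
        findings.append("error: key is longer than 32 characters")
    elif len(tok[5]) < MIN_KEY_LEN:
        findings.append(f"warn: key is shorter than {MIN_KEY_LEN} characters")
    seen, i = set(), 6
    while i < len(tok):
        opt = tok[i]
        seen.add(opt)
        if opt in FLAGS:          # flags take no argument
            i += 1
            continue
        val = tok[i + 1] if i + 1 < len(tok) else ""
        if opt in RANGES:
            lo, hi = RANGES[opt]
            if not (val.isdecimal() and lo <= int(val) <= hi):
                findings.append(f"error: {opt} {val!r} is outside {lo}-{hi}")
        elif opt in CHOICES:
            if val not in CHOICES[opt]:
                findings.append(f"error: {opt} {val!r} is not a listed value")
        elif opt not in OPAQUE or not val:
            findings.append(f"error: unknown or incomplete option {opt!r}")
        i += 2
    if "secure-enable" not in seen:
        findings.append("warn: secure-enable not set on this line (RADSec not requested)")
    return findings
```

Run against the command in the Example section, it reports no errors and two warnings: the 8-character key and the absence of secure-enable.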