Configure RADIUS Attributes

Configure RADIUS to authenticate user identity through a central database.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure RADIUS access priority:

    radius access-priority-attribute <192-240>

  3. Configure RADIUS accounting:

    radius accounting {attribute-value <192-240>|enable|include-cli-commands}

  4. Configure the RADIUS authentication info attribute value:

    radius auth-info-attr-value <0-255>

  5. Clear RADIUS statistics:

    radius clear-stat

  6. Configure the value of the CLI commands:

    radius cli-commands-attribute <192-240>

  7. Configure the value of the command access attribute:

    radius command-access-attribute <192-240>

  8. Configure the maximum number of servers allowed:

    radius maxserver <1-10>

  9. Configure the multicast address attribute:

    radius mcast-addr-attr-value <0-255>

  10. Enable RADSec globally:

    radius secure-flag

    Note

    RADSec is not supported on the VSP 8600 Series.

  11. Configure the RADSec profile:

    radius secure-profile WORD<1-16> [ca-cert-file | cert-file | key-file | key-pwd]

    Note

    RADSec is not supported on the VSP 8600 Series.

Example

Switch:1>enable

Switch:1#configure terminal

Configure RADIUS access priority:

Switch:1(config)#radius access-priority-attribute 192

Configure RADIUS accounting to include CLI commands:

Switch:1(config)#radius accounting include-cli-commands
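As an added illustration that is not part of the Extreme documentation, the following Python shows what the attribute numbers configured above mean on the wire: the switch looks for its access-priority, command-access and CLI-commands attributes at the type numbers you set (defaults 192, 194 and 195, all inside the 192-240 range that RFC 2865 leaves for experimental and implementation-specific attribute types) within the standard RADIUS type/length/value attribute encoding. The 4-byte integer payload is an assumption, and the sample Access-Accept attribute section is constructed, not captured.

```python
import struct
# Defaults documented on this page; all three are configurable within 192-240.
DEFAULT_ATTR_TYPES = {
    "access-priority-attribute": 192,
    "command-access-attribute": 194,
    "cli-commands-attribute": 195,
}

def validate_attr_types(cfg):
    """Return a list of problems: a type outside 192-240, or two settings sharing one type."""
    errors = [f"{n}: {t} is outside 192-240" for n, t in cfg.items() if not 192 <= t <= 240]
    seen = {}
    for name, t in cfg.items():
        if t in seen:
            errors.append(f"{name} and {seen[t]} both use attribute type {t}")
        seen.setdefault(t, name)
    return errors

def encode_attr(attr_type, value):
    """Build one RADIUS attribute TLV: type (1 byte), length (1 byte, includes header), value."""
    if isinstance(value, int):
        value = struct.pack(">I", value)  # assumption: 4-byte big-endian integer payload
    if not 0 <= attr_type <= 255 or len(value) > 253:
        raise ValueError("attribute type or value out of range")
    return bytes([attr_type, 2 + len(value)]) + value

# Constructed Access-Accept attribute section (not a capture): User-Name plus two switch attributes.
SAMPLE_ATTRS = (encode_attr(1, b"admin")
                + encode_attr(DEFAULT_ATTR_TYPES["access-priority-attribute"], 6)
                + encode_attr(DEFAULT_ATTR_TYPES["command-access-attribute"], 1))

def parse_attrs(blob):
    """Walk the attribute section of a RADIUS packet, rejecting bad or truncated lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute type {t}")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs

def extract_switch_attrs(blob, cfg):
    """Pick out the attributes the switch is configured to look for, by their configured type numbers."""
    by_type = {t: name for name, t in cfg.items()}
    found = {}
    for t, v in parse_attrs(blob):
        if t in by_type:
            found[by_type[t]] = struct.unpack(">I", v)[0] if len(v) == 4 else v
    return found
```

Running `extract_switch_attrs(SAMPLE_ATTRS, DEFAULT_ATTR_TYPES)` maps type 192 back to the access priority and type 194 to the command access, which is exactly the lookup the `radius ...-attribute` settings control.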

Variable Definitions

The following table defines parameters for the radius command.

Variable

Value

access-priority-attribute <192-240>

Specifies the value of the access priority attribute in the range of 192 to 240. The default is 192.

accounting {attribute-value <192-240>|enable|include-cli-commands}

Configures the accounting attribute value, enables accounting, or configures whether accounting includes CLI commands. The default is false. Use the no option to disable accounting: no radius accounting enable.

auth-info-attr-value <0-255>

Specifies the value of the authentication information attribute in the range of 0 to 255. The default is 91.

clear-stat

Clears RADIUS statistics.

cli-cmd-count <1–40>

Specifies the number of CLI commands, from 1 to 40, after which the system sends a RADIUS accounting interim request. The default value is 40.

cli-commands-attribute <192-240>

Specifies the value of CLI commands attribute in the range of 192 to 240. The default is 195.

cli-profile

Enables RADIUS CLI profiling. CLI profiling grants or denies access to users being authenticated by way of the RADIUS server. You can add a set of CLI commands to the configuration on the RADIUS server, and you can specify the command-access mode for these commands. The default is false.

command-access-attribute <192-240>

Specifies the value of the command access attribute in the range of 192 to 240. The default is 194.

enable

Enables RADIUS authentication globally on the switch.

maxserver <1-10>

Specific to RADIUS authentication, configures the maximum number of servers allowed for the device. The range is between 1 and 10. The default is 10.

mcast-addr-attr-value <0-255>

Specifies the value of the multicast address attribute in the range of 0 to 255. The default is 90.

secure-flag

Note:

Exception: not supported on VSP 8600 Series.

Specifies whether RADIUS Security (RADSec) is globally enabled. The default is disabled.

secure-profile

Note:

Exception: not supported on VSP 8600 Series.

Specifies the RADSec profile name.

server host WORD<0–46> key WORD<0–32> [used-by {cli|snmp|web}] [acct-enable] [acct-port <1–65536>] [enable] [port <1–65536>] [priority <1–10>] [retry <0–6>] [secure-enable] [secure-log-level {critical | debug | error | info | warning}] [secure-mode {dtls | tls}] [secure-profile WORD<1-16>] [source-ip WORD<0–46>] [timeout <1–60>]

  • host WORD<0–46>

    Creates a host server. WORD<0–46> signifies an IP address.

  • key WORD<0–32>

    Specifies a secret key in the range of 0–32 characters.

  • used-by {cli|eapol|endpoint-tracking|snmp|web}

    Specifies how the server functions. Configures the server for:

    • cli authentication

    • eapol authentication

    • endpoint-tracking authentication

    • snmp accounting

    • web authentication

  • acct-enable

    Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.

  • acct-port <1–65536>

    Specifies a UDP port of the RADIUS accounting server (1 to 65536). The default value is 1816. The UDP port value set for the client must match the UDP value set for the RADIUS server.

  • enable

    Enables the server. The default is true.

  • port <1–65536>

    Specifies a UDP port of the RADIUS server. The default value is 1812.

  • priority <1–10>

    Specifies the priority value for this server. The default is 10.

  • retry <0–6>

    Specifies the maximum number of authentication retries. The default is 3.

  • secure-enable

    Enable secure mode on the server.

    Note:

    Exception: not supported on VSP 8600 Series.

  • secure-log-level {critical | debug | error | info | warning}

    Specifies the RADIUS secure server log severity level.

    Note:

    Exception: not supported on VSP 8600 Series.

  • secure-mode {dtls | tls}

    Specifies the protocol for establishing the secure connection with the server. IPv4 supports both dtls and tls modes. IPv6 only supports tls mode.

    Note:

    Exception: not supported on VSP 8600 Series.

  • secure-profile WORD<1-16>

    Specifies the secure profile name.

    Note:

    Exception: not supported on VSP 8600 Series.

  • source-ip WORD<0–46>

    Specifies a configured IP address as the source address when transmitting RADIUS packets. WORD<0–46> signifies an IP address.

    Note:

    Exception: Only supported on VSP 8600 Series.

  • timeout <1–60>

    Specifies the number of seconds before the authentication request times out. The default is 3.

sourceip-flag

Note:

Exception: only supported on VSP 8600 Series.

Enables the source IP so the switch uses a configured source IP address. If the outgoing interface on the switch fails, a different source IP address is used, which requires you to change the configuration on the RADIUS server to define the new RADIUS client. To simplify RADIUS server configuration, you can configure the switch to use a Circuitless IP (CLIP) address as the source IP and NAS IP address when transmitting RADIUS packets. A CLIP is not associated with a physical interface and is always in an active and operational state. You can configure the switch with multiple CLIP interfaces.

By default, the switch uses the IP address of the outgoing interface as the source IP and NAS IP address for RADIUS packets that it transmits.