radius-server host
Configures a RADIUS server to which the device connects for external authentication.
Syntax
radius-server host { ip-address | host-name } [ use-vrf { mgmt-vrf | default-vrf | vrf-name } ] [ auth-port portnum ] [ radsec ] [ timeout secs ] [ retries num ] [ key shared-secret ] [ protocol { chap | pap | peap } ] [ encryption-level value-level ]
no radius-server host { ip-address | host-name } [ use-vrf { mgmt-vrf | default-vrf | vrf-name } ] [ auth-port portnum ] [ radsec ] [ timeout secs ] [ retries num ] [ key shared-secret ] [ protocol { chap | pap | peap } ] [ encryption-level value-level ]
Command Default
By default, a RADIUS server is not configured.
Parameters
- ip-address - Specifies the RADIUS server IP address. Both IPv4 and IPv6 addresses are supported.
- host-name - Specifies the host name of the RADIUS server. The maximum supported length for the host name is 40 characters.
- use-vrf - (Optional) Causes communication with the RADIUS server to take place through a specific VRF and enters configuration mode for RADIUS server communications through that VRF.
- mgmt-vrf - Specifies the management VRF.
- default-vrf - Specifies the default VRF.
- vrf-name - Specifies a VRF name.
- auth-port portnum - Specifies the port for authentication. The default UDP port is 1812. The default TCP port (used for RADIUS over TLS) is 2083.
- radsec - Specifies that RADIUS over TLS is to be used instead of RADIUS over UDP.
- encryption-level value-level - Designates the encryption level for the shared secret key operation. This operand supports JITC certification and compliance. The valid values are 0 and 7, with 0 being clear text and 7 being the most heavily encrypted. The default value is 7.
- key shared-secret - Specifies the text string that is used as the shared secret between the device and the RADIUS server to make the message exchange secure. The key must be between 1 and 40 characters in length.
  - In RADIUS over UDP mode, the default key is sharedsecret. In RADIUS over TLS mode, the default key is radsec, which must not be modified per RFC 6614.
  - The exclamation mark (!) is supported in RADIUS and TACACS+ servers. You can specify the password either in double quotes or with the escape character (\), for example "secret!key" or secret\!key. The only other valid characters are alphanumeric characters (a-z and 0-9) and underscores. No other special characters are allowed.
- protocol { chap | pap | peap } - Specifies the authentication protocol. Options include CHAP, PAP, and PEAP. The default is CHAP.
- retries num - Specifies the number of attempts allowed to connect to a RADIUS server. The default is 5 attempts.
Modes
Global configuration mode
Usage Guidelines
When a RADIUS server with the specified IP address or host name does not exist, it is added to the server list. When the RADIUS server already exists, this command modifies its configuration.
The no form of the command removes the indicated configuration.
Note
When only one RADIUS server is configured, you can remove the RADIUS server configuration only when both login (EXEC) and command accounting are disabled, for example by using the no aaa accounting command, and when the authentication mode has been set to "non-radius" with the no aaa authentication login radius command.
If the encryption-level is zero (0) but the key entered is encrypted, the following error message is displayed: Error: Input key must be plain text when encryption-level selected is 0.
Examples
This example configures a RADIUS server.
device# configure terminal
device(config)# radius-server host 10.24.65.6
device(config-radius-server-10.24.65.6/mgmt-vrf)#
This example configures a RADIUS server and specifies that communication with the server takes place through the green-vrf.
device# configure terminal
device(config)# radius-server host 10.24.65.6 use-vrf green-vrf
device(config-radius-server-10.24.65.6/green-vrf)#
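The following Python helper is an added example, not part of this command reference or of the device software. It encodes the operand rules documented above (key length 1 to 40, the allowed key alphabet, quoting of "!", the fixed radsec key required by RFC 6614, the default ports 1812 and 2083, the valid protocols and encryption levels) so that a server entry can be checked before it is pushed to a device, and it flags two weak choices that follow directly from the text: leaving the documented default UDP shared secret in place, and encryption-level 0, which stores the key in clear text. Function names and the decision to accept upper-case letters as "alphanumeric" are assumptions made for this example.

```python
import re
from typing import List, Optional

# Constraints copied from the parameter descriptions of 'radius-server host'.
KEY_MIN_LEN, KEY_MAX_LEN = 1, 40
HOSTNAME_MAX_LEN = 40
DEFAULT_UDP_PORT, DEFAULT_TLS_PORT = 1812, 2083
DEFAULT_UDP_KEY, DEFAULT_TLS_KEY = "sharedsecret", "radsec"
PROTOCOLS = ("chap", "pap", "peap")
ENCRYPTION_LEVELS = (0, 7)
# Documented key alphabet: alphanumerics, '_' and '!'. Accepting upper-case
# letters as "alphanumeric" is an assumption; the page writes "a-z and 0-9".
KEY_CHARS = re.compile(r"^[A-Za-z0-9_!]+$")


def check_shared_secret(secret: str, radsec: bool = False) -> List[str]:
    """Return the problems the documented rules find in a key (empty = ok)."""
    problems = []
    if not KEY_MIN_LEN <= len(secret) <= KEY_MAX_LEN:
        problems.append(f"length {len(secret)} outside {KEY_MIN_LEN}..{KEY_MAX_LEN}")
    elif not KEY_CHARS.match(secret):
        problems.append("only letters, digits, '_' and '!' are allowed")
    if radsec and secret != DEFAULT_TLS_KEY:
        problems.append(f"RADIUS over TLS keeps the fixed key '{DEFAULT_TLS_KEY}' (RFC 6614)")
    return problems


def render_key(secret: str) -> str:
    """A '!' must be protected on the CLI; the page allows quotes or '\\!'."""
    return f'"{secret}"' if "!" in secret else secret


def effective_port(radsec: bool, auth_port: Optional[int] = None) -> int:
    """Port the device will use when auth-port is omitted (1812 UDP, 2083 TLS)."""
    if auth_port is not None:
        return auth_port
    return DEFAULT_TLS_PORT if radsec else DEFAULT_UDP_PORT


def build_command(host: str, vrf: Optional[str] = None, radsec: bool = False,
                  auth_port: Optional[int] = None, timeout: Optional[int] = None,
                  retries: Optional[int] = None, key: Optional[str] = None,
                  protocol: Optional[str] = None,
                  encryption_level: Optional[int] = None) -> str:
    """Assemble one 'radius-server host' line in the documented operand order,
    rejecting values the reference says the device does not accept."""
    if not host or len(host) > HOSTNAME_MAX_LEN:
        raise ValueError("host name must be 1 to 40 characters")
    if protocol is not None and protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    if encryption_level is not None and encryption_level not in ENCRYPTION_LEVELS:
        raise ValueError("encryption-level must be 0 or 7")
    if key is not None:
        problems = check_shared_secret(key, radsec)
        if problems:
            raise ValueError("; ".join(problems))
    parts = ["radius-server", "host", host]
    if vrf is not None:
        parts += ["use-vrf", vrf]
    if auth_port is not None:
        parts += ["auth-port", str(auth_port)]
    if radsec:
        parts.append("radsec")
    if timeout is not None:
        parts += ["timeout", str(timeout)]
    if retries is not None:
        parts += ["retries", str(retries)]
    if key is not None:
        parts += ["key", render_key(key)]
    if protocol is not None:
        parts += ["protocol", protocol]
    if encryption_level is not None:
        parts += ["encryption-level", str(encryption_level)]
    return " ".join(parts)


def audit(radsec: bool = False, key: Optional[str] = None,
          encryption_level: Optional[int] = None) -> List[str]:
    """Defensive review of a planned entry: warnings, not hard errors."""
    warnings = []
    if key is None:
        key = DEFAULT_TLS_KEY if radsec else DEFAULT_UDP_KEY
    if not radsec and key == DEFAULT_UDP_KEY:
        warnings.append("shared secret is the documented default 'sharedsecret'")
    if encryption_level == 0:
        warnings.append("encryption-level 0 stores the shared secret in clear text")
    return warnings


if __name__ == "__main__":
    # Constructed sample entries; 10.24.65.6 is the address used in the page's examples.
    print(build_command("10.24.65.6", vrf="green-vrf", retries=3, key="secret!key"))
    print(build_command("10.24.65.6", radsec=True, key="radsec"))
    print(audit(), audit(radsec=True), audit(key="Abc_123", encryption_level=0))
```

The operand order in `build_command` follows the Syntax section, so the emitted line can be pasted at the `device(config)#` prompt as-is; `audit` is separate from `build_command` because the default secret and clear-text storage are accepted by the device and are only worth a warning in a review.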