radius-server host

Configures a RADIUS server to connect for external server authentication.

Syntax

radius-server host { ip-address | host-name } [ use-vrf { mgmt-vrf | default-vrf | vrf-name } ] [ auth-port portnum ] [ radsec ] [ timeout secs ] [ retries num ] [ key shared-secret ] [ protocol { chap | pap | peap } ] [ encryption-level value-level ]
no radius-server host { ip-address | host-name } [ use-vrf { mgmt-vrf | default-vrf | vrf-name } ] [ auth-port portnum ] [ radsec ] [ timeout secs ] [ retries num ] [ key shared-secret ] [ protocol { chap | pap | peap } ] [ encryption-level value-level ]

Command Default

By default, a RADIUS server is not configured.

Parameters

ip-address
Specifies the RADIUS server IP address. Both IPv4 and IPv6 addresses are supported.
host-name
Specifies the host name of the RADIUS server. The maximum supported length for the host name is 40 characters.
use-vrf
(Optional) Sends communication with the RADIUS server through a specific VRF and enters configuration mode for RADIUS server communications through that VRF.
mgmt-vrf
Specifies the management VRF.
default-vrf
Specifies the default-vrf.
vrf-name
Specifies a VRF name.
auth-port portnum
Specifies the port for authentication. The default UDP port is 1812. The default TCP port (used for RADIUS over TLS) is 2083.
radsec
Specifies that RADIUS over TLS is to be used instead of RADIUS over UDP.
encryption-level value-level
Designates the encryption level for the shared secret key operation. This operand supports JITC certification and compliance. The valid values are 0 and 7, with 0 being clear text and 7 being the most heavily encrypted. The default value is 7.
key shared-secret
Specifies the text string that is used as the shared secret between the device and the RADIUS server to make the message exchange secure. The key must be between 1 and 40 characters in length.
In RADIUS over UDP mode, the default key is sharedsecret. In RADIUS over TLS mode, the default key is radsec, which must not be modified per RFC 6614.
The exclamation mark (!) is supported in shared secrets for RADIUS and TACACS+ servers. To include it, enclose the key in double quotes or precede it with the escape character (\), for example "secret!key" or secret\!key. The only other valid characters are alphanumeric characters (a-z and 0-9) and underscores. No other special characters are allowed.
protocol {chap | pap | peap}
Specifies the authentication protocol. Options include CHAP, PAP, and PEAP. The default is CHAP.
retries num
Specifies the number of attempts allowed to connect to a RADIUS server. The default is 5 attempts.

Modes

Global configuration mode

Usage Guidelines

When a RADIUS server with the specified IP address or hostname does not exist, it is added to the server list. When the RADIUS server already exists, this command modifies the configuration.

The no form of the command removes the indicated configuration.

Note

When only one RADIUS server is configured, you can remove its configuration only when both login (EXEC) and command accounting are disabled (for example, with the no aaa accounting command) and the authentication mode has been set to "non-radius" with the no aaa authentication login radius command.

If the encryption-level is zero (0) but the key entered is encrypted, the following error message is displayed: Error: Input key must be plain text when encryption-level selected is 0.
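As an added example (not part of the command reference), the following Python helper encodes the parameter rules above (host-name and key length limits, the allowed key characters and the quoting of "!", the fixed radsec key, the 0/7 encryption levels, and the UDP/TLS default ports) together with the plain-text check from the note, and emits the resulting CLI line. The function names, the key_is_encrypted flag (the reference does not describe the encrypted-key format, so the caller must state it) and the sample addresses are this example's own assumptions; reading the reference's "a-z" as case-insensitive is also an assumption.

```python
import ipaddress
import re
from typing import Optional

# Values stated in the command reference.
DEFAULT_UDP_AUTH_PORT = 1812          # RADIUS over UDP
DEFAULT_TLS_AUTH_PORT = 2083          # RADIUS over TLS (radsec)
MAX_HOST_NAME_LEN = 40
MAX_KEY_LEN = 40
RADSEC_FIXED_KEY = "radsec"           # must not be changed in TLS mode (RFC 6614)
VALID_ENCRYPTION_LEVELS = (0, 7)
VALID_PROTOCOLS = ("chap", "pap", "peap")

# Reference: alphanumerics, underscore and '!' only. Treating the reference's
# "a-z" as case-insensitive is an assumption of this example.
_KEY_CHARS = re.compile(r"^[A-Za-z0-9_!]+$")


class RadiusConfigError(ValueError):
    """A parameter violates a rule stated in the command reference."""


def validate_server(server: str) -> str:
    """Accept an IPv4/IPv6 literal as-is; otherwise enforce the host-name length limit."""
    try:
        ipaddress.ip_address(server)
        return server
    except ValueError:
        pass
    if not 1 <= len(server) <= MAX_HOST_NAME_LEN:
        raise RadiusConfigError(f"host name must be 1-{MAX_HOST_NAME_LEN} characters")
    return server


def validate_shared_secret(key: str) -> None:
    """Length and character-set rules for a plain-text shared secret."""
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise RadiusConfigError(f"key must be 1-{MAX_KEY_LEN} characters, got {len(key)}")
    if not _KEY_CHARS.match(key):
        raise RadiusConfigError("key may contain only letters, digits, '_' and '!'")


def quote_shared_secret(key: str) -> str:
    """A '!' must be protected on the CLI: wrap the key in double quotes
    (the alternative the reference gives is escaping each '!' as \\!)."""
    return f'"{key}"' if "!" in key else key


def effective_auth_port(radsec: bool, auth_port: Optional[int]) -> int:
    """Port the device will use: the explicit value, else the UDP or TLS default."""
    if auth_port is not None:
        return auth_port
    return DEFAULT_TLS_AUTH_PORT if radsec else DEFAULT_UDP_AUTH_PORT


def build_radius_server_command(
    server: str,
    *,
    vrf: Optional[str] = None,
    auth_port: Optional[int] = None,
    radsec: bool = False,
    timeout: Optional[int] = None,
    retries: Optional[int] = None,
    key: Optional[str] = None,
    key_is_encrypted: bool = False,   # assumption: caller knows whether 'key' is an encrypted blob
    protocol: Optional[str] = None,
    encryption_level: Optional[int] = None,
) -> str:
    """Return a validated 'radius-server host ...' line. Only explicitly given
    options are emitted, matching the style of the reference examples."""
    parts = ["radius-server host", validate_server(server)]
    if vrf is not None:
        parts += ["use-vrf", vrf]
    if auth_port is not None:
        if not 1 <= auth_port <= 65535:
            raise RadiusConfigError("auth-port must be 1-65535")
        parts += ["auth-port", str(auth_port)]
    if radsec:
        parts.append("radsec")
    if timeout is not None:
        parts += ["timeout", str(timeout)]
    if retries is not None:
        parts += ["retries", str(retries)]
    level = 7 if encryption_level is None else encryption_level
    if level not in VALID_ENCRYPTION_LEVELS:
        raise RadiusConfigError("encryption-level must be 0 or 7")
    if key is not None:
        if radsec and key != RADSEC_FIXED_KEY:
            raise RadiusConfigError("RADIUS over TLS key must stay 'radsec' (RFC 6614)")
        if level == 0 and key_is_encrypted:
            # Same condition the device rejects with its own error message.
            raise RadiusConfigError(
                "Error: Input key must be plain text when encryption-level selected is 0.")
        if not key_is_encrypted:
            validate_shared_secret(key)
        parts += ["key", quote_shared_secret(key)]
    if protocol is not None:
        if protocol not in VALID_PROTOCOLS:
            raise RadiusConfigError("protocol must be chap, pap or peap")
        parts += ["protocol", protocol]
    if encryption_level is not None:
        parts += ["encryption-level", str(level)]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample inputs (documentation addresses, not real servers).
    print(build_radius_server_command("10.24.65.6", vrf="green-vrf"))
    print(build_radius_server_command("2001:db8::1", key="secret!key", encryption_level=0))
```

Running the validator before pushing configuration catches the three cases the device would otherwise reject at the prompt: an encrypted key with encryption-level 0, a key other than radsec in TLS mode, and a shared secret containing characters outside the allowed set.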

Examples

This example configures a RADIUS server.

device# configure terminal
device(config)# radius-server host 10.24.65.6
device(config-radius-server-10.24.65.6/mgmt-vrf)#

This example configures a RADIUS server and specifies that communication with the server takes place through the green-vrf.

device# configure terminal
device(config)# radius-server host 10.24.65.6 use-vrf green-vrf
device(config-radius-server-10.24.65.6/green-vrf)#