Each device client must be individually configured to use RADIUS servers.
You use the radius-server host command to specify the server IP address and the VRF through which to communicate with the RADIUS server.
You can configure a maximum of 5 RADIUS servers on a device for AAA service.
Note
RADIUS Server must be configured to support Vendor-Specific-Attribute (VSA) in addition to configuring RADIUS Server support on the device.

The following table describes the configuration commands associated with the VRF used to connect to the RADIUS server.
Command | Description
---|---
auth-port | Configures the User Datagram Protocol (UDP) port used to connect to the RADIUS server for authentication. The port range is 0 through 65535; the default port is 1812.
protocol | Configures the authentication protocol to be used. Options include CHAP, PAP, and PEAP. The default protocol is CHAP. IPv6 hosts are not supported if PEAP is the configured protocol.
key | Configures the shared secret between the device and the RADIUS server. The default value is "sharedsecret". The key cannot contain spaces and must be from 8 through 40 characters in length. Empty keys are not supported.
retries | Configures the number of attempts permitted to connect to a RADIUS server. The range is 0 through 100, and the default value is 5.
source-interface | Configures a source IP address for RADIUS packets that originate on the device.
timeout | Configures the time to wait for a server to respond. The range is 1 through 60 seconds. The default value is 5 seconds.
encryption-level | Configures whether the shared secret (key) is stored in clear text or in encrypted form. Possible values are 0 and 7, where 0 stores the key in clear text and 7 stores it encrypted. The default is 7 (encrypted).
Note
If you do not configure a shared secret using the key command, the authentication session is not encrypted. The shared secret configured using the key command must match the value configured in the RADIUS configuration file; otherwise, the communication between the server and the device fails.

There may be situations or configurations where SSH server and RADIUS / TACACS+ server timeouts conflict. The default timeout for the SSH server max-login-timeout is 120 seconds. The default timeout for RADIUS / TACACS+ is 5 seconds, with a retry default of 5 attempts, which yields a worst-case wait of 25 seconds per server (5 seconds x 5 attempts).
Administrators should be aware that the following situation can occur:
If AAA authentication has been configured with the local-authfallback/local option using five RADIUS / TACACS+ servers, and those servers are not reachable, then the login timeout effectively becomes 125 seconds (25 seconds x 5 servers = 125 seconds). Since the default timeout for the SSH server is 120 seconds, the SSH server will time out before login can succeed, preventing even the admin from logging in.
It is recommended that administrators evaluate the default timeouts if this scenario is possible, and make the necessary adjustments to the default values for timeout and retry attempts.
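As an added illustration of the timeout budget described above (example code, not part of the original documentation or the device software), the following script parses a constructed running-config fragment, applies the page's defaults and ranges, and checks whether local fallback can complete before the SSH server's max-login-timeout expires. The "radius-server host &lt;addr&gt; [timeout N] [retries N]" line layout and the per-server cost of timeout x retries are assumptions taken from the page's 25-second figure.

```python
import re

# Defaults taken from the page: RADIUS timeout 5 s, retries 5, at most 5 servers,
# SSH max-login-timeout 120 s.
RADIUS_TIMEOUT_DEFAULT = 5
RADIUS_RETRIES_DEFAULT = 5
MAX_RADIUS_SERVERS = 5
SSH_MAX_LOGIN_TIMEOUT_DEFAULT = 120

# Constructed sample config fragments (documentation addresses, not real hosts). The
# "radius-server host <addr> [timeout N] [retries N]" layout is an assumption for this
# example, not the device's exact command grammar.
DEFAULT_CONFIG = "\n".join(f"radius-server host 192.0.2.{i}" for i in range(1, 6))
TUNED_CONFIG = "\n".join(
    f"radius-server host 192.0.2.{i} timeout 3 retries 2" for i in range(1, 6))

def parse_radius_servers(config_text):
    """Return one dict per radius-server host line, filling in the page's defaults
    and rejecting values outside the documented ranges or server count."""
    servers = []
    for line in config_text.splitlines():
        m = re.match(r"\s*radius-server host (\S+)(.*)$", line)
        if not m:
            continue
        addr, opts = m.group(1), m.group(2)
        t = re.search(r"\btimeout (\d+)", opts)
        r = re.search(r"\bretries (\d+)", opts)
        timeout = int(t.group(1)) if t else RADIUS_TIMEOUT_DEFAULT
        retries = int(r.group(1)) if r else RADIUS_RETRIES_DEFAULT
        if not 1 <= timeout <= 60:
            raise ValueError(f"{addr}: timeout {timeout} outside 1-60 s")
        if not 0 <= retries <= 100:
            raise ValueError(f"{addr}: retries {retries} outside 0-100")
        servers.append({"host": addr, "timeout": timeout, "retries": retries})
    if len(servers) > MAX_RADIUS_SERVERS:
        raise ValueError(f"{len(servers)} servers configured, maximum is {MAX_RADIUS_SERVERS}")
    return servers

def worst_case_login_seconds(servers):
    """Seconds spent before local fallback when every server is unreachable: each
    server costs timeout x retries, matching the page's 25 s per-server figure."""
    return sum(s["timeout"] * s["retries"] for s in servers)

def fallback_fits_ssh(servers, ssh_max_login_timeout=SSH_MAX_LOGIN_TIMEOUT_DEFAULT):
    """True when local fallback can complete before the SSH server drops the session."""
    return worst_case_login_seconds(servers) < ssh_max_login_timeout

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULT_CONFIG), ("tuned", TUNED_CONFIG)):
        s = parse_radius_servers(cfg)
        print(name, worst_case_login_seconds(s), "s; fits SSH window:", fallback_fits_ssh(s))
```

With the defaults the script reports 125 seconds and a failed check; with timeout 3 and retries 2 on all five servers the worst case drops to 30 seconds.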