RADIUS Configuration Command directory
This chapter describes the commands used to configure RADIUS. RADIUS is a distributed client/server system that protects a network against unauthorized access. The RADIUS client runs on the router and sends authentication, authorization and accounting requests to a central RADIUS server, which holds the authentication data of all users and the network service access information.
For further information and configuration examples, refer to the section “Configuring RADIUS”.
The command “debug radius” traces RADIUS events or packets. The “no” form of the command turns the debug output off.
debug radius {event | packet}
no debug radius {event | packet}
parameter:
event: Trace RADIUS events
packet: Trace RADIUS packets
Default:
none
Command mode:
Supervisor mode
Explanation:
Use this command to debug the network system and find the cause of an authentication failure. The event trace below shows a request that no server answers; the table that follows explains each line.
Router#debug radius event
RADIUS:return message to aaa, Give me your username
RADIUS:return message to aaa, Give me your password
RADIUS:inital transmit access-request [4] to 192.168.20.126 1812 <length=70>
RADIUS:retransmit access-request [4] to 192.168.20.126 1812 <length=70>
RADIUS:retransmit access-request [4] to 192.168.20.126 1812 <length=70>
RADIUS:192.168.20.126 is dead to response [4]
RADIUS:Have tried all servers,return error to aaa
Output Information | Explanation
return message to aaa, Give me your username | The username is requested.
return message to aaa, Give me your password | The password belonging to that username is requested.
inital transmit access-request [4] to 192.168.20.126 1812 <length=70> | The first authentication request is sent to the RADIUS server at 192.168.20.126, UDP port 1812; the packet is 70 bytes long.
retransmit access-request [4] to 192.168.20.126 1812 <length=70> | The server did not answer within the timeout, so the authentication request is retransmitted.
192.168.20.126 is dead to response [4] | After all retransmissions the server has still not responded, so it is marked as dead.
Have tried all servers,return error to aaa | Every configured server has been tried without success; RADIUS authentication ends and an error is returned to AAA.
Example:
The following example enables RADIUS event tracing.
debug radius event
The global configuration command “ip radius source-interface” forces RADIUS to use the IP address of the specified interface as the source address of every packet it sends. The “no” form of the command restores the default.
ip radius source-interface interface-name
no ip radius source-interface
parameter:
interface-name: RADIUS uses the IP address of this interface as the source address of all RADIUS packets it sends.
Default:
No source interface is specified; the source IP address is then determined by the actual forwarding conditions.
Command mode:
global configuration mode
Explanation:
This command selects the IP address of an interface as the source address of outgoing RADIUS packets. As long as the interface is up, that address is used for every packet. The RADIUS server therefore sees a single IP address for this router client instead of having to maintain a list of addresses. This matters because a RADIUS server identifies its clients, and selects the shared secret to use, by the source IP address of the request; a request arriving from an unexpected address is normally discarded. The command is especially useful on a router with many interfaces, where all RADIUS packets from that router should carry the same source IP address.
The specified interface must have an IP address. If it has no IP address or is down, RADIUS reverts to the default behaviour and the source address may change. To avoid this, assign an IP address to the interface and keep it up; a loopback interface, which does not go down with a physical link, is a common choice.
Example:
The following example makes RADIUS use the IP address of interface s1/2 as the source address of all RADIUS packets.
ip radius source-interface s1/2
Relevant command:
The command “radius challenge-noecho” prevents user input from being echoed while the router is handling an Access-Challenge.
radius challenge-noecho
no radius challenge-noecho
parameter:
none
Default:
User input is echoed during an Access-Challenge.
Command mode:
global configuration mode
Explanation:
When the RADIUS server answers an Access-Request with an Access-Challenge, the router displays the server's prompt and asks the user for a further response, for example a one-time token code. By default the characters the user types are shown on the terminal; with this command they are hidden in the same way as a password.
Example:
radius challenge-noecho
The global configuration command “radius dead-time” improves RADIUS response time when some servers are unavailable: it lets the system skip servers that are not responding. The “no” form of the command sets the dead time to 0, meaning that all servers are treated as available.
radius dead-time minutes
no radius dead-time
parameter:
minutes: Length of time, in minutes, for which a non-responding RADIUS server is treated as unavailable; the maximum is 1440 minutes (24 hours).
Default:
The dead time is 0, meaning that a server is always treated as available.
Command mode:
global configuration mode
Explanation:
This command marks a RADIUS server that does not respond to authentication requests as “dead”, so that the router does not wait through another full timeout and retransmit cycle for it before trying the next server. A server marked “dead” is skipped by all requests for the configured number of minutes, unless every server is marked “dead”, in which case the servers are tried anyway.
Example:
The following example sets a dead time of 5 minutes for a RADIUS server that does not respond to requests.
radius dead-time 5
Relevant command:
The global configuration command “radius server” specifies the IP address of a RADIUS server. The “no” form of the command deletes the specified RADIUS host.
radius server ip-address [auth-port port-number1] [acct-port port-number2]
no radius server ip-address
parameter:
ip-address: The IP address of the RADIUS server.
auth-port: (optional) Specifies the UDP destination port for authentication requests.
port-number1: (optional) The port number for authentication requests. If set to 0, the host is not used for authentication.
acct-port: (optional) Specifies the UDP destination port for accounting requests.
port-number2: (optional) The port number for accounting requests. If set to 0, the host is not used for accounting.
Default:
No RADIUS host is specified.
Command mode:
global configuration mode
Explanation:
The “radius server” command can be entered repeatedly to specify multiple servers. When a server has to be skipped, the servers are polled in the order in which they were configured. The IANA-assigned ports are UDP 1812 for authentication and 1813 for accounting; the event trace above shows an authentication request going to port 1812.
Example:
The example below specifies a RADIUS host with IP address 1.1.1.1. The default ports are used for authentication and accounting.
radius server 1.1.1.1
The following example specifies port 12 as the destination port for authentication requests to the RADIUS host with IP address 1.2.1.2, and port 16 as the destination port for accounting requests.
radius server 1.2.1.2 auth-port 12 acct-port 16
Relevant command:
The global configuration command “radius optional-passwords” makes the router send its first authentication request to the RADIUS server with the username only, without a password. The “no” form of the command restores the default.
radius optional-passwords
no radius optional-passwords
parameter:
none
Default:
Optional-password mode is disabled.
Command mode:
global configuration mode
Explanation:
When the user enters a login name, the router sends an authentication request containing the username and a zero-length password. If the server accepts the request, login authentication is complete. If the server rejects it, the router prompts for the password and sends a second authentication request with it. The RADIUS server must support authenticating users without a password for this feature to be of any use. Note that every login by a user who does have a password then costs an extra round trip and produces a rejection in the server log, and that any account the server accepts with an empty password can be used by anyone who knows its name.
Example:
The following example configures the router to omit the user password from the first authentication request.
radius optional-passwords
Relevant command:
The global configuration command “radius key” sets the shared secret that protects RADIUS communication between the router and the RADIUS server. The “no” form of the command removes the key.
radius key string
no radius key
parameter:
string: The shared secret. It must match the secret configured on the RADIUS server.
Default:
The secret is an empty string.
Command mode:
global configuration mode
Explanation:
The key you enter must match the one used by the RADIUS server. Leading spaces are ignored; the key itself must not contain spaces. RADIUS does not encrypt whole packets with this key: it is used to hide the User-Password attribute in Access-Requests and to compute the authenticator that proves a reply came from a holder of the secret. All other attributes travel in clear text, and the MD5-based protection is weak by current standards, so the secret should be long and random and unique per client, and RADIUS traffic should be kept on a protected management path.
Example:
The following example sets the shared secret to “firstime”.
radius key firstime
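The following Python example is added here and is not part of the original reference. It shows what the shared secret from “radius key” actually does on the wire, following RFC 2865: it hides the User-Password attribute of an Access-Request (including the zero-length password that “radius optional-passwords” sends in the first request) and computes and verifies the Response Authenticator of the server's reply. The username, password, addresses and the fixed authenticator used in the demo are constructed values; a real client must draw a fresh random Request Authenticator for every request.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Type-Length-Value; Length counts the two header octets too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous block), the first block using the
    Request Authenticator. A zero-length password, as sent by
    'radius optional-passwords', becomes one block of 16 NUL bytes."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """Access-Request as the router sends it. The Request Authenticator must be
    fresh random bytes for every request; a fixed one may be passed in only to
    get reproducible output, as the demo below does."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Access-Accept or Access-Reject as the server sends it. RFC 2865 section 3:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check that a reply was produced by a holder of the shared
    secret for our outstanding request. Without it, any host able to spoof
    the server's address could hand the router an Access-Accept."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    secret = b"firstime"                       # the key from the example above
    req_auth = bytes(range(16))                # fixed only for a reproducible demo
    req = build_access_request(4, secret, b"alice", b"s3cret", "192.168.20.1", req_auth)
    print("Access-Request:", req.hex())
    reply = build_response(ACCESS_ACCEPT, 4, req_auth, secret)
    print("reply verifies with correct secret:", verify_response(reply, req_auth, secret))
    print("reply verifies with empty secret:  ", verify_response(reply, req_auth, b""))
```

Run it directly to print the packet bytes. With an empty or wrong secret the reply check fails even though the packet itself is well formed, which is exactly the failure a mismatched key between router and server produces.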
Relevant command:
The global configuration command “radius retransmit” specifies how many times a request is tried before a server is given up on. The “no” form of the command restores the default.
radius retransmit retries
no radius retransmit
parameter:
retries: The maximum number of tries; the default is 3.
Default:
3 tries
Command mode:
global configuration mode
Explanation:
This command is normally used together with “radius timeout”: the timeout sets how long the router waits for a server response, and the retransmit count sets how many times the request is retried after a timeout.
Example:
The example below sets the retry counter to 5.
radius retransmit 5
Relevant command:
The global configuration command “radius timeout” sets how long the router waits for a response from the server. The “no” form of the command restores the default.
radius timeout seconds
no radius timeout
parameter:
seconds: The timeout in seconds; the default is 5 seconds.
Default:
5 seconds
Command mode:
global configuration mode
Explanation:
This command is normally used together with “radius retransmit”. The worst-case delay before a login fails over to the next server is the timeout multiplied by the number of tries, for every server that is not marked dead; “radius dead-time” limits how often that delay is paid for a server that stays down.
Example:
The example below sets the timeout timer to 10 seconds.
radius timeout 10
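The following Python model is added here as an illustration and is not taken from the router's own software. It ties “radius timeout”, “radius retransmit” and “radius dead-time” together: it walks the configured server list in order, retries each server, marks a silent server dead and skips it until its dead time has passed, and reproduces the sequence of the event trace shown under “debug radius”. The transport and clock are simulated so it runs offline. Treating the retransmit value as the total number of tries per server (which matches the three transmissions in the trace) is an assumption; check it against the device.

```python
import time
from dataclasses import dataclass


@dataclass
class RadiusServer:
    """One entry created by 'radius server <ip-address> [auth-port N]'."""
    address: str
    auth_port: int = 1812
    dead_until: float = 0.0   # clock value until which the server is skipped


class RadiusFailover:
    """Server selection and retry loop of a RADIUS client, modelled on the
    'radius timeout', 'radius retransmit' and 'radius dead-time' settings."""

    def __init__(self, servers, timeout=5, retransmit=3, dead_time=0, clock=time.monotonic):
        self.servers = list(servers)   # polled in configuration order
        self.timeout = timeout         # seconds to wait for each reply
        self.retransmit = retransmit   # tries per server (assumed to include the first send)
        self.dead_time = dead_time     # minutes a silent server stays marked dead
        self.clock = clock

    def candidates(self):
        """Servers not currently marked dead. When every server is dead the
        whole list is used again, as described under 'radius dead-time'."""
        now = self.clock()
        live = [s for s in self.servers if s.dead_until <= now]
        return live if live else list(self.servers)

    def authenticate(self, request, transport):
        """transport(server, request, timeout) returns the reply bytes, or None
        when nothing arrived within timeout seconds (a real client would use a
        UDP socket here). Returns (reply, trace); reply is None when every
        candidate server failed, matching the 'return error to aaa' line."""
        trace = []
        for srv in self.candidates():
            for attempt in range(max(1, self.retransmit)):
                kind = "initial transmit" if attempt == 0 else "retransmit"
                trace.append(f"{kind} access-request to {srv.address} {srv.auth_port}")
                reply = transport(srv, request, self.timeout)
                if reply is not None:
                    return reply, trace
            trace.append(f"{srv.address} is dead to response")
            srv.dead_until = self.clock() + self.dead_time * 60
        trace.append("Have tried all servers, return error to aaa")
        return None, trace


class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo needs no sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_transport(answering):
    """Constructed transport: servers whose address is in 'answering' reply at
    once; all others stay silent, which the client sees as a timeout."""
    def transport(server, request, timeout):
        return b"Access-Accept" if server.address in answering else None
    return transport


def demo():
    """Primary server silent, secondary answering, dead-time 5 minutes."""
    clock = FakeClock()
    client = RadiusFailover(
        [RadiusServer("192.168.20.126"), RadiusServer("192.168.20.127")],
        timeout=5, retransmit=3, dead_time=5, clock=clock)
    transport = make_transport({"192.168.20.127"})
    first = client.authenticate(b"access-request", transport)   # full retry cycle on .126
    second = client.authenticate(b"access-request", transport)  # .126 skipped while dead
    clock.advance(5 * 60)                                       # dead time expires
    third = client.authenticate(b"access-request", transport)   # .126 is tried again
    return first, second, third


if __name__ == "__main__":
    for reply, trace in demo():
        print("\n".join(trace), "->", reply)
```

With dead-time left at 0 the silent server is marked dead and immediately eligible again, so every login pays the full timeout and retransmit cycle on it; that is the delay the “radius dead-time” command is meant to avoid.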
The global configuration command “radius vsa send” configures the router to recognize and use vendor-specific attributes (VSAs). The “no” form of the command restores the default.
radius vsa send [accounting | authentication]
no radius vsa send [accounting | authentication]
parameter:
accounting: (optional) Restricts the recognized vendor-specific attributes to accounting attributes.
authentication: (optional) Restricts the recognized vendor-specific attributes to authentication attributes.
Default:
VSAs are not used.
Command mode:
global configuration mode
Explanation:
The IETF Vendor-Specific attribute (attribute 26) defines how vendor-specific information is exchanged between the router and the RADIUS server. It allows a vendor to support its own extended attributes that are not suited to general use. The “radius vsa send” command enables the router to recognize and use VSAs for authentication and accounting. The “accounting” keyword limits the recognized VSAs to accounting attributes; the “authentication” keyword limits them to authentication attributes.
Example:
The example below configures the router to recognize and use vendor-specific accounting attributes.
radius vsa send accounting
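As an added example, not code from the original reference, the following Python encodes a Vendor-Specific attribute and parses an attribute list back, expanding the vendor sub-attributes that attribute 26 carries. Every length octet is bounds-checked, because a RADIUS parser that trusts the length fields is a classic source of out-of-bounds reads. The vendor number 99999 and the sub-attribute contents are placeholders, not entries from a real vendor dictionary.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26
MAX_ATTR_VALUE = 253   # attribute Length is one octet and includes its 2-octet header


def encode_vsa(vendor_id, subattrs):
    """One Vendor-Specific attribute (RFC 2865 section 5.26) carrying one or
    more vendor sub-attributes:
    Type=26 | Length | Vendor-Id (4 octets, high octet 0) | {Vendor-Type | Vendor-Length | value}..."""
    if not 0 < vendor_id < 1 << 24:
        raise ValueError("Vendor-Id must be a 24-bit enterprise number")
    body = struct.pack("!I", vendor_id)
    for vendor_type, value in subattrs:
        if len(value) > MAX_ATTR_VALUE:
            raise ValueError("sub-attribute value too long")
        body += struct.pack("!BB", vendor_type, len(value) + 2) + value
    if len(body) > MAX_ATTR_VALUE:
        raise ValueError("too much data for one attribute; split across several")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def parse_attributes(blob):
    """Walk the attribute list of a RADIUS packet. Returns (type, value) for a
    standard attribute and (26, vendor_id, vendor_type, value) for every
    vendor sub-attribute found inside a Vendor-Specific attribute. Each length
    octet is checked against the bytes actually present, so a malformed packet
    raises ValueError instead of reading past the buffer."""
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = blob[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC:
            out.append((atype, value))
            continue
        if len(value) < 6:
            raise ValueError("Vendor-Specific attribute too short for a sub-attribute")
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id >> 24:
            raise ValueError("Vendor-Id high octet must be zero")
        sub, spos = value[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute header")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError(f"bad vendor length {vlen} in Vendor-Id {vendor_id}")
            out.append((ATTR_VENDOR_SPECIFIC, vendor_id, vtype, sub[spos + 2:spos + vlen]))
            spos += vlen
    return out


def is_well_formed(blob):
    """True if the attribute list parses without a length violation."""
    try:
        parse_attributes(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: User-Name plus a VSA with two placeholder sub-attributes.
    sample = b"\x01\x07alice" + encode_vsa(99999, [(1, b"priv-lvl=15"), (2, b"group=admin")])
    for item in parse_attributes(sample):
        print(item)
    # Same VSA with its first Vendor-Length octet overwritten to overrun the buffer.
    broken = bytearray(sample)
    broken[7 + 2 + 4 + 1] = 200
    print("malformed copy accepted:", is_well_formed(bytes(broken)))
```

A server that is not told which VSAs to expect (the “accounting” and “authentication” keywords above) should still parse unknown vendor sub-attributes safely and ignore them; the inner length check is what makes that possible.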
Relevant command: