RADIUS Configuration Command directory

debug radius

ip radius source-interface

radius challenge-noecho

radius dead-time

radius server

radius optional-passwords

radius key

radius retransmit

radius timeout

radius vsa send

 

This chapter introduces the commands for RADIUS configuration. RADIUS is a distributed client/server system that prevents unauthorized access to the network. The RADIUS client runs on the router and sends authentication, authorization and accounting requests to a central RADIUS server, which holds the authentication data for all users and the information about their network service access.

For information and examples on configuring RADIUS, refer to the “Configuring RADIUS” chapter.

debug radius

The command “debug radius” traces RADIUS events or packets. The “no” form of the command turns the debug output off.

 

debug radius event | packet

no debug radius event | packet

parameter:

event      Traces RADIUS events

packet     Traces RADIUS packets

Default:

none

Command mode:

Supervisor mode

Explanation:

The command is used when debugging the network to find the cause of an authentication failure.

Router#debug radius event

RADIUS:return message to aaa, Give me your username

RADIUS:return message to aaa, Give me your password

RADIUS:inital transmit access-request [4] to 192.168.20.126  1812 <length=70>

RADIUS:retransmit access-request [4] to 192.168.20.126 1812 <length=70>

RADIUS:retransmit access-request [4] to 192.168.20.126 1812 <length=70>

RADIUS:192.168.20.126 is dead to response [4]

RADIUS:Have tried all servers,return error to aaa

Output Information / Explanation

return message to aaa, Give me your username
    The username is requested.

return message to aaa, Give me your password
    The password for that username is requested.

inital transmit access-request [4] to 192.168.20.126 1812 <length=70>
    The first authentication request is sent to the RADIUS server. The server address is 192.168.20.126, the port number is 1812 and the packet length is 70.

retransmit access-request [4] to 192.168.20.126 1812 <length=70>
    The server has not answered the request, so the authentication request is retransmitted.

192.168.20.126 is dead to response [4]
    After repeated retransmissions the server still has not answered and is marked as dead.

Have tried all servers,return error to aaa
    Every configured server has been tried without a response; RADIUS authentication ends and an error is returned to AAA.

Example:

The following example enables RADIUS event tracing.

debug radius event

ip radius source-interface

The global configuration command “ip radius source-interface” forces RADIUS to use the IP address of the specified interface as the source address of all packets it sends. The “no” form of the command restores the default.

ip radius source-interface interface-name

no ip radius source-interface

parameter:

interface-name     The interface whose IP address is used as the source address of all RADIUS packets sent.

Default:

The command has no manufacturer-assigned default; when it is not configured the source IP address is chosen according to the outgoing route.

Command mode:

global configuration mode

Explanation:

The command selects the IP address of one interface as the source address for outgoing RADIUS packets. As long as that interface is in the “up” state, its address is used for every packet. The RADIUS server therefore sees a single IP address per client instead of having to maintain a list of addresses. The command is especially useful when the router has many interfaces and all RADIUS packets from a given router must carry the same source IP address.

The specified interface must have an IP address assigned to it. If the interface has no IP address or is in the “down” state, RADIUS falls back to the default behaviour. To avoid this, assign an IP address to the interface and make sure it stays in the “up” state.

Example:

The following example makes RADIUS use the IP address of interface s1/2 for all RADIUS packets it sends.

ip radius source-interface s1/2

 

Relevant command:

ip tacacs source-interface

 

radius challenge-noecho

The command “radius challenge-noecho” prevents the data the user enters in response to an Access-Challenge from being echoed on the terminal.

radius challenge-noecho

no radius challenge-noecho

parameter:

none

Default:

User input is echoed during an Access-Challenge.

Command mode:

global configuration mode

Explanation:

none

Example:

radius challenge-noecho

radius dead-time

The global configuration command “radius dead-time” improves RADIUS response time when some servers are unavailable by letting the system skip servers that are not responding. The “no” form of the command sets the dead time to 0, meaning that every server is treated as available.

radius dead-time minutes

no radius dead-time

parameter:

minutes     The length of time for which a RADIUS server is treated as unavailable; the maximum is 1440 minutes (24 hours).

Default:

The dead time is 0, meaning that every server is always treated as available.

Command mode:

global configuration mode

Explanation:

The command marks RADIUS servers that do not respond to authentication requests as “dead”, so that the router does not wait too long for a response before trying the next server. A server marked “dead” is skipped by all requests for the configured number of minutes, unless every server is marked “dead”.

Example:

The following example sets a dead time of 5 minutes for RADIUS servers that do not respond to requests.

radius dead-time 5

Relevant command:

radius server

radius retransmit

radius timeout

radius server

The global configuration command “radius server” specifies the IP address of a RADIUS server. The “no” form of the command deletes the specified RADIUS host.

radius server ip-address [auth-port port-number1] [acct-port port-number2]
no radius server ip-address

parameter:

ip-address      The IP address of the RADIUS server.

auth-port       (optional) Specifies the UDP destination port for authentication requests.

port-number1    (optional) The port number for authentication requests. If set to 0, the host is not used for authentication.

acct-port       (optional) Specifies the UDP destination port for accounting requests.

port-number2    (optional) The port number for accounting requests. If set to 0, the host is not used for accounting.

Default:

No RADIUS host is configured.

Command mode:

global configuration mode

Explanation:

The command “radius server” can be entered repeatedly to configure multiple servers. When a server must be chosen, the servers are polled in the order in which they were configured.

Example:

The example below configures the RADIUS host with IP address 1.1.1.1. The default ports are used for authentication and accounting.

radius server 1.1.1.1

The following example configures the RADIUS host with IP address 1.2.1.2, using port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests.

radius server 1.2.1.2 auth-port 12 acct-port 16

Relevant command:

aaa authentication

radius key

tacacs server

username

radius optional-passwords

The global configuration command “radius optional-passwords” makes the first authentication request sent to the RADIUS server carry only the username, without a password. The “no” form of the command restores the default.

radius optional-passwords

no radius optional-passwords

parameter:

none

Default:

Optional-password mode is disabled.

Command mode:

global configuration mode

Explanation:

When the user enters a login name, the authentication request contains the username and a zero-length password. If the request is accepted, login authentication is complete. If the RADIUS server rejects the request, the user is prompted for a password, and when the password is entered a second authentication attempt is made. The RADIUS server must support authenticating users without a password for this feature to work.

 

Example:

The following example configures the router to omit the user password from the first authentication request.

radius optional-passwords

Relevant command:

radius server

radius key

The global configuration command “radius key” sets the key used to protect RADIUS communication between the router and the RADIUS server. The “no” form of the command removes the key.

radius key string

no radius key

parameter:

string     The shared secret key. It must match the key configured on the RADIUS server.

Default:

The key is an empty string.

Command mode:

global configuration mode

Explanation:

The key entered must match the one configured on the RADIUS server. Space characters in the entered string are ignored, so the resulting key contains no spaces.

Example:

The following example sets the key to “firstime”.

radius key firstime

Relevant command:

radius server

tacacs server

username
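Added example, not from the manual, showing what the “radius key” shared secret is actually used for on the wire, following RFC 2865: it does not encrypt whole packets, it hides the User-Password attribute of an Access-Request and lets the router verify that a reply came from a server holding the same key. The attribute bytes and authenticator values are constructed.

```python
import hashlib
import hmac

# Added example (not from the manual): the two jobs the "radius key" secret does
# in RFC 2865. It never encrypts a whole packet; it hides the User-Password
# attribute and authenticates replies (Access-Accept/Reject/Challenge).

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator."""
    assert len(request_auth) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; a wrong secret yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code: int, ident: int, attrs: bytes,
                request_auth: bytes, secret: bytes) -> bytes:
    """What a server sends back: header, Response Authenticator, attributes."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check the router performs with its configured key: a reply
    built with a different key, or forged, fails here and is discarded."""
    if len(reply) < 20:
        return False
    expected = response_authenticator(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)
```

Because the hiding is MD5-based and keyed only by this secret, a weak or shared key is the main thing an attacker with packet capture needs, which is why the key should be long, random and unique per client.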

radius retransmit

The global configuration command “radius retransmit” sets the number of times a request is sent to a server before that server is given up on. The “no” form of the command restores the default.

radius retransmit retries

no radius retransmit

parameter:

retries     The maximum number of attempts; the default is 3.

Default:

3 trials

Command mode:

global configuration mode

Explanation:

The command is usually used together with “radius timeout”: the timeout sets how long to wait for a server response, and the retransmit count sets how many attempts are made after a timeout.

Example:

The example below sets the retransmit counter to 5.

radius retransmit 5

Relevant command:

radius timeout

radius timeout

The global configuration command “radius timeout” sets how long the router waits for a server response. The “no” form of the command restores the default.

radius timeout seconds

no radius timeout

parameter:

seconds     The timeout in seconds; the default is 5 seconds.

Default:

5 seconds

Command mode:

global configuration mode

Explanation:

The command is usually used together with the command “radius retransmit”.

Example:

The example below sets the timeout timer to 10 seconds.

radius timeout 10
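Added example, not from the manual, that simulates how the “radius server”, “radius retransmit”, “radius timeout” and “radius dead-time” settings described above interact when a client walks its server list. The send callback and server addresses are constructed stand-ins for the real UDP exchange; it assumes the retries value counts total transmissions, which matches the three sends shown in the debug radius output earlier.

```python
# Added example (not from the manual): a model of the client-side failover logic
# behind "radius server", "radius retransmit", "radius timeout" and
# "radius dead-time". send(server, timeout) stands in for the real UDP exchange
# and returns True when a reply arrives within the timeout.
# Assumption: the retries value counts total transmissions (initial + retries).

class RadiusClient:
    def __init__(self, servers, retransmit=3, timeout=5, dead_time=0):
        self.servers = list(servers)      # polled in configuration order
        self.retransmit = retransmit      # radius retransmit <retries>
        self.timeout = timeout            # radius timeout <seconds>
        self.dead_time = dead_time * 60   # radius dead-time <minutes>, kept in seconds
        self.dead_until = {}              # server -> clock time its dead mark expires

    def candidates(self, now):
        """Servers to try at time `now`: dead ones are skipped unless all are dead."""
        live = [s for s in self.servers if self.dead_until.get(s, 0) <= now]
        return live if live else list(self.servers)

    def authenticate(self, send, now=0.0):
        """Returns (success, seconds spent waiting, trace of what was sent)."""
        trace, elapsed = [], 0.0
        for server in self.candidates(now):
            for attempt in range(self.retransmit):
                kind = "initial transmit" if attempt == 0 else "retransmit"
                trace.append(f"{kind} access-request to {server}")
                if send(server, self.timeout):
                    return True, elapsed, trace
                elapsed += self.timeout   # waited a full timeout, no reply
            trace.append(f"{server} is dead to response")
            if self.dead_time:            # dead-time 0 means never mark dead
                self.dead_until[server] = now + elapsed + self.dead_time
        trace.append("Have tried all servers, return error to aaa")
        return False, elapsed, trace
```

With dead-time 0 every login retries the unreachable server first, so a user waits retransmit × timeout seconds before the next server is tried; a non-zero dead-time removes that delay for subsequent logins.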

 

radius vsa send

The global configuration command “radius vsa send” configures the router to recognize and use vendor-specific attributes (VSAs). The “no” form of the command restores the default.

radius vsa send [accounting | authentication]

no radius vsa send [accounting | authentication]

parameter:

accounting          (optional) Limits the recognized vendor-specific attributes to accounting attributes.

authentication      (optional) Limits the recognized vendor-specific attributes to authentication attributes.

Default:

VSA is not used.

 

Command mode:

global configuration mode

Explanation:

The IETF defines the Vendor-Specific Attribute (VSA, attribute 26) as the method for exchanging vendor-specific information between the router and the RADIUS server. VSAs let vendors support their own extended attributes that are not suitable for general use. The command “radius vsa send” enables the router to recognize and use VSAs for both authentication and accounting. The keyword “accounting” limits the recognized VSAs to accounting attributes, and the keyword “authentication” limits them to authentication attributes.

Example:

The example below configures the router to recognize and use vendor-specific accounting attributes.

radius vsa send accounting

Relevant command:

radius server
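Added example, not from the manual, showing the on-the-wire layout of the attribute 26 that “radius vsa send” lets the router emit and accept, as defined in RFC 2865 section 5.26, together with a decoder that checks every length field before use. The vendor id and sub-attribute number are constructed sample values, not any real vendor's registration.

```python
import struct

# Added example (not from the manual): the wire format of a Vendor-Specific
# Attribute (RADIUS attribute 26, RFC 2865 s5.26):
#   Type=26 | Length | Vendor-Id (4 octets, high octet 0) | Vendor-Type | Vendor-Length | value
# Vendor id 9999 and sub-attribute 1 used below are constructed, not real.

VENDOR_SPECIFIC = 26

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one attribute-26 TLV carrying a single vendor sub-attribute."""
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be 0")
    body = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds 255 octets")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_attributes(data: bytes):
    """Walk a RADIUS attribute list into [(type, value)], expanding type 26
    into (vendor_id, [(vendor_type, value), ...]). Every length field is
    checked before use so a malformed packet raises instead of over-reading."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id, subs, p = struct.unpack("!I", value[:4])[0], [], 4
            while p < len(value):
                if p + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[p], value[p + 1]
                if vlen < 2 or p + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                subs.append((vtype, value[p + 2:p + vlen]))
                p += vlen
            out.append((atype, (vendor_id, subs)))
        else:
            out.append((atype, value))
        pos += alen
    return out
```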