Note |
The
radius-server host command is deprecated
from Cisco IOS Release 15.4(2)S. To configure an IPv4 or IPv6 RADIUS server,
use the
radius server
name command. For more information about the
radius server command, see Cisco IOS
Security Command Reference: Commands M to R.
|
To specify a
RADIUS server host, use the
radius-server
host command in global configuration mode. To delete the
specified RADIUS host, use the
no form of
this command.
Cisco IOS Release 12.4T and
Later Releases
radius-server host {hostname | ip-address} [alias {hostname | ip-address} | [acct-port port-number] [auth-port port-number] [non-standard] [timeout seconds] [retransmit retries] [backoff exponential [max-delay minutes] [backoff-retry number-of-retransmits] ] [key encryption-key]]
no radius-server host {hostname | ip-address}
All Other Releases
radius-server host {hostname | ip-address} [alias {hostname | ip-address} | [acct-port port-number] [auth-port port-number] [non-standard] [timeout seconds] [retransmit retries] [test username user-name [ignore-acct-port] [ignore-auth-port] [idle-time minutes]] [backoff exponential [max-delay minutes] [backoff-retry number-of-retransmits] ] [key-wrap encryption-key encryption-key message-auth-code-key encryption-key [format {ascii | hex}] | pac] [key encryption-key]]
no radius-server host {hostname | ip-address}
Syntax Description
hostname
|
Domain
Name System (DNS) name of the RADIUS server host.
|
ip-address
|
IP
address of the RADIUS server host.
|
alias
|
(Optional) Allows up to eight aliases per line for any given RADIUS server.
|
acct-port
port-number
|
(Optional) UDP destination port for accounting requests.
- The host is not used for
accounting if the port number is set to zero. If the port number is not
specified, the default port number assigned is 1646.
|
auth-port
port-number
|
(Optional) UDP destination port for authentication requests.
- The host is not used for
authentication if the port number is set to zero. If the port number is not
specified, the default port number assigned is 1645.
|
non-standard
|
Parses
attributes that violate the RADIUS standard.
|
timeout
seconds
|
(Optional) Time interval (in seconds) that the device waits for the RADIUS
server to reply before retransmitting.
- The timeout keyword
overrides the global value of the
radius-server
timeout command.
- If no timeout value is
specified, a global value is used; the range is from 1 to 1000.
|
retransmit
retries
|
(Optional) Number of times a RADIUS request is resent to a server, if that
server is not responding or there is a delay in responding.
- The retransmit keyword
overrides the global setting of the
radius-server
retransmit command.
- If no retransmit value is
specified, a global value is used; the range is from 1 to 100.
|
test username
user-name
|
(Optional) Sets the test username for the automated testing feature for RADIUS
server load balancing.
|
ignore-acct-port
|
(Optional) Disables the automated testing feature for RADIUS server load
balancing on the accounting port.
|
ignore-auth-port
|
(Optional) Disables the automated testing feature for RADIUS server load
balancing on the authentication port.
|
idle-time
minutes
|
(Optional) Length of time (in minutes) the server remains idle before it is
quarantined and test packets are sent out. The range is from 1 to 35791. The
default is 60.
|
backoff exponential
|
(Optional) Sets the exponential retransmit backoff mode.
|
max-delay
minutes
|
(Optional) Sets the maximum delay (in minutes) between retransmits.
- minutes —The
range is from 1 to 120. The default value is 3.
|
key-wrap encryption-key
|
(Optional) Specifies the key-wrap encryption key.
|
message-auth-code-key
|
Specifies the key-wrap message authentication code key.
|
format
|
(Optional) Specifies the format of the message authenticator
code key.
- Valid values are:
- ascii —Configures the key in ASCII format.
- hex —Configures the key in hexadecimal format.
|
backoff-retry
number-of-retransmits
|
(Optional) Specifies the exponential backoff retry.
-
number-of-retransmits —Number of backoff retries.
The range is from 1 to 50. The default value is 8.
|
pac
|
(Optional) Generates the per-server Protected Access Credential (PAC) key.
|
key
|
(Optional) Encryption key used between the device and the RADIUS daemon running
on this RADIUS server.
- The
key keyword
overrides the global setting of the
radius-server
key command. If no key string is specified, a global value is
used.
Note
|
The
key keyword
is a text string that must match the encryption key used on the RADIUS server.
Always configure the key as the last item in the
radius-server
host command syntax because the leading spaces are ignored, but
spaces within and at the end of the key are used. If you use spaces in the key,
do not enclose the key in quotation marks unless the quotation marks themselves
are part of the key.
|
|
encryption-key
|
Specifies the encryption key.
- Valid values for
encryption-key are:
- 0 —Specifies that an unencrypted key follows.
- 7 —Specifies that a hidden key follows.
- String specifying the
unencrypted (clear-text) server key.
|
Command Default
No RADIUS host is
specified and RADIUS server load balancing automated testing is disabled by
default.
Command Modes
Global configuration (config)
Command History
Release
|
Modification
|
11.1
|
This
command was introduced.
|
12.0(5)T
|
This
command was modified to add options for configuring timeout, retransmission,
and key values per RADIUS server.
|
12.1(3)T
|
This
command was modified. The
alias keyword
was added.
|
12.2(15)B
|
This
command was integrated into Cisco IOS Release 12.2(15)B. The
backoff
exponential ,
backoff-retry ,
key , and
max-delay
keywords and
number-of-retransmits,
encryption-key , and
minutes
arguments were added.
|
12.2(28)SB
|
This
command was integrated into Cisco release 12.2(28)SB. The
test
username
user-name ,
ignore-auth-port ,
ignore-acct-port , and
idle-time
minutes
keywords and arguments were added for configuring the RADIUS server load
balancing automated testing functionality.
|
12.2(33)SRA
|
This
command was integrated into Cisco IOS Release 12.2(33)SRA. The keywords and
arguments that were added in Cisco IOS Release 12.2(28)SB apply to Cisco IOS
Release 12.2(33)SRA and subsequent 12.2SR releases.
|
12.4(11)T
|
This
command was modified.
Note
|
The keywords and arguments
that were added in Cisco IOS Release 12.2(28)SB do not apply to Cisco IOS
Release 12.4(11)T or to subsequent 12.4T releases.
|
|
12.2SX
|
This
command is supported in the Cisco IOS Release 12.2SX train. Support in a
specific 12.2SX release of this train depends on your feature set, platform,
and platform hardware.
Note
|
The keywords and arguments
that were added in Cisco IOS Release 12.2(28)SB do not apply to Cisco IOS
Release 12.2SX.
|
|
Cisco
IOS XE Release 2.5
|
This
command was integrated into Cisco IOS XE Release 2.5.
|
15.3(1)S
|
This
command was modified. The
key-wrap encryption-key,
message-auth-code-key,
format,
ascii, and
hex keywords were added.
|
Cisco
IOS XE Release 3.2SE
|
This
command was integrated into Cisco IOS XE Release 3.2SE.
|
15.4(2)S
|
This command was deprecated in Cisco IOS Release 15.4(2)S.
|
Usage Guidelines
You can use
multiple
radius-server
host commands to specify multiple hosts. The software searches
for hosts in the order in which you specify them.
If no
host-specific timeout, retransmit, or key values are specified, the global
values apply to each host.
We recommend
using a test username that is not defined on the RADIUS server for the
automated testing of the RADIUS server. The automated test only needs the
server to respond; a test account that actually exists on the server is a
real credential that can be misused if it is not configured correctly.
If you configure
one RADIUS server with a nonstandard option and another RADIUS server without
the nonstandard option, the RADIUS server host with the nonstandard option does
not accept a predefined host. However, if you configure the same RADIUS server
host IP address for different UDP destination ports, where one UDP destination
port (for accounting requests) is configured using the
acct-port
keyword and another UDP destination port (for authentication requests) is
configured using the
auth-port
keyword with and without the nonstandard option, the RADIUS server does not
accept the nonstandard option. This results in resetting all the port numbers.
You must specify a host and configure accounting and authentication ports on a
single line.
To use separate
servers for accounting and authentication, use the zero port value as
appropriate.
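The parsing rules above (the key is the last item on the line, leading spaces before it are ignored while embedded and trailing spaces count, auth-port 0 or acct-port 0 removes the host from that role, and a host without its own key inherits the global radius-server key) are easy to get wrong when reviewing a configuration by eye. The following audit script is an added example, not Cisco code and not part of this reference: it parses the radius-server host lines of a running-config and reports, per host, which roles it serves, where its shared secret comes from, and whether that secret is stored as a type 7 string. The sample configuration is constructed for the example, the function names are the example's own, and the decode_type7 routine uses the well-known fixed translation string behind Cisco type 7 obfuscation, which is reversible and is not encryption.

```python
"""Audit the radius-server host lines of a Cisco IOS running-config.

Added example (not Cisco code). It models the parsing rules stated on this
page: the key is the last item on the line, leading spaces before the key
are ignored while embedded and trailing spaces are part of it, auth-port 0
or acct-port 0 removes the host from that role, the defaults are 1645/1646,
and a host without its own key falls back to the global radius-server key.
"""
import re

# Cisco type-7 "hidden" keys are XORed against this fixed string (well-known
# reversible obfuscation, not encryption): 2-digit seed, then hex bytes.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample config, not captured from a real device. The trailing
# space on the host2 key is deliberate (IOS keeps it as part of the key).
SAMPLE_CONFIG = "\n".join([
    "radius-server key 7 094F471A1A0A",
    "radius-server host 192.0.2.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123",
    "radius-server host host1.example.com auth-port 0",
    "radius-server host host2.example.com acct-port 0 key 0 my secret\x20",
    "radius-server host 192.0.2.1 non-standard",
])

HOST_RE = re.compile(r"^radius-server host (\S+)(.*)$")
NUMERIC_RE = re.compile(r"(auth-port|acct-port|timeout|retransmit) (\d+)")


def decode_type7(hidden):
    """Recover the clear text behind a type-7 string such as 094F471A1A0A."""
    seed = int(hidden[:2])
    body = bytes.fromhex(hidden[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def parse_key(raw):
    """Parse the text after `key`: `0 <clear>`, `7 <hidden>` or bare clear text."""
    raw = raw.lstrip(" ")                      # leading spaces are ignored ...
    m = re.match(r"([07]) (.*)$", raw)         # ... but nothing after that is trimmed
    typ, value = (int(m.group(1)), m.group(2)) if m else (0, raw)
    clear = decode_type7(value) if typ == 7 else value
    return {"type": typ, "value": value, "clear": clear}


def parse_host_line(line, global_key=None):
    """Return a dict describing one radius-server host line, or None."""
    m = HOST_RE.match(line)
    if not m:
        return None
    host, rest = m.group(1), m.group(2)
    key = None
    if " key " in rest:                        # key must be last, so split once
        rest, raw_key = rest.split(" key ", 1)
        key = parse_key(raw_key)
    entry = {"host": host, "auth_port": 1645, "acct_port": 1646,
             "non_standard": " non-standard" in rest, "findings": []}
    for kw, val in NUMERIC_RE.findall(rest):
        entry[kw.replace("-", "_")] = int(val)
    entry["roles"] = {r for r, p in (("authentication", "auth_port"),
                                     ("accounting", "acct_port")) if entry[p] != 0}
    if key is not None:
        entry["key_source"], entry["key"] = "per-host", key
    elif global_key is not None:
        entry["key_source"], entry["key"] = "global", global_key
    else:
        entry["key_source"], entry["key"] = "none", None
    f = entry["findings"]
    if not entry["roles"]:
        f.append("both ports are 0: host is never used")
    if entry["key"] is None:
        f.append("no per-host key and no global radius-server key")
    elif entry["key"]["type"] == 7:
        f.append("shared secret stored as type 7, recoverable from the config: %r" % entry["key"]["clear"])
    elif entry["key"]["clear"] != entry["key"]["clear"].strip():
        f.append("key has leading or trailing whitespace that the server must match exactly")
    if entry["non_standard"]:
        f.append("non-standard attribute parsing enabled")
    return entry


def audit(config_text):
    """Two passes: find the global key first, then evaluate every host line."""
    lines = config_text.splitlines()
    global_key = None
    for line in lines:
        if line.startswith("radius-server key "):
            global_key = parse_key(line[len("radius-server key"):])
    return [e for e in (parse_host_line(l, global_key) for l in lines) if e]


if __name__ == "__main__":
    for e in audit(SAMPLE_CONFIG):
        print(e["host"], sorted(e["roles"]), e["key_source"], *e["findings"], sep=" | ")
```

Run against a saved `show running-config`, the report shows at a glance which servers silently depend on the global key, which ones carry a secret that anyone with read access to the configuration can recover, and which host lines have a key with whitespace that will only work if the server's copy has exactly the same whitespace.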
RADIUS Server
Automated Testing
When you use the
radius-server host
command to enable automated testing for RADIUS server load
balancing:
- The authentication port is
enabled by default. If the port number is not specified, the default port
number (1645) is used. To disable the authentication port, specify the
ignore-auth-port keyword.
- The accounting port is
enabled by default. If the port number is not specified, the default port
number (1646) is used. To disable the accounting port, specify the
ignore-acct-port keyword.
Examples
The following
example shows how to specify host1 as the RADIUS server and to use default
ports for both accounting and authentication depending on the Cisco release
that you are using:
radius-server host host1
The following
example shows how to specify port 1612 as the destination port for
authentication requests and port 1616 as the destination port for accounting
requests on the RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616
Because entering
a line resets all the port numbers, you must specify a host and configure
accounting and authentication ports on a single line.
The following
example shows how to specify the host with IP address 192.0.2.46 as the RADIUS
server, use ports 1612 and 1616 as the authentication and accounting ports,
set the timeout value to six seconds, set the retransmit value to five, and
set “rad123” as the encryption key, thereby matching the key on the RADIUS server:
radius-server host 192.0.2.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
To use separate
servers for accounting and authentication, use the zero port value as
appropriate.
The following
example shows how to specify the RADIUS server host1 for accounting but not for
authentication, and the RADIUS server host2 for authentication but not for
accounting:
radius-server host host1.example.com auth-port 0
radius-server host host2.example.com acct-port 0
The following
example shows how to specify three aliases for the RADIUS server with IP address
192.0.2.1:
radius-server host 192.0.2.1 auth-port 1645 acct-port 1646
radius-server host 192.0.2.1 alias 192.0.2.2 192.0.2.3 192.0.2.4
The following
example shows how to enable exponential backoff retransmits on a per-server
basis. In this example, assume that the retransmit is configured for three
retries and the timeout is configured for five seconds; that is, the RADIUS
request will be transmitted three times with a delay of five seconds.
Thereafter, the device will continue to retransmit RADIUS requests with a
delayed interval that doubles each time until 32 retries have been achieved.
The device will stop doubling the retransmit intervals after the interval
surpasses the configured 60 minutes; it will transmit every 60 minutes.
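The timing described above is worth working through in numbers before enabling it, because exponential backoff changes how long a device keeps retrying a server that is not answering. The following model is an added example, not Cisco code and not part of this reference: it reproduces the arithmetic the text states (retransmit retries spaced timeout seconds apart, then backoff-retry further retries whose spacing doubles and is capped at max-delay minutes) for the scenario in the paragraph. The assumed host line it models is constructed for the example, the function names are the example's own, and the assumption that the first backoff interval is twice the configured timeout is the example's, since the page does not state where doubling starts.

```python
"""Model of the per-server retransmission timing described above.

Added example, not Cisco code. It applies the arithmetic the text states:
`retransmit` retries spaced `timeout` seconds apart, then (with backoff
exponential) `backoff-retry` further retries whose spacing doubles each time
and is capped at `max-delay` minutes. That doubling starts from the configured
timeout is an assumption; the page does not state the first backoff interval.
"""


def retransmit_schedule(timeout, retransmit, max_delay_min=None, backoff_retry=0):
    """Seconds the device waits before each retransmission of one request.

    timeout (1-1000 s) and retransmit (1-100) are the per-host values, or the
    global ones when the host line omits them. max_delay_min (1-120, default 3)
    and backoff_retry (1-50, default 8) apply only when `backoff exponential`
    is configured; pass max_delay_min=None to model a host without it.
    """
    waits = [timeout] * retransmit                 # fixed-interval phase
    if max_delay_min is not None:
        cap = max_delay_min * 60
        interval = timeout
        for _ in range(backoff_retry):
            interval = min(interval * 2, cap)      # doubling phase, capped at max-delay
            waits.append(interval)
    return waits


def summarize(waits):
    """How long one RADIUS request keeps being retried, and with what spacing."""
    return {"transmissions": 1 + len(waits), "total_seconds": sum(waits),
            "max_wait": max(waits)}


if __name__ == "__main__":
    # Constructed host line matching the scenario in the text (assumed, not from the page):
    #   radius-server host 192.0.2.5 timeout 5 retransmit 3 backoff exponential max-delay 60 backoff-retry 32
    plain = summarize(retransmit_schedule(5, 3))
    backoff = summarize(retransmit_schedule(5, 3, max_delay_min=60, backoff_retry=32))
    print("without backoff:", plain)    # gives up after 15 s
    print("with backoff:   ", backoff)  # keeps retrying for 87925 s (over 24 hours)
```

With the values from the paragraph the waits run 5, 5, 5, 10, 20, 40, 80, 160, 320, 640, 1280, 2560 seconds and then sit at the 60-minute cap for the remaining retries, so a single request to an unresponsive server is retried for more than a day; with the default max-delay of 3 minutes and backoff-retry of 8 the same request is abandoned after about 15 minutes. Choose max-delay and backoff-retry with that total in mind rather than the individual interval.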
The
pac keyword
allows the PAC-Opaque, which is a variable length field, to be sent to the
server during the Transport Layer Security (TLS) tunnel establishment phase.
The PAC-Opaque can be interpreted only by the server to recover the required
information for the server to validate the peer’s identity and authentication.
For example, the PAC-Opaque may include the PAC-Key and the PAC’s peer
identity. The PAC-Opaque format and contents are specific to the issuing PAC
server.
The following
example shows how to configure automatic PAC provisioning on a device. In seed
devices, the PAC-Opaque has to be provisioned so that all RADIUS exchanges can
use this PAC-Opaque to enable automatic PAC provisioning for the server being
used. All nonseed devices obtain the PAC-Opaque during the authentication phase
of a link initialization.
enable
configure terminal
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 pac
Examples
The following
example shows how to enable RADIUS server automated testing for load balancing
with the authentication and accounting ports specified depending on the Cisco
release that you are using:
radius-server host 192.0.2.176 test username test1 auth-port 1645 acct-port 1646