- Configuring RADIUS
- Framed-Route in RADIUS Accounting
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Centralized Filter Management
- RADIUS Debug Enhancements
- RADIUS Logical Line ID
- RADIUS Route Download
- RADIUS Server Load Balancing
- RADIUS Support of 56-Bit Acct Session-Id
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Server Reorder on Failure
- Index
- Finding Feature Information
- Information About RADIUS
- RADIUS Operation
- RADIUS Attributes
- Preauthentication on a RADIUS Server
- RADIUS Profile for DNIS or CLID Preauthentication
- RADIUS Profile for Call Type Preauthentication
- RADIUS Profile for Preauthentication Enhancements for Callback
- RADIUS Profile for a Remote Hostname Used for Large-Scale Dial-Out
- RADIUS Profile for Modem Management
- RADIUS Profile for Subsequent Authentication
- RADIUS Profile for Subsequent Authentication Types
- RADIUS Profile to Include the Username
- RADIUS Profile for Two-Way Authentication
- RADIUS Profile to Support Authorization
- RADIUS Authentication
- RADIUS Authorization
- RADIUS Accounting
- RADIUS Login-IP-Host
- RADIUS Prompt
- Vendor-Specific RADIUS Attributes
- Static Routes and IP Addresses on the RADIUS Server
- How to Configure RADIUS
- Configuring Device-to-RADIUS Server Communication
- Configuring a Device for Vendor-Proprietary RADIUS Server Communication
- Configuring a Device to Expand Network Access Server Port Information
- Replacing the NAS-Port Attribute with the RADIUS Attribute
- Configuring AAA Server Groups
- Configuring AAA Server Groups with a Deadtimer
- Configuring AAA DNIS Preauthentication
- Configuring AAA Server Group Selection Based on DNIS
- Configuring AAA Preauthentication
- Configuring DNIS Preauthentication
- Configuring a Guard Timer
- Configuring the Suffix and Password in RADIUS Access Requests
- Monitoring and Maintaining RADIUS
- Configuration Examples for RADIUS
- Example: RADIUS Authentication and Authorization
- Example: RADIUS Authentication, Authorization, and Accounting
- Example: Vendor-Proprietary RADIUS Configuration
- Example: RADIUS Server with Server-Specific Values
- Example: Device-to-RADIUS Server Communication
- Example: Multiple RADIUS Server Entries for the Same Server IP Address
- Examples: AAA Server Groups
- Example: Multiple RADIUS Server Entries Using AAA Server Groups
- Example: AAA Server Group Selection Based on DNIS
- Examples: AAA Preauthentication
- Example RADIUS User Profile with RADIUS Tunneling Attributes
- Examples: Guard Timer for ISDN and CAS
- Additional References
- Feature Information for Configuring RADIUS
Configuring RADIUS
The RADIUS security system is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
- Finding Feature Information
- Information About RADIUS
- How to Configure RADIUS
- Configuration Examples for RADIUS
- Additional References
- Feature Information for Configuring RADIUS
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About RADIUS
- RADIUS Operation
- RADIUS Attributes
- Preauthentication on a RADIUS Server
- RADIUS Authentication
- RADIUS Authorization
- RADIUS Accounting
- RADIUS Login-IP-Host
- RADIUS Prompt
- Vendor-Specific RADIUS Attributes
- Static Routes and IP Addresses on the RADIUS Server
RADIUS Operation
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:
- The user is prompted to enter the username and password.
- The username and encrypted password are sent over the network to the RADIUS server.
-
The user receives one of the following responses from the RADIUS server: - ACCEPT—The user is authenticated.
- CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.
- CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.
- REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:
RADIUS Attributes
The network access server monitors the RADIUS authorization and accounting functions defined by RADIUS attributes in each user profile:
Vendor-Proprietary RADIUS Attributes
An Internet Engineering Task Force (IETF) standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. Cisco software supports a subset of vendor-proprietary RADIUS attributes.
RADIUS Tunnel Attributes
RADIUS is a security server AAA protocol originally developed by Livingston, Inc. RADIUS uses attribute value (AV) pairs to communicate information between the security server and the network access server.
RFC 2138 and RFC 2139 describe the basic functionality of RADIUS and the original set of IETF-standard AV pairs used to send AAA information. Two IETF standards, “RADIUS Attributes for Tunnel Protocol Support” and “RADIUS Accounting Modifications for Tunnel Protocol Support,” extend the IETF-defined set of AV pairs to include attributes specific to VPNs. These attributes are used to carry the tunneling information between the RADIUS server and the tunnel initiator.
RFC 2865 and RFC 2868 extend the IETF-defined set of AV pairs to include attributes specific to compulsory tunneling in VPNs by allowing the user to specify authentication names for the network access server and the RADIUS server.
Cisco devices and access servers support new RADIUS IETF-standard virtual private dialup network (VPDN) tunnel attributes.
Preauthentication on a RADIUS Server
RADIUS attributes are configured in the RADIUS preauthentication profiles to specify preauthentication behavior. In addition to configuring preauthentication on your Cisco device, you must set up the preauthentication profiles on the RADIUS server.
- RADIUS Profile for DNIS or CLID Preauthentication
- RADIUS Profile for Call Type Preauthentication
- RADIUS Profile for Preauthentication Enhancements for Callback
- RADIUS Profile for a Remote Hostname Used for Large-Scale Dial-Out
- RADIUS Profile for Modem Management
- RADIUS Profile for Subsequent Authentication
- RADIUS Profile for Subsequent Authentication Types
- RADIUS Profile to Include the Username
- RADIUS Profile for Two-Way Authentication
- RADIUS Profile to Support Authorization
RADIUS Profile for DNIS or CLID Preauthentication
To configure the RADIUS preauthentication profile, use the Dialed Number Identification Service (DNIS) or Calling Line Identification (CLID) number as the username, and use the password defined in the dnis or clid command as the password.
 Note |
The preauthentication profile must have “outbound” as the service type because the password is predefined on the network access server (NAS). Setting up the preauthentication profile in this manner prevents users from trying to log in to the NAS with the username of the DNIS number, CLID number, or call type and an obvious password. The “outbound” service type is also included in the Access-Request packet sent to the RADIUS server. |
RADIUS Profile for Call Type Preauthentication
To set up the RADIUS preauthentication profile, use the call type string as the username, and use the password defined in the ctype command as the password. The table below lists the call type strings that can be used in the preauthentication profile.
Note |
The preauthentication profile must have “outbound” as the service type because the password is predefined on the NAS. Setting up the preauthentication profile in this manner prevents users from trying to log in to the NAS with the username of the DNIS number, CLID number, or call type and an obvious password. The “outbound” service type is also included in the Access-Request packet sent to the RADIUS server and should be a checkin item if the RADIUS server supports checkin items. |
RADIUS Profile for Preauthentication Enhancements for Callback
Callback allows remote network users such as telecommuters to dial in to the NAS without being charged. When callback is required, the NAS hangs up the current call and dials the caller back. When the NAS performs the callback, only information for the outgoing connection is applied. The rest of the attributes from the preauthentication access-accept message are discarded.
Note |
The destination IP address is not required to be returned from the RADIUS server. |
The following example shows a RADIUS profile configuration with a callback number of 555-0101 and the service type set to outbound. The cisco-avpair = “preauth:send-name=<string>” uses the string “user1” and the cisco-avpair = “preauth:send-secret=<string>” uses the password “cisco.”
5550101 password = “cisco”, Service-Type = Outbound Service-Type = Callback-Framed Framed-Protocol = PPP, Dialback-No = “5550119” Class = “ISP12” cisco-avpair = “preauth:send-name=user1” cisco-avpair = “preauth:send-secret=cisco”
RADIUS Profile for a Remote Hostname Used for Large-Scale Dial-Out
The following example protects against accidentally calling a valid telephone number but accessing the wrong device by providing the name of the remote device, for use in large-scale dial-out:
5550101 password = "PASSWORD1", Service-Type = Outbound
Service-Type = Callback-Framed
Framed-Protocol = PPP,
Dialback-No = "5550190"
Class = "ISP12"
cisco-avpair = "preauth:send-name=user1"
cisco-avpair = "preauth:send-secret=PASSWORD1"
cisco-avpair = "preauth:remote-name=Device2"
RADIUS Profile for Modem Management
When DNIS, CLID, or call type preauthentication is used, the affirmative response from the RADIUS server might include a modem string for modem management in the NAS through vendor-specific attribute (VSA) 26. The modem management VSA has this syntax:
cisco-avpair = “preauth:modem-service=modem min-speed < x > max-speed < y > modulation < z > error-correction < a > compression < b >”
The table below lists the modem management string elements within the VSA.
| Command |
Argument |
|---|---|
| min-speed |
300 to 56000, any |
| max-speed |
300 to 56000, any |
| modulation |
K56Flex, v22bis, v32bis, v34, v90, any |
| error-correction |
lapm, mnp4 |
| compression |
mnp5, v42bis |
When the modem management string is received from the RADIUS server in the form of a VSA, the information is passed to the Cisco software and applied on a per-call basis. Modem ISDN channel aggregation (MICA) modems provide a control channel through which messages can be sent during the call setup time. Hence, this modem management feature is supported only with MICA modems. This feature is not supported with Microcom modems.
RADIUS Profile for Subsequent Authentication
If preauthentication passes, you can use vendor-proprietary RADIUS attribute 201 (Require-Auth) in the preauthentication profile to determine whether subsequent authentication is performed. If attribute 201, returned in the access-accept message, has a value of 0, subsequent authentication is not performed. If attribute 201 has a value of 1, subsequent authentication is performed as usual.
Attribute 201 has this syntax:
cisco-avpair = “preauth:auth-required=< n >”
where <n> has the same value range as attribute 201 (that is, 0 or 1).
If attribute 201 is missing in the preauthentication profile, a value of 1 is assumed, and subsequent authentication is performed.
Note |
Before you can perform subsequent authentication, you must set up a regular user profile in addition to a preauthentication profile. |
RADIUS Profile for Subsequent Authentication Types
If you specified subsequent authentication in the preauthentication profile, you must also specify the authentication types to be used for subsequent authentication. To specify the authentication types allowed in subsequent authentication, use this VSA:
cisco-avpair = “preauth:auth-type=< string >”
The table below lists the allowed values for the <string> element.
| String |
Description |
|---|---|
| chap |
Requires the username and password for the Challenge-Handshake Authentication Protocol (CHAP) for PPP authentication. |
| ms-chap |
Requires the username and password for the MS-CHAP for PPP authentication. |
| pap |
Requires the username and password for the Password Authentication Protocol (PAP) for PPP authentication. |
To specify that multiple authentication types are allowed, you can configure more than one instance of this VSA in the preauthentication profile. The sequence of the authentication type VSAs in the preauthentication profile is significant because it specifies the order of authentication types to be used in the PPP negotiation.
This VSA is a per-user attribute and replaces the authentication type list in the ppp authentication interface configuration command.
Note |
You should use this VSA only if subsequent authentication is required because it specifies the authentication type for subsequent authentication. |
RADIUS Profile to Include the Username
If only preauthentication is used to authenticate a call, the NAS could be missing a username when it brings up the call. RADIUS can provide a username for the NAS to use through RADIUS attribute 1 (User-Name) or through a VSA returned in the Access-Accept packet. The VSA for specifying the username has this syntax:
cisco-avpair = “preauth:username=< string >”
If no username is specified, the DNIS number, CLID number, or call type is used, depending on the last preauthentication command configured (for example, if clid was the last preauthentication command configured, the CLID number is used as the username).
If subsequent authentication is used to authenticate a call, there might be two usernames: one provided by RADIUS and one provided by the user. In this case, the username provided by the user overrides the one contained in the RADIUS preauthentication profile. The username provided by the user is used for both authentication and accounting.
RADIUS Profile for Two-Way Authentication
In the case of two-way authentication, the calling networking device must authenticate the NAS. The PAP username and password or CHAP username and password need not be configured locally on the NAS. Instead, the username and password can be included in the Access-Accept messages for preauthentication.
Note |
Do not configure the ppp authentication command with the radius command. |
To set up PAP, do not configure the ppp pap sent-name password command on the interface. The VSAs “preauth:send-name” and “preauth:send-secret” are used as the PAP username and PAP password for outbound authentication.
For CHAP, “preauth:send-name” is used not only for outbound authentication but also for inbound authentication. For a CHAP inbound case, the NAS uses the name defined in “preauth:send-name” in the challenge packet to the caller networking device. For a CHAP outbound case, both “preauth:send-name” and “preauth:send-secret” are used in the response packet.
The following example shows a configuration that specifies two-way authentication:
5550101 password = "PASSWORD2", Service-Type = Outbound Service-Type = Framed-User cisco-avpair = "preauth:auth-required=1" cisco-avpair = "preauth:auth-type=pap" cisco-avpair = "preauth:send-name=user1" cisco-avpair = "preauth:send-secret=PASSWORD2" class = "<some class>"
Note |
Two-way authentication does not work when resource pooling is enabled. |
RADIUS Profile to Support Authorization
If only preauthentication is configured, subsequent authentication is bypassed. Note that because the username and password are not available, authorization is also bypassed. However, you can include authorization attributes in the preauthentication profile to apply per-user attributes and avoid having to return subsequently to RADIUS for authorization. To initiate the authorization process, you must also configure the aaa authorization network command on the NAS.
You can configure authorization attributes in the preauthentication profile with one exception: the service-type attribute (attribute 6). The service-type attribute must be converted to a VSA in the preauthentication profile. This VSA has this syntax:
cisco-avpair = “preauth:service-type=< n >”
where <n> is one of the standard RFC 2865 values for attribute 6.
Note |
If subsequent authentication is required, the authorization attributes in the preauthentication profile are not applied. |
RADIUS Authentication
After you have identified the RADIUS server and defined the RADIUS authentication key, you must define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through AAA, you must enter the aaa authentication command, specifying RADIUS as the authentication method.
RADIUS Authorization
AAA authorization lets you set parameters that restrict a user’s access to the network. Authorization using RADIUS provides one method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, AppleTalk Remote Access (ARA), and Telnet. Because RADIUS authorization is facilitated through AAA, you must enter the aaa authorization command, specifying RADIUS as the authorization method.
RADIUS Accounting
The AAA accounting feature enables you to track the services users are accessing and the amount of network resources they are consuming. Because RADIUS accounting is facilitated through AAA, you must enter the aaa accounting command, specifying RADIUS as the accounting method.
RADIUS Login-IP-Host
To enable the network access server (NAS) to attempt more than one login host when trying to connect a dial-in user, you can enter as many as three Login-IP-Host entries in the user’s profile on the RADIUS server. The following example shows that three Login-IP-Host instances are configured for the user user1, and that TCP-Clear is used for the connection:
user1 Password = xyz
Service-Type = Login,
Login-Service = TCP-Clear,
Login-IP-Host = 10.0.0.0,
Login-IP-Host = 10.2.2.2,
Login-IP-Host = 10.255.255.255,
Login-TCP-Port = 23
The order in which the hosts are entered is the order in which they are attempted. Use the ip tcp synwait-time command to set the number of seconds that the NAS waits before trying to connect to the next host on the list; the default is 30 seconds.
Your RADIUS server might permit more than three Login-IP-Host entries; however, the NAS supports only three hosts in Access-Accept packets.
RADIUS Prompt
To control whether user responses to Access-Challenge packets are echoed to the screen, you can configure the Prompt attribute in the user profile on the RADIUS server. This attribute is included only in Access-Challenge packets. The following example shows the Prompt attribute set to No-Echo, which prevents the user’s responses from echoing:
user1 Password = xyz Service-Type = Login, Login-Service = Telnet, Prompt = No-Echo, Login-IP-Host = 172.31.255.255
To allow user responses to echo, set the attribute to Echo. If the Prompt attribute is not included in the user profile, responses are echoed by default.
This attribute overrides the behavior of the radius-server challenge-noecho command configured on the access server. For example, if the access server is configured to suppress echoing, but the individual user profile allows echoing, the user responses are echoed.
Note |
If you want to use the Prompt attribute, your RADIUS server must be configured to support Access-Challenge packets. |
Vendor-Specific RADIUS Attributes
The IETF standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco’s vendor ID is 9, and the supported option has vendor type 1, which is named “cisco-avpair.” The value is a string with this format:
protocol : attribute sep value *
“Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization; protocols that can be used include IP, Internetwork Packet Exchange (IPX), VPDN, VoIP, Secure Shell (SSH), Resource Reservation Protocol (RSVP), Serial Interface Processor (SIP), AirNet, and Outbound. “Attribute” and “value” are an appropriate AV pair defined in the Cisco TACACS+ specification, and “sep” is “=” for mandatory attributes and “*” for optional attributes, allowing the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named ip address pools” feature to be activated during IP authorization (during PPP’s Internet Protocol Control Protocol (IPCP) address assignment):
cisco-avpair= ”ip:addr-pool=first“
If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be made optional:
cisco-avpair= ”ip:addr-pool*first“
The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“
Other vendors have their own unique vendor IDs, options, and associated VSAs.
Static Routes and IP Addresses on the RADIUS Server
Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. Each network access server then queries the RADIUS server for static route and IP pool information.
To have the Cisco device or access server query the RADIUS server for static routes and IP pool definitions when the device starts up, use the radius-server configure-nas command.
Because the radius-server configure-nas command is performed when the Cisco devcie starts up, it does not take effect until you enter a copy system:running-config nvram:startup-config command.
How to Configure RADIUS
- Configuring Device-to-RADIUS Server Communication
- Configuring a Device for Vendor-Proprietary RADIUS Server Communication
- Configuring a Device to Expand Network Access Server Port Information
- Replacing the NAS-Port Attribute with the RADIUS Attribute
- Configuring AAA Server Groups
- Configuring AAA Server Groups with a Deadtimer
- Configuring AAA DNIS Preauthentication
- Configuring AAA Server Group Selection Based on DNIS
- Configuring AAA Preauthentication
- Configuring DNIS Preauthentication
- Configuring a Guard Timer
- Configuring the Suffix and Password in RADIUS Access Requests
- Monitoring and Maintaining RADIUS
Configuring Device-to-RADIUS Server Communication
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
4. radius-server key {0 string | 7 string | string}
5. radius-server retransmit retries
6. radius-server timeout seconds
7. radius-server deadtime minutes
8. exit
DETAILED STEPS
| Command or Action | Purpose | |||||
|---|---|---|---|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
||||
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
||||
| Step 3 | radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] Example: Device(config)# radius-server host 10.45.1.2 |
Specifies the IP address or hostname of the remote RADIUS server host and assigns authentication and accounting destination port numbers.
|
||||
| Step 4 | radius-server key {0 string | 7 string | string} Example: Device(config)# radius-server key myRaDIUSpassword |
Specifies the shared secret text string used between the device and a RADIUS server.
|
||||
| Step 5 | radius-server retransmit retries Example: Device(config)# radius-server retransmit 25 |
Specifies how many times the device transmits each RADIUS request to the server before giving up (the default is 3).
|
||||
| Step 6 | radius-server timeout seconds Example: Device(config)# radius-server timeout 6 |
Specifies for how many seconds a device waits for a reply to a RADIUS request before retransmitting the request.
|
||||
| Step 7 | radius-server deadtime minutes Example: Device(config)# radius-server deadtime 5 |
Specifies for how many minutes a RADIUS server that is not responding to authentication requests is passed over by requests for RADIUS authentication. |
||||
| Step 8 | exit Example: Device(config)# exit |
Returns to privileged EXEC mode. |
Configuring a Device for Vendor-Proprietary RADIUS Server Communication
Although an IETF standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco software supports a subset of vendor-proprietary RADIUS attributes.
To configure RADIUS (whether vendor-proprietary or IETF compliant), you must use the radius-server commands to specify the host running the RADIUS server daemon and the secret text string it shares with the Cisco device. To identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard command. Vendor-proprietary attributes are not supported unless you use the radius-server host non-standard command.
Note |
|
1. enable
2. configure terminal
3. radius-server vsa send [accounting | authentication]
4. radius-server host {hostname | ip-address} non-standard
5. radius-server key {0 string | 7 string | string}
6. exit
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
||
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
||
| Step 3 | radius-server vsa send [accounting | authentication] Example: Device(config)# radius-server vsa send |
Enables the network access server to recognize and use VSAs as defined by RADIUS IETF attribute 26. |
||
| Step 4 | radius-server host {hostname | ip-address} non-standard Example: Device(config)# radius-server host host1 non-standard |
Specifies the IP address or hostname of the remote RADIUS server host and identifies that it is using a vendor-proprietary implementation of RADIUS.
|
||
| Step 5 | radius-server key {0 string | 7 string | string} Example: Device(config)# radius-server key myRaDIUSpassword |
Specifies the shared secret text string used between the device and the vendor-proprietary RADIUS server. |
||
| Step 6 | exit Example: Device(config)# exit |
Returns to privileged EXEC mode. |
Configuring a Device to Expand Network Access Server Port Information
Sometimes PPP or login authentication occurs on an interface that is different from the interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface “ttt”, but the call itself occurs on one of the channels of the ISDN interface.
The radius-server attribute nas-port extended command configures RADIUS to expand the size of the NAS-Port attribute (RADIUS IETF attribute 5) field to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.
Note |
The radius-server attribute nas-port format command replaces the radius-server extended-portnames command and the radius-server attribute nas-port extended command. |
1. enable
2. configure terminal
3. radius-server configure-nas
4. radius-server attribute nas-port format
5. exit
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
||
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
||
| Step 3 | radius-server configure-nas Example: Device(config)# radius-server configure-nas |
(Optional) Tells the Cisco device or access server to query the RADIUS server for the static routes and IP pool definitions used throughout its domain.
|
||
| Step 4 | radius-server attribute nas-port format Example: Device(config)# radius-server attribute nas-port format |
Expands the size of the NAS-Port attribute from 16 to 32 bits to display extended interface information. |
||
| Step 5 | exit Example: Device(config)# exit |
Returns to privileged EXEC mode. |
Replacing the NAS-Port Attribute with the RADIUS Attribute
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation does not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 appear as NAS-Port = 20101 because of the 16-bit field size limitation associated with the RADIUS IETF NAS-Port attribute. In this case, you can replace the NAS-Port attribute with a VSA (RADIUS IETF attribute 26). Cisco’s vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. VSAs can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
The standard NAS-Port attribute (RADIUS IETF attribute 5) is sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. After this command is configured, the standard NAS-Port attribute is no longer sent.
1. enable
2. configure terminal
3. radius-server vsa send [accounting | authentication]
4. aaa nas port extended
5. exit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 | radius-server vsa send [accounting | authentication] Example: Device(config)# radius-server vsa send |
Enables the network access server to recognize and use vendor-specific attributes as defined by RADIUS IETF attribute 26. |
| Step 4 | aaa nas port extended Example: Device(config)# aaa nas port extended |
Expands the size of the VSA NAS-Port field from 16 to 32 bits to display extended interface information. |
| Step 5 | exit Example: Device(config)# exit |
Returns to privileged EXEC mode. |
Configuring AAA Server Groups
To define a server host with a server group name, enter the following commands in global configuration mode. The listed server must exist in global configuration mode.
Each server in the group must be defined previously using the radius-server host command.
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
4. aaa group server {radius | tacacs+} group-name
5. server ip-address [auth-port port-number] [acct-port port-number]
6. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 | radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] Example: Device(config)# radius-server host 10.45.1.2 |
Specifies and defines the IP address of the server host before configuring the AAA server group. |
| Step 4 | aaa group server {radius | tacacs+} group-name Example: Device(config)# aaa group server radius group1 |
Defines the AAA server group with a group name. |
| Step 5 | server ip-address [auth-port port-number] [acct-port port-number] Example: Device(config-sg-radius)# server 172.16.1.1 acct-port 1616 |
Associates a particular RADIUS server with the defined server group. |
| Step 6 | end Example: Device(config-sg-radius)# end |
Exits server group RADIUS configuration mode and returns to privileged EXEC mode. |
Configuring AAA Server Groups with a Deadtimer
1. enable
2. configure terminal
3. aaa group server radius group
4. deadtime minutes
5. end
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
||
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
||
| Step 3 | aaa group server radius group Example: Device(config)# aaa group server radius group1 |
Defines a RADIUS type server group and enters server group RADIUS configuration mode. |
||
| Step 4 | deadtime minutes Example: Device(config-sg-radius)# deadtime 1 |
Configures and defines a deadtime value in minutes.
|
||
| Step 5 | end Example: Device(config-sg-radius)# end |
Exits server group RADIUS configuration mode and returns to privileged EXEC mode. |
Configuring AAA DNIS Preauthentication
DNIS preauthentication enables preauthentication at call setup based on the number dialed. The DNIS number is sent directly to the security server when a call is received. If the call authenticated by AAA, it is accepted.
1. enable
2. configure terminal
3. aaa preauthorization
4. group {radius | tacacs+ | server-group}
5. dnis [password string]
6. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 | aaa preauthorization Example: Device(config)# aaa preauthorization |
Enters AAA preauthentication configuration mode. |
| Step 4 | group {radius | tacacs+ | server-group} Example: Device(config-preauth)# group radius |
(Optional) Selects the security server to use for AAA preauthentication requests. |
| Step 5 | dnis [password string] Example: Device(config-preauth)# dnis password dnispass |
Enables preauthentication using DNIS and optionally specifies a password to use in Access-Request packets. |
| Step 6 | end Example: Device(config-preauth)# end |
Exits AAA preauthentication configuration mode and returns to privileged EXEC mode. |
Configuring AAA Server Group Selection Based on DNIS
To configure the device to select a particular AAA server group based on the DNIS of the server group, configure DNIS mapping. To map a server group with a group name with a DNIS number, perform the following task.
1. enable
2. configure terminal
3. aaa dnis map enable
4. aaa dnis map dnis-number authentication ppp group server-group-name
5. aaa dnis map dnis-number authorization network group server-group-name
6. aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name
7. exit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 | aaa dnis map enable Example: Device(config)# aaa dnis map enable |
Enables DNIS mapping. |
| Step 4 | aaa dnis map dnis-number authentication ppp group server-group-name Example: Device(config)# aaa dnis map 7777 authentication ppp group sg1 |
Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authentication. |
| Step 5 | aaa dnis map dnis-number authorization network group server-group-name Example: Device(config)# aaa dnis map 7777 authorization network group sg1 |
Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authorization. |
| Step 6 | aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name Example: Device(config)# aaa dnis map 8888 accounting network stop-only group sg2 |
Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for accounting. |
| Step 7 | exit Example: Device(config)# exit |
Exits global configuration mode and returns to privileged EXEC mode. |
Configuring AAA Preauthentication
1. enable
2. configure terminal
3. aaa preauthorization
4. group server-group
5. clid [if-avail | required] [accept-stop] [password string]
6. ctype [if-avail | required] [accept-stop] [password string]
7. dnis [if-avail | required] [accept-stop] [password string]
8. dnis bypass dnis-group-name
9. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 | aaa preauthorization Example: Device(config)# aaa preauthorization |
Enters AAA preauthentication configuration mode. |
| Step 4 | group server-group Example: Device(config-preauth)# group sg2 |
Specifies the AAA RADIUS server group to use for preauthentication. |
| Step 5 | clid [if-avail | required] [accept-stop] [password string] Example: Device(config-preauth)# clid required |
Preauthenticates calls on the basis of the CLID number. |
| Step 6 | ctype [if-avail | required] [accept-stop] [password string] Example: Device(config-preauth)# ctype required |
Preauthenticates calls on the basis of the call type. |
| Step 7 | dnis [if-avail | required] [accept-stop] [password string] Example: Device(config-preauth)# dnis required |
Preauthenticates calls on the basis of the DNIS number. |
| Step 8 | dnis bypass dnis-group-name Example: Device(config-preauth)# dnis bypass group1 |
Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
| Step 9 | end Example: Device(config-preauth)# end |
Exits preauthentication configuration mode and returns to privileged EXEC mode. |
Configuring DNIS Preauthentication
To configure DNIS preauthentication, perform the following task.
1. enable
2. configure terminal
3. aaa preauthorization
4. group {radius | tacacs+ | server-group}
5. dnis [password string]
6. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode.
|
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | aaa preauthorization Example: Router(config)# aaa preauthorization |
Enters AAA preauthentication mode. |
| Step 4 | group {radius | tacacs+ | server-group} Example: Router (config-preauth)# group radius |
(Optional) Selects the security server to use for AAA preauthentication requests.
|
| Step 5 | dnis [password string] Example: Router(config-preauth)# dnis password dnispass |
Enables preauthentication using DNIS and optionally specifies a password to use in Access-Request packets. |
| Step 6 | end Example: Router(config-preauth)# end |
Exits AAA preauthentication configuration mode and returns to privileged EXEC mode. |
Configuring a Guard Timer
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to an authentication or preauthentication request, perform the following task.
1. enable
2. configure terminal
3. interface type number
4. isdn guard-timer milliseconds [on-expiry {accept | reject}]
5. call guard-timer milliseconds [on-expiry {accept | reject}]
6. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 | interface type number Example: Device(config)# interface serial 1/0/0:23 |
Enters interface configuration mode. |
| Step 4 | isdn guard-timer milliseconds [on-expiry {accept | reject}] Example: Device(config-if)# isdn guard-timer 8000 on-expiry reject |
Sets an ISDN guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request. |
| Step 5 | call guard-timer milliseconds [on-expiry {accept | reject}] Example: Device(config-if)# call guard-timer 2000 on-expiry accept |
Sets a CAS guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request. |
| Step 6 | end Example: Device(config-if)# end |
Exits interface configuration mode and returns to privileged EXEC mode. |
Configuring the Suffix and Password in RADIUS Access Requests
Large-scale dial-out eliminates the need to configure dialer maps on every NAS for every destination. Instead, you can create remote site profiles that contain outgoing call attributes on the AAA server. The profile is downloaded by the NAS when packet traffic requires a call to be placed to a remote site.
You can configure the username in the Access-Request message to RADIUS. The default suffix of the username, “-out,” is appended to the username. The format for composing the username attribute is the IP address plus the configured suffix.
1. enable
2. configure terminal
3. aaa new-model
4. aaa route download time
5. aaa authorization configuration default
6. interface dialer number
7. dialer aaa
8. dialer aaa suffix suffix password password
9. exit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 | aaa new-model Example: Device(config)# aaa new-model |
Enables the AAA access control model. |
| Step 4 | aaa route download time Example: Device(config)# aaa route download 450 |
Enables the download static route feature and sets the amount of time in minutes between downloads. |
| Step 5 | aaa authorization configuration default Example: Device(config)# aaa authorization configuration default |
Downloads static route configuration information from the AAA server using TACACS+ or RADIUS. |
| Step 6 | interface dialer number Example: Device(config)# interface dialer 1 |
Defines a dialer rotary group and enters interface configuration mode. |
| Step 7 | dialer aaa Example: Device(config-if)# dialer aaa |
Allows a dialer to access the AAA server for dialing information. |
| Step 8 | dialer aaa suffix suffix password password Example: Device(config-if)# dialer aaa suffix @samp password password12 |
Allows a dialer to access the AAA server for dialing information and specifies a suffix and nondefault password for authentication. |
| Step 9 | exit Example: Device(config-if)# exit |
Exits interface configuration mode and returns to privileged EXEC mode. |
Monitoring and Maintaining RADIUS
1. enable
2. debug radius
3. show radius statistics
4. show aaa servers
5. exit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 | debug radius Example: Device# debug radius |
Displays information associated with RADIUS. |
| Step 3 | show radius statistics Example: Device# show radius statistics |
Displays the RADIUS statistics for accounting and authentication packets. |
| Step 4 | show aaa servers Example: Device# show aaa servers |
Displays the status and number of packets that are sent to and received from all public and private AAA RADIUS servers as interpreted by the AAA Server MIB. |
| Step 5 | exit Example: Device# exit |
Exits the device session. |
Configuration Examples for RADIUS
- Example: RADIUS Authentication and Authorization
- Example: RADIUS Authentication, Authorization, and Accounting
- Example: Vendor-Proprietary RADIUS Configuration
- Example: RADIUS Server with Server-Specific Values
- Example: Device-to-RADIUS Server Communication
- Example: Multiple RADIUS Server Entries for the Same Server IP Address
- Examples: AAA Server Groups
- Example: Multiple RADIUS Server Entries Using AAA Server Groups
- Example: AAA Server Group Selection Based on DNIS
- Examples: AAA Preauthentication
- Example RADIUS User Profile with RADIUS Tunneling Attributes
- Examples: Guard Timer for ISDN and CAS
Example: RADIUS Authentication and Authorization
The following example shows how to configure the device to authenticate and authorize using RADIUS:
aaa authentication login use-radius group radius local aaa authentication ppp user-radius if-needed group radius aaa authorization exec default group radius aaa authorization network default group radius
The lines in this sample RADIUS authentication and authorization configuration are defined as follows:
- The aaa authentication login use-radius group radius local command configures the device to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database. In this example, use-radius is the name of the method list, which specifies RADIUS and then local authentication.
- The aaa authentication ppp user-radius if-needed group radius command configures the Cisco software to use RADIUS authentication for lines using PPP with CHAP or PAP if the user has not already been authorized. If the EXEC facility has authenticated the user, RADIUS authentication is not performed. In this example, user-radius is the name of the method list defining RADIUS as the if-needed authentication method.
- The aaa authorization exec default group radius command sets the RADIUS information that is used for EXEC authorization, autocommands, and access lists.
- The aaa authorization network default group radius command sets RADIUS for network authorization, address assignment, and access lists.
Example: RADIUS Authentication, Authorization, and Accounting
The following example shows a general configuration using RADIUS with the AAA command set:
radius-server host 10.45.1.2 radius-server key myRaDiUSpassWoRd username root password ALongPassword aaa authentication ppp dialins group radius local aaa authorization network default group radius local aaa accounting network default start-stop group radius aaa authentication login admins local aaa authorization exec default local line 1 16 autoselect ppp autoselect during-login login authentication admins modem ri-is-cd interface group-async 1 encaps ppp ppp authentication pap dialins
The lines in this example RADIUS authentication, authorization, and accounting configuration are defined as follows:
- The radius-server host command defines the IP address of the RADIUS server host.
- The radius-server key command defines the shared secret text string between the network access server and the RADIUS server host.
- The aaa authentication ppp dialins group radius local command defines the authentication method list “dialins,” which specifies that RADIUS authentication and then (if the RADIUS server does not respond) local authentication is used on serial lines using PPP.
- The aaa authorization network default group radius local command is used to assign an address and other network parameters to the RADIUS user.
- The aaa accounting network default start-stop group radius command tracks PPP usage.
- The aaa authentication login admins local command defines another method list, “admins,” for login authentication.
- The login authentication admins command applies the “admins” method list for login authentication.
- The ppp authentication pap dialins command applies the “dialins” method list to the lines specified.
Example: Vendor-Proprietary RADIUS Configuration
Note |
|
radius server myserver radius server address ipv4 192.0.2.2 radius server non-standard radius server key 7 anykey radius-server configure-nas username root password ALongPassword aaa authentication ppp dialins group radius local aaa authorization network default group radius local aaa accounting network default start-stop group radius aaa authentication login admins local aaa authorization exec default local
The lines in this RADIUS authentication, authorization, and accounting configuration example are defined as follows:
- The radius server name non-standard command defines the name of the RADIUS server host and identifies that this RADIUS host uses a vendor-proprietary version of RADIUS.
- The radius server name key command defines the shared secret text string between the network access server and the RADIUS server host.
- The radius-server configure-nas command defines that the Cisco device or access server queries the RADIUS server for static routes and IP pool definitions when the device first starts up.
- The aaa authentication ppp dialins group radius local command defines the authentication method list “dialins,” which specifies that RADIUS authentication and then (if the RADIUS server does not respond) local authentication is used on serial lines using PPP.
- The aaa authorization network default group radius local command assigns an address and other network parameters to the RADIUS user.
- The aaa accounting network default start-stop group radius command tracks PPP usage.
- The aaa authentication login admins local command defines another method list, “admins,” for login authentication.
Example: RADIUS Server with Server-Specific Values
The following example shows how to configure server-specific timeout, retransmit, and key values for the RADIUS server with IP address 172.31.39.46:
radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123
Example: Device-to-RADIUS Server Communication
The following example shows how to configure two RADIUS servers with specific timeout, retransmit, and key values. In this example, the aaa new-model command enables AAA services on the device, and specific AAA commands define the AAA services. The radius-server retransmit command changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46.
! Enable AAA services on the device and define those services. aaa new-model aaa authentication login default group radius aaa authentication login console-login none aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius enable password tryit1 ! ! Change the global retransmission value for all RADIUS servers. radius-server retransmit 4 ! ! Configure per-server specific timeout, retransmission, and key values. ! Change the default auth-port and acct-port values. radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey ! ! Configure per-server specific timeout and key values. This server uses the global ! retransmission value. radius-server host 172.29.39.46 timeout 6 key rad123
Example: Multiple RADIUS Server Entries for the Same Server IP Address
The following example shows how to configure the network access server to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as failover backup to the first one. (The RADIUS host entries are tried in the order they are configured.)
! This command enables AAA. aaa new-model ! The next command configures default RADIUS parameters. aaa authentication ppp default group radius ! The next set of commands configures multiple host entries for the same IP address. radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 radius-server host 172.20.0.1 auth-port 2000 acct-port 2000
Examples: AAA Server Groups
The following example shows how to create server group radgroup1 with three different RADIUS server members, each using the default authentication port (1645) and accounting port (1646):
aaa group server radius radgroup1 server 172.16.1.11 server 172.17.1.21 server 172.18.1.31
The following example shows how to create server group radgroup2 with three RADIUS server members, each with the same IP address but with unique authentication and accounting ports:
aaa group server radius radgroup2 server 172.16.1.1 auth-port 1000 acct-port 1001 server 172.16.1.1 auth-port 2000 acct-port 2001 server 172.16.1.1 auth-port 3000 acct-port 3001
Example: Multiple RADIUS Server Entries Using AAA Server Groups
The following example shows how to configure the network access server to recognize two different RADIUS server groups. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as failover backup to the first one. Each group is individually configured for the deadtime; the deadtime for group 1 is one minute, and the deadtime for group 2 is two minutes.
Note |
In cases where both global commands and server commands are used, the server command takes precedence over the global command. |
! This command enables AAA. aaa new-model ! The next command configures default RADIUS parameters. aaa authentication ppp default group group1 ! The following commands define the group1 RADIUS server group and associate servers ! with it and configures a deadtime of one minute. aaa group server radius group1 server 10.1.1.1 auth-port 1645 acct-port 1646 server 10.2.2.2 auth-port 2000 acct-port 2001 deadtime 1 ! The following commands define the group2 RADIUS server group and associate servers ! with it and configures a deadtime of two minutes. aaa group server radius group2 server 10.2.2.2 auth-port 2000 acct-port 2001 server 10.3.3.3 auth-port 1645 acct-port 1646 deadtime 2 ! The following set of commands configures the RADIUS attributes for each host entry ! associated with one of the defined server groups. radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 radius-server host 10.2.2.2 auth-port 2000 acct-port 2001 radius-server host 10.3.3.3 auth-port 1645 acct-port 1646
Example: AAA Server Group Selection Based on DNIS
The following example shows how to select RADIUS server groups based on DNIS to provide specific AAA services:
! This command enables AAA. aaa new-model ! ! The following set of commands configures the RADIUS attributes for each server ! that will be associated with one of the defined server groups. radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco1 radius-server host 172.17.0.1 auth-port 1645 acct-port 1646 key cisco2 radius-server host 172.18.0.1 auth-port 1645 acct-port 1646 key cisco3 radius-server host 172.19.0.1 auth-port 1645 acct-port 1646 key cisco4 radius-server host 172.20.0.1 auth-port 1645 acct-port 1646 key cisco5 ! The following commands define the sg1 RADIUS server group and associate servers ! with it. aaa group server radius sg1 server 172.16.0.1 server 172.17.0.1 ! The following commands define the sg2 RADIUS server group and associate a server ! with it. aaa group server radius sg2 server 172.18.0.1 ! The following commands define the sg3 RADIUS server group and associate a server ! with it. aaa group server radius sg3 server 172.19.0.1 ! The following commands define the default-group RADIUS server group and associate ! a server with it. aaa group server radius default-group server 172.20.0.1 ! The next set of commands configures default-group RADIUS server group parameters. aaa authentication ppp default group default-group aaa accounting network default start-stop group default-group ! ! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined ! RADIUS server groups. In this configuration, all PPP connection requests using ! DNIS 7777 are sent to the sg1 server group. The accounting records for these ! connections (specifically, start-stop records) are handled by the sg2 server group. ! Calls with a DNIS of 8888 use server group sg3 for authentication and server group ! default-group for accounting. Calls with a DNIS of 9999 use server group ! default-group for authentication and server group sg3 for accounting records ! (stop records only). All other calls with DNIS other than the ones defined use the ! server group default-group for both authentication and stop-start accounting records. aaa dnis map enable aaa dnis map 7777 authentication ppp group sg1 aaa dnis map 7777 accounting network start-stop group sg2 aaa dnis map 8888 authentication ppp group sg3 aaa dnis map 9999 accounting network stop-only group sg3
Examples: AAA Preauthentication
The following is a simple configuration that specifies that the DNIS number be used for preauthentication:
aaa preauthentication group radius dnis required
The following example shows a configuration that specifies that both the DNIS number and the CLID number be used for preauthentication. DNIS preauthentication is performed first, followed by CLID preauthentication.
aaa preauthentication group radius dnis required clid required
The following example specifies that preauthentication be performed on all DNIS numbers except the two DNIS numbers specified in the DNIS group called “dnis-group1”:
aaa preauthentication group radius dnis required dnis bypass dnis-group1 dialer dnis group dnis-group1 number 12345 number 12346
The following is a sample AAA configuration with DNIS preauthentication:
aaa new-model aaa authentication login CONSOLE none aaa authentication login RADIUS_LIST group radius aaa authentication login TAC_PLUS group tacacs+ enable aaa authentication login V.120 none aaa authentication enable default enable group tacacs+ aaa authentication ppp RADIUS_LIST if-needed group radius aaa authorization exec RADIUS_LIST group radius if-authenticated aaa authorization exec V.120 none aaa authorization network default group radius if-authenticated aaa authorization network RADIUS_LIST if-authenticated group radius aaa authorization network V.120 group radius if-authenticated aaa accounting suppress null-username aaa accounting exec default start-stop group radius aaa accounting commands 0 default start-stop group radius aaa accounting network default start-stop group radius aaa accounting connection default start-stop group radius aaa accounting system default start-stop group radius aaa preauthentication dnis password Cisco-DNIS aaa nas port extended ! radius-server configure-nas radius-server host 10.0.0.0 auth-port 1645 acct-port 1646 non-standard radius-server host 10.255.255.255 auth-port 1645 acct-port 1646 non-standard radius-server retransmit 2 radius-server deadtime 1 radius-server attribute nas-port format c radius-server unique-ident 18 radius-server key MyKey
Note |
To configure preauthentication, you must also set up preauthentication profiles on the RADIUS server. |
Example RADIUS User Profile with RADIUS Tunneling Attributes
The following example shows a RADIUS user profile (Merit Daemon format) that includes RADIUS tunneling attributes. This entry supports two tunnels, one for L2F and the other for L2TP. The tag entries with :1 support L2F tunnels, and the tag entries with :2 support L2TP tunnels.
cisco.com Password = "PASSWORD3", Service-Type = Outbound Service-Type = Outbound, Tunnel-Type = :1:L2F, Tunnel-Medium-Type = :1:IP, Tunnel-Client-Endpoint = :1:"10.0.0.2", Tunnel-Server-Endpoint = :1:"10.0.0.3", Tunnel-Client-Auth-Id = :1:"l2f-cli-auth-id", Tunnel-Server-Auth-Id = :1:"l2f-svr-auth-id", Tunnel-Assignment-Id = :1:"l2f-assignment-id", Cisco-Avpair = "vpdn:nas-password=l2f-cli-pass", Cisco-Avpair = "vpdn:gw-password=l2f-svr-pass", Tunnel-Preference = :1:1, Tunnel-Type = :2:L2TP, Tunnel-Medium-Type = :2:IP, Tunnel-Client-Endpoint = :2:"10.0.0.2", Tunnel-Server-Endpoint = :2:"10.0.0.3", Tunnel-Client-Auth-Id = :2:"l2tp-cli-auth-id", Tunnel-Server-Auth-Id = :2:"l2tp-svr-auth-id", Tunnel-Assignment-Id = :2:"l2tp-assignment-id", Cisco-Avpair = "vpdn:l2tp-tunnel-password=l2tp-tnl-pass", Tunnel-Preference = :2:2
Examples: Guard Timer for ISDN and CAS
The following example shows an ISDN guard timer that is set at 8000 milliseconds. A call is rejected if the RADIUS server does not respond to a preauthentication request when the timer expires.
interface serial 1/0/0:23 isdn guard-timer 8000 on-expiry reject aaa preauthentication group radius dnis required
The following example shows a CAS guard timer that is set at 20,000 milliseconds. A call is accepted if the RADIUS server does not respond to a preauthentication request when the timer expires.
controller T1 0 framing esf clock source line primary linecode b8zs ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis cas-custom 0 call guard-timer 20000 on-expiry accept aaa preauthentication group radius dnis required
Additional References
Related Documents
| Related Topic |
Document Title |
|---|---|
| Cisco IOS commands |
|
| AAA and RADIUS commands |
Cisco IOS Security Command Reference |
| RADIUS attributes |
RADIUS Attributes Configuration Guide (part of the Securing User Services Configuration Library) |
| AAA |
Authentication, Authorization, and Accounting Configuration Guide (part of the Securing User Services Configuration Library) |
| L2TP, VPN, or VPDN |
Dial Technologies Configuration Guide and VPDN Configuration Guide |
| Modem configuration and management |
Dial Technologies Configuration Guide |
| RADIUS port identification for PPP |
Wide-Area Networking Configuration Guide |
RFCs
| RFC |
Title |
|---|---|
| Remote Authentication Dial-In User Service (RADIUS) |
|
| RADIUS Accounting |
|
| RADIUS |
|
| RADIUS Accounting Modifications for Tunnel Protocol Support |
|
| RADIUS Attributes for Tunnel Protocol Support |
Technical Assistance
| Description |
Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Configuring RADIUS
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Feature Name |
Releases |
Feature Information |
|---|---|---|
| Configuring RADIUS |
11.1 12.1(5)T 12.2(13)T 12.2(27)SBA 12.2(33)SRC 15.4(1)S |
The RADIUS security system is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. In Cisco IOS Release 15.4(1)S, support was added for the Cisco ASR 901S Router. |
| RADIUS Statistics via SNMP |
15.1(1)S 15.1(1)SY 15.1(4)M |
This feature provides statistics related to RADIUS traffic and private RADIUS servers. The following commands were introduced or modified: show aaa servers, show radius statistics. |
Feedback