To specify the authentication and encryption key for all RADIUS communications between the device and the RADIUS server, use the key command in RADIUS server configuration mode. To remove the configured key, use the no form of this command.
```
key { 0 string | 6 string | 7 string } string
no key
```
Command Default: The authentication and encryption key is disabled.
Command Modes: RADIUS server configuration (config-radius-server)
| Release | Modification |
|---|---|
| 15.2(2)T | This command was introduced. |
| 15.4(1)T | This command was modified. The 6 keyword was added. |
After enabling authentication, authorization, and accounting (AAA) authentication with the aaa new-model command, you must set the authentication and encryption key using the radius server key command.
Note: Specify a RADIUS key after you issue the aaa new-model command.
The key entered must match the key used on the RADIUS server. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Use the password encryption aes command to configure type 6 AES encrypted keys.
The following example shows how to specify the host with IP address 192.0.2.2 as the RADIUS server and set rad123 as the encryption key:
```
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# radius server myserver
Device(config-radius-server)# address ipv4 192.0.2.2
Device(config-radius-server)# key rad123
```
The following example shows how to set the authentication and encryption key to anykey. The keyword 7 specifies that a hidden key follows.
```
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# radius server myserver
Device(config-radius-server)# address ipv4 192.0.2.2
Device(config-radius-server)# key 7 anykey
```
After you save your configuration and use the show running-config command, an encrypted key is displayed as follows:
```
Device> enable
Device# show running-config
radius server myserver
 address ipv4 192.0.2.2
 key 7 19283103834782sda
! The leading 7 indicates that the following text is encrypted.
```
| Command | Description |
|---|---|
| aaa new-model | Enables the AAA access control model. |
| address ipv4 | Configures the IPv4 address for the RADIUS server accounting and authentication parameters. |
| password encryption aes | Enables a type 6 encrypted preshared key. |
| radius server | Specifies the name for the RADIUS server configuration and enters RADIUS server configuration mode. |
| show running-config | Displays the current configuration of your routing device. |
To configure the per-server encryption key on the TACACS+ server, use the key command in TACACS+ server configuration mode. To remove the per-server encryption key, use the no form of this command.
```
key [ 0 | 6 | 7 ] key-string
no key [ 0 | 6 | 7 ] key-string
```
| Syntax | Description |
|---|---|
| 0 | (Optional) Specifies that an unencrypted key follows. |
| 6 | (Optional) Specifies that an advanced encryption scheme (AES) encrypted key follows. |
| 7 | (Optional) Specifies that a hidden key follows. |
| key-string | The unencrypted shared key. |

Command Default: No TACACS+ encryption key is configured.
Command Modes: TACACS+ server configuration (config-server-tacacs)
| Release | Modification |
|---|---|
| Cisco IOS XE Release 3.2S | This command was introduced. |
| 15.4(1)T | This command was integrated into Cisco IOS Release 15.4(1)T. The 6 keyword was added. |
The key command allows you to configure a per-server encryption key.
Use the password encryption aes command to configure type 6 AES encrypted keys.
The following example shows how to specify an unencrypted shared key named “key1”:
```
Device> enable
Device# configure terminal
Device(config)# tacacs server server1
Device(config-server-tacacs)# key 0 key1
```
| Command | Description |
|---|---|
| password encryption aes | Enables a type 6 encrypted preshared key. |
| tacacs server | Configures the TACACS+ server for IPv6 or IPv4 and enters TACACS+ server configuration mode. |
To specify the Secure Shell (SSH) Rivest, Shamir, and Adleman (RSA) key type and name, use the key-hash command in SSH public key configuration mode. To remove the SSH RSA public key, use the no form of this command.
```
key-hash key-type key-name
no key-hash [ key-type key-name ]
```
| Syntax | Description |
|---|---|
| key-type key-name | The SSH RSA public key type and name. |

Command Default: SSH key type and name are not specified.
Command Modes: SSH public key configuration (conf-ssh-pubkey-user)
| Release | Modification |
|---|---|
| 12.2(33)SRA | This command was introduced in a release earlier than Cisco IOS Release 12.2(33)SRA. |
The key type must be ssh-rsa for configuration of private-public key pairs. You can use hashing software to compute the hash of the public key string, or you can copy the hash value from another Cisco IOS router. Using the key-string command is the preferred method for entering the public key data for the first time.
The following example shows how to specify the SSH key type and name:
```
Router(config)# ip ssh pubkey-chain
Router(conf-ssh-pubkey)# username test
Router(conf-ssh-pubkey-user)# key-hash ssh-rsa key1
Router(conf-ssh-pubkey-user)# exit
Router(config-pubkey)# exit
Router(config)# exit
```
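The guideline above says the key-hash value can be computed with hashing software. The following Python is an added example (not Cisco's code or the page's own) that derives that value from an OpenSSH public key line and enforces the page's ssh-rsa-only rule; it assumes, which the page does not state, that the IOS key-hash is the MD5 digest of the base64-decoded key blob (the digest `ssh-keygen -E md5 -lf` prints). The sample key is constructed with a toy modulus.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(x: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (sign bit kept clear)."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def build_ssh_rsa_blob(e: int, n: int) -> bytes:
    """Binary ssh-rsa public key blob (RFC 4253 layout): type, e, n."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def encode_pubkey_line(key_type: str, blob: bytes, comment: str = "") -> str:
    """Render a blob as an OpenSSH one-line public key (authorized_keys style)."""
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def key_hash(line: str) -> tuple:
    """Return (key-type, hash) for the key-hash command from an OpenSSH key line.

    Assumption (not stated on the page): the IOS key-hash value is the MD5 of
    the base64-decoded key blob, the digest `ssh-keygen -E md5 -lf` prints.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The declared type must match the type string embedded in the blob.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type in line does not match the encoded blob")
    if key_type != "ssh-rsa":  # the page: the key type must be ssh-rsa
        raise ValueError("key-hash requires an ssh-rsa key")
    return key_type, hashlib.md5(blob).hexdigest()


# Constructed demo key with a toy modulus, for illustration only.
SAMPLE_LINE = encode_pubkey_line(
    "ssh-rsa", build_ssh_rsa_blob(65537, 0xC0FFEE0123456789ABCDEF), "demo@example")
```

The returned digest is what you would enter after `key-hash ssh-rsa`; compare it against the value shown by the peer's own tooling before trusting the key.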
| Command | Description |
|---|---|
| key-string | Specifies the SSH RSA public key of the remote peer. |
To enable RADIUS server load balancing for a named RADIUS server group, use the load-balance command in server group configuration mode. To disable named RADIUS server load balancing, use the no form of this command.
```
load-balance method least-outstanding [ batch-size number ] [ ignore-preferred-server ]
no load-balance
```
Command Default: If this command is not configured, named RADIUS server load balancing will not occur.
Command Modes: Server group configuration
| Release | Modification |
|---|---|
| 12.2(28)SB | This command was introduced. |
| 12.4(11)T | This command was integrated into Cisco IOS Release 12.4(11)T. |
| 12.2(33)SRC | This command was integrated into Cisco IOS Release 12.2(33)SRC. |
The following example shows load balancing enabled for a named RADIUS server group. It is shown in three parts: the current configuration of RADIUS command output, debug output, and AAA server status information.
The following shows the relevant RADIUS configuration:
```
Router# show running-config
.
.
.
aaa group server radius server-group1
 server 192.0.2.238 auth-port 2095 acct-port 2096
 server 192.0.2.238 auth-port 2015 acct-port 2016
 load-balance method least-outstanding batch-size 5
!
aaa authentication ppp default group server-group1
aaa accounting network default start-stop group server-group1
.
.
.
```
The lines in the current configuration of RADIUS command output above are defined as follows:

- The aaa group server radius command shows the configuration of a server group with two member servers.
- The load-balance command enables load balancing for the global RADIUS server groups with the batch size specified.
- The aaa authentication ppp command authenticates all PPP users using RADIUS.
- The aaa accounting command enables the sending of all accounting requests to the AAA server after the client is authenticated and after the disconnect using the start-stop keyword.
The debug output below shows the selection of a preferred server and the processing of requests for the configuration above.
```
Router#
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002C):No preferred server available.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Server[0] load:0
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Server[1] load:0
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Selected Server[0] with load 0
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002C):Server (192.0.2.238:2095,2096) now being used as preferred server
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002D):No preferred server available.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002D):Server (192.0.2.238:2095,2096) now being used as preferred server
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002E):No preferred server available.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[3] transactions remaining in batch. Reusing server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002E):Server (192.0.2.238:2095,2096) now being used as preferred server
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002F):No preferred server available.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[2] transactions remaining in batch. Reusing server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002F):Server (192.0.2.238:2095,2096) now being used as preferred server
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(00000030):No preferred server available.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[1] transactions remaining in batch. Reusing server.
*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(00000030):Server (192.0.2.238:2095,2096) now being used as preferred server
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT(00000031):No preferred server available.
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new server.
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Server[1] load:0
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Server[0] load:5
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Selected Server[1] with load 0
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT(00000031):Server (192.0.2.238:2015,2016) now being used as preferred server
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT(00000032):No preferred server available.
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing server.
.
.
.
```
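The selection sequence in the debug output above, modelled in Python as an added example (not Cisco's implementation): the least-loaded member becomes the preferred server and is reused until batch-size transactions have been handed to it, with load counted as requests still outstanding, which is why Server[0] reads load 5 when the second batch starts. The per-session preferred-server tracking and the ignore-preferred-server keyword are not modelled, and the lowest-index tie-break is an assumption drawn from Server[0] winning at load 0 versus 0.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    """One server-group member; load counts transactions still outstanding."""
    name: str
    load: int = 0


@dataclass
class LeastOutstanding:
    """Least-outstanding selection with a batch size, as in the debug output:
    the least-loaded member becomes the preferred server and is reused until
    batch_size transactions have gone to it, then a new least-loaded member
    is chosen. Ties go to the lowest index (assumed), so Server[0] wins at 0:0."""
    members: list
    batch_size: int
    preferred: Member = None
    remaining: int = 0
    trace: list = field(default_factory=list)

    def select(self) -> Member:
        """Hand one transaction to a member and return it."""
        if self.remaining == 0:
            self.trace.append("No more transactions in batch. Obtaining a new server.")
            self.preferred = min(self.members, key=lambda m: m.load)
            self.remaining = self.batch_size
            self.trace.append(f"Selected {self.preferred.name} with load {self.preferred.load}")
            self.trace.append(f"[{self.remaining}] transactions remaining in batch.")
        else:
            self.trace.append(f"[{self.remaining}] transactions remaining in batch. Reusing server.")
        self.remaining -= 1
        self.preferred.load += 1  # the request is now outstanding on that member
        return self.preferred

    def complete(self, member: Member) -> None:
        """A response came back: the transaction is no longer outstanding."""
        member.load -= 1


def simulate(batch_size: int, transactions: int, respond_at_once: bool = False):
    """Run `transactions` selections against two members like server-group1.
    With respond_at_once each request is answered immediately, so no load ever
    builds up. Returns (per-transaction member names, final loads)."""
    group = LeastOutstanding([Member("Server[0]"), Member("Server[1]")], batch_size)
    picks = []
    for _ in range(transactions):
        member = group.select()
        picks.append(member.name)
        if respond_at_once:
            group.complete(member)
    return picks, [m.load for m in group.members]
```

Note the last case: when servers answer promptly, outstanding load stays at zero and the tie-break keeps choosing the first member, so least-outstanding is not round-robin and an idle group can look unbalanced in show aaa servers counters.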
Server Status Information for Named RADIUS Server Group Example
The output below shows the AAA server status for the named RADIUS server group configuration example.
```
Router# show aaa servers
RADIUS:id 8, priority 1, host 192.0.2.238, auth-port 2095, acct-port 2096
     State:current UP, duration 3781s, previous duration 0s
     Dead:total time 0s, count 0
     Quarantined:No
     Authen:request 0, timeouts 0
          Response:unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction:success 0, failure 0
     Author:request 0, timeouts 0
          Response:unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction:success 0, failure 0
     Account:request 0, timeouts 0
          Response:unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction:success 0, failure 0
     Elapsed time since counters last cleared:0m
RADIUS:id 9, priority 2, host 192.0.2.238, auth-port 2015, acct-port 2016
     State:current UP, duration 3781s, previous duration 0s
     Dead:total time 0s, count 0
     Quarantined:No
     Authen:request 0, timeouts 0
          Response:unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction:success 0, failure 0
     Author:request 0, timeouts 0
          Response:unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction:success 0, failure 0
     Account:request 0, timeouts 0
          Response:unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction:success 0, failure 0
     Elapsed time since counters last cleared:0m
Router#
```
The output shows the status of two RADIUS servers. Both servers are alive, and no requests have been processed since the counters were cleared 0 minutes ago.
| Command | Description |
|---|---|
| debug aaa sg-server selection | Shows why the RADIUS and TACACS+ server group system in a router is selecting a particular server. |
| debug aaa test | Shows when the idle timer or dead timer has expired for RADIUS load balancing. |
| radius-server host | Enables RADIUS automated testing for load balancing. |
| radius-server load-balance | Enables RADIUS server load balancing for the global RADIUS server group. |
| test aaa group | Tests RADIUS load balancing server response manually. |