Steps for configuring RADIUS accounting

  1. Configure the switch for accessing a RADIUS server.

    You can configure up to three RADIUS servers (one primary, two backup). The switch operates on the assumption that a server can operate in both accounting and authentication mode. See the documentation for your RADIUS server application for additional information.

    • Use the same radius-server host command that you would use to configure RADIUS authentication.

    • Provide the following:
      • A RADIUS server IP address.

      • Optional — UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recommended).

      • Optional — if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are designating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. Default: null

  2. Configure accounting types and the controls for sending reports to the RADIUS server.
    1. Accounting types:
      • exec

      • network

      • system

      • commands

    2. Trigger for sending accounting reports to a RADIUS server: At session start and stop or only at session stop.
  3. (Optional) Configure session blocking and interim updating options.
    1. Updating: Periodically update the accounting data for sessions-in-progress.
    2. Suppress accounting: Block the accounting session for any unknown user with no username trying to access to the switch.