Configuring the switch global RADIUS parameters

Configure the switch for the following global RADIUS parameters:
  • Number of login attempts

    Specifies how many tries at entering the correct user name and password pair are allowed before access is denied and the session terminated. Number of login attempts is a general aaa authentication parameter and is not specific to RADIUS.

  • Global server key

    The server key the switch uses for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host <ip-address> key <key-string>. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch. See Configuring the switch to access a RADIUS server.

  • Server timeout

    Defines the time period in seconds for authentication attempts. If the timeout period expires before a response is received, the attempt fails.

  • Server dead time

    Specifies the time in minutes during which the switch avoids requesting authentication from a server that has not responded to previous requests.

  • Retransmit attempts

    If the first attempt to contact a RADIUS server fails, retransmit attempts specifies how many retries to allow the switch to attempt on that server.

  • Change of Authorization port

    The dyn-autz-port parameter specifies the UDP port number that listens for the Change of Authorization and Disconnect messages. The UDP port range is 1024-49151. The default port is 3799.

Syntax

aaa authentication num-attempts <1-10>
    

Specifies how many tries for entering the correct user name and password are allowed before shutting down the session due to input errors.

Default: 3; Range: 1 - 10.

[no] radius-server
key <global-key-string>
    

Specifies the global encryption key the switch uses with servers for which the switch does not have a server-specific key assignment. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key.

Default: Null.

[encrypted-key <global-key-string>]
    

Global encryption key, specified using a base64–encoded aes-256 encrypted string.

dead-time <1-1440>
    

Optional. Specifies the time in minutes during which the switch does not attempt to use a RADIUS server that has not responded to an earlier authentication attempt.

Default: 0; Range: 1 - 1440 minute

dyn-autz-port <1024-49151>
    

Specifies the UDP port number that listens for Change of Authorization or Disconnect messages. The range of ports is 1024-49151.

Default: 3799

radius-server timeout <1-15>
    

Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure.

Default: 5 seconds; Range: 1 - 15 seconds

radius-server retransmit <1-5>
    

If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session.

Default: 3; Range: 1 - 5

NOTE:

To calculate RADIUS timeout value, use equation:

((retransmits + 1) * radius-server timeout)*number of RADIUS servers configured)

If three RADIUS servers are configured with default values of radius-server timeout and radius-server retransmit, the RADIUS timeout value will be ((3+1)*5)*3 = 60 seconds.

To apply secondary authentication methods (authorized or cached reauthentication) successfully, radius-server timeout value (as per the equation) must be lesser than the server-timeout value. If radius-server timeout value is higher than the server timeout value, the client will be placed in timed out-unauth vlan (if unauth-vid is configured) or timed out-no vlan state after trying for max-requests (default value is 3).

NOTE:

Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so-on. If none of the servers respond, then the switch attempts to use the secondary authentication method configured for the type of access being attempted (console, Telnet, or SSH). For more information, see theTroubleshooting chapter of the Management and Configuration Guide for your switch.

Example

Suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case the plan is to configure the switch with the following global authentication parameters:

  • Allow only two tries to correctly enter user name and password.

  • Use the global encryption key to support the two servers that use the same key. (For this example, assume that you did not configure these two servers with a server-specific key.)

  • Use a dead time of five minutes for a server that fails to respond to an authentication request.

  • Allow three seconds for request timeouts.

  • Allow two retries following a request that did not receive a response.

Example of global configuration exercise for RADIUS authentication
Listings of global RADIUS parameters configured in Example of global configuration exercise for RADIUS authentication:
switch(config)# show authentication

 Status and Counters - Authentication Information
 Authorized enabled as backup for secondary login are preceded by *

  Login Attempts : 2 
  Lockout Delay : 0   
  Respect Privilege : Disabled 
  Bypass Username For Operator and Manager Access : Disabled 

                 | Login       Login        Login     
  Access Task    | Primary     Server Group Secondary 
  -------------- + ----------- ------------ ----------
  Console        | Local                    None      
  Telnet         | Radius                   None      
  Port-Access    | Local                    None      
  Webui          | Local                    None      
  SSH            | Local                    None      
  Web-Auth       | ChapRadius  radius       Authorized      
  MAC-Auth       | ChapRadius  radius       None      
  SNMP           | Local                    None      
  Local-MAC-Auth | Local                    None      
  REST           | Local                    None      

                 | Enable      Enable       Enable    
  Access Task    | Primary     Server Group Secondary 
  -------------- + ----------- ------------ ----------
  Console        | Tacacs                   Local     
  Telnet         | Local                    None      
  Webui          | Local                    None      
  SSH            | Local                    None      
  REST           | Local                    None  


switch(config)# show radius

 Status and Counters - General RADIUS Information

 Dead RADIUS server are preceded by *

  Deadtime (minutes)             : 5           
  Timeout (seconds)              : 3           
  Retransmit Attempts            : 2           
  Global Encryption Key          : My-Global-Key-1099                                            
  Dynamic Authorization UDP Port : 3799        
                      

                  Auth  Acct  DM/ Time   Encryption Key         OOBM
  Server IP Addr  Port  Port  CoA Window 
  --------------- ----- ----- --- ------ ---------------------- -----
  10.33.18.127    1812  1813  No  10     source0127             No
  10.33.18.119    1812  1813  No  10                            No
  10.33.18.151    1812  1813  No  10                            No
 
The last two IP addresses will use the global encryption key.