Configuring the switch to access a RADIUS server

This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services.

NOTE:

If you want to configure RADIUS accounting on the switch, see Accounting services.

Syntax:


radius-server host <ip-address>
no radius-server host <ip-address>

Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS servers, and up to 15 RADIUS server addresses. See Using multiple RADIUS server groups for information about grouping multiple RADIUS servers.

The switch uses the first server it successfully accesses; see Changing RADIUS-server access order.


[auth-port <port-number>]

Optional. Changes the UDP destination port for authentication requests to the specified RADIUS server (host). If you do not use this option with the radius-server host command, the switch automatically assigns the default authentication port number. The auth-port number must match its server counterpart.

Default: 1812


[acct-port <port-number>]

Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option with the radius-server host command, the switch automatically assigns the default accounting port number. The acct-port number must match its server counterpart.

Default: 1813


[dyn-authorization]

Enables or disables the processing of Disconnect and Change of Authorization messages from this host. When enabled, the RADIUS server can dynamically terminate or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch. The UDP port specified in the radius-server dyn-autz-port command (defaults to 3799) is the port used to listen for Change of Authorization messages (CoA) or Disconnect messages (DM).

Default: Disabled


[key <key-string>]

Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.

NOTE:

Formerly, when you saved the configuration file using Xmodem or TFTP, the RADIUS encryption key information was not saved in the file. This caused RADIUS authentication to break when the startup configuration file was loaded back onto the switch. You can now save the configured RADIUS shared secret (encryption) key to a configuration file by entering the following commands:


include-credentials

write memory

[time-window <0-65535>]

The time window in seconds within which received dynamic authorization requests are considered current and accepted for processing. A zero value means there is no time limit. A non-zero value indicates that the Event-Timestamp attribute is expected as part of all Change of Authorization and Disconnect request messages. If the timestamp attribute is not present, the message is dropped.

Default: 300 seconds.


no radius-server host <ip-address> key

Use the no form of the command to remove the key for a specified server.
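
As an added illustration (not from the switch documentation), the following Python models what the dyn-authorization, key and time-window settings above ask the switch to do: a CoA or Disconnect request is accepted only if its RFC 5176 Request Authenticator verifies under the per-server key and, when time-window is non-zero, only if it carries an Event-Timestamp within the window. The packet builder, attribute parser and the sample secret and timestamps are constructed for this example.

```python
import hashlib
import hmac
import struct
import time

EVENT_TIMESTAMP = 55  # RADIUS attribute type (RFC 2869), 4-byte epoch seconds
DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes

def build_request(code, ident, attrs, secret):
    """Build a CoA/DM request the way a RADIUS server would, with the RFC 5176
    Request Authenticator: MD5(Code + ID + Length + 16 zero bytes + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_attrs(body):
    """Walk the type/length/value attribute list; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

def accept_dyn_auth(packet, secret, time_window, now=None):
    """Switch-side acceptance check: the per-server key must match and, for a
    non-zero time-window, Event-Timestamp must be present and within the window."""
    if len(packet) < 20:
        return False, "short packet"
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False, "not a CoA/DM request or bad length"
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return False, "authenticator mismatch: key does not match, discarded"
    if time_window == 0:
        return True, "accepted (time-window 0: no time limit)"
    stamps = [v for t, v in parse_attrs(body) if t == EVENT_TIMESTAMP]
    if not stamps or len(stamps[0]) != 4:
        return False, "Event-Timestamp missing: message dropped"
    sent = struct.unpack("!I", stamps[0])[0]
    now = int(time.time()) if now is None else now
    if abs(now - sent) > time_window:
        return False, "Event-Timestamp outside time-window: message dropped"
    return True, "accepted"
```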

Suppose you have configured the switch as shown in the first figure and you now need to make the following changes:

Procedure
  1. Change the encryption key for the server at 10.33.18.127 to "source0127".
  2. Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of "source0119".

Configuration for RADIUS server before changing the key and adding another server
switch#show radius

 Status and Counters - General RADIUS Information

  Deadtime(min) : 0
  Timeout(secs) : 5
  Retransmit Attempts : 3
  Global Encryption Key :
  Dynamic Authorization UDP Port : 3799
  Source IP Selection : Outgoing Interface

                  Auth Acct DM/ Time
  Server IP Addr  Port Port CoA Window Encryption Key         OOBM
  --------------- ---- ---- --- ------ ---------------------------
  10.33.18.127    1812 1813 No  300    TempKey01              No

OOBM information is displayed only for switches that support OOBM.

To make these changes, perform the following:

Configuration for RADIUS server after changing the key and adding another server
switch(config)#radius-server host 10.33.18.127 key source0127 *
switch(config)#radius-server host 10.33.18.119 key source0119 **
switch(config)#show radius

 Status and Counters - General RADIUS Information

  Deadtime(min) : 0
  Timeout(secs) : 5
  Retransmit Attempts : 3
  Global Encryption Key :myg10balkey
  Dynamic Authorization UDP Port : 3799

                  Auth Acct DM/ Time
  Server IP Addr  Port Port CoA Window Encryption Key
  --------------- ---- ---- --- ------ ----------------
  10.33.18.127    1812 1813 No  10     source0127
  10.33.18.119    1812 1813 No  10     source0119

* Changes the key for the existing server to "source0127" (step 1, above).

** Adds the new RADIUS server with its required "source0119" key (step 2, above).

To change the order in which the switch accesses RADIUS servers, see Changing RADIUS-server access order.