radius-server host

Syntax

radius-server host {<FQDN> | <IPV4> | <IPV6>} [key {plaintext <PASSKEY> |
   ciphertext <PASSKEY>}] [timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
   [auth-type {pap | chap}] [acct-port <ACCT-PORT>] [retries <RETRY-COUNT>] [vrf <VRF-NAME>] 
				
no radius-server host {<FQDN> | <IPV4> | <IPV6>} [port <PORT-NUMBER>] [vrf <VRF-NAME>]

Description

Adds a RADIUS server. By default, the RADIUS server is associated with the family group named radius.

The no form of this command removes a previously added RADIUS server.

NOTE:

For enhanced security with IPsec, the alternative command radius-server host secure ipsec is available. The standard non-IPsec radius-server host command does not modify any existing IPsec configuration. If IPsec is already configured for the RADIUS server, then IPsec will remain enabled for the server.

Command context

config

Parameters

{<FQDN> | <IPV4> | <IPv6>}
Specifies the RADIUS server as:
  • <FQDN>: a fully qualified domain name.
  • <IPV4>: an IPv4 address.

  • <IPV6>: an IPv6 address.

key {plaintext <PASSKEY> | ciphertext <PASSKEY>}

Selects either a plaintext or an encrypted local shared-secret passkey for the server. As per RFC 2865, shared-secret can be a mix of alphanumeric and special characters. Plaintext passkeys are between 1 and 32 alphanumeric and special characters.

timeout <TIMEOUT-SECONDS>

Specifies the timeout. The range is 1 to 60 seconds. If a timeout is not specified, the value from the global timeout for RADIUS is used.

port <PORT-NUMBER>

Specifies the UDP authentication port number. Range: 1 to 65535. Default: 1812.

auth-type {pap | chap}

Selects either the PAP (the default) or CHAP authentication types. If this parameter is not specified, the RADIUS global default is used.

acct-port <ACCT-PORT>

Specifies the UDP accounting port number. Range: 1 to 65535. Default: 1813.

retries <RETRY-COUNT>

Specifies the number of retry attempts for contacting the specified RADIUS server. Range is 0 to 5 attempts. If no retry value is provided, the default value of 1 is used.

vrf <VRF-NAME>

Specifies the VRF name to be used for communicating with the server. If no VRF name is provided, the default VRF named default is used.

Authority

Administrators

Usage

If no local passkey is provided in the command, the server will use the global passkey. This command requires either the global or local passkey to be set; otherwise, the server will not be contacted. To set the global passkey, see radius-server key.

If the fully qualified domain name is provided for the RADIUS server host, a DNS server must be configured and accessible through the same VRF as mentioned for the server host. This configuration is required for the resolution of the RADIUS server hostname to its IP address. If a DNS server is not available for this VRF, the RADIUS servers reachable through this VRF must be configured by means of their IP addresses only.

Examples

Adding a RADIUS server with an IPv4 address and a named VRF:

switch(config)# radius-server host 1.1.1.1 vrf mgmt

Adding a RADIUS server with an IPv4 address, a port, and a named VRF:

switch(config)# radius-server host 1.1.1.2 port 32 vrf mgmt

Adding a RADIUS server with an FQDN, a timeout, port number, and a named VRF:

switch(config)# radius-server host abc.com timeout 15 port 32 vrf vrf_blue

Adding a RADIUS server with an IPv6 address:

switch(config)# radius-server host 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Adding a RADIUS server with an IPv4 address, key, encrypted passkey, number of retries, and VRF name:

switch(config)# radius-server host 1.1.1.6 key ciphertext AQBapStbgHt1X2JlbcEcQl
xbbzWjrFr9UsfH3+00x5Qj0qcQBAAAAJ5WZBQ= retries 3 vrf vrf_red

Deleting a RADIUS server with an IPv4 address and specified VRF:

switch(config)# no radius-server host 1.1.1.1 vrf mgmt

Deleting a RADIUS server with an FQDN, port, and specified VRF:

switch(config)# no radius-server host abc.com port 32 vrf vrf_blue