radius-server host secure ipsec

Syntax

Syntax for a RADIUS server that uses IPsec for authentication:

radius-server host {<FQDN> | <IPV4> | <IPV6>} [key {plaintext <PASSKEY> |
   ciphertext <PASSKEY>}] [timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
   [auth-type {pap | chap}] [acct-port <ACCT-PORT>] [retries <RETRY-COUNT>] [vrf <VRF-NAME>]
   secure ipsec authentication spi <SPI-INDEX> <AUTH-TYPE> <AUTH_KEY-TYPE> <AUTH-KEY>
 			
no radius-server host {<FQDN> | <IPV4> | <IPV6>} [port <PORT-NUMBER>] [vrf <VRF-NAME>]
   secure ipsec authentication

Syntax for a RADIUS server that uses IPsec for both authentication and encryption:

radius-server host {<FQDN> | <IPV4> | <IPV6>} [key {plaintext <PASSKEY> |
   ciphertext <PASSKEY>}] [timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
   [auth-type {pap | chap}] [acct-port <ACCT-PORT>] [retries <RETRY-COUNT>] [vrf <VRF-NAME>]
   secure ipsec encryption spi <SPI-INDEX> <AUTH-TYPE> <AUTH_KEY-TYPE> <AUTH-KEY>
   <ENCRYPT-TYPE> <ENCRYPT-KEY-TYPE> <ENCRYPT-KEY>
				
no radius-server host {<FQDN> | <IPV4> | <IPV6>} [port <PORT-NUMBER>] [vrf <VRF-NAME>]
   secure ipsec encryption

Description

Adds a RADIUS server that uses IPsec for enhanced security (authentication and possibly encryption). By default, the RADIUS server is associated with the server group named radius.

The no form of this command removes a previously added RADIUS (with IPsec) server.

NOTE:

Unless enhanced security with IPsec is required, use the radius-server host command instead.

Command context

config

Parameters

{<FQDN> | <IPV4> | <IPv6>}
Specifies the RADIUS server as:
  • <FQDN>: a fully qualified domain name.
  • <IPV4>: an IPv4 address.

  • <IPV6>: an IPv6 address.

key {plaintext <PASSKEY> | ciphertext <PASSKEY>}

Selects either a plaintext or an encrypted local shared-secret passkey for the server. As per RFC 2865, shared-secret can be a mix of alphanumeric and special characters. Plaintext passkeys are between 1 and 32 alphanumeric and special characters.

timeout <TIMEOUT-SECONDS>

Specifies the timeout. The range is 1 to 60 seconds. If a timeout is not specified, the value from the global timeout for RADIUS is used.

port <PORT-NUMBER>

Specifies the UDP authentication port number. Range: 1 to 65535. Default: 1812.

auth-type {pap | chap}

Selects either the PAP (the default) or CHAP authentication types. If this parameter is not specified, the RADIUS global default is used.

acct-port <ACCT-PORT>

Specifies the UDP accounting port number. Range: 1 to 65535. Default: 1813.

retries <RETRY-COUNT>

Specifies the number of retry attempts for contacting the specified RADIUS server. Range is 0 to 5 attempts. If no retry value is provided, the default value of 1 is used.

vrf <VRF-NAME>

Specifies the VRF name to be used for communicating with the server. If no VRF name is provided, the default VRF named default is used.

spi <SPI-INDEX>

Specifies the Security Parameters Index. The SPI is an identification tag carried in the IPsec AH header. The SPI must be unique on the switch. Range: 256 to 4294967295.

<AUTH-TYPE>

Specifies the authentication algorithm: md5, sha1, or sha256.

<AUTH_KEY-TYPE>

Specifies the authentication key type: plaintext, hex-string, or ciphertext.

<AUTH-KEY>

Specifies the authentication key. For <AUTH-TYPE> of ciphertext, this is the ciphertext string.

For <AUTH-TYPE> of plaintext or hex-string:
  • md5 (plaintext): 1 to 16 characters, (hex-string): 2 to 32 hexadecimal digits.

  • sha1 (plaintext): 1 to 20 characters, (hex-string): 2 to 40 hexadecimal digits.

  • sha256 (plaintext): 1 to 32 characters, (hex-string): 2 to 64 hexadecimal digits.

<ENCRYPT-TYPE>

Specifies the encryption algorithm: 3des, aes, des, or null.

<ENCRYPT-KEY-TYPE>

Specifies the encryption key type: plaintext, hex-string, or ciphertext.

<ENCRYPT-KEY>

Specifies the encryption key. For <ENCRYPT-TYPE> of ciphertext, this is the ciphertext string.

For <ENCRYPT-TYPE> of plaintext or hex-string:
  • 3des (plaintext): 24 characters, (hex-string): 48 hexadecimal digits.

  • aes (plaintext): 16, 24, or 32 characters, (hex-string): 32, 48, or 64 hexadecimal digits.

  • des (plaintext): 8 characters, (hex-string): 16 hexadecimal digits.

Authority

Administrators or local user group members with execution rights for this command.

Usage

If no local passkey is provided in the command, the server will use the global passkey. This command requires either the global or local passkey to be set; otherwise, the server will not be contacted. To set the global passkey, see radius-server key.

If the fully qualified domain name is provided for the RADIUS server host, a DNS server must be configured and accessible through the same VRF as mentioned for the server host. This configuration is required for the resolution of the RADIUS server hostname to its IP address. If a DNS server is not available for this VRF, the RADIUS servers reachable through this VRF must be configured by means of their IP addresses only.

Examples

Adding a RADIUS server with an IPv4 address, a plaintext passkey, and IPsec authentication (md5 plaintext).

switch(config)# radius-server host 1.1.1.1 key plaintext 98ab vrf mgmt secure
   ipsec authentication spi 261 md5 plaintext 1abc

Adding a RADIUS server with an IPv4 address, IPsec authentication (MD5 plaintext), and IPsec encryption (AES plaintext):

switch(config)# radius-server host 1.1.1.2 vrf mgmt secure
   ipsec encryption spi 262 md5 plaintext 9xyz aes plaintext 1234567890abcdef

Removing a RADIUS server with an IPv4 address and IPsec authentication:

switch(config)# no radius-server host 1.1.1.1 vrf mgmt secure ipsec authentication

Removing a RADIUS server with an IPv4 address and IPsec authentication and IPsec encryption:

switch(config)# no radius-server host 1.1.1.2 vrf mgmt secure ipsec encryption