radius-server host

Syntax

radius-server host {<FQDN> | <IPV4> | <IPV6>} [key {plaintext <PASSKEY> |
   ciphertext <PASSKEY>}] [timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
   [auth-type {pap | chap}] [acct-port <ACCT-PORT>] [retries <RETRY-COUNT>]
   [tracking {enable | disable}] [vrf <VRF-NAME>] 
				
no radius-server host {<FQDN> | <IPV4> | <IPV6>} [port <PORT-NUMBER>] [vrf <VRF-NAME>]

Description

Adds a RADIUS server. By default, the RADIUS server is associated with the server group named radius.

The no form of this command removes a previously added RADIUS server.

NOTE:

For enhanced security with IPsec, the alternative command radius-server host secure ipsec is available. The standard non-IPsec radius-server host command does not modify any existing IPsec configuration. If IPsec is already configured for the RADIUS server, then IPsec will remain enabled for the server.

Command context

config

Parameters

{<FQDN> | <IPV4> | <IPv6>}
Specifies the RADIUS server as:
  • <FQDN>: a fully qualified domain name.

  • <IPV4>: an IPv4 address.

  • <IPV6>: an IPv6 address.

key {plaintext <PASSKEY> | ciphertext <PASSKEY>}

Specifies either a plaintext or an encrypted local shared-secret passkey for the server. As per RFC 2865, the shared-secret can be a mix of alphanumeric and special characters. Plaintext passkeys are between 1 and 32 alphanumeric and special characters.

timeout <TIMEOUT-SECONDS>

Specifies the timeout. The range is 1 to 60 seconds. If a timeout is not specified, the value from the global timeout for RADIUS is used.

port <PORT-NUMBER>

Specifies the UDP authentication port number. Range: 1 to 65535. Default: 1812.

auth-type {pap | chap}

Selects either PAP (default) or CHAP authentication type. If this parameter is not specified, the RADIUS global default is used.

acct-port <ACCT-PORT>

Specifies the UDP accounting port number. Range: 1 to 65535. Default: 1813.

retries <RETRY-COUNT>

Specifies the number of retry attempts for contacting the specified RADIUS server. Range is 0 to 5 attempts. If no retry value is provided, the default value of 1 is used.

tracking {enable | disable}

Enables or disables server tracking for the server. Tracked servers are probed at the start of each server tracking interval to check if they are reachable. Unreachable servers are skipped in favor of servers that are proven to be reachable. Use command radius-server tracking to configure RADIUS server tracking.

vrf <VRF-NAME>

Specifies the VRF name to be used for communicating with the server. If no VRF name is provided, the default VRF named default is used.

Authority

Administrators or local user group members with execution rights for this command.

Usage

If no local passkey is provided in the command, the server will use the global passkey. This command requires either the global or local passkey to be set; otherwise, the server will not be contacted. To set the global passkey, see radius-server key.

If the fully qualified domain name is provided for the RADIUS server, a DNS server must be configured and accessible through the same VRF which is configured for the RADIUS server. This configuration is required for the resolution of the RADIUS server hostname to its IP address. If a DNS server is not available for this VRF, the RADIUS servers reachable through this VRF must be configured by means of their IP addresses only.

Examples

Adding a RADIUS server with an IPv4 address and a named VRF: 

switch(config)# radius-server host 1.1.1.1 vrf mgmt

Adding a RADIUS server with an IPv4 address, a port, and a named VRF: 

switch(config)# radius-server host 1.1.1.2 port 32 vrf mgmt

Adding a RADIUS server with an IPv6 address: 

switch(config)# radius-server host 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Deleting a RADIUS server with an IPv4 address and specified VRF: 
switch(config)# no radius-server host 1.1.1.1 vrf mgmt