radius attribute nas-port-type through rd
- radius-server attribute nas-port format
- radius-server configure-nas
- radius-server dead-criteria
- radius-server deadtime
- radius-server host
- radius-server key
- radius-server load-balance
- radius-server retransmit
- radius-server timeout
- radius-server vsa send
- rd
radius-server attribute nas-port format
To set the NAS-Port format used for RADIUS accounting features and restore the default NAS-port format, or to set the global attribute 61 session format e string or configure a specific service port type for attribute 61 support, use the radius-server attribute nas-port format command in global configuration mode. To stop sending attribute 61 to the RADIUS server, use the no form of this command.
NAS-Port for RADIUS Accounting Features and Restoring Default NAS-Port Format
radius-server attribute nas-port format format
no radius-server attribute nas-port format format
Extended NAS-Port Support
radius-server attribute nas-port format format [string] [ type nas-port-type ]
no radius-server attribute nas-port format format [string] [ type nas-port-type ]
Syntax Description
Command Default
Standard NAS-Port format for NAS-Port for RADIUS accounting features and restoring default NAS-Port format or extended NAS-Port support.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
11.3(7)T |
This command was introduced. |
11.3(9)DB |
The PPP extended NAS-Port format was added. |
12.1(5)T |
The PPP extended NAS-Port format was expanded to support PPPoE over ATM and PPPoE over IEEE 802.1Q VLANs. |
12.2(4)T |
Format e was introduced. |
12.2(11)T |
Format e was extended to support PPPoX information. |
12.3(3) |
Format e was extended to support Session ID U. |
12.3(7)XI1 |
Format e was extended to allow the format string to be NAS-Port-Type attribute specific. The following keyword and arguments were added: string, type nas-port-type. |
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC. |
Usage Guidelines
The radius-server attribute nas-port format command configures RADIUS to change the size and format of the NAS-Port attribute field (RADIUS IETF attribute 5).
The following NAS-Port formats are supported:
Standard NAS-Port format--This 16-bit NAS-Port format indicates the type, port, and channel of the controlling interface. This is the default format used by Cisco IOS software.
Extended NAS-Port format--The standard NAS-Port attribute field is expanded to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface that is undergoing authentication.
Shelf-slot NAS-Port format--This 16-bit NAS-Port format supports expanded hardware models requiring shelf and slot entries.
PPP extended NAS-Port format--This NAS-Port format uses 32 bits to indicate the interface, virtual path identifier (VPI), and virtual channel indicator (VCI) for PPPoA and PPPoEoA, and the interface and VLAN ID for PPPoE over Institute of Electrical and Electronic Engineers (IEEE) standard 802.1Q VLANs.
Format e
Before Cisco IOS Release 12.2(4)T formats a through c did not work with Cisco platforms such as the AS5400. For this reason, a configurable format e was developed. Format e requires you to explicitly define the usage of the 32 bits of attribute 25 (NAS-Port). The usage is defined with a given parser character for each NAS-Port field of interest for a given bit field. By configuring a single character in a row, such as x, only one bit is assigned to store that given value. Additional characters of the same type, such as x, will provide a larger available range of values to be stored. The table belowshows how the ranges may be expanded:
Character |
Range |
---|---|
x |
0-1 |
xx |
0-3 |
xxx |
0-7 |
xxxx |
0-F |
xxxxx |
0-1F |
It is imperative that you know what the valid range is for a given parameter on a platform that you want to support. The Cisco IOS RADIUS client will bitmask the determined value to the maximum permissible value on the basis of configuration. Therefore, if one has a parameter that turns out to have a value of 8, but only 3 bits (xxx) are configured, 8 and 0x7 will give a result of 0. Therefore, you must always configure a sufficient number of bits to capture the value required correctly. Care must be taken to ensure that format e is configured to properly work for all NAS port types within your network environment.
The table below shows the supported parameters and their characters:
Supported Parameters |
Characters |
---|---|
Zero |
0 (always sets a 0 to that bit) |
One |
1 (always sets a 0 to that bit) |
DS0 shelf |
f |
DS0 slot |
s |
DS0 adaptor |
a |
DS0 port |
p (physical port) |
DS0 subinterface |
i |
DS0 channel |
c |
Async shelf |
F |
Async slot |
S |
Async port |
P |
Async line |
L (modern line number, that is, physical terminal [TTY] number) |
PPPoX slot |
S |
PPPoX adaptor |
A |
PPPoX port |
P |
PPPoX VLAN ID |
V |
PPPoX VPI |
I |
PPPoX VCI |
C |
Session ID |
U |
All 32 bits that represent the NAS-Port must be set to one of the above characters because this format makes no assumptions for empty fields.
Access Router
The DS0 port on a T1-based card and on a T3-based card will give different results. On T1-based cards, the physical port is equal to the virtual port (because these are the same). So, p and d will give the same information for a T1 card. However, on a T3 system, the port will give you the physical port number (because there can be more than one T3 card for a given platform). As such, d will give you the virtual T1 line (as per configuration on a T3 controller). On a T3 system, p and d will be different, and one should capture both to properly identify the physical device. As a working example for the Cisco AS5400, the following configuration is recommended:
Router (config)# radius-server attribute nas-port format e SSSSPPPPPPPPPsssspppppccccc
This will give one an asynchronous slot (0-16), asynchronous port (0-512), DS0 slot (0-16), DS0 physical port (0-32), DS0 virtual port (0-32), and channel (0-32). The parser has been implemented to explicitly require 32-bit support, or it will fail.
Finally, format e is supported for channel-associated signaling (CAS), PRI, and BRI-based interfaces.
Note | This command replaces the radius-server attribute nas-port extended command. |
Extended NAS-Port-Type Attribute Support
This command allows you to configure a specific service port type for extended attribute 61 support which overrides the default global setting.
Examples
In the following example, a RADIUS server is identified, and the NAS-Port field is set to the PPP extended format:
radius-server host 192.0.2.96 auth-port 1645 acct-port 1646 radius-server attribute nas-port format d
The following example shows how to configure global support for extended NAS-Port-Type ports and how to specify two separate format e strings globally for two different types of ports:
type 30 (which is PPPoA)
type 33 which is (PPPoEoVLAN)
Router# configure terminal Router(config)# Router(config)# radius-server attribute 61 extended Router(config)# radius-server attribute nas-port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU Router(config)# radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30 Router(config)# Router(config)# radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33
Related Commands
Command |
Description |
---|---|
radius attribute nas-port-type |
Configures subinterfaces such as Ethernet, vLANs, stacked VLAN (Q-in-Q), virtual circuit (VC), and VC ranges. |
radius-server attribute 61 extended |
Enables extended, non-RFC-compliant NAS-Port-Type attribute (RADIUS attribute 61). |
vpdn aaa attribute |
Enables the LNS to send PPP extended NAS-Port format values to the RADIUS server for accounting. |
radius-server configure-nas
To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas command in global configuration mode. To discontinue the query of the RADIUS server, use the no form of this command.
radius-server configure-nas
no radius-server configure-nas
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
11.3 |
This command was introduced. |
12.2(33)SRA |
This command was integrated into Cisco IOS release 12.(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.
Note | Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy system:running-config nvram:startup-config command. |
Examples
The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:
radius-server configure-nas
Related Commands
Command |
Description |
---|---|
radius-server host non-standard |
Identifies that the security server is using a vendor-proprietary implementation of RADIUS. |
radius-server dead-criteria
To force one or both of the criteria--used to mark a RADIUS server as dead--to be the indicated constant, use the radius-server dead-criteria command in global configuration mode. To disable the criteria that were set, use the no form of this command.
radius-server dead-criteria [ time seconds ] [ tries number-of-tries ]
no radius-server dead-criteria [ time seconds | tries number-of-tries ]
Syntax Description
Command Default
The number of seconds and number of consecutive timeouts that occur before the RADIUS server is marked as dead will vary, depending on the transaction rate of the server and the number of configured retransmissions.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.2(15)T |
This command was introduced. |
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
Note | Both the time criterion and the tries criterion must be met for the server to be marked as dead. |
The no form of this command has the following cases:
If neither the seconds nor the number-of-tries argument is specified with the no radius-server dead-criteriacommand, both time and tries will be reset to their defaults.
If the seconds argument is specified using the originally set value, the time will be reset to the default value range (10 to 60).
If the number-of-tries argument is specified using the originally set value, the number of tries will be reset to the default value range (10 to 100).
Examples
The following example shows how to configure the router so that it will be considered dead after 5 seconds and 4 tries:
Router (config)# radius-server dead-criteria time 5 tries 4
The following example shows how to disable the time and number-of-tries criteria that were set for the radius-server dead-criteria command.
Router (config)# no radius-server dead-criteria
The following example shows how to disable the time criterion that was set for the radius-server dead-criteria command.
Router (config)# no radius-server dead-criteria time 5
The following example shows how to disable the number-of-tries criterion that was set for the radius-server dead-criteria command.
Router (config)# no radius-server dead-criteria tries 4
Related Commands
Command |
Description |
---|---|
debug aaa dead-criteria transactions |
Displays AAA dead-criteria transaction values. |
show aaa dead-criteria |
Displays dead-criteria information for a AAA server. |
show aaa server-private |
Displays the status of all private RADIUS servers. |
show aaa servers |
Displays information about the number of packets sent to and received from AAA servers. |
radius-server deadtime
To improve RADIUS response time when some servers might be unavailable and to skip unavailable servers immediately, use the radius-server deadtime command in global configuration mode. To set deadtime to 0, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime
Syntax Description
minutes |
Length of time, in minutes (up to a maximum of 1440 minutes or 24 hours), for which a RADIUS server is skipped over by transaction requests. |
Command Default
Dead time is set to 0.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
11.1 |
This command was introduced. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
Use this command to enable the Cisco IOS software to mark as “dead” any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as “dead” is skipped by additional requests for the specified duration (in minutes) or unless there are no servers not marked as “dead.”
Note | If a RADIUS server that is marked as “dead” receives a directed-request, the directed- request is not omitted by the RADIUS server. The RADIUS server continues to process the directed-request because the request is directly sent to the RADIUS server. |
When the RADIUS Server Is Marked As Dead
For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a packet is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.
For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server will be marked as dead if both of the following conditions are met:
A valid response has not been received from the RADIUS server for any outstanding transaction for at least the timeout period that is used to determine whether to retransmit to that server, and
At at least the requisite number of retransmits plus one (for the initial transmission) have been sent consecutively across all transactions being sent to the RADIUS server without receiving a valid response from the server within the requisite timeout.
Examples
The following example specifies five minutes of deadtime for RADIUS servers that fail to respond to authentication requests:
radius-server deadtime 5
Related Commands
Command |
Description |
---|---|
deadtime (server-group configuration) |
Configures deadtime within the context of RADIUS server groups. |
radius-server host |
Specifies a RADIUS server host. |
radius-server retransmit |
Specifies the number of times that the Cisco IOS software searches the list of RADIUS server hosts before giving up. |
radius-server timeout |
Sets the interval for which a router waits for a server host to reply. |
radius-server host
Note | The radius-server host command is deprecated from Cisco IOS Release 15.4(2)S. To configure an IPv4 or IPv6 RADIUS server, use the radius server name command. For more information about the radius server command, see Cisco IOS Security Command Reference: Commands M to R. |
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
Cisco IOS Release 12.4T and Later Releases
radius-server host { hostname | ip-address } [ alias { hostname | ip-address } | [ acct-port port-number ] [ auth-port port-number ] [non-standard] [ timeout seconds ] [ retransmit retries ] [ backoff exponential [ max-delay minutes ] [ backoff-retry number-of-retransmits ] ] [ key encryption-key ] ]
no radius-server host { hostname | ip-address }
All Other Releases
radius-server host { hostname | ip-address } [ alias { hostname | ip-address } | [ acct-port port-number ] [ auth-port port-number ] [non-standard] [ timeout seconds ] [ retransmit retries ] [ test username user-name [ignore-acct-port] [ignore-auth-port] [ idle-time minutes ] ] [ backoff exponential [ max-delay minutes ] [ backoff-retry number-of-retransmits ] ] [ key-wrap encryption-key encryption-key message-auth-code-key encryption-key [ format { ascii | hex } ] | pac ] [ key encryption-key ] ]
no radius-server host { hostname | ip-address }
Syntax Description
hostname |
Domain Name System (DNS) name of the RADIUS server host. |
||
ip-address |
IP address of the RADIUS server host. |
||
alias |
(Optional) Allows up to eight aliases per line for any given RADIUS server. |
||
acct-port port-number |
(Optional) UDP destination port for accounting requests. |
||
auth-port port-number |
(Optional) UDP destination port for authentication requests. |
||
non-standard |
Parses attributes that violate the RADIUS standard. |
||
timeout seconds |
(Optional) Time interval (in seconds) that the device waits for the RADIUS server to reply before retransmitting. |
||
retransmit retries |
(Optional) Number of times a RADIUS request is resent to a server, if that server is not responding or there is a delay in responding. |
||
test username user-name |
(Optional) Sets the test username for the automated testing feature for RADIUS server load balancing. |
||
ignore-acct-port |
(Optional) Disables the automated testing feature for RADIUS server load balancing on the accounting port. |
||
ignore-auth-port |
(Optional) Disables the automated testing feature for RADIUS server load balancing on the authentication port. |
||
idle-time minutes |
(Optional) Length of time (in minutes) the server remains idle before it is quarantined and test packets are sent out. The range is from 1 to 35791. The default is 60. |
||
backoff exponential |
(Optional) Sets the exponential retransmits backup mode. |
||
max-delay minutes |
(Optional) Sets the maximum delay (in minutes) between retransmits. |
||
key-wrap encryption-key |
(Optional) Specifies the key-wrap encryption key. |
||
message-auth-code-key |
Specifies the key-wrap message authentication code key. |
||
format |
(Optional) Specifies the format of the message authenticator code key. |
||
backoff-retry number-of-retransmits |
(Optional) Specifies the exponential backoff retry. |
||
pac |
(Optional) Generates the per-server Protected Access Credential (PAC) key. |
||
key |
(Optional) Encryption key used between the device and the RADIUS daemon running on this RADIUS server.
|
||
encryption-key |
Specifies the encryption key. |
Command Default
No RADIUS host is specified and RADIUS server load balancing automated testing is disabled by default.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
||
---|---|---|---|
11.1 |
This command was introduced. |
||
12.0(5)T |
This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server. |
||
12.1(3)T |
This command was modified. The alias keyword was added. |
||
12.2(15)B |
This command was integrated into Cisco IOS Release 12.2(15)B. The backoff exponential, backoff-retry, key, and max-delay keywords and number-of-retransmits, encryption-key, and minutes arguments were added. |
||
12.2(28)SB |
This command was integrated into Cisco release 12.2(28)SB. The test username user-name, ignore-auth-port, ignore-acct-port, and idle-time seconds keywords and arguments were added for configuring the RADIUS server load balancing automated testing functionality. |
||
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. The keywords and arguments that were added in Cisco IOS Release 12.2(28)SB apply to Cisco IOS Release 12.2(33)SRA and subsequent 12.2SR releases. |
||
12.4(11)T |
This command was modified.
|
||
12.2 SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
||
Cisco IOS XE Release 2.5 |
This command was integrated into Cisco IOS XE Release 2.5. |
||
15.3(1)S |
This command was modified. The key-wrap encryption-key, message-auth-code-key, format, ascii, and hex keywords were added. |
||
Cisco IOS XE Release 3.2SE |
This command was integrated into Cisco IOS XE Release 3.2SE. |
||
15.4(2)S |
This command was deprecated in Cisco IOS Release 15.4(2)S. |
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.
We recommend the use of a test user who is not defined on the RADIUS server for the automated testing of the RADIUS server. This is to protect against security issues that can arise if the test user is not configured correctly.
If you configure one RADIUS server with a nonstandard option and another RADIUS server without the nonstandard option, the RADIUS server host with the nonstandard option does not accept a predefined host. However, if you configure the same RADIUS server host IP address for different UDP destination ports, where one UDP destination port (for accounting requests) is configured using the acct-port keyword and another UDP destination port (for authentication requests) is configured using the auth-port keyword with and without the nonstandard option, the RADIUS server does not accept the nonstandard option. This results in resetting all the port numbers. You must specify a host and configure accounting and authentication ports on a single line.
To use separate servers for accounting and authentication, use the zero port value as appropriate.
RADIUS Server Automated Testing
When you use the radius-server host command to enable automated testing for RADIUS server load balancing:
- The authentication port is enabled by default. If the port number is not specified, the default port number (1645) is used. To disable the authentication port, specify the ignore-auth-port keyword.
- The accounting port is enabled by default. If the port number is not specified, the default port number (1645) is used. To disable the accounting port, specify the ignore-acct-port keyword.
Examples
The following example shows how to specify host1 as the RADIUS server and to use default ports for both accounting and authentication depending on the Cisco release that you are using:
radius-server host host1
The following example shows how to specify port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example shows how to specify the host with IP address 192.0.2.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to six, sets the retransmit value to five, and sets “rad123” as the encryption key, thereby matching the key on the RADIUS server:
radius-server host 192.0.2.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example shows how to specify the RADIUS server host1 for accounting but not for authentication, and the RADIUS server host2 for authentication but not for accounting:
radius-server host host1.example.com auth-port 0 radius-server host host2.example.com acct-port 0
The following example shows how to specify four aliases on the RADIUS server with IP address 192.0.2.1:
radius-server host 192.0.2.1 auth-port 1646 acct-port 1645 radius-server host 192.0.2.1 alias 192.0.2.2 192.0.2.3 192.0.2.4
The following example shows how to enable exponential backoff retransmits on a per-server basis. In this example, assume that the retransmit is configured for three retries and the timeout is configured for five seconds; that is, the RADIUS request will be transmitted three times with a delay of five seconds. Thereafter, the device will continue to retransmit RADIUS requests with a delayed interval that doubles each time until 32 retries have been achieved. The device will stop doubling the retransmit intervals after the interval surpasses the configured 60 minutes; it will transmit every 60 minutes.
The pac keyword allows the PAC-Opaque, which is a variable length field, to be sent to the server during the Transport Layer Security (TLS) tunnel establishment phase. The PAC-Opaque can be interpreted only by the server to recover the required information for the server to validate the peer’s identity and authentication. For example, the PAC-Opaque may include the PAC-Key and the PAC’s peer identity. The PAC-Opaque format and contents are specific to the issuing PAC server.
The following example shows how to configure automatic PAC provisioning on a device. In seed devices, the PAC-Opaque has to be provisioned so that all RADIUS exchanges can use this PAC-Opaque to enable automatic PAC provisioning for the server being used. All nonseed devices obtain the PAC-Opaque during the authentication phase of a link initialization.
enable configure terminal radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 pac
Examples
The following example shows how to enable RADIUS server automated testing for load balancing with the authorization and accounting ports specified depending on the Cisco release that you are using:
radius-server host 192.0.2.176 test username test1 auth-port 1645 acct-port 1646
Related Commands
Command | Description |
---|---|
aaa accounting |
Enables AAA accounting of requested services for billing or security purposes. |
aaa authentication ppp |
Specifies one or more AAA authentication method for use on serial interfaces that run PPP. |
aaa authorization |
Sets parameters that restrict network access to a user. |
debug aaa test |
Shows when the idle timer or dead timer has expired for RADIUS server load balancing. |
load-balance |
Enables RADIUS server load balancing for named RADIUS server groups. |
ppp |
Starts an asynchronous connection using PPP. |
ppp authentication |
Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are to be selected on the interface. |
radius-server key |
Sets the authentication and encryption key for all RADIUS communications between the device and the RADIUS daemon. |
radius-server load-balance |
Enables RADIUS server load balancing for the global RADIUS server group. |
radius-server retransmit |
Specifies the number of times Cisco software searches the list of RADIUS server hosts before giving up. |
radius-server timeout |
Sets the interval that a device waits for a server host to reply. |
test aaa group |
Tests the RADIUS load balancing server response manually. |
username |
Establishes a username-based authentication system, such as PPP CHAP and PAP. |
radius-server key
Note | The radius-server key command is deprecated from Cisco IOS Release 15.4(2)S. To configure an IPv4 or IPv6 RADIUS server, use the radius server name key command. For more information about the key (config-radius-server) command, see Cisco IOS Security Command Reference: Commands D to L. |
To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the key, use the no form of this command.
radius-server key { 0 string | 7 string } string
no radius-server key
Syntax Description
0 string |
Specifies that an unencrypted key follows. The unencrypted (cleartext) shared key. |
7 string |
Specifies that a hidden key follows. The hidden shared key. |
string |
The unencrypted (cleartext) shared key. |
Command Default
The authentication and encryption key is disabled.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
11.1 |
This command was introduced. |
12.1(3)T |
This command was modified. The string argument was modified as follows: |
12.2(33)SRA |
This command was integrated into Cisco IOS release 12.(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Cisco IOS XE Release 3.3S |
This command was integrated into Cisco IOS XE Release 3.3S. |
15.4(2)S |
This command was deprecated in Cisco IOS Release 15.4(2)S. |
Usage Guidelines
After enabling authentication, authorization, and accounting (AAA) authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.
Note | Specify a RADIUS key after you issue the aaa new-model command. |
The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to “key1”:
Device(config)# radius-server key key1
The following example sets the authentication and encryption key to “anykey.” The 7 specifies that a hidden key will follow.
service password-encryption radius-server key 7 anykey
After you save your configuration and use the show-running config command, an encrypted key will be displayed as follows:
Device# show running-config ! ! radius-server key 7 19283103834782sda ! The leading 7 indicates that the following text is encrypted.
Related Commands
Command |
Description |
---|---|
aaa accounting |
Enables AAA accounting of requested services for billing or security purposes. |
aaa authentication ppp |
Specifies one or more AAA authentication methods for use on serial interfaces running PPP. |
aaa authorization |
Sets parameters that restrict user access to a network. |
aaa new-model |
Enables AAA access control model. |
ppp |
Starts an asynchronous connection using PPP. |
ppp authentication |
Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface. |
radius-server host |
Specifies a RADIUS server host. |
service password-encryption |
Encrypt passwords. |
username |
Establishes a username-based authentication system, such as PPP CHAP and PAP. |
radius-server load-balance
To enable RADIUS server load balancing for the global RADIUS server group referred to as “radius” in the authentication, authorization and accounting (AAA) method lists, use the radius-server load-balance command in global configuration mode. To disable RADIUS server load balancing, use the no form of this command.
radius-server load-balance method least-outstanding [ batch-size number ] [ignore-preferred-server]
no radius-server load-balance
Syntax Description
method least-outstanding |
Enables least outstanding mode for load balancing. |
||
batch-size |
(Optional) The number of transactions to be assigned per batch. |
||
number |
(Optional) The number of transactions in a batch.
|
||
ignore-preferred-server |
(Optional) Indicates if a transaction associated with a single AAA session should attempt to use the same server or not.
|
Command Default
If this command is not configured, global RADIUS server load balancing will not occur.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(28)SB |
This command was introduced. |
12.4(11)T |
This command was integrated into Cisco IOS Release 12.4(11)T. |
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC. |
Examples
The following example shows how to enable load balancing for global RADIUS server groups. It is shown in three parts: the current configuration of RADIUS command output, debug output, and AAA server status information. You can use the delimiting characters to display only the relevant parts of the configuration.
Examples
The following shows the relevant RADIUS configuration:
Router# show running-config | inc radius aaa authentication ppp default group radius aaa accounting network default start-stop group radius radius-server host 192.0.2.238 auth-port 2095 acct-port 2096 key cisco radius-server host 192.0.2.238 auth-port 2015 acct-port 2016 key cisco radius-server load-balance method least-outstanding batch-size 5
The lines in the current configuration of RADIUS command output above are defined as follows:
The aaa authentication pppcommand authenticates all PPP users using RADIUS.
The aaa accounting command enables the sending of all accounting requests to the AAA server after the client is authenticated and after the disconnect using the keyword start-stop.
The radius-server host command defines the IP address of the RADIUS server host with the authorization and accounting ports specified and the authentication and encryption key identified.
The radius-server load-balance command enables load balancing for the global RADIUS server groups with the batch size specified.
Examples
The debug output below shows the selection of preferred server and processing of requests for the configuration above.
Router# show debug General OS: AAA server group server selection debugging is on Router# <sending 10 pppoe requests> Router# *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000014):No preferred server available. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[0] load:0 *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[1] load:0 *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Selected Server[0] with load 0 *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000014):Server (192.0.2.238:2095,2096) now being used as preferred server *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000015):No preferred server available. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000015):Server (192.0.2.238:2095,2096) now being used as preferred server *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000016):No preferred server available. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[3] transactions remaining in batch. Reusing server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000016):Server (192.0.2.238:2095,2096) now being used as preferred server *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000017):No preferred server available. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[2] transactions remaining in batch. Reusing server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000017):Server (192.0.2.238:2095,2096) now being used as preferred server *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000018):No preferred server available. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[1] transactions remaining in batch. Reusing server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000018):Server (192.0.2.238:2095,2096) now being used as preferred server *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000019):No preferred server available. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[1] load:0 *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[0] load:5 *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Selected Server[1] with load 0 *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000019):Server (192.0.2.238:2015,2016) now being used as preferred server *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(0000001A):No preferred server available. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing server. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT(0000001A):Server (192.0.2.238:2015,2016) now being used as preferred server *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT(0000001B):No preferred server available. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT:[3] transactions remaining in batch. Reusing server. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT(0000001B):Server (192.0.2.238:2015,2016) now being used as preferred server *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT(0000001C):No preferred server available. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT:[2] transactions remaining in batch. Reusing server. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT(0000001C):Server (192.0.2.238:2015,2016) now being used as preferred server *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT(0000001D):No preferred server available. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT:Obtaining least loaded server. *Feb 28 13:40:32.203:AAA/SG/SERVER_SELECT:[1] transactions remaining in batch. Reusing server . . .
Server Status Information for Global RADIUS Server Group Example
The output below shows the AAA server status for the global RADIUS server group configuration example.
Router# show aaa server RADIUS:id 4, priority 1, host 192.0.2.238, auth-port 2095, acct-port 2096 State:current UP, duration 3175s, previous duration 0s Dead:total time 0s, count 0 Quarantined:No Authen:request 6, timeouts 1 Response:unexpected 1, server error 0, incorrect 0, time 1841ms Transaction:success 5, failure 0 Author:request 0, timeouts 0 Response:unexpected 0, server error 0, incorrect 0, time 0ms Transaction:success 0, failure 0 Account:request 5, timeouts 0 Response:unexpected 0, server error 0, incorrect 0, time 3303ms Transaction:success 5, failure 0 Elapsed time since counters last cleared:2m RADIUS:id 5, priority 2, host 192.0.2.238, auth-port 2015, acct-port 2016 State:current UP, duration 3175s, previous duration 0s Dead:total time 0s, count 0 Quarantined:No Authen:request 6, timeouts 1 Response:unexpected 1, server error 0, incorrect 0, time 1955ms Transaction:success 5, failure 0 Author:request 0, timeouts 0 Response:unexpected 0, server error 0, incorrect 0, time 0ms Transaction:success 0, failure 0 Account:request 5, timeouts 0 Response:unexpected 0, server error 0, incorrect 0, time 3247ms Transaction:success 5, failure 0 Elapsed time since counters last cleared:2m Router#
The output shows the status of two RADIUS servers. Both servers are up and, in the last 2 minutes, have processed successfully:
5 out of 6 authentication requests
5 out of 5 accounting requests
Related Commands
Command |
Description |
---|---|
debug aaa sg-server selection |
Shows why the RADIUS and TACACS+ server group system in a router is selecting a particular server. |
debug aaa test |
Shows when the idle timer or dead timer has expired for RADIUS server load balancing. |
load-balance |
Enables RADIUS server load balancing for named RADIUS server groups. |
radius-server host |
Enables RADIUS automated testing for load balancing. |
test aaa group |
Tests RADIUS load balancing server response manually. |
radius-server retransmit
To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
retries |
Maximum number of retransmission attempts. The range is 0 to 100. |
Command Default
The default number of retransmission attempts is 3.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
11.1 |
This command was introduced. |
12.2(31)SB |
This command was integrated into Cisco IOS Release 12.2(31)SB. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Cisco IOS XE Release 3.3S |
This command was integrated into Cisco IOS XE Release 3.3S. |
Usage Guidelines
The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
If the RADIUS server is only a few hops from the router, we recommend that you configure the RADIUS server retransmit rate to 5.
Examples
The following example shows how to specify a retransmit counter value of five times:
Router(config)# radius-server retransmit 5
Related Commands
Command |
Description |
---|---|
aaa new-model |
Enables the AAA access control model. |
radius-server host |
Specifies a RADIUS server host. |
radius-server key |
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. |
radius-server timeout |
Sets the interval for which a router waits for a server host to reply. |
show radius statistics |
Displays the RADIUS statistics for accounting and authentication packets. |
radius-server timeout
To set the interval for which a router waits for a server host to reply, use the radius-server timeout command in global configuration mode. To restore the default, use the noform of this command.
radius-server timeout seconds
no radius-server timeout
Syntax Description
seconds |
Number that specifies the timeout interval, in seconds. The range is 1 to 1000. The default is 5 seconds . |
Command Default
5 seconds
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
11.1 |
This command was introduced. |
12.2(31)SB |
This command was integrated into Cisco IOS Release 12.2(31)SB. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
Use this command to set the number of seconds a router waits for a server host to reply before timing out.
If the RADIUS server is only a few hops from the router, we recommend that you configure the RADIUS server timeout to 15 seconds.
Examples
The following example shows how to set the interval timer to 10 seconds:
radius-server timeout 10
Related Commands
Command |
Description |
---|---|
radius-server host |
Specifies a RADIUS server host. |
radius-server key |
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. |
radius-server retransmit |
Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up. |
show radius statistics |
Displays the RADIUS statistics for accounting and authentication packets. |
radius-server vsa send
To configure the network access server (NAS) to recognize and use vendor-specific attributes (VSAs), use the radius-server vsa send command in global configuration mode. To disable the NAS from using VSAs, use the no form of this command.
radius-server vsa send [ accounting | authentication | cisco-nas-port ] [3gpp2]
no radius-server vsa send [ accounting | authentication | cisco-nas-port ] [3gpp2]
Syntax Description
accounting |
(Optional) Limits the set of recognized VSAs to only accounting attributes. |
||
authentication |
(Optional) Limits the set of recognized VSAs to only authentication attributes. |
||
cisco-nas-port |
(Optional) Returns the Cisco NAS port VSA.
|
||
3gpp2 |
(Optional) Adds Third Generation Partnership Project 2 (3GPP2) Cisco VSAs to the 3GPP2 packet type. |
Command Default
NAS is not configured to recognize and use VSAs.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
11.3T |
This command was introduced. |
12.2(27)SBA |
This command was integrated into Cisco IOS Release 12.2(27)SBA. |
12.2(33)SRA |
This command was modified. The cisco-nas-port and 3gpp2 keywords were added to provide backward compatibility for Cisco VSAs. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Cisco IOS XE Release 3.3S |
This command was integrated into Cisco IOS XE Release 3.3S. |
Cisco IOS XE Release 3.8S |
This command was modified. The accounting and authentication keywords were enabled by default for NAS to use VSAs in accounting and authentication requests, respectively. |
Usage Guidelines
The IETF draft standard specifies a method for communicating vendor-specific information between the NAS and the RADIUS server by using the VSA (attribute 26). VSAs allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the NAS to recognize and use both accounting and authentication VSAs. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized VSAs to accounting attributes only. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized VSAs to authentication attributes only. Use the show running-config all command to see the default radius-server vsa send accounting and radius-server vsa send authentication commands.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with the following format:
"protocol : attribute separator value"
In the preceding example, protocol is a value of the Cisco protocol attribute for a particular type of authorization; attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification; and separator is = for mandatory attributes. This solution allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes the Multiple Named IP Address Pools feature to be activated during IP authorization (that is, during the PPP Internet Protocol Control Protocol [IPCP] address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example causes a NAS Prompt user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, see RFC 2138, Remote Authentication Dial-In User Service (RADIUS).
Examples
The following example shows how to configure the NAS to recognize and use vendor-specific accounting attributes:
Device(config)# radius-server vsa send accounting
Related Commands
Command |
Description |
---|---|
aaa nas port extended |
Replaces the NAS-Port attribute with RADIUS IETF attribute 26 and displays extended field information. |
show running-config all |
Displays complete configuration information, including the default settings and values. |
rd
To specify a route distinguisher (RD) for a VPN routing and forwarding (VRF) instance, use the rdcommand in VRF configuration mode. To remove a route distinguisher, use the no form of this command.
rd route-distinguisher
no rd route-distinguisher
Syntax Description
route-distinguisher |
An 8-byte value to be added to an IPv4 prefix to create a VPN IPv4 prefix. |
Command Default
No RD is specified.
Command Modes
VRF configuration (config-vrf)
Command History
Release |
Modification |
---|---|
12.0(5)T |
This command was introduced. |
12.0(21)ST |
This command was integrated into Cisco IOS 12.0(21)ST. |
12.0(22)S |
This command was integrated into Cisco IOS 12.0(22)S. |
12.2(13)T |
This command was integrated into Cisco IOS 12.2(13)T. |
12.2(14)S |
This command was integrated into Cisco IOS 12.2(14)S. |
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(33)SRB |
Support for IPv6 was added. |
12.2(33)SB |
This command was integrated into Cisco IOS Release 12.2(33)SB. |
12.2(33)SXI |
This command was integrated into Cisco IOS Release 12.2(33)SXI. |
12.2(54)SG |
This command was integrated into Cisco IOS Release 12.2(54)SG. |
Cisco IOS XE Release 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
15.1(2)SNG |
This command was implemented on the Cisco ASR 901 Series Aggregation Services Routers. |
Usage Guidelines
An RD creates routing and forwarding tables and specifies the default route distinguisher for a VPN. The RD is added to the beginning of the customer’s IPv4 prefixes to change them into globally unique VPN-IPv4 prefixes.
An RD is either:
ASN-related--Composed of an autonomous system number and an arbitrary number.
IP-address-related--Composed of an IP address and an arbitrary number.
You can enter an RD in either of these formats:
16-bit autonomous-system-number : your 32-bit number For example, 101:3.
32-bit IP address : your 16-bit number For example, 192.168.122.15:1.
Examples
The following example shows how to configure a default RD for two VRFs. It illustrates the use of both autonomous-system-number-relative and IP-address-relative RDs:
Router(config)# ip vrf vrf1 Router(config-vrf)# rd 100:3 Router(config-vrf)# exit Router(config)# ip vrf vrf2 Router(config-vrf)# rd 10.13.0.12:200
The following is an example of a VRF for IPv4 and IPv6 that has common policies defined in the global part of the VRF configuration:
vrf definition vrf2 rd 200:1 route-target both 200:2 ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family end
Related Commands
Command |
Description |
---|---|
ip vrf |
Configures a VRF routing table. |
show ip vrf |
Displays the set of defined VRFs and associated interfaces. |
vrf definition |
Configures a VRF routing table and enters VRF configuration mode. |