RADIUS is a distributed client and server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco switches and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
You can add up to 64 RADIUS servers. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays encrypted keys.
Example 20-1 shows the steps required to configure RADIUS on an MDS switch.
Example 20-1 RADIUS Configuration on MDS Switch
! Entering configuration mode
switch# configure terminal
! Configuring the host IP and the preshared key for the selected RADIUS server.
! In this example, the host is 10.71.58.91 and the key is RadKey.
switch(config)# radius-server host 10.71.58.91 key RadKey
! Configuring the destination UDP port number to which the RADIUS authentication
! messages should be sent. In this example, the host is 10.71.58.91 and the
! authentication port is 2003. The default authentication port is 1812, and the
! valid range is 0 to 65366.
switch(config)# radius-server host 10.71.58.91 auth-port 2003
! Configuring the destination UDP port number to which RADIUS accounting
! messages should be sent. The default accounting port is 1813, and the valid
! range is 0 to 65366.
switch(config)# radius-server host 10.71.58.91 acct-port 2004
! Configuring the AAA server to be used for accounting purposes. If neither
! the authentication nor the accounting option is specified, the server is used
! for both accounting and authentication purposes.
switch(config)# radius-server host 10.71.58.91 accounting
! Configuring the global timeout period in seconds for the switch to wait for
! a response from all RADIUS servers before the switch declares a timeout
! failure. The time ranges from 1 to 1440 seconds.
switch(config)# radius-server timeout 30
! Configuring the number of times (3) the switch tries to connect to a RADIUS
! server before reverting to local authentication. By default, a switch
! retries transmission to a RADIUS server only once before reverting to local
! authentication. You can increase this number up to a maximum of five retries
! per server.
switch(config)# radius-server retransmit 3
! Configuring the dead timer interval value in minutes. The valid range is 1
! to 1440 minutes. The dead timer specifies the interval that the MDS switch waits,
! after declaring that a RADIUS server is dead, before sending out a test packet
! to determine if the server is now alive.
switch(config)# radius-server deadtime 5
switch(config)# end
! Verifying RADIUS server details
switch# show radius-server
retransmission count:3
timeout value:30
deadtime value:5
total number of servers:1
following RADIUS servers are configured:
10.71.58.91:
available for authentication on port:2003
available for accounting on port:2004
RADIUS shared secret:********
! Verifying the radius-server statistics
switch# show radius-server statistics 10.71.58.91
Server is not monitored
Authentication Statistics
failed transactions: 0
sucessfull transactions: 0
requests sent: 0
requests timed out: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
Accounting Statistics
failed transactions: 0
sucessfull transactions: 0
requests sent: 0
requests timed out: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
! Creating a server group named DCCORE and configuring the RADIUS server at
! IPv4 address 10.71.58.91 to be tried first within the server group DCCORE.
switch# configure terminal
switch(config)# aaa group server radius DCCORE
switch(config-radius)# server 10.71.58.91
switch(config-radius)# end
! Verifying radius-server groups
switch# show radius-server groups
total number of groups:2
following RADIUS server groups are configured:
group radius:
server: all configured radius servers
deadtime is 5
group DCCORE:
server: 10.71.58.91 on auth-port 2003, acct-port 2004
deadtime is 5
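The following Python is an added example, not code from the book or from Cisco's implementation. It shows what the preshared key configured with `radius-server host ... key RadKey` actually protects on the wire: the RFC 2865 Access-Request hides the PAP password with MD5 keyed by the secret and a random Request Authenticator, and the server's Access-Accept carries a Response Authenticator that the client can only verify with the same secret. The four outcomes the client function returns mirror the counters in `show radius-server statistics` on the page (successful/failed transactions, "responses with no matching requests", "responses containing errors"). The toy user database, the identifiers, the hostnames and the mismatched key `WrongKey` are constructed for the example; only the secret `RadKey` comes from the page, and UDP transport is omitted so the exchange runs in-process.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this example; "RadKey" is the key used on the page.
SHARED_SECRET = b"RadKey"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
# Default UDP ports (the page changes them to 2003/2004 for its server).
AUTH_PORT, ACCT_PORT = 1812, 1813


def _attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type, Length (incl. header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    out = []
    while data:
        t, length = data[0], data[1]
        out.append((t, data[2:length]))
        data = data[length:]
    return out


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_authenticator, b""
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_authenticator):
    prev, out = request_authenticator, b""
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret):
    """Client side: Code | Identifier | Length | Request Authenticator | Attributes."""
    req_auth = os.urandom(16)          # fresh per request; also keys the password
    attrs = _attrs([(ATTR_USER_NAME, username),
                    (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(hdr + request[4:20] + body + secret).digest()
    return hdr + resp_auth + body


def server_handle(request, secret, user_db):
    """Toy RADIUS server: recover the PAP password and answer Accept or Reject."""
    attrs = dict(parse_attrs(request[20:]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if user_db.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return build_response(code, request, [], secret)


def client_check_response(request, response, secret):
    """Classify a response the way the switch's statistics counters do."""
    if response[1] != request[1]:
        return "no_matching_request"       # "responses with no matching requests"
    hdr, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(hdr + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "bad_authenticator"          # "responses containing errors"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


def demo():
    user_db = {b"admin": b"s3cret"}         # constructed user database
    good_req = build_access_request(7, b"admin", b"s3cret", SHARED_SECRET)
    bad_pw_req = build_access_request(8, b"admin", b"wrong", SHARED_SECRET)
    good = server_handle(good_req, SHARED_SECRET, user_db)
    # Server configured with a different key: it cannot recover the password
    # and its Response Authenticator fails the client's check.
    mismatched = server_handle(good_req, b"WrongKey", user_db)
    # A late reply whose Identifier no longer matches an outstanding request.
    stale = good[:1] + bytes([99]) + good[2:]
    return {
        "good": client_check_response(good_req, good, SHARED_SECRET),
        "wrong_password": client_check_response(
            bad_pw_req, server_handle(bad_pw_req, SHARED_SECRET, user_db), SHARED_SECRET),
        "wrong_secret": client_check_response(good_req, mismatched, SHARED_SECRET),
        "stale_id": client_check_response(good_req, stale, SHARED_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The "wrong_secret" case is the one to recognise operationally: the switch and server exchange packets, the server replies, and the switch still counts the transaction as failed because the Response Authenticator does not verify, which is the symptom of a key mismatch between `radius-server host ... key` and the server's client entry. The same code also makes clear that the shared secret is the only thing authenticating the server's answer and keying the password hiding, so it deserves the same handling as any other credential.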