Cisco Radius Configuration

RADIUS, also known as Remote Authentication Dial In User Service, allows for centralized management of Authentication, Authorization and Accounting (commonly known as AAA).

RADIUS is an industry-standard protocol defined in RFC 2865.

Although RADIUS is an open protocol, most vendors extend it with their own implementation details and vendor-specific attributes. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.

With RADIUS, only the password is protected: the username and every other attribute in the packet are sent in clear text.
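To make that point concrete, the following added example (not part of the original page) builds a minimal RFC 2865 Access-Request and parses it back. The username attribute is readable directly from the bytes, while the User-Password attribute is hidden with the shared secret and Request Authenticator; the secret reuses the page's "certvideos", and the username, password and authenticator are constructed sample values.

```python
import hashlib
import struct

# RADIUS attribute types from RFC 2865
USER_NAME, USER_PASSWORD = 1, 2
ACCESS_REQUEST = 1


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR
    each 16-byte block with MD5(secret + previous ciphertext block); the first
    block uses the Request Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: the server side, which knows the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret: bytes, authenticator: bytes, username: bytes,
                         password: bytes, identifier: int = 1) -> bytes:
    """Header (code, identifier, length, 16-byte authenticator) followed by TLV attributes."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username          # clear text
    hidden = hide_password(secret, authenticator, password)
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden          # obscured
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs
```

Anyone capturing the UDP datagram sees the User-Name value as-is, which is why the shared secret must be strong and the NAS-to-server path should be on a protected management network.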

Configuring a RADIUS server

Router(config)# radius-server host 200.1.1.1 auth-port 10012 acct-port 10013 timeout 15 retransmit 5 key certvideos

The above command specifies that the RADIUS server is located at the IP address 200.1.1.1, the ports to be used are 10012 for authentication and 10013 for accounting, the timeout value is 15 seconds, the number of retransmissions is 5 and the shared key is certvideos.

Global RADIUS values
The encryption key, timeout value, retransmission count and deadtime can be configured globally in addition to the per-server configuration. If a value is configured both on a per-server basis and globally, the per-server value overrides the global value.

Router(config)# radius-server timeout 15
Router(config)# radius-server retransmit 5
Router(config)# radius-server deadtime 30
Router(config)# radius-server key 0 certvideos

Add support for Vendor Specific attributes
Since RADIUS is an open protocol, most vendors have their own customized format. On Cisco IOS, to specify that you will be using a non-standard (vendor-specific) implementation of RADIUS for a server, use the following command:

Router(config)# radius-server host 200.1.1.1 non-standard

To specify the use of vendor specific attributes, use the following commands:

Router(config)# radius-server vsa send authentication
Router(config)# radius-server vsa send accounting

Configuring a AAA server group to use RADIUS

Router(config)# aaa group server radius CERTVIDEOS
Router(config-sg-radius)# server 200.1.1.1 auth-port 10012 acct-port 10013
Router(config-sg-radius)# server 200.1.1.2 auth-port 10012 acct-port 10013

Each server IP address used inside the server group must already have been defined with the radius-server host command shown earlier.

Defining multiple host entries for the same IP address
A server group can also be configured with multiple servers that share the same IP address but use different port numbers. The combination of an IP address and a port number is known as an identifier. If there are two entries for the same service, the second one acts as a fallback for the first.

Router(config)# aaa group server radius CERTVIDEOS
Router(config-sg-radius)# server 200.1.1.1 auth-port 10012 acct-port 10013
Router(config-sg-radius)# server 200.1.1.1 auth-port 20012 acct-port 20013

In the above configuration, UDP port 10012 on host 200.1.1.1 is tried first for authentication. If that fails, UDP port 20012 on the same host is used as the fallback.
