Configure the RADIUS Scheme
To configure the RADIUS scheme, configure the key parameters of the RADIUS server.
Configuration Condition
None
Configure the RADIUS Server
When AAA uses RADIUS for authentication, authorization and accounting, the RADIUS server parameters must be configured: the server IP address, the authentication/authorization port, the accounting port and the shared key.
Before configuring a RADIUS server, create the RADIUS server group. The method list then references the server group name, so that the servers in the group are used to authenticate, authorize and account for users.
Table 11-13 Configure the RADIUS server

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Configure the RADIUS server group name (this command also enters RADIUS server group configuration mode) | aaa server group radius group-name | Mandatory. By default, no RADIUS server group is configured. |
| Configure the RADIUS server | server { ip-address \| ipv6 ip-address } [ acc-port acc-port-num ] [ auth-port auth-port-num ] [ priority priority ] { key [ 0 \| 7 ] key } | Mandatory. By default, no RADIUS server is configured. |
| Configure the RADIUS dead time | dead-time dead-time | Optional. By default, the dead time of the RADIUS server is 0, meaning a server is never marked dead. |
| Configure the maximum number of RADIUS retransmissions | retransmit retries | Optional. By default, a request is retransmitted to the RADIUS server at most three times. |
| Configure the response timeout of the RADIUS server | timeout timeout | Optional. By default, the device waits 5 s for a RADIUS server response. |
| Configure the device not to check the Tag when parsing tunnel attributes delivered by the RADIUS server | tunnel without-tag | Optional. By default, the Tag is required when parsing tunnel attributes delivered by the RADIUS server. |
| Configure the VRF of the RADIUS server group | ip vrf forwarding vrf-name | Optional. By default, the RADIUS server group belongs to the global VRF. |

- The device selects the order in which RADIUS servers are used according to the configured priority value.
- Dead time: the device marks a RADIUS server that does not respond to authentication requests as unavailable, and sends it no requests for the dead-time period.
- The shared key configured on the device must match the key configured on the RADIUS server.
Configure the RADIUS Attributes
Table 11-14 Configure the RADIUS attributes

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Configure the Service-Type attribute value in RADIUS packets for login authentication | radius login service-type attr-value | Optional. By default, the service-type value in the RADIUS packet is 7. |
| Configure the maximum number of concurrent packets between the NAS device and the RADIUS server | radius control-speed pck-num | Optional. By default, the maximum number of concurrent packets between the NAS device and the RADIUS server is 100. |
Configure the Source Address of Sending the RADIUS Packet
Table 11-15 Configure the source address of sending the RADIUS packet

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Configure the interface whose address is used as the source address of RADIUS packets | ip radius source-interface interface-name [ vrf vrf-name ] | Optional. By default, the device selects the source interface automatically. |
Configure the accounting-on Function of RADIUS
The accounting-on function is mainly used to notify the RADIUS server to clear all online users when the AAA process is started for the first time. By default, the accounting-on function is disabled. When it is enabled, the default retransmit interval is 6 seconds and the maximum number of retransmissions is 50. Because the service card of a high-end device starts slowly, it is recommended not to set the retransmit times or the interval lower than the default values.
Table 11-16 Configure the accounting-on function of RADIUS

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the RADIUS server group mode | aaa server group radius group-name | - |
| Enable the accounting-on function of RADIUS | accounting-on enable [ interval seconds \| send send-times ] | Optional. By default, the accounting-on function is disabled. |
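The following is a complete configuration sequence assembled from the commands in Tables 11-13 to 11-16. It is an added example, not configuration from the original manual. The group name radius-corp, the documentation-range addresses 192.0.2.10 and 192.0.2.11, the interface name loopback0, the VRF name mgmt, the dead-time value and the shared secrets are constructed placeholders; using exit to leave server group mode, treating key 0 as a plaintext key (with 7 as the encrypted form, following common CLI convention) and the explanatory lines starting with ! are assumptions. UDP ports 1812/1813 are the standard RADIUS authentication/accounting ports. The method list that references the group is not covered on this page and is therefore omitted.

```text
! Added example, not from the original manual. Names, addresses and keys are placeholders.
configure terminal

! Global RADIUS attributes (Table 11-14); both values are the page defaults
radius login service-type 7          ! Service-Type sent in login authentication
radius control-speed 100             ! maximum concurrent packets to the server

! Source address of RADIUS packets (Table 11-15); interface and VRF names are assumed
ip radius source-interface loopback0 vrf mgmt

! RADIUS server group (Table 11-13); the command also enters group mode
aaa server group radius radius-corp
 ip vrf forwarding mgmt              ! reach the servers through VRF mgmt (default: global VRF)
 server 192.0.2.10 auth-port 1812 acc-port 1813 priority 1 key 0 PLACEHOLDER-SECRET-1
 server 192.0.2.11 auth-port 1812 acc-port 1813 priority 2 key 0 PLACEHOLDER-SECRET-2
 timeout 5                           ! wait 5 s per request (page default)
 retransmit 3                        ! retransmit at most 3 times (page default)
 dead-time 10                        ! constructed value; skip an unresponsive server for this period
 accounting-on enable                ! Table 11-16; optional interval/send keywords keep the page defaults
 exit
```

Two servers with different priority values show the failover behaviour described in the notes to Table 11-13: the device tries priority 1 first and falls back to priority 2. Assuming the retransmissions follow an initial attempt, an unresponsive primary server delays each request by about 5 s x (1 + 3) = 20 s before the fallback is tried; a non-zero dead-time prevents that delay from being repeated for every subsequent request. The shared key for each server must match the key configured on that server, and keys entered with key 0 appear in plaintext in the configuration.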