RADIUS Client Commands

radius

Syntax

[no] radius

Context

config>system>security

Description

This command enables the context to configure RADIUS authentication on the 7705 SAR.

For redundancy, multiple server addresses can be configured for each 7705 SAR.

The no form of the command removes the RADIUS configuration.

access-algorithm

Syntax

access-algorithm {direct | round-robin}

[no] access-algorithm

Context

config>system>security>radius

Description

This command configures the algorithm used to access the set of RADIUS servers. Up to five servers can be configured.

In direct mode, the first server, as defined by the server command, is the primary server. This server is always used first when authenticating a request. In round-robin mode, the server used to authenticate a request is the next server in the list, following the last authentication request. For example, if server 1 is used to authenticate the first request, server 2 is used to authenticate the second request, and so on.

Default

direct

Parameters

direct

first server is always used to authenticate a request

round-robin

server used to authenticate a request is the next server in the list, following the last authentication request

accounting

Syntax

[no] accounting

Context

config>system>security>radius

Description

This command enables RADIUS accounting. The no form of this command disables RADIUS accounting.

Default

no accounting

accounting-port

Syntax

accounting-port port

no accounting-port

Context

config>system>security>radius

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

Parameters

port

specifies the UDP port number

Values

1 to 65535

Default

1813

authorization

Syntax

[no] authorization

Context

config>system>security>radius

Description

This command configures RADIUS authorization parameters for the system.

The no form of this command disables RADIUS authorization for the system.

Default

no authorization

port

Syntax

port port

no port

Context

config>system>security>radius

Description

This command configures the TCP port number to contact the RADIUS server.

The no form of the command reverts to the default value.

Default

1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))

Parameters

port

the TCP port number to contact the RADIUS server

Values

1 to 65535

retry

Syntax

retry count

no retry

Context

config>system>security>radius

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.

The no form of the command reverts to the default value.

Default

3

Parameters

count

the retry count

Values

1 to 10

server

Syntax

server server-index address ip-address secret key [hash | hash2]

no server server-index

Context

config>system>security>radius

Description

This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.

Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher-indexed server is only queried if no response is received from a lower-indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.

The no form of the command removes the server from the configuration.

Default

no RADIUS servers are configured

Parameters

server-index

the index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.

Values

1 to 5

ip-address

the IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address:    a.b.c.d (host bits must be 0)

ipv6-address:    x:x:x:x:x:x:x:x (eight 16-bit pieces)

                 x:x:x:x:x:x:d.d.d.d

                 x:   [0 to FFFF]H

                 d:   [0 to 255]D

key

the secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.

Values

up to 20 characters in length

hash

specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the hash form is assumed.

timeout

Syntax

timeout seconds

no timeout

Context

config>system>security>radius

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of the command reverts to the default value.

Default

3

Parameters

seconds

the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer

Values

1 to 90
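As an added example (not part of the Nokia documentation), the following Python model puts together the selection rules stated under access-algorithm, retry, server and timeout: servers are tried from lowest to highest index, a higher index is reached only when a lower one gives no response, direct mode always begins at the first server, and round-robin begins at the server after the one that served the previous request. It assumes that retry is the total number of contact attempts per server, that round-robin continues to the following servers when the chosen one does not respond, and the class and method names are the example's own.

```python
# Constructed model of the 7705 SAR RADIUS client server-selection policy.
DEFAULT_RETRY = 3      # page default for "retry" (attempts per server)
DEFAULT_TIMEOUT = 3    # page default for "timeout" (seconds per attempt)


class RadiusClientPolicy:
    def __init__(self, server_indexes, access_algorithm="direct",
                 retry=DEFAULT_RETRY, timeout=DEFAULT_TIMEOUT):
        # Enforce the value ranges the command reference gives for each parameter.
        if not 1 <= len(server_indexes) <= 5:
            raise ValueError("up to five RADIUS servers can be configured")
        if any(not 1 <= i <= 5 for i in server_indexes):
            raise ValueError("server-index must be 1 to 5")
        if access_algorithm not in ("direct", "round-robin"):
            raise ValueError("access-algorithm is direct or round-robin")
        if not 1 <= retry <= 10:
            raise ValueError("retry count must be 1 to 10")
        if not 1 <= timeout <= 90:
            raise ValueError("timeout must be 1 to 90 seconds")
        self.servers = sorted(server_indexes)   # queried lowest to highest index
        self.access_algorithm = access_algorithm
        self.retry = retry
        self.timeout = timeout
        self.last_used = None                   # server that answered the last request

    def query_order(self):
        """Order in which servers are contacted for the next request."""
        if self.access_algorithm == "direct" or self.last_used not in self.servers:
            return list(self.servers)           # direct: primary (lowest index) first
        pos = self.servers.index(self.last_used) + 1
        return self.servers[pos:] + self.servers[:pos]   # round-robin: next in list, wrapping

    def authenticate(self, responds):
        """responds(index) -> True if that server answers within one timeout.
        Returns (index that answered or None, list of (index, attempt) contacts made)."""
        attempts = []
        for idx in self.query_order():
            for n in range(1, self.retry + 1):  # retry the same server before moving on
                attempts.append((idx, n))
                if responds(idx):               # first response ends the search
                    self.last_used = idx
                    return idx, attempts
        return None, attempts                   # no server responded at all

    def worst_case_wait(self):
        """Seconds a login can hang when every configured server is unreachable."""
        return len(self.servers) * self.retry * self.timeout
```

The worst_case_wait figure is the number a practitioner should check when raising retry or timeout, since every configured server is exhausted before the request fails.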

use-default-template

Syntax

[no] use-default-template

Context

config>system>security>radius

Description

This command specifies whether the user template defined by this entry is to be actively applied to the RADIUS user.

Default

no use-default-template