Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Software Releases 11.3

Configuring Timeout, Retransmission, and Key Per RADIUS Server

Downloads

Table Of Contents

Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

Feature Summary

Benefits

Platforms

Prerequisites

Supported MIBs and RFCs

Configuration Tasks

Configuration Examples

Command Reference

radius-server host

Syntax Description

Default

Command Mode

Usage Guidelines

Examples

Related Commands


Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

Feature Summary

The radius-server host command functions have been extended to include timeout, retransmission, and encryption key values on a per-server basis. Currently, timeout, retransmission, and encryption key values are applied globally to all RADIUS servers in the router configuration with three unique global commands: radius-server timeout, radius-server retransmit, and radius-server key.

Benefits

Offering per-server key, timeout, and retransmit functions provides the system administrator with greater flexibility when configuring RADIUS servers. Unique key values help improve network security requiring different keys for different servers. Per-server timeout and retransmit settings can help improve server access on busy networks where overall response times may vary widely from network to network.

Platforms

This feature is supported on the following platforms:

Cisco AS5200

Cisco AS5300

Cisco AS5800

Cisco 7200 series

Prerequisites

Enable AAA authentication with the aaa new-model command and configure AAA security services on the router or access server to support the RADIUS security protocol. Refer to the Security Configuration Guide for details on how to configure AAA services for RADIUS servers.

If you have at least one RADIUS server that does not have a per-server key, use the radius-server key command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS server.

Supported MIBs and RFCs

No MIBs or RFCs are supported by this feature.

Configuration Tasks

describes the tasks for configuring timeout, retransmission, and key values for a specific RADIUS server. Enter these commands in global configuration mode

Table 1 Configuring Timeout, Retransmission, and Key Values per RADIUS Server

Command
Description

aaa new-model

Use this command to enable the AAA access control model. Configure AAA security services (authentication, authorization, and accounting) on the router or access server to support the RADIUS security protocol. Refer to the Security Configuration Guide for details on how to configure AAA services.

radius-server timeout seconds

(Optional) Use this command to set the interval a router waits for a server host to reply for all RADIUS servers. The default value is 5 seconds.

radius-server retransmit retries

(Optional) Use this command to specify the number of times a RADIUS request is resent to a server, if that server is not responding or responding slowly. The default is 3 retries.

radius-server key {string}

(Optional) Use this command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. The radius-server key has no default value; however, the key must match the encryption key used on the RADIUS server. This command is optional if you configure per-server keys for all RADIUS servers. If you have at least one RADIUS server that does not have a per-server key, you should set this value.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

(Optional) Use this command to specify a RADIUS server host and to configure timeout, retransmit, and encryption key values on a per-server basis.

Note   The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.


:

Configuration Examples

The following example configures server-specific timeout, retransmit, and key values for the RADIUS server with IP address 172.31.39.46: 

radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123

The following configuration example configures two RADIUS servers with specific timeout, retransmit, and key values. In this example, the aaa new-model command enables AAA services on the router, while specific authentication, authorization, and accounting commands define the AAA services. The radius-server retransmit command changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46. 

! Enable AAA services on the router and define those services.

aaa new-model

aaa authentication login default radius

aaa authentication login console-login none

aaa authentication ppp default radius

aaa authorization network default radius

aaa accounting exec default start-stop radius

aaa accounting network default start-stop radius

enable password tryit1

!

! Change the global retransmission value for all RADIUS servers.

radius-server retransmit 4

!

! Configure per-server specific timeout, retransmission, and key values. 

! Change the default auth-port and acct-port values. 

radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key 
radkey

!

! Configure per-server specific timeout and key values. This server uses the global

! retransmission value.

radius-server host 172.29.39.46 timeout 6 key rad123

Command Reference

The radius-server host command has been modified to add support for configuring timeout, retransmission, and key values per RADIUS server.

radius-server host

To specify a RADIUS server host, use the radius-server host configuration command. Use the no form of this command to delete the specified RADIUS host.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries] [key string]
no radius-server host {hostname | ip-address}

Syntax Description

hostname

DNS name of the RADIUS server host.

ip-address

IP address of the RADIUS server host.

auth-port

(Optional) Specifies the UDP destination port for authentication requests.

port-number

(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. The default authorization port number is 1645.

acct-port

(Optional) Specifies the UDP destination port for accounting requests.

port-number

(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. The default accounting port number is 1646.

timeout

(Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.

seconds

(Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.

retransmit

(Optional) The number of times a RADIUS request is resent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.

retries

(Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.

key

(Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.

The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

string

(Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.


Default

No RADIUS host is specified; use global radius-server command values.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3. Options for configuring timeout, retransmission, and key values per RADIUS server were added in release 11.3(8) AA.

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.

If no host specific timeout, retransmit, or key values are specified, the global values apply to that host.

For a list of supported vendor-specific RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide.

Examples

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication: 

radius-server host host1

The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1: 

radius-server host host1 auth-port 1612 acct-port 1616

Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server: 

radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 
key rad123

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting: 

radius-server host host1.domain.com auth-port 0

radius-server host host2.domain.com acct-port 0

Related Commands

aaa new-model
radius-server timeout
radius-server retransmit
radius-server key