- Cisco IOS Release 12.0 Security Command Reference
Table Of Contents
radius-server attribute nas-port extended
radius-server attribute nas-port format
radius-server extended-portnames
radius-server host non-standard
radius-server optional passwords
RADIUS Commands
This chapter describes the commands used to configure RADIUS.
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. Cisco supports RADIUS under its Authentication, Authorization, and Accounting (AAA) security paradigm.
For information on how to configure RADIUS, refer to the "Configuring RADIUS" chapter in the Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "RADIUS Configuration Examples" section located at the end of the "Configuring RADIUS" chapter in the Security Configuration Guide.
aaa nas-port extended
To replace the NAS-Port attribute with RADIUS IETF Attribute 26 and to display extended field information, use the aaa nas-port extended global configuration command. Use the no form of this command to not display extended field information.
aaa nas-port extended
no aaa nas-port extended
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101.
Once again, this is because of the 16-bit field size limitation associated with RADIUS IETF NAS-port attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco's vendor ID is 9, and the cisco-nas-port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port format command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
Examples
The following example specifies that RADIUS will display extended interface information:
radius-server vsa sendaaa nas-port extendedRelated Commands
Displays expanded interface information in the NAS-Port attribute.
Configures the network access server to recognize and use vendor-specific attributes.
ip radius source-interface
To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface global configuration command.
ip radius source-interface subinterface-name
no ip radius source-interface
Syntax Description
Defaults
This command has no factory-assigned default.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have a IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
Examples
The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2Related Commands
radius-server attribute nas-port extended
The radius-server attribute nas-port extended command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command in this chapter for more information.
radius-server attribute nas-port format
To select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format, use the radius-server attribute nas-port format global configuration command. If the no form of this command is used, attribute 5 (NAS-Port) will no longer be sent to the RADIUS server.
radius-server attribute nas-port format format
no radius-server attribute nas-port format format
Syntax Description
format
NAS-Port format. Possible values for the format argument are as follows:
a—Standard NAS-Port format
b—Extended NAS-Port format
c—Shelf-slot NAS-Port format
d—PPP extended NAS-Port format
Defaults
Standard NAS-Port format
Command Modes
Global configuration
Command History
11.3(7)T
This command was introduced.
11.3(9)DB
The PPP extended NAS-Port format was added.
Usage Guidelines
The radius-server attribute nas-port format command configures RADIUS to change the size and format of the NAS-Port attribute field (RADIUS IETF attribute 5).
The following NAS-Port formats are supported:
•
Standard NAS-Port format—This 16-bit NAS-Port format indicates the type, port, and channel of the controlling interface. This is the default format used by Cisco IOS software.
•
•
•
Note
Examples
In the following example, a RADIUS server is identified, and the NAS-Port field is set to the PPP extended format:
radius-server host 172.31.5.96 auth-port 1645 acct-port 1646radius-server attribute nas-port format dRelated Commands
vpdn aaa attribute
Enables reporting of NAS AAA attributes related to a VPDN to the AAA server.
radius-server configure-nas
To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas global configuration command.
radius-server configure-nas
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.
Note
Examples
The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:
radius-server configure-nasRelated Commands
Identifies that the security server is using a vendor-proprietary implementation of RADIUS.
radius-server deadtime
To improve RADIUS response times when some servers might be unavailable, use the radius-server deadtime global configuration command to cause the unavailable servers to be skipped immediately. Use the no form of this command to set dead-time to 0.
radius-server deadtime minutes
no radius-server deadtime
Syntax Description
minutes
Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Defaults
Dead time is set to 0.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration of minutes or unless there are no servers not marked "dead."
Examples
The following example specifies five minutes dead-time for RADIUS servers that fail to respond to authentication requests:
radius-server deadtime 5Related Commands
radius-server extended-portnames
The radius-server extended-portnames command is replaced by the radius-server attribute nas-port extended command. See the description of the radius-server attribute nas-port extended command in this chapter for more information.
radius-server host
To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
no radius-server host {hostname | ip-address}
Syntax Description
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.
If no host specific timeout, retransmit, or key values are specified, the global values apply to that host.
For a list of supported vendor-specific RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide.
Examples
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:
radius-server host host1The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on a RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
radius-server host host1.domain.com auth-port 0radius-server host host2.domain.com acct-port 0Related Commands
radius-server host non-standard
To identify that the security server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard global configuration command. This command tells the Cisco IOS software to support nonstandard RADIUS attributes. Use the no form of this command to delete the specified vendor-proprietary RADIUS host.
radius-server host {hostname | ip-address} non-standard
no radius-server host {hostname | ip-address} non-standard
Syntax Description
Defaults
No RADIUS host is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.
For a list of supported vendor-specific RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide.
Examples
The following example specifies a vendor-proprietary RADIUS server host named alcatraz:
radius-server host alcatraz non-standardRelated Commands
radius-server optional passwords
To specify that the first RADIUS request to a RADIUS server be made without password verification, use the radius-server optional-passwords global configuration command. Use the no form of this command to restore the default.
radius-server optional-passwords
no radius-server optional-passwords
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the RADIUS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The RADIUS server must support authentication for users without passwords to make use of this feature.
Examples
The following example configures the first login to not require RADIUS verification:
radius-server optional-passwordsradius-server key
To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key global configuration command. Use the no form of this command to disable the key.
radius-server key {string}
no radius-server key
Syntax Description
string
The key used to set authentication and encryption for all RADIUS communications between the router and the RADIUS server.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.
Note
The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "dare to go":
radius-server key dare to goRelated Commands
radius-server retransmit
To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit global configuration command. Use the no form of this command to disable retransmission.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
retries
Maximum number of retransmission attempts. Enter a value in the range 1 to 100. If no retransmit value is specified, the global default of 3 attempts is used.
Defaults
Three retries
Command Modes
Global configuration
Command History
Usage Guidelines
The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
Examples
The following example specifies a retransmit counter value of five times:
radius-server retransmit 5Related Commands
radius-server timeout
To set the interval a router waits for a server host to reply, use the radius-server timeout global configuration command. Use the no form of this command to restore the default.
radius-server timeout seconds
no radius-server timeout
Syntax Description
seconds
Number that specifies the timeout interval in seconds. Enter a value in the range 1 to 1000. The default is 5 seconds.
Defaults
5 seconds
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set the number of seconds a router waits for a server host to reply before timing out.
Examples
The following example changes the interval timer to 10 seconds:
radius-server timeout 10Related Commands
radius-server vsa send
To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send global configuration command. Use the no form of this command to restore the default.
radius-server vsa send [accounting | authentication]
no radius-server vsa send [accounting | authentication]
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the network access server to recognize and use both accounting and authentication vendor-specific attributes. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just accounting attributes. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just authentication attributes.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string with the following format:
protocol : attribute sep value *"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute/value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
Examples
The following example configures the network access server to recognize and use vendor-specific accounting attributes:
radius-server vsa send accountingRelated Commands
Replaces the NAS-Port attribute with RADIUS IETF Attribute 26 and displays extended field information.
vpdn aaa attribute
To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute command in global configuration mode. To disable reporting of AAA attributes related to VPDN, use the no form of this command.
vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port vpdn-nas}
no vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port}
Syntax Description
nas-ip-address vpdn-nas
Enable reporting of the VPDN NAS IP address to the AAA server.
nas-port vpdn-nas
Enable reporting of the VPDN NAS port to the AAA server.
Command Default
AAA attributes are not reported to the AAA server.
Command Modes
Global configuration
Command History
11.3 NA
This command was introduced.
11.3(8.1)T
This command was integrated into Cisco IOS Release 11.3(8.1)T.
Usage Guidelines
This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.
Examples
The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:
vpdn enablevpdn-group 1accept-dialinprotocol anyvirtual-template 1!terminate-from hostname nas1local name ts1!vpdn aaa attribute nas-ip-address vpdn-nasvpdn aaa attribute nas-port vpdn-nas
