Table Of Contents
Configuring RADIUS for Multiple User Datagram Protocol Ports
Related Features and Technologies
Supported Standards, MIBs, and RFCs
Defining the Security Server Parameters for Each Server
Defining the AAA Server Group by Name
Verifying Configuring RADIUS for Multiple UDP Ports
Configuring Multiple Entries for the Same Server IP Address
Configuring Multiple Entries Using AAA Server Groups
Configuring RADIUS for Multiple User Datagram Protocol Ports
This feature module describes how to configure a Cisco router or access server acting as a network access server to forward authentication, authorization and accounting (AAA) requests to different User Datagram Protocol (UDP) ports on RADIUS servers.
This document includes the following sections:
• Supported Standards, MIBs, and RFCs
Feature Overview
In past Cisco IOS releases, RADIUS hosts were uniquely identified by their IP address; therefore, only one definition of a RADIUS server per IP address was allowed. The Configuring RADIUS for Multiple UDP Ports feature expands RADIUS implementation so that RADIUS security servers are identified on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
The Configuring RADIUS for Multiple UDP Ports feature also applies to RADIUS server groups—server groups can now include multiple service definitions for host entries for the same server, as long as each entry has a unique identifier.
Benefits
The Configuring RADIUS for Multiple UDP Ports feature provides the following benefits:
• Ability to direct customer requests to specific ports on the same physical device
• Back up or fail-over support for AAA services
Restrictions
The Cisco implementation of AAA server groups recognizes two different remote security protocols: RADIUS and TACACS+. The Configuring RADIUS for Multiple UDP Ports feature extends the functionality of RADIUS server groups, not TACACS+ server groups.
Related Features and Technologies
• Cisco IOS Release 12.0(2)T Selecting AAA Servers Using DNIS Numbers feature module
• Cisco IOS Release 12.0(5)T AAA Server Groups feature module
• Cisco IOS Release 12.0(6)T Selecting AAA Server Groups Based on DNIS feature module
Related Documents
• Security Configuration Guide; Cisco IOS Release 12.0
• Security Command Reference; Cisco IOS Release 12.0
Supported Platforms
The Configuring RADIUS for Multiple UDP Ports feature is supported on all platforms supporting AAA.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Before you can configure the network access server to support this extended RADIUS functionality, you need to configure the applicable RADIUS servers. For more information about configuring your network access server to support RADIUS, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Configuration Tasks
See the following sections for configuration tasks for the Configuring RADIUS for Multiple UDP Ports feature. Each task in the list indicates if the task is optional or required.
• Enabling AAA (Required)
• Defining the Security Server Parameters for Each Server (Required)
• Defining the AAA Server Group by Name (Optional)
Enabling AAA
To configure your network access server to identify RADIUS hosts using both the IP address and UDP port number, enable AAA using the following command:
For more information about enabling AAA, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Defining the Security Server Parameters for Each Server
Next, define the parameters associated with each RADIUS security server. The syntax of the radius-server host command has not changed in this feature, but its functionality has been expanded to accept more than one host entry with the same IP address, as long as each entry has a unique UDP port number. To configure RADIUS for multiple UDP ports, issue this command once for every RADIUS host instance, making sure that each one has a unique UDP port number.
For more information about configuring RADIUS on the network access server, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Defining the AAA Server Group by Name
The next step is optional, depending on whether you are using RADIUS server groups. If you are using RADIUS server groups, you need to define the name of the security server group and then associate the appropriate security servers (in this case, host instances) with the group. Server groups can now include multiple host entry definitions for the same server, as long as each entry has a unique identifier. The Configuring RADIUS for Multiple UDP Ports feature has added optional arguments to the server command so that you can identify multiple host entries on a RADIUS server by using a unique UDP port number for each entry. If you do not configure values for the optional arguments, the network access server will automatically use the default port numbers (1645 for authentication and 1646 for accounting).
For more information about configuring RADIUS security server groups, refer to the Cisco IOS Release 12.0(5)T AAA Server Groups feature module and the 12.0(6)T Selecting AAA Server Groups Based on DNIS feature module.
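The two configuration tasks above, and the fail-over ordering described again in the Usage Guidelines of the server command, come down to one rule: a RADIUS host entry is identified by the combination of its IP address and its UDP ports, entries are tried in configured order, and every server line inside an aaa group server radius block must correspond to a global radius-server host entry. The following Python script is an added example written for this page; it is not Cisco code and does not come from the feature module. It parses the radius-server host, aaa group server radius and server command forms shown on this page from a saved configuration, applies the documented defaults (1645 and 1646) when a group member omits its ports, lists the fail-over order per service for one IP address, and flags two mistakes an auditor looks for: an exact duplicate host entry (which gives no real backup) and a group member with no matching global host entry. The sample configuration embedded in the script is constructed for the example and modelled on the server-group example later on this page; the function and variable names are the example's own.

```python
"""Model Cisco IOS RADIUS host entries by (IP address, UDP port) and
audit a saved configuration. Added example, not Cisco's code."""
import re
from collections import OrderedDict

AUTH_PORT_DEFAULT = 1645   # documented default when auth-port is omitted
ACCT_PORT_DEFAULT = 1646   # documented default when acct-port is omitted

# Only the command forms shown on the page are recognised (assumption).
HOST_RE = re.compile(
    r"^\s*radius-server host (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?\s*$")
GROUP_RE = re.compile(r"^\s*aaa group server radius (\S+)\s*$")
MEMBER_RE = re.compile(
    r"^\s*server (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?\s*$")


def _entry(match):
    """Build the (ip, auth_port, acct_port) identifier, filling in defaults."""
    ip, auth, acct = match.groups()
    return (ip,
            int(auth) if auth else AUTH_PORT_DEFAULT,
            int(acct) if acct else ACCT_PORT_DEFAULT)


def parse_config(text):
    """Return (hosts, groups).

    hosts:  list of (ip, auth_port, acct_port) from radius-server host lines,
            kept in configured order because that is the order the NAS tries them.
    groups: group name -> ordered list of member identifiers.
    """
    hosts = []
    groups = OrderedDict()
    current = None          # member list of the group block being read
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue         # blank line or IOS comment
        m = HOST_RE.match(line)
        if m:
            hosts.append(_entry(m))
            current = None
            continue
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current.append(_entry(m))
            continue
        current = None       # any other global command ends the group block
    return hosts, groups


def failover_order(hosts, ip, service):
    """UDP ports the NAS would try, in order, for one service on one IP."""
    idx = 1 if service == "auth" else 2
    return [h[idx] for h in hosts if h[0] == ip]


def check_config(text):
    """Return a list of problem strings (empty when the configuration is clean)."""
    hosts, groups = parse_config(text)
    problems = []
    seen = set()
    for h in hosts:
        if h in seen:   # same IP and same ports twice: not a distinct backup
            problems.append("duplicate radius-server host entry: %s" % (h,))
        seen.add(h)
    for name, members in groups.items():
        for member in members:
            if member not in seen:
                problems.append(
                    "group %s member %s has no radius-server host entry" % (name, member))
    return problems


# Constructed sample, modelled on the page's server-group example, with two
# deliberate mistakes for the checker to find.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default group group1
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
 server 172.20.0.1
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
"""

if __name__ == "__main__":
    hosts, groups = parse_config(SAMPLE_CONFIG)
    print("accounting fail-over order for 172.20.0.1:",
          failover_order(hosts, "172.20.0.1", "acct"))
    for problem in check_config(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
```

Run it against a configuration captured with show running-config and it reports, per IP address, the order in which authentication and accounting requests fall over between port pairs, which is what the debug aaa authentication and debug aaa accounting output in the next section lets you confirm on the device itself. The bare server 172.20.0.1 member in the sample resolves to ports 1645/1646, so the checker reports it as lacking a global host entry; the repeated 2000/2001 line is reported because an identical identifier adds no second host to fail over to.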
Verifying Configuring RADIUS for Multiple UDP Ports
• Use the debug aaa authentication command to show the AAA server(s) and server groups configured to provide authentication services.
• Use the debug aaa accounting command to show the AAA server(s) and server groups configured to provide accounting services.
Configuration Examples
The following examples configure a Cisco router or access server acting as a network access server to forward AAA requests to different UDP ports on RADIUS servers:
• Configuring Multiple Entries for the Same Server IP Address
• Configuring Multiple Entries Using AAA Server Groups
Configuring Multiple Entries for the Same Server IP Address
In this example, the network access server is configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries will be tried in the order they are configured.)
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000

Configuring Multiple Entries Using AAA Server Groups
In this example, the network access server is configured to recognize two different RADIUS server groups. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as fail-over backup to the first one.
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS server group and associate servers
! with it.
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS server group and associate servers
! with it.
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups. One global host entry is needed
! for each server line in the groups above.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

Command Reference
This section documents the modified server command. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications and Cisco IOS Release 12.0T feature modules.
server
To define a server to be associated with a defined authentication, authorization, and accounting (AAA) server group, use the server AAA server-group configuration command. To remove the associated server from the AAA server group, use the no form of this command.
server ip-address [auth-port port-number] [acct-port port-number]
no server ip-address [auth-port port-number] [acct-port port-number]
Syntax Description
Defaults
If no port attributes are defined, the defaults are as follows:
• Authentication port: 1645
• Accounting port: 1646
Command Modes
AAA server-group configuration
Command History
Release     Modification
12.0(5)T    This command was introduced.
12.0(7)T    Two new keywords/arguments were added:
            • auth-port port-number
            • acct-port port-number
Usage Guidelines
Use the server command to associate a particular server with a defined server group. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers/host instances associated with a server group on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
Examples
Configuring Multiple Entries for the Same Server IP Address
In this example, the network access server is configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries will be tried in the order they are configured.)
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000

Configuring Multiple Entries Using AAA Server Groups
In this example, the network access server is configured to recognize two different RADIUS server groups. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as fail-over backup to the first one.
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS server group and associate servers
! with it.
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS server group and associate servers
! with it.
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups. One global host entry is needed
! for each server line in the groups above.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

Related Commands
