Table Of Contents
RADIUS Commands
aaa group server radius
aaa nas port extended
ip radius source-interface
radius-server attribute nas-port extended
radius-server attribute nas-port format
radius-server challenge-noecho
radius-server configure-nas
radius-server deadtime
radius-server directed-request
radius-server extended-portnames
radius-server host
radius-server host non-standard
radius-server key
radius-server optional-passwords
radius-server retransmit
radius-server timeout
radius-server vsa send
server (RADIUS)
vpdn aaa attribute
RADIUS Commands
This chapter describes the commands used to configure RADIUS.
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. Cisco supports RADIUS under its authentication, authorization, and accounting (AAA) security paradigm.
For information on how to configure RADIUS, refer to the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "RADIUS Configuration Examples" section located at the end of the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide.
aaa group server radius
To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
group-name | Character string used to name the group of servers.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts.
Examples
The following example shows the configuration of an AAA group server named radgroup1 that comprises three member servers:
aaa group server radius radgroup1
Related Commands
Command | Description
aaa accounting | Enables AAA accounting of requested services for billing or security purposes.
aaa authentication login | Sets AAA authentication at login.
aaa authorization | Sets parameters that restrict network access to a user.
aaa new-model | Enables the AAA access control model.
radius-server host | Specifies a RADIUS server host.
aaa nas port extended
To replace the NAS-Port attribute with RADIUS IETF Attribute 26 and to display extended field information, use the aaa nas port extended command in global configuration mode. Use the no form of this command to not display extended field information.
aaa nas port extended
no aaa nas port extended
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
Usage Guidelines
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101.
This is because of the 16-bit field size limitation associated with RADIUS IETF NAS-Port attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco's vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
The standard NAS-Port attribute (RADIUS IETF Attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port format command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
Examples
The following example specifies that RADIUS will display extended interface information:
aaa nas port extended
Related Commands
ip radius source-interface
To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. Use the no form of this command to not force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
ip radius source-interface subinterface-name
no ip radius source-interface
Syntax Description
subinterface-name | Name of the interface that RADIUS uses for all of its outgoing packets.
Defaults
This command has no factory-assigned default.
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
Usage Guidelines
Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
Examples
The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2
Related Commands
Command | Description
ip tacacs source-interface | Uses the IP address of a specified interface for all outgoing TACACS packets.
ip telnet source-interface | Allows a user to select an address of an interface as the source address for Telnet connections.
ip tftp source-interface | Allows a user to select the interface whose address will be used as the source address for TFTP connections.
radius-server attribute nas-port extended
The radius-server attribute nas-port extended command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command in this chapter for more information.
radius-server attribute nas-port format
To select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format, use the radius-server attribute nas-port format global configuration command. If the no form of this command is used, attribute 5 (NAS-Port) will no longer be sent to the RADIUS server.
radius-server attribute nas-port format format
no radius-server attribute nas-port format format
Syntax Description
format | NAS-Port format. Possible values for the format argument are as follows:
  a—Standard NAS-Port format
  b—Extended NAS-Port format
  c—Shelf-slot NAS-Port format
  d—PPP extended NAS-Port format
Defaults
Standard NAS-Port format
Command Modes
Global configuration
Command History
Release | Modification
11.3(7)T | This command was introduced.
11.3(9)DB | The PPP extended NAS-Port format was added.
Usage Guidelines
The radius-server attribute nas-port format command configures RADIUS to change the size and format of the NAS-Port attribute field (RADIUS IETF attribute 5).
The following NAS-Port formats are supported:
• Standard NAS-Port format—This 16-bit NAS-Port format indicates the type, port, and channel of the controlling interface. This is the default format used by Cisco IOS software.
• Extended NAS-Port format—The standard NAS-Port attribute field is expanded to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface that is undergoing authentication.
• Shelf-slot NAS-Port format—This 16-bit NAS-Port format supports expanded hardware models requiring shelf and slot entries.
• PPP extended NAS-Port format—This NAS-Port format uses 32 bits to indicate the interface.
Note
This command replaces the radius-server attribute nas-port extended command.
Examples
In the following example, a RADIUS server is identified, and the NAS-Port field is set to the PPP extended format:
radius-server host 172.31.5.96 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
Related Commands
Command | Description
vpdn aaa attribute | Enables reporting of NAS AAA attributes related to a VPDN to the AAA server.
radius-server challenge-noecho
To prevent user responses to Access-Challenge packets from being displayed on the screen, use the radius-server challenge-noecho global configuration command. To return to the default condition, use the no form of this command.
radius-server challenge-noecho
no radius-server challenge-noecho
Syntax Description
This command has no arguments or keywords.
Defaults
All user responses to Access-Challenge packets are echoed to the screen.
Command Modes
Global configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
This command applies to all users. When the radius-server challenge-noecho command is configured, user responses to Access-Challenge packets are not displayed unless the Prompt attribute in the user profile is set to echo on the RADIUS server. The Prompt attribute in a user profile overrides the radius-server challenge-noecho command for the individual user. For more information, see the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2.
Examples
The following example stops all user responses from displaying on the screen:
radius-server challenge-noecho
radius-server configure-nas
To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas command in global configuration mode.
radius-server configure-nas
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
Usage Guidelines
Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.
Note
Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy system:running-config nvram:startup-config command.
Examples
The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:
radius-server configure-nas
Related Commands
radius-server deadtime
To improve RADIUS response times when some servers might be unavailable, use the radius-server deadtime command in global configuration mode to cause the unavailable servers to be skipped immediately. Use the no form of this command to set dead-time to 0.
radius-server deadtime minutes
no radius-server deadtime
Syntax Description
minutes | Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Defaults
Dead time is set to 0.
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration of minutes or unless there are no servers not marked "dead."
Examples
The following example specifies a five-minute dead-time for RADIUS servers that fail to respond to authentication requests:
radius-server deadtime 5
Related Commands
radius-server directed-request
To allow users logging into a Cisco network access server (NAS) to select a RADIUS server for authentication, use the radius-server directed-request command in global configuration mode. To disable the directed-request feature, use the no form of this command.
radius-server directed-request [restricted]
no radius-server directed-request [restricted]
Syntax Description
restricted | (Optional) Prevents the user from being sent to a secondary server if the specified server is not available.
Defaults
User cannot log into a Cisco NAS to select a RADIUS server for authentication.
Command Modes
Global configuration
Command History
Release | Modification
12.0(2)T | This command was introduced.
Usage Guidelines
The radius-server directed-request command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with this command enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
Disabling the radius-server directed-request command causes the whole string, both before and after the "@" symbol, to be sent to the default RADIUS server. The router queries the list of servers, starting with the first one in the list. It sends the whole string, and accepts the first response that it gets from the server.
Use the radius-server directed-request restricted command to limit the user to the RADIUS server identified as part of the username.
The no radius-server directed-request command causes the entire username string to be passed to the default RADIUS server.
Note
When no radius-server directed-request restricted is entered, only the "restricted" flag is removed, and the "directed-request" flag is retained. To disable the directed-request feature, you must also issue the no radius-server directed-request command.
Examples
The following example verifies that the RADIUS server is selected based on the directed request:
aaa authentication login default radius
radius-server host 192.168.1.1
radius-server host 172.16.56.103
radius-server host 172.31.40.1
radius-server directed-request
radius-server extended-portnames
The radius-server extended-portnames command is replaced by the radius-server attribute nas-port extended command. See the description of the radius-server attribute nas-port extended command in this chapter for more information.
radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. Use the no form of this command to delete the specified RADIUS host.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries] [key string]
no radius-server host {hostname | ip-address}
Syntax Description
hostname | DNS name of the RADIUS server host.
ip-address | IP address of the RADIUS server host.
auth-port | (Optional) Specifies the UDP destination port for authentication requests.
port-number | (Optional) Port number for authentication requests; the host is not used for authentication if set to 0.
acct-port | (Optional) Specifies the UDP destination port for accounting requests.
port-number | (Optional) Port number for accounting requests; the host is not used for accounting if set to 0.
timeout | (Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.
seconds | (Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.
retransmit | (Optional) The number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.
retries | (Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.
key | (Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
string | (Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
12.0(5)T | This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server.
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to that host.
Examples
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:
radius-server host host1
The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authentication and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
radius-server host host1.example.com auth-port 0
radius-server host host2.example.com acct-port 0
Related Commands
Command | Description
aaa accounting | Enables AAA accounting of requested services for billing or security purposes.
aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization | Sets parameters that restrict network access to a user.
ppp | Starts an asynchronous connection using PPP.
ppp authentication | Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
radius-server key | Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server retransmit | Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.
radius-server timeout | Sets the interval a router waits for a server host to reply.
username | Establishes a username-based authentication system, such as PPP CHAP and PAP.
radius-server host non-standard
To identify that the security server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard command in global configuration mode. This command tells the Cisco IOS software to support nonstandard RADIUS attributes. Use the no form of this command to delete the specified vendor-proprietary RADIUS host.
radius-server host {hostname | ip-address} non-standard
no radius-server host {hostname | ip-address} non-standard
Syntax Description
hostname | DNS name of the RADIUS server host.
ip-address | IP address of the RADIUS server host.
Defaults
No RADIUS host is specified.
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
Usage Guidelines
The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.
For a list of supported vendor-specific RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide.
Examples
The following example specifies a vendor-proprietary RADIUS server host named alcatraz:
radius-server host alcatraz non-standard
Related Commands
Command | Description
radius-server host | Specifies a RADIUS server host.
radius-server configure-nas | Allows the Cisco router or access server to query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up.
radius-server key
To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. Use the no form of this command to disable the key.
radius-server key {string}
no radius-server key
Syntax Description
string | The key used to set authentication and encryption. This key must match the encryption used on the RADIUS daemon.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.
Note
Specify a RADIUS key after you issue the aaa new-model command.
The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "dare to go":
radius-server key dare to go
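Added example (not from this page or from Cisco) showing the two jobs the shared key does in RFC 2865 RADIUS: hiding the User-Password in the request and authenticating the server's reply. It also applies the key-text rules from this section (leading spaces ignored, inner and trailing spaces kept, quotation marks literal), so the page's own key "dare to go" can be checked against variants that differ only in spacing; the packet contents are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)


def normalize_key(cli_text: str) -> bytes:
    """Shared secret as IOS stores it from 'radius-server key <cli_text>':
    leading spaces are dropped, spaces inside or at the end are kept, and
    quotation marks are taken literally (per the usage guidelines above)."""
    return cli_text.lstrip(" ").encode()


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. This is the 'encryption' use of the key."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding removed)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(code, ident, attrs, request_auth, secret) -> bytes:
    """What a server holding `secret` sends back to a request."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def nas_accepts_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply is trusted only if its authenticator recomputes under
    the locally configured key; a mismatch means a different key or a
    modified reply, and the reply must be discarded."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def exchange(nas_key_text: str, server_secret: bytes, password: bytes = b"s3cret") -> dict:
    """One constructed PAP login: the NAS hides the password with its key, the
    server recovers it with its own secret, and the NAS checks the reply.
    Returns what each side saw so the two key uses can be compared."""
    nas_secret = normalize_key(nas_key_text)
    request_auth = os.urandom(16)
    hidden = hide_password(password, request_auth, nas_secret)
    seen_by_server = reveal_password(hidden, request_auth, server_secret)
    reply = server_reply(ACCESS_ACCEPT, 42, b"", request_auth, server_secret)
    return {
        "server_saw_password": seen_by_server == password,
        "nas_trusts_reply": nas_accepts_reply(reply, request_auth, nas_secret),
    }
```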
Related Commands
Command | Description
aaa accounting | Enables AAA accounting of requested services for billing or security purposes.
aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization | Sets parameters that restrict network access to a user.
ppp | Starts an asynchronous connection using PPP.
ppp authentication | Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
radius-server host | Specifies a RADIUS server host.
username | Establishes a username-based authentication system, such as PPP CHAP and PAP.
radius-server optional-passwords
To specify that the first RADIUS request to a RADIUS server be made without password verification, use the radius-server optional-passwords command in global configuration mode. Use the no form of this command to restore the default.
radius-server optional-passwords
no radius-server optional-passwords
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
Usage Guidelines
When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the RADIUS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The RADIUS server must support authentication for users without passwords to make use of this feature.
Examples
The following example configures the first login to not require RADIUS verification:
radius-server optional-passwords
radius-server retransmit
To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in global configuration mode. Use the no form of this command to disable retransmission.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
retries | Maximum number of retransmission attempts. The default is 3 attempts.
Defaults
Three retries.
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
Examples
The following example specifies a retransmit counter value of five times:
radius-server retransmit 5
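A constructed model (not IOS code) of the selection behaviour described under radius-server deadtime and radius-server retransmit: hosts are tried in configured order, each is allowed a full timeout before the retransmit count increases, and hosts that failed to respond are marked dead for deadtime minutes and skipped unless every host is dead. It assumes that retransmit counts retries after the first attempt and that dead marking takes effect once a request completes; the host names and their behaviour are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RadiusHost:
    name: str
    responds: bool           # constructed: does this server ever answer?
    dead_until: float = 0.0  # simulated clock time at which it leaves the dead state


@dataclass
class RadiusClient:
    """Model of the NAS selection loop documented on this page."""
    hosts: List[RadiusHost]
    timeout: float = 5.0     # radius-server timeout, seconds (page default 5)
    retransmit: int = 3      # radius-server retransmit (page default 3)
    deadtime: float = 0.0    # radius-server deadtime, minutes (page default 0)
    clock: float = 0.0       # simulated time in seconds

    def candidates(self) -> List[RadiusHost]:
        """Live hosts in configured order; if none is live, all hosts are tried."""
        live = [h for h in self.hosts if h.dead_until <= self.clock]
        return live if live else list(self.hosts)

    def authenticate(self) -> Tuple[Optional[str], float, List[str]]:
        """Run one request. Returns (responding host or None, seconds the
        user waited, hosts tried in order)."""
        start = self.clock
        tried: List[str] = []
        failed: Dict[str, RadiusHost] = {}
        answered = None
        for _ in range(self.retransmit + 1):       # first attempt plus retries (assumed)
            for host in self.candidates():
                tried.append(host.name)
                if host.responds:
                    answered = host.name
                    break
                self.clock += self.timeout           # waited a full timeout on this host
                failed[host.name] = host
            if answered:
                break
        if self.deadtime > 0:                        # deadtime 0 never marks anything dead
            for host in failed.values():
                host.dead_until = self.clock + self.deadtime * 60
        return answered, self.clock - start, tried


def worst_case_wait(num_hosts: int, timeout: float, retransmit: int) -> float:
    """Seconds a login can hang when no server answers and none is dead yet."""
    return num_hosts * timeout * (retransmit + 1)
```

With deadtime left at its default of 0, the non-responding host costs every later login a full timeout again; with a deadtime set it is skipped until the interval expires.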
radius-server timeout
To set the interval a router waits for a server host to reply, use the radius-server timeout command in global configuration mode. Use the no form of this command to restore the default.
radius-server timeout seconds
no radius-server timeout
Syntax Description
seconds | Number that specifies the timeout interval in seconds. The default is 5 seconds.
Defaults
5 seconds.
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
Use this command to set the number of seconds a router waits for a server host to reply before timing out.
Examples
The following example changes the interval timer to 10 seconds:
radius-server timeout 10
Related Commands
Command | Description
radius-server host | Specifies a RADIUS server host.
radius-server key | Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server vsa send
To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send command in global configuration mode. Use the no form of this command to restore the default.
radius-server vsa send [accounting | authentication]
no radius-server vsa send [accounting | authentication]
Syntax Description
accounting | (Optional) Limits the set of recognized vendor-specific attributes to only accounting attributes.
authentication | (Optional) Limits the set of recognized vendor-specific attributes to only authentication attributes.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.3T | This command was introduced.
Usage Guidelines
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the network access server to recognize and use both accounting and authentication vendor-specific attributes. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just accounting attributes. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just authentication attributes.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string with the following format:
protocol : attribute sep value *
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
Examples
The following example configures the network access server to recognize and use vendor-specific accounting attributes:
radius-server vsa send accounting
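As an added example (not Cisco's code), here is how the cisco-avpair VSA described in the usage guidelines above is laid out on the wire and parsed back, using Attribute 26, vendor ID 9 and vendor-type 1 from this section. The Cisco-NAS-Port subtype 2 mentioned under aaa nas port extended is built with the same helper and is assumed here to carry a string; the attribute list in the test is constructed.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for vendor-specific data
CISCO_VENDOR_ID = 9    # vendor ID given on this page
CISCO_AVPAIR = 1       # vendor-type 1: "cisco-avpair" (this page)
CISCO_NAS_PORT = 2     # vendor-type 2: Cisco-NAS-Port (this page); assumed string-valued here


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26 on the wire: Type(26), Length, Vendor-Id (4 bytes), then one
    vendor sub-attribute: Vendor-Type, Vendor-Length, value."""
    if len(value) > 247:  # 255-byte attribute limit minus 8 bytes of headers
        raise ValueError("VSA value too long for a single attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def cisco_avpair(protocol: str, attribute: str, value: str, mandatory: bool = True) -> bytes:
    """Build the cisco-avpair string 'protocol:attribute=value' ('*' marks an
    optional pair, as the usage guidelines describe) and wrap it in a VSA."""
    sep = "=" if mandatory else "*"
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, f"{protocol}:{attribute}{sep}{value}".encode())


def parse_attributes(data: bytes):
    """Walk a RADIUS attribute list, yielding (type, value); Attribute 26 values
    are returned as a dict. Malformed lengths raise instead of being skipped,
    so a truncated or zero-length attribute never silently passes or loops."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("vendor sub-attribute length mismatch")
            yield atype, {"vendor_id": vendor_id, "vendor_type": vtype, "value": value[6:]}
        else:
            yield atype, value
        pos += alen


def parse_avpair(text: str) -> dict:
    """Split 'protocol : attribute sep value' into its parts; '=' means the
    pair is mandatory, '*' means optional."""
    protocol, rest = text.split(":", 1)
    for i, ch in enumerate(rest):
        if ch in "=*":
            return {"protocol": protocol, "attribute": rest[:i],
                    "mandatory": ch == "=", "value": rest[i + 1:]}
    raise ValueError("AV pair has no '=' or '*' separator")


def cisco_avpairs(attrs: bytes) -> list:
    """Collect the cisco-avpair entries from an attribute list. Other vendors'
    VSAs and all standard attributes are left alone."""
    found = []
    for atype, val in parse_attributes(attrs):
        if (atype == VENDOR_SPECIFIC and val["vendor_id"] == CISCO_VENDOR_ID
                and val["vendor_type"] == CISCO_AVPAIR):
            found.append(parse_avpair(val["value"].decode()))
    return found
```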
Related Commands
Command | Description
aaa nas port extended | Replaces the NAS-Port attribute with RADIUS IETF Attribute 26 and displays extended field information.
server (RADIUS)
To configure the IP address of the RADIUS server for the group server, use the server (RADIUS) command in group server configuration mode. To remove the associated server from the AAA group server, use the no form of this command.
server ip-address [auth-port port-number] [acct-port port-number]
no server ip-address [auth-port port-number] [acct-port port-number]
Syntax Description
ip-address | IP address of the RADIUS server host.
auth-port port-number | (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0.
acct-port port-number | (Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0.
Defaults
If no port attributes are defined, the defaults are as follows:
• Authentication port: 1645
• Accounting port: 1646
Command Modes
RADIUS group server configuration
Command History
Release
|
Modification
|
12.0(5)T
|
This command was introduced.
|
12.0(7)T
|
Two new keywords/arguments were added:
• auth-port port-number
• acct-port port-number
|
Usage Guidelines
Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers/host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
Examples
Configuring Multiple Entries for the Same Server IP Address
The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order they are configured.)
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000
Configuring Multiple Entries Using AAA Group Servers
In this example, the network access server is configured to recognize two different RADIUS group servers. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as fail-over backup to the first one.
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS group server and associate a server
! with it.
aaa group server radius group1
server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS group server and associate a server
! with it.
aaa group server radius group2
server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined group servers (one entry per group member above).
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
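An added example, not from this command reference: a Python check, run over a constructed configuration in the shape of the group-server example above, that keys each group member and each global radius-server host entry on (IP address, auth-port, acct-port) and reports members that have no matching global entry as well as host entries that merely repeat an earlier one.

```python
import re
from collections import defaultdict
# Defaults given under "server (RADIUS)" above, used when a line omits a port keyword.
AUTH_DEFAULT, ACCT_DEFAULT = 1645, 1646

def host_key(line):
    """(ip, auth-port, acct-port) of a 'server' or 'radius-server host' line."""
    words = line.split()
    ip = words[2] if words[0] == "radius-server" else words[1]
    auth = re.search(r"auth-port\s+(\d+)", line)
    acct = re.search(r"acct-port\s+(\d+)", line)
    return (ip, int(auth.group(1)) if auth else AUTH_DEFAULT,
            int(acct.group(1)) if acct else ACCT_DEFAULT)

def check_groups(config):
    """Cross-check each group's 'server' members against the global 'radius-server host'
    entries, keyed on (ip, auth-port, acct-port) as the NAS identifies host instances.
    Returns members with no matching global entry and global entries that repeat an
    earlier one (a repeated entry is not a second, fail-over host instance)."""
    groups = defaultdict(list)   # group name -> members in configuration order
    hosts = []                   # global host entries in configuration order
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue             # blank line or comment
        if line.startswith("aaa group server radius "):
            current = line.split()[-1]
        elif line.startswith("server ") and current is not None:
            groups[current].append(host_key(line))
        else:
            current = None       # any other global command leaves group-server mode
            if line.startswith("radius-server host "):
                hosts.append(host_key(line))
    missing = [(g, m) for g, members in groups.items() for m in members if m not in hosts]
    duplicates = [h for i, h in enumerate(hosts) if h in hosts[:i]]
    return {"missing_host_entry": missing, "duplicate_host_entry": duplicates}

# Constructed sample, not from the page: the second 'radius-server host' line repeats
# the first, so group2's member is left without a matching global host entry.
SAMPLE_CONFIG = """
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.10.0.1
"""
```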
Related Commands
Command
|
Description
|
aaa new-model
|
Enables the AAA access control model.
|
aaa group server
|
Groups different server hosts into distinct lists and distinct methods.
|
radius-server host
|
Specifies a RADIUS server host.
|
vpdn aaa attribute
To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute command in global configuration mode. To disable reporting of AAA attributes related to VPDN, use the no form of this command.
vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port vpdn-nas}
no vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port}
Syntax Description
nas-ip-address vpdn-nas
|
Enable reporting of the VPDN NAS IP address to the AAA server.
|
nas-port vpdn-nas
|
Enable reporting of the VPDN NAS port to the AAA server.
|
Command Default
AAA attributes are not reported to the AAA server.
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.3 NA
|
This command was introduced.
|
11.3(8.1)T
|
This command was integrated into Cisco IOS Release 11.3(8.1)T.
|
Usage Guidelines
This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.
Examples
The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:
terminate-from hostname nas1
vpdn aaa attribute nas-ip-address vpdn-nas
vpdn aaa attribute nas-port vpdn-nas