-
Cisco IOS Security Command Reference, Release 12.2 T
-
Cisco IOS Firewall Intrusion Detection System Commands
-
Kerberos Commands
-
TACACS+ Commands
-
Lock-and-Key Commands
-
Port to Application Mapping Commands
-
Reflexive Access List Commands
-
Authorization Commands
-
Internet Key Exchange Security Protocol Commands
-
Authentication Proxy Commands
-
Authentication Commands
-
Accounting Commands
-
Secure Shell Commands
-
IP Security Options Commands
-
Passwords and Privileges Commands
-
Unicast Reverse Path Forwarding Commands
-
Certification Authority Interoperability Commands
-
IPSec Network Security Commands
-
TCP Intercept Commands
-
Context-Based Access Control Commands
-
RADIUS Commands
-
SR: Index
-
Table Of Contents
aaa authorization cache filterserver
clear aaa cache filterserver acl
deadtime (server-group configuration)
dnis bypass (AAA preauthentication configuration)
ip vrf forwarding (server-group)
radius-server attribute 8 include-in-access-req
radius-server attribute 11 direction default
radius-server attribute 32 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 44 include-in-access-req
radius-server attribute 44 sync-with-client
radius-server attribute 55 include-in-acct-req
radius-server attribute 69 clear
radius-server attribute 188 format non-standard
radius-server attribute nas-port extended
radius-server attribute nas-port format
radius-server authorization missing Service-Type
radius-server challenge-noecho
radius-server directed-request
radius-server domain-stripping
radius-server extended-portnames
radius-server host non-standard
radius-server optional passwords
RADIUS Commands
This chapter describes the commands used to configure RADIUS.
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. Cisco supports RADIUS under its authentication, authorization, and accounting (AAA) security paradigm.
For information on how to configure RADIUS, refer to the chapter "Configuring RADIUS" in the
Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the section "RADIUS Configuration Examples" located at the end of the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide.aaa attribute
To add calling line identification (CLID) and dialed number identification service (DNIS) attribute values to a user profile, use the aaa attribute command in AAA-user configuration mode. To remove this command from your configuration, use the no form of this command.
aaa attribute {clid | dnis} attribute-value
no aaa attribute {clid | dnis} attribute-value
Syntax Description
clid
Adds CLID attribute values to the user profile.
dnis
Adds DNIS attribute values to the user profile.
attribute-value
Specifies a name for CLID or DNIS attribute values.
Defaults
If this command is not enabled, you will have an empty user profile.
Command Modes
AAA-user configuration
Command History
Usage Guidelines
Use the aaa attribute command to add CLID or DNIS attribute values to a named user profile, which is created by using the aaa user profile command. The CLID or DNIS attribute values can be associated with the record that is going out with the user profile (via the test aaa group command), thereby providing the RADIUS server with access to CLID or DNIS information when the server receives a RADIUS record.
Examples
The following example shows how to add CLID and DNIS attribute values to the user profile "cat":
aaa user profile cataaa attribute clid clidvalaaa attribute dnis dnisvalRelated Commands
aaa user profile
Creates a AAA user profile.
test aaa group
Associates a DNIS or CLID user profile with the record that is sent to the RADIUS server.
aaa authorization cache filterserver
To enable authentication, authorization, and accounting (AAA) authorization caches and the downloading of access control list (ACL) configurations from a RADIUS filter server, use the aaa authorization cache filterserver command in global configuration mode. To disable AAA authorization caches, use the no form of this command.
aaa authorization cache filterserver default methodlist [methodlist2...]
no aaa authorization cache filterserver default
Syntax Description
default
Default authorization list.
methodlist [methodlist2...]
One of the keywords listed in Table 12.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa authorization cache filterserver command to enable the RADIUS ACL filter server.
Method keywords are described in Table 12.
This command functions similarly to the aaa authorization command with the following exceptions:
•
Named method-lists cannot be configured.
•
•
Examples
The following example shows how to configure the default RADIUS server group as the desired filter. If the request is rejected or a reply is not returned, local configuration will be consulted. If the local filter does not respond, the call will be accepted but filtering will not occur.
aaa authorization cache filterserver group radius local noneRelated Commands
aaa authorization
Sets parameters that restrict user access to a network.
aaa group server radius
Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa cache filter
To enable filter cache configuration, use the aaa cache filter command in global configuration mode. To disable this functionality, use the no form of this command.
aaa cache filter
no aaa cache filter
Syntax Description
This command has no arguments or keywords.
Defaults
Filter cache configuration is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa cache filter command to begin filter cache configuration and enter AAA filter configuration mode (config-aaa-filter).
After enabling this command, you can specify filter cache parameters with the following commands:
•
•
•
•
•
Note
Examples
The following example shows how to enable filter cache configuration and specify cache parameters.
aaa cache filterpassword myciscono cache refreshcache max 100Related Commands
aaa group server radius
To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts.
Examples
The following example shows the configuration of an AAA group server named radgroup1 that comprises three member servers:
aaa group server radius radgroup1server 1.1.1.1 auth-port 1700 acct-port 1701server 2.2.2.2 auth-port 1702 acct-port 1703server 3.3.3.3 auth-port 1705 acct-port 1706
Note
Related Commands
aaa nas port extended
To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the aaa nas port extended command in global configuration mode. To display no extended field information, use the no form of this command.
aaa nas port extended
no aaa nas port extended
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as
NAS-Port = 20101 due to the 16-bit field size limitation associated with RADIUS IETF NAS-Port attribute.In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco's vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
Examples
The following example specifies that RADIUS will display extended interface information:
radius-server vsa sendaaa nas port extendedRelated Commands
aaa user profile
To create an authentication, authorization, and accounting (AAA) named user profile, use the aaa user profile command in global configuration mode. To remove a user profile from the configuration, use the no form of this command.
aaa user profile profile-name
no aaa user profile profile-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa user profile command to create a AAA user profile. Used in conjunction with the aaa attribute command, which adds calling line identification (CLID) and dialed number identification service (DNIS) attribute values, the user profile can be associated with the record that is sent to the RADIUS server (via the test aaa group command), which provides the RADIUS server with access to CLID or DNIS attribute information when the server receives a RADIUS record.
Examples
The following example shows how to configure a dnis = dnisvalue user profile named "prfl1":
aaa user profile prfl1aaa attribute dnisaaa attribute dnis dnisvalueno aaa attribute clid! Attribute not found.aaa attribute clid clidvalueno aaa attribute clidRelated Commands
Adds DNIS or CLID attribute values to a user profile.
Associates a DNIS or CLID user profile with the record that is sent to the RADIUS server.
accounting (server-group)
To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode.
accounting [accept | reject] listname
Syntax Description
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Server-group configuration
Command History
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS accounting allows users to send only the accounting attributes their business requires, thereby reducing unnecessary traffic and allowing users to customize their own accounting data.
Only one filter may be used for RADIUS accounting per server group.
Note
Examples
The following example shows how to specify accept list "usage-only" for RADIUS accounting:
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 1.1.1.1accounting accept usage-only!radius-server host 1.1.1.1 key mykey1radius-server attribute list usage-onlyattribute 1,40,42-43,46Related Commands
attribute (server-group)
To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command.
attribute value1 [value2 [value3]...]
no attribute value1 [value2 [value3]...]
Syntax Description
Defaults
If this command is not enabled, all attributes are sent to the network access server (NAS).
Command Modes
Server-group configuration
Command History
Usage Guidelines
Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the network access server (NAS) from receiving and processing unwanted attributes for authorization or accounting.
The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:
•
–
–
•
–
–
–
–
Note
Examples
The following example shows how to add attributes 12, 217, 6-10, 13, 64-69, and 218 to the list name "standard":
radius-server attribute list standardattribute 12,217,6-10,13attribute 64-69,218Related CommandsA
authorization (server-group)
To specify an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server, use the authorization command in server-group configuration mode.
authorization [accept | reject] listname
Syntax Description
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Server-group configuration
Command History
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS authorization allows users to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes.
Only one filter may be used for RADIUS authorization per server group.
Note
Examples
The following example shows how to configure accept list "min-author" in an Access-Accept packet from the RADIUS server:
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 1.1.1.1authorization accept min-author!radius-server host 1.1.1.1 key mykey1radius-server attribute list min-authorattribute 6-7Related Commands
cache clear age
To specify when, in minutes, cache entries expire and the cache is cleared, use the cache clear age command in AAA filter configuration mode. To return to the default value, use the no form of this command.
cache clear age minutes
no cache clear age
Syntax Description
Defaults
1440 minutes (1 day)
Command Modes
AAA filter configuration
Command History
Usage Guidelines
After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache clear age command to specify when cache entries should expire. If this command is not specified, the default value (1440 minutes) will be enabled.
Examples
The following example shows how to configure the cache entries to expire every 60 minutes:
aaa cache filtercache clear age 60Related Commands
cache disable
To disable the cache, use the cache disable command in AAA filter configuration mode. To return to the default, use the no form of this command.
cache disable
no cache disable
Syntax Description
This command has no arguments or keywords.
Defaults
Caching is enabled.
Command Modes
AAA filter configuration
Command History
Usage Guidelines
After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache disable command to disable filter caching. This command can be used to verify that the access control lists (ACLs) are being downloaded.
Examples
The following example shows how to disable filter caching:
aaa cache filtercache disableRelated Commands
cache max
To limit the absolute number of entries that a cache can maintain for a particular server, use the cache max command in AAA filter configuration mode. To return to the default value, use the no form of this command.
cache max number
no cache max
Syntax Description
number
Maximum number of entries the cache can maintain. Any value from 0 to 4294967295; the default value is 100 entries.
Defaults
100 entries
Command Modes
AAA filter configuration
Command History
Usage Guidelines
After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache max command to specify the maximum number of entries the cache can have at any given time. If this command is not specified, the default value (100 entries) will be enabled.
Examples
The following example shows how to configure the cache to maintain a maximum of 150 entries:
aaa cache filterpassword myciscocache max 150Related Commands
cache refresh
To refresh a cache entry after a new session begins, use the cache refresh command in AAA filter configuration mode. To disable this functionality, use the no form of this command.
cache refresh
no cache refresh
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
AAA filter configuration
Command History
Usage Guidelines
The cache refresh command is used in an attempt to keep cache entries from the filter server, that are being referred to by new sessions, within the cache. This command resets the idle timer for these entries when they are referenced by new calls.
Examples
The following example shows how to disable the cache refresh command:
aaa cache filterpassword myciscono cache refreshcache max 100Related Commands
clear aaa cache filterserver acl
To clear the cache status for a particular filter or all filters, use the clear aaa cache filterserver acl command in EXEC mode.
clear aaa cache filterserver acl [filter-name]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
After you clear the cache status for a particular filter or all filters, it is recommended that you enable the show aaa cache filterserver command to verify that the cache status.
Examples
The following example shows how to clear the cache for all filters:
clear aaa cache filterserver aclRelated Commands
call guard-timer
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer controller configuration command. To remove the call guard-timer command from your configuration file, use the no form of this command.
call guard-timer milliseconds [on-expiry {accept | reject}]
no call guard-timer milliseconds [on-expiry {accept | reject}]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Controller configuration
Command History
Examples
The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.
controller T1 0framing esfclock source line primarylinecode b8zsds0-group 0 timeslots 1-24 type e&m-fgb dtmf dniscas-custom 0call guard-timer 20000 on-expiry acceptaaa preauthgroup radiusdnis requiredRelated Commands
clid
To preauthenticate calls on the basis of the Calling Line Identification (CLID) number, use the clid authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the clid command from your configuration, use the no form of this command.
clid [if-avail | required] [accept-stop] [password password]
no clid [if-avail | required] [accept-stop] [password password]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the CLID number:
aaa preauthgroup radiusclid requiredRelated Commands
ctype
To preauthenticate calls on the basis of the call type, use the ctype authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the ctype command from your configuration, use the no form of this command.
ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
no ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Set up the RADIUS preauthentication profile with the call type string as the username and with the password that is defined in the ctype command as the password. Table 13 shows the call types that you may use in the preauthentication profile.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the call type:
aaa preauthgroup radiusctype requiredRelated Commands
deadtime (server-group configuration)
To configure deadtime within the context of RADIUS server groups, use the deadtime server group configuration command. To set deadtime to 0, use the no form of this command.
deadtime minutes
no deadtime
Syntax Description
minutes
Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Defaults
Deadtime is set to 0.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use this command to configure the deadtime value of any RADIUS server group. The value of deadtime set in the server groups will override the server that is configured globally. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group.
When the RADIUS Server Is Marked As Dead
For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a transaction is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.
For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server will be marked as dead if both of the following conditions are met:
1.
2.
Examples
The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:
aaa group server radius group1server 1.1.1.1 auth-port 1645 acct-port 1646server 2.2.2.2 auth-port 2000 acct-port 2001deadtime 1Related Commands
dialer aaa
To allow a dialer to access the authentication, authorization, and accounting (AAA) server for dialing information, use the dialer aaa command in interface configuration mode. To disable this function, use the no form of this command.
dialer aaa suffix string password string
no dialer aaa password suffix string password string
Syntax Description
suffix string
Defines a suffix for authentication.
password string
Defines a nondefault password for authentication.
Defaults
This feature is not enabled by default.
Command Modes
Interface configuration
Command History
12.0(3)T
This command was introduced.
12.1(5)T
The suffix and password keywords were added.
Usage Guidelines
This command is required for large scale dial-out and Layer 2 Tunneling Protocol (L2TP) dial-out functionality. With this command, you can specify a suffix, a password, or both. If you do not specify a password, the default password will be "cisco."
Note
Examples
This example shows a user sending out packets from interface Dialer1 with a destination IP address of 1.1.1.1. The username in the access-request message is "1.1.1.1@ciscoDoD" and the password is "cisco."
interface dialer1dialer aaadialer aaa suffix @ciscoDoD password ciscoRelated Commands
dnis (RADIUS)
To preauthenticate calls on the basis of the DNIS (Dialed Number Identification Service) number, use the dnis AAA preauthentication configuration command. To remove the dnis command from your configuration, use the no form of this command.
dnis [if-avail | required] [accept-stop] [password password]
no dnis [if-avail | required] [accept-stop] [password password]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the authentication, authorization, and accounting (AAA) preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the DNIS number:
aaa preauthgroup radiusdnis requiredRelated Commands
dnis bypass (AAA preauthentication configuration)
To specify a group of DNIS (Dialed Number Identification Service) numbers that will be bypassed for preauthentication, use the dnis bypass AAA preauthentication configuration command. To remove the dnis bypass command from your configuration, use the no form of this command.
dnis bypass {dnis-group-name}
no dnis bypass {dnis-group-name}
Syntax Description
Defaults
No DNIS numbers are bypassed for preauthentication.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
Before using this command, you must first create a DNIS group with the dialer dnis group command.
Examples
The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii:
aaa preauthgroup radiusdnis requireddnis bypass hawaiidialer dnis group hawaiinumber 12345number 12346Related Commands
dialer dnis group
Creates a DNIS group.
Preauthenticates calls on the basis of the DNIS number.
group (RADIUS)
To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group AAA preauthentication configuration command. To remove the group command from your configuration, use the no form of this command.
group server-group
no group server-group
Syntax Description
Defaults
No default behavior or values.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example shows the creation of a RADIUS server group called "maestro" and then specifies that DNIS preauthentication be performed using this server group:
aaa group server radius maestroserver 1.1.1.1server 2.2.2.2server 3.3.3.3aaa preauthgroup maestrodnis requiredRelated Commands
ip radius source-interface
To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.
ip radius source-interface subinterface-name [vrf vrf-name]
no ip radius source-interface
Syntax Description
subinterface-name
Name of the interface that RADIUS uses for all of its outgoing packets.
vrf vrf-name
(Optional) Per Virtual Route Forwarding (VRF) configuration.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set the IP address of a subinterface to be used as the source address for all outgoing RADIUS packets. The IP address is used as long as the subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
This command is especially useful in cases where the router has many subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
The specified subinterface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the subinterface to the up state.
Use the vrf vrf-name keyword and argument to configure this command per VRF, which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.
Examples
The following example shows how to configure RADIUS to use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2The following example shows how to configure RADIUS to use the IP address of subinterface Ethernet0 for VRF definition:
ip radius source-interface Ethernet 0 vrf waterRelated Commands
ip vrf forwarding (server-group)
To configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication, authorization, and accounting (AAA) RADIUS server group, use the ip vrf forwarding command in server-group configuration mode. To enable server groups to use the global (default) routing table, use the no form of this command.
ip vrf forwarding vrf-name
no ip vrf forwarding vrf-name
Syntax Description
Defaults
Server groups use the global routing table.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use the ip vrf forwarding command to specify a VRF for a AAA RADIUS server group. This command enables dial users to utilize AAA servers in different routing domains.
Examples
The following example shows how to configure the VRF user to reference the RADIUS server in a different VRF server group:
aaa group server radius sg_globalserver-private 172.16.0.0 timeout 5 retransmit 3!aaa group server radius sg_waterserver-private 10.10.0.0 timeout 5 retransmit 3 key waterip vrf forwarding waterRelated Commands
password
To specify the optional password that is to be used for filter server authentication requests, use the password command in AAA filter configuration mode. To return to the default value, use the no form of this command.
password {0 | 7} password
no password
Syntax Description
0
An unencrypted password will follow.
7
A hidden password will follow.
password
Unencrypted (clear text) password. The default password is "cisco."
Defaults
cisco
Command Modes
AAA filter configuration
Command History
Usage Guidelines
Before configuring this command, you must enable the aaa cache filter command, which allows you to configure cache filter parameters. If this command is not specified, the default value ("cisco") will be enabled.
Examples
The following example shows how to configure the password "mycisco":
aaa cache filterpassword ciscoRelated Commands
radius-server attribute 6
To provide for the presence of the Service-Type attribute (attribute 6) in RADIUS Access-Accept messages, use the radius-server attribute 6 command in global configuration mode. To make the presence of the Service-Type attribute optional in Access-Accept messages, use the no form of this command.
radius-server attribute 6 {mandatory | on-for-login-auth | support-multiple | voice value}
no radius-server attribute 6 {mandatory | on-for-login-auth | support-multiple | voice value}
Syntax Description
Defaults
If this command is not configured, the absence of the Service-Type attribute is ignored, and the authentication or authorization does not fail. The default for the voice keyword is 12.
Command Modes
Global configuration
Command History
12.2(11)T
This command was introduced.
12.3(13)T
The mandatory keyword was added.
Usage Guidelines
If this command is configured and the Service-Type attribute is absent in the Access-Accept message packets, the authentication or authorization fails.
Examples
The following example shows that the presence of the Service-Type attribute is mandatory in RADIUS Access-Accept messages:
Router (config)# radius-server attribute 6 mandatoryThe following example shows that attribute 6 is to be sent in authentication packets:
Router (config)# radius-server attribute 6 on-for-login-authThe following example shows that multiple Service-Type values are to be supported for each RADIUS profile:
Router (config)# radius-server attribute support-multipleThe following example shows that Service-Type values are to be sent in voice calls:
Router (config)# radius-server attribute voice 1radius-server attribute 8 include-in-access-req
To send the IP address of a user to the RADIUS server in the access request, use the radius-server attribute 8 include-in-access-req global configuration command. To disable sending of the user IP address to the RADIUS server during authentication, use the no form of this command.
radius-server attribute 8 include-in-access-req
no radius-server attribute 8 include-in-access-req
Syntax Description
This command has no arguments or keywords.
Defaults
This feature is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Using the radius-server attribute 8 include-in-access-req command makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.
When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the username, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:
•
•
The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and "stop" packets will also include the same IP address as in attribute 8.
Note
Examples
The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.
aaa new-modelaaa authentication login default group radiusaaa authentication ppp default group radiusaaa authorization network default group radiusaaa accounting network default start-stop group radius!ip address-pool local!interface Async1peer default ip address pool async1-pool!ip local pool async1-pool 209.165.200.225 209.165.200.229!radius-server host 172.31.71.146 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server attribute 8 include-in-access-reqradius-server key radhostradius-server attribute 11 direction default
To specify the default direction of filters from RADIUS, use the radius-server attribute 11 direction default command in global configuration mode. To remove this functionality from your configuration, use the no form of this command.
radius-server attribute 11 direction default [inbound | outbound]
no radius-server attribute 11 direction default [inbound | outbound]
Syntax Description
inbound
(Optional) Filtering is applied to inbound packets only.
outbound
(Optional) Filtering is applied to outbound packets only.
Defaults
If this command is not enabled, filters are treated as outbound.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server attribute 11 direction default command to change the default direction of filters from RADIUS. (RADIUS attribute 11 (Filter-Id) indicates the name of the filter list for the user.) Enabling this command allows you to change the filter direction to inbound, which stops traffic from entering a router and prevents resource consumption, rather than keeping the outbound default direction, which waits until the traffic is about to leave the network before filtering occurs.
Examples
The following example shows how to configure RADIUS attribute 11 to change the default direction of filters. In this example, the filtering is applied to inbound packets only.
radius-server attribute 11 direction default inboundThe following is an example of a RADIUS user profile (Merit Daemon format) that includes RADIUS attribute 11 (Filter-Id):
client Password = "cisco"Service-Type = Framed,Framed-Protocol = PPP,Filter-Id = "myfilter.out"radius-server attribute 32 include-in-access-req
To send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request, use the radius-server attribute 32 include-in-access-req global configuration command. To disable sending RADIUS attribute 32, use the no form of this command.
radius-server attribute 32 include-in-access-req [format]
no radius-server attribute 32 include-in-access-req
Syntax Description
format
(Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).
Defaults
RADIUS attribute 32 is not sent in access-request or accounting-request packets.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Using the radius-server attribute 32 include-in-access-req makes it possible to identify the network access server (NAS) manufacturer to the RADIUS server by sending RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request. If you configure the format argument, the string sent in attribute 32 will include an IP address, a hostname, or a domain name; otherwise, the Fully Qualified Domain Name (FQDN) is sent by default.
Examples
The following example shows a configuration that sends RADIUS attribute 32 in the access-request with the format configured to identify a Cisco NAS:
radius-server attribute 32 include-in-access-req format cisco %h.%d %i! The following string will be sent in attribute 32 (NAS-Identifier)."cisco router.nlab.cisco.com 10.0.1.67"radius-server attribute 44 extend-with-addr
To add the accounting IP address before the existing session ID, use the radius-server attribute 44 extend-with-addr command in global configuration mode. To remove this command from your configuration, use the no form of this command.
radius-server attribute 44 extend-with-addr
no radius-server attribute 44 extend-with-addr
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The radius-server attribute 44 extend-with-addr command adds Acct-Session-Id (attribute 44) before the existing session ID (NAS-IP-Address).
When multiple network access servers (NAS) are being processed by one offload server, enable this command on all NASs and the offload server to ensure a common and unique session ID.
Note
Examples
The following example shows how to configure unique session IDs among NASs:
aaa new-modelaaa authentication ppp default group radiusradius-server host 10.100.1.34radius-server attribute 44 extend-with-addrRelated Commands
radius-server attribute 44 include-in-access-req
To send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication), use the radius-server attribute 44 include-in-access-req command in global configuration mode. To remove this command from the configuration, use the no form of this command.
radius-server attribute 44 include-in-access-req [vrf vrf-name]
no radius-server attribute 44 include-in-access-req [vrf vrf-name]
Syntax Description
Defaults
RADIUS attribute 44 is not sent in access-request packets.
Command Modes
Global configuration
Command History
Usage Guidelines
There is no guarantee that the Accounting Session IDs will increment uniformly and consistently. In other words, between two calls, the Accounting Session ID can increase by more than one.
The vrf vrf-name keyword and argument specify Accounting Session IDs per Virtual Private Network (VPN) routing and forwarding (VRF), which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.
Examples
The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:
aaa new-modelaaa authentication ppp default group radiusradius-server host 10.100.1.34radius-server attribute 44 include-in-access-reqradius-server attribute 44 sync-with-client
To configure the offload server to synchronize accounting session information with the network access server (NAS) clients, use the radius-server attribute 44 sync-with-client command in global configuration mode. To disable this functionality, use the no form of this command.
radius-server attribute 44 sync-with-client
no radius-server attribute 44 sync-with-client
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server attribute 44 sync-with-client command to allow the offload server to synchronize accounting session information with the NAS clients. The NAS-IP-Address, the Acct-Session-Id, and the Class attribute are transmitted from the client to the offload server via Layer 2 Forwarding (L2F) options.
Examples
The following example shows how to configure the offload server to synchronize accounting session information with the NAS clients:
radius-server attribute 44 sync-with-clientRelated Commands
Adds the accounting IP address before the existing session ID.
Sends RADIUS attribute 44 (Acct-Session-Id) in access-request packets before user authentication.
radius-server attribute 55 include-in-acct-req
To send the RADIUS attribute 55 (Event-Timestamp) in accounting packets, use the radius-server attribute 55 include-in-acct-req command in global configuration mode. To remove this command from your configuration, use the no form of this command.
radius-server attribute 55 include-in-acct-req
no radius-server attribute 55 include-in-acct-req
Syntax Description
This command has no arguments or keywords.
Defaults
RADIUS attribute 55 is not sent in accounting packets.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server attribute 55 include-in-acct-req command to send RADIUS attribute 55 (Event-Timestamp) in accounting packets. The Event-Timestamp attribute records the time that the event occurred on the NAS; the timestamp sent in attribute 55 is in seconds since January 1, 1970 00:00 UTC.
Note
To avoid configuring the clock on the router every time the router is reloaded, you can enable the clock calendar-valid command. (For information on this command, refer to the chapter "Basic System Management Commands" in the Cisco IOS Configuration Fundamentals Command Reference.Examples
The following example shows how to enable your router to send the Event-Timestamp attribute in accounting packets. (To see whether the Event-Timestamp was successfully enabled, use the debug radius command.)
radius-server attribute 55 include-in-acct-reqRelated Commands
clock calendar-valid
Configures a system as an authoritative time source for a network based on its hardware clock (calendar).
clock set
Manually sets the system software clock.
radius-server attribute 69 clear
To receive nonencrypted tunnel passwords in attribute 69 (Tunnel-Password), use the radius-server attribute 69 clear global configuration command. To disable this feature and receive encrypted tunnel passwords, use the no form of this command.
radius-server attribute 69 clear
no radius-server attribute 69 clear
Syntax Description
This command has no arguments or keywords.
Defaults
RADIUS attribute 69 is not sent and encrypted tunnel passwords are sent.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Use the radius-server attribute 69 clear command to receive nonencrypted tunnel passwords, which are sent in RADIUS attribute 69 (Tunnel-Password). This command allows tunnel passwords to be sent in a "string" encapsulated format, rather than the standard tag/salt/string format, which enables the encrypted tunnel password.
Some RADIUS servers do not encrypt Tunnel-Password; however the current NAS (network access server) implementation will decrypt a non-encrypted password that causes authorization failures. Because nonencrypted tunnel passwords can be sent in attribute 69, the NAS will no longer decrypt tunnel passwords.
Note
Examples
The following example shows how to enable attribute 69 to receive nonencrypted tunnel passwords.
(To see whether the Tunnel-Password process is successful, use the debug radius command.)radius-server attribute 69 clearradius-server attribute 77
To send connection speed information to the RADIUS server in the access request, use the radius-server attribute 77 command in global configuration mode. To prevent connection speed information from being included in the access request, use the no form of this command.
radius-server attribute 77 {include-in-access-req | include-in-acct-req}
no radius-server attribute 77 {include-in-access-req | include-in-acct-req}
Syntax Description
include-in-access-req
Specifies that attribute 77 will be included in access requests.
include-in-acct-req
Specifies that attribute 77 will be included in accounting requests.
Defaults
RADIUS attribute 77 is sent to the RADIUS server in the access request.
Command Modes
Global configuration
Command History
12.2(2)BX
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
RADIUS attribute 77 is sent to the RADIUS server in the access request by default.
RADIUS attribute 77 allows RADIUS authentication based on connection speed. Sessions can be accepted or denied based on the allowed connection speed configured for a particular user on the RADIUS server.
RADIUS attribute 77 includes the following information:
•
•
•
•
The VC class name may include letters, numbers, and the characters ":" (colon), ";" (semicolon), "-" (hyphen) and "," (comma).
Examples
The following example disables the inclusion of RADIUS attribute 77 in the access request:
no radius-server attribute 77 include-in-access-reqRelated Commands
radius-server attribute 188 format non-standard
To send the number of remaining links in the multilink bundle in the accounting-request packet, use the radius-server attribute 188 format non-standard global configuration command. To disable the sending of the number of links in the multilink bundle in the accounting-request packet, use the no form of this command.
radius-server attribute 188 format non-standard
no radius-server attribute 188 format non-standard
Syntax Description
This command has no arguments or keywords.
Defaults
RADIUS attribute 188 is not sent in accounting "start" and "stop" records.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Use this command to send attribute 188 in accounting "start" and "stop" records.
Examples
The following example shows a configuration that sends RADIUS attribute 188 in accounting-request packets:
radius-server attribute 188 format non-standardradius-server attribute list
To define an accept or reject list name, use the radius-server attribute list command in global configuration mode.
radius-server attribute list listname
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
A user may configure an accept or reject list with a selection of attributes on the network access server (NAS) for authorization or accounting so unwanted attributes are not accepted and processed. The radius-server attribute list command allows users to specify a name for an accept or reject list. This command is used in conjunction with the attribute (server-group configuration) command, which adds attributes to an accept or reject list.
Note
Examples
The following example shows how to configure the reject list "bad-author" for RADIUS authorization and accept list "usage-only" for RADIUS accounting:
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 1.1.1.1authorization reject bad-authoraccounting accept usage-only!radius-server host 1.1.1.1 key mykey1radius-server attribute list usage-onlyattribute 1,40,42-43,46!radius-server attribute list bad-authorattribute 22,27-28,56-59
Note
Related Commands
radius-server attribute nas-port extended
The radius-server attribute nas-port extended command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command in this chapter for more information.
radius-server attribute nas-port format
To select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format, use the radius-server attribute nas-port format global configuration command. If the no form of this command is used, attribute 5 (NAS-Port) will no longer be sent to the RADIUS server.
radius-server attribute nas-port format format
no radius-server attribute nas-port format format
Syntax Description
format
NAS-Port format. Possible values for the format argument are as follows:
a—Standard NAS-Port format
b—Extended NAS-Port format
c—Shelf-slot NAS-Port format
d—PPP extended NAS-Port format
Defaults
Standard NAS-Port format
Command Modes
Global configuration
Command History
Usage Guidelines
The radius-server attribute nas-port format command configures RADIUS to change the size and format of the NAS-Port attribute field (RADIUS IETF attribute 5).
The following NAS-Port formats are supported:
•
•
•
•
Note
Examples
In the following example, a RADIUS server is identified, and the NAS-Port field is set to the PPP extended format:
radius-server host 172.31.5.96 auth-port 1645 acct-port 1646radius-server attribute nas-port format dRelated Commands
vpdn aaa attribute
Enables reporting of NAS AAA attributes related to a VPDN to the AAA server.
radius-server authorization missing Service-Type
To allow an access server to fully process or deny Access-Accept responses from RADIUS servers that do not send the Service-Type attribute in the Access-Accept packets, use the radius-server authorization missing Service-Type command in global configuration mode. To disable the "allow" or "deny" status, use the no form of this command.
radius-server authorization [permit | deny] missing Service-Type
no radius-server authorization [permit | deny] missing Service-Type
Syntax Description
Defaults
If this command is not entered, authorization fails if a Service-Type attribute is not present in the RADIUS Access-Accept packet that is received.
Command Modes
Global configuration
Command History
Examples
The following example shows that the access server has been configured to fully process Access-Accept responses from RADIUS servers that do not send the Service-Type attribute:
Router (config)# radius-server authorization permit missing Service-TypeThe following example shows that the access server has been configured to deny authorization if the Service-Type attribute is not present in the Access-Accept packet:
Router (config)# radius-server authorization deny missing Service-Typeradius-server challenge-noecho
To prevent user responses to Access-Challenge packets from being displayed on the screen, use the radius-server challenge-noecho global configuration command. To return to the default condition, use the no form of this command.
radius-server challenge-noecho
no radius-server challenge-noecho
Syntax Description
This command has no arguments or keywords.
Defaults
All user responses to Access-Challenge packets are echoed to the screen.
Command Modes
Global configuration
Command History
Usage Guidelines
This command applies to all users. When the radius-server challenge-noecho command is configured, user responses to Access-Challenge packets are not displayed unless the Prompt attribute in the user profile is set to echo on the RADIUS server. The Prompt attribute in a user profile overrides the radius-server challenge-noecho command for the individual user. For more information, see the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2.
Examples
The following example stops all user responses from displaying on the screen:
radius-server challenge-noechoradius-server configure-nas
To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas command in global configuration mode. To discontinue the query of the RADIUS server, use the no form of this command.
radius-server configure-nas
no radius-server configure-nas
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.
Note
Examples
The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:
radius-server configure-nasRelated Commands
Identifies that the security server is using a vendor-proprietary implementation of RADIUS.
radius-server deadtime
To improve RADIUS response times when some servers might be unavailable, use the radius-server deadtime command in global configuration mode to cause the unavailable servers to be skipped immediately. To set dead-time to 0, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime
Syntax Description
minutes
Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Defaults
Dead time is set to 0.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration of minutes or unless there are no servers not marked "dead."
When the RADIUS Server Is Marked As Dead
For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a transaction is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.
For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server will be marked as dead if both of the following conditions are met:
1.
2.
Examples
The following example specifies five minutes deadtime for RADIUS servers that fail to respond to authentication requests:
radius-server deadtime 5Related Commands
radius-server dead-criteria
To force one or both of the criteria—used to mark a RADIUS server as dead—to be the indicated constant, use the radius-server dead-criteria command in global configuration mode. To disable the criteria that were set, use the no form of this command.
radius-server dead-criteria [time seconds] [tries number-of-tries]
no radius-server dead-criteria [time seconds] [tries number-of-tries]
Syntax Description
Defaults
If the seconds argument is not configured, the number of seconds will range from 10 to 60 seconds, depending on the transaction rate of the server.
If the number-of-tries argument is not configured, the number of consecutive timeouts will range from 10 to 100, depending on the transaction rate of the server and the number of configured retransmissions.
Command Modes
Global configuration
Command History
Usage Guidelines
Note
The no form of this command has the following cases:
•
•
•
Examples
The following example shows that the router will be considered dead after 5 seconds and four tries:
Router (config)# radius-server dead-criteria time 5 tries 4radius-server directed-request
To allow users logging into a Cisco netword access server (NAS) to select a RADIUS server for authentication, use the radius-server directed-request global configuration command. To disable the directed-request feature, use the no form of this command.
radius-server directed-request [restricted]
no radius-server directed-request [restricted]
Syntax Description
restricted
(Optional) Prevents the user from being sent to a secondary server if the specified server is not available.
Defaults
User cannot log into a Cisco NAS to select a RADIUS server for authentication.
Command Modes
Global configuration mode
Command History
Usage Guidelines
The radius-server directed-request command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with this command enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
Disabling the radius-server directed-request command causes the whole string, both before and after the "@" symbol, to be sent to the default RADIUS server. The router queries the list of servers, starting with the first one in the list. It sends the whole string, and accepts the first response that it gets from the server.
Use the radius-server directed-request restricted command to limit the user to the RADIUS server identified as part of the username.
The no radius-server directed-request command causes the entire username string to be passed to the default RADIUS server.
Examples
The following example verifies that the RADIUS server is selected based on the directed request:
aaa new-modelaaa authentication login default radiusradius-server host 192.168.1.1radius-server host 172.16.56.103radius-server host 172.31.40.1radius-server directed-requestradius-server domain-stripping
To enable Virtual Route Forwarding (VRF)-aware domain-stripping, use the radius-server domain-stripping command in global configuration mode. To remove VRF-aware domain-stripping, use the no form of this command.
radius-server domain-stripping [vrf vrf-name]
no radius-server domain-stripping [vrf vrf-name]
Syntax Description
Defaults
This functionality is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server domain-stripping command to strip or truncate the domain from a username. For example, if the username is user1@cisco.com and the radius-server domain-stripping command is configured, only "user1" is sent out as the username.
To configure domain-stripping only to a specified VRF, use the vrf vrf-name option.
Examples
The following example shows a configuration that strips the domain name from the VRF "abc":
radius-server domain-stripping vrf abcradius-server extended-portnames
The radius-server extended-portnames command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command in this chapter for more information.
radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias{hostname | ip-address}]
no radius-server host {hostname | ip-address}
Syntax Description
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.
Examples
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:
radius-server host host1The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
radius-server host host1.example.com auth-port 0radius-server host host2.example.com acct-port 0The following example specifies four aliases on the RADIUS server with IP address 172.1.1.1:
radius-server host 172.1.1.1 acct-port 1645 auth-port 1646radius-server host 172.1.1.1 alias 172.16.2.1 172.17.3.1 172.16.4.1
Related Commands
radius-server host non-standard
To identify that the security server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard command in global configuration mode. This command tells the Cisco IOS software to support nonstandard RADIUS attributes. To delete the specified vendor-proprietary RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} non-standard
no radius-server host {hostname | ip-address} non-standard
Syntax Description
Defaults
No RADIUS host is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.
For a list of supported vendor-specific RADIUS attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide.
Examples
The following example specifies a vendor-proprietary RADIUS server host named alcatraz:
radius-server host alcatraz non-standardRelated Commands
radius-server key
To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the key, use the no form of this command.
radius-server key {0 string | 7 string | string}
no radius-server key
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
11.1
This command was introduced.
12.1(3)T
The string argument was modified as follows:
•
•
•
Usage Guidelines
After enabling authentication, authorization, and accounting (AAA) authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.
Note
The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "dare to go":
radius-server key dare to goThe following example sets the authentication and encryption key to "anykey." The 7 specifies that a hidden key will follow.
service password-encryptionradius-server key 7 anykeyAfter you save your configuration and use the show-running config command, an encrypted key will be displayed as follows:
show running-config!!radius-server key 7 19283103834782sda!The leading 7 indicates that the following text is encrypted.Related Commands
radius-server optional passwords
To specify that the first RADIUS request to a RADIUS server be made without password verification, use the radius-server optional-passwords command in global configuration mode. To restore the default, use the no form of this command.
radius-server optional-passwords
no radius-server optional-passwords
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the RADIUS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The RADIUS server must support authentication for users without passwords to make use of this feature.
Examples
The following example configures the first login to not require RADIUS verification:
radius-server optional-passwordsradius-server retransmit
To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
Defaults
3 attempts
Command Modes
Global configuration
Command History
Usage Guidelines
The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
Examples
The following example specifies a retransmit counter value of five times:
radius-server retransmit 5radius-server timeout
To set the interval for which a router waits for a server host to reply, use the radius-server timeout command in global configuration mode. To restore the default, use the no form of this command.
radius-server timeout seconds
no radius-server timeout
Syntax Description
Defaults
5 seconds
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set the number of seconds a router waits for a server host to reply before timing out.
Examples
The following example changes the interval timer to 10 seconds:
radius-server timeout 10Related Commands
Specifies a RADIUS server host.
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server vsa send
To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send command in global configuration mode. To restore the default, use the no form of this command.
radius-server vsa send [accounting | authentication]
no radius-server vsa send [accounting | authentication]
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the network access server to recognize and use both accounting and authentication vendor-specific attributes. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just accounting attributes. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just authentication attributes.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string with the following format:
protocol : attribute sep value *"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to RFC 2138, Remote Authentication Dial-In User Service (RADIUS).
Examples
The following example configures the network access server to recognize and use vendor-specific accounting attributes:
radius-server vsa send accountingRelated Commands
Replaces the NAS-Port attribute with RADIUS IETF attribute 26 and displays extended field information.
server (RADIUS)
To configure the IP address of the RADIUS server for the group server, use the server command in server-group configuration mode. To remove the associated server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server ip-address [auth-port port-number] [acct-port port-number]
no server ip-address [auth-port port-number] [acct-port port-number]
Syntax Description
Defaults
If no port attributes are defined, the defaults are as follows:
•
•
Command Modes
Server-group configuration
Command History
12.0(5)T
This command was introduced.
12.0(7)T
The following new keywords/arguments were added:
•
•
Usage Guidelines
Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
Examples
Configuring Multiple Entries for the Same Server IP Address
The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order in which they are configured.)
! This command enables AAA.aaa new-model! The next command configures default RADIUS parameters.aaa authentication ppp default radius! The next set of commands configures multiple host entries for the same IP address.radius-server host 172.20.0.1 auth-port 1000 acct-port 1001radius-server host 172.20.0.1 auth-port 2000 acct-port 2000Configuring Multiple Entries Using AAA Group Servers
In this example, the network access server is configured to recognize two different RADIUS group servers. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as failover backup to the first one.
! This command enables AAA.aaa new-model! The next command configures default RADIUS parameters.aaa authentication ppp default group group1! The following commands define the group1 RADIUS group server and associates servers ! with it. aaa group server radius group1server 172.20.0.1 auth-port 1000 acct-port 1001! The following commands define the group2 RADIUS group server and associates servers ! with it. aaa group server radius group2server 172.20.0.1 auth-port 2000 acct-port 2001! The following set of commands configures the RADIUS attributes for each host entry ! associated with one of the defined group servers.radius-server host 172.20.0.1 auth-port 1000 acct-port 1001radius-server host 172.20.0.1 auth-port 1000 acct-port 1001radius-server host 172.10.0.1 auth-port 1645 acct-port 1646Related Commands
aaa group server
Groups different server hosts into distinct lists and distinct methods.
aaa new-model
Enables the AAA access control model.
Specifies a RADIUS server host.
server-private (RADIUS)
To configure the IP address of the private RADIUS server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
no server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
Syntax Description
Defaults
If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between Virtual Route Forwardings (VRFs), private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (default "radius" server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.
Examples
The following example shows how to define the sg_water RADIUS group server and associate private servers with it:
aaa group server radius sg_waterserver-private 10.1.1.1 timeout 5 retransmit 3 key cokeserver-private 10.2.2.2 timeout 5 retransmit 3 key cokeRelated Commands
show aaa attributes
To display the mapping between an authentication, authorization, and accounting (AAA) attribute number and the corresponding AAA attribute name, use the show aaa attributes command in EXEC configuration mode.
show aaa sttributes [protocol radius]
Syntax Description
protocol radius
(Optional) Displays the mapping between a RADIUS attribute and a AAA attribute name and number.
Command Modes
EXEC
Command History
12.2(4)T
This command was introduced.
12.2(11)T
The protocol radius keyword was added.
Examples
The following example is sample output for the show aaa attributes command. In this example, all RADIUS attributes that have been enabled are displayed.
Router# show aaa attributes protocol radiusAAA ATTRIBUTE LIST:Type=1 Name=disc-cause-ext Format=EnumProtocol:RADIUSNon-Standard Type=195 Name=Ascend-Disconnect-Cau Format=EnumCisco VSA Type=1 Name=Cisco AVpair Format=StringType=2 Name=Acct-Status-Type Format=EnumProtocol:RADIUSIETF Type=40 Name=Acct-Status-Type Format=EnumType=3 Name=acl Format=UlongProtocol:RADIUSIETF Type=11 Name=Filter-Id Format=BinaryType=4 Name=addr Format=IPv4 AddressProtocol:RADIUSIETF Type=8 Name=Framed-IP-Address Format=IPv4 AddreType=5 Name=addr-pool Format=StringProtocol:RADIUSNon-Standard Type=218 Name=Ascend-IP-Pool Format=UlongType=6 Name=asyncmap Format=UlongProtocol:RADIUSNon-Standard Type=212 Name=Ascend-Asyncmap Format=UlongType=7 Name=Authentic Format=EnumProtocol:RADIUSIETF Type=45 Name=Authentic Format=EnumType=8 Name=autocmd Format=Stringshow aaa cache filterserver
To display the cache status, use the show aaa cache filterserver command in EXEC mode.
show aaa cache filterserver
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
The show aaa cache filterserver command shows how many times a particular filter has been referenced or refreshed. This function may be used in administration to determine which filters are actually being used.
Examples
The following is sample output for the show aaa cache filterserver command:
Router# show aaa cache filterserverFilter Server Age Expires Refresh Access-Control-Lists--------------------------------------------------------------------------------aol 1.2.3.4 0 1440 100 ip in icmp dropip out icmp dropip out forward tcp dstip 1.2.3...msn 1.2.3.4 N/A Never 2 ip in tcp dropmsn2 1.2.3.4 N/A Never 2 ip in tcp dropvone 1.2.3.4 N/A Never 0 ip in tcp dropTable 14 describes the significant fields shown in the display.
Related Commands
aaa authorization cache filterserver
Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.
show radius statistics
To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics EXEC command.
show radius statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Examples
The following example is sample output for the show radius statistics command:
Router# show radius statisticsAuth. Acct. BothMaximum inQ length: NA NA 1Maximum waitQ length: NA NA 1Maximum doneQ length: NA NA 1Total responses seen: 3 0 3Packets with responses: 3 0 3Packets without responses: 0 0 0Average response delay(ms): 5006 0 5006Maximum response delay(ms): 15008 0 15008Number of Radius timeouts: 3 0 3Duplicate ID detects: 0 0 0Table 15 describes significant fields shown in the display.
.
Related Commands
test aaa group
To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server, use the test aaa group command in privileged EXEC mode.
test aaa group {group-name | radius} username password new-code [profile profile-name]
Syntax Description
Defaults
If this command is not enabled, DNIS or CLID attribute values will not be sent to the RADIUS server.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the test aaa group command to associate a DNIS or CLID named user profile with the record that is sent to the RADIUS server, which can then access DNIS or CLID information when the server receives a RADIUS record.
Note
Examples
The following example shows how to configure a dnis = dnisvalue user profile named "prfl1" and associate it with a test aaa group command:
aaa user profile prfl1aaa attribute dnisaaa attribute dnis dnisvalueno aaa attribute clid! Attribute not found.aaa attribute clid clidvalueno aaa attribute clidexit!! Associate the dnis user profile with the test aaa group command.test aaa group radius user1 pass new-code profile prfl1Related Commands
Adds DNIS or CLID attribute values to a user profile.
Creates an AAA user profile.
vpdn aaa attribute
To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute command in global configuration mode. To disable reporting of AAA attributes related to VPDN, use the no form of this command.
vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port {vpdn-nas | physical-channel-id}}
no vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port}
Syntax Description
Command Default
AAA attributes are not reported to the AAA server.
Command Modes
Global configuration
Command History
Usage Guidelines
This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.
The PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to a RADIUS server when one of the following protocols is configured:
•
•
•
Before PPP extended NAS-Port format attributes can be reported to the RADIUS server, the radius-server attribute nas-port format command with the d keyword must be configured on both the tunnel server and the NAS, and the tunnel server and the NAS must both be Cisco routers.
Examples
The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:
vpdn enablevpdn-group 1accept-dialinprotocol anyvirtual-template 1!terminate-from hostname nas1local name ts1!vpdn aaa attribute nas-ip-address vpdn-nasvpdn aaa attribute nas-port vpdn-nasvpdn aaa attribute nas-port physical-channel-idThe following example configures the tunnel server for VPDN, enables AAA, configures a RADIUS AAA server, and enables reporting of PPP extended NAS-Port format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the NAS for this configuration to be effective.
vpdn enablevpdn-group L2TP-tunnelaccept-dialinprotocol l2tpvirtual-template 1!terminate-from hostname nas1local name ts1!aaa new-modelaaa authentication ppp default local group radiusaaa authorization network default local group radiusaaa accounting network default start-stop group radius!radius-server host 171.79.79.76 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server attribute nas-port format dradius-server key ts123!vpdn aaa attribute nas-port vpdn-nasRelated Commands
radius-server attribute nas-port format
Selects the NAS-Port format used for RADIUS accounting features.
