Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: radius-server attribute 11 direction default through rsa-pubkey

Table Of Contents

radius-server attribute 11 direction default

radius-server attribute 188 format non-standard

radius-server attribute 32 include-in-access-req

radius-server attribute 4

radius-server attribute 44 extend-with-addr

radius-server attribute 44 include-in-access-req

radius-server attribute 44 sync-with-client

radius-server attribute 55 include-in-acct-req

radius-server attribute 6

radius-server attribute 69 clear

radius-server attribute 77

radius-server attribute 8 include-in-access-req

radius-server attribute list

radius-server attribute nas-port extended

radius-server attribute nas-port format

radius-server authorization missing Service-Type

radius-server challenge-noecho

radius-server configure-nas

radius-server dead-criteria

radius-server deadtime

radius-server directed-request

radius-server domain-stripping

radius-server extended-portnames

radius-server host

radius-server host non-standard

radius-server key

radius-server local

radius-server optional-passwords

radius-server retransmit

radius-server retry method reorder

radius-server source-ports extended

radius-server timeout

radius-server transaction max-tries

radius-server unique-ident

radius-server vsa send

reauthentication time

redirect (identity policy)

redundancy stateful

regenerate

request-method

reverse-route

revocation-check

root

root CEP

root PROXY

root TFTP

rsakeypair

rsa-pubkey


radius-server attribute 11 direction default

To specify the default direction of filters from RADIUS, use the radius-server attribute 11 direction default command in global configuration mode. To remove this functionality from your configuration, use the no form of this command.

radius-server attribute 11 direction default [inbound | outbound]

no radius-server attribute 11 direction default [inbound | outbound]

Syntax Description

inbound

(Optional) Filtering is applied to inbound packets only.

outbound

(Optional) Filtering is applied to outbound packets only.


Defaults

If this command is not enabled, filters are treated as outbound.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the radius-server attribute 11 direction default command to change the default direction of filters from RADIUS. (RADIUS attribute 11 (Filter-Id) indicates the name of the filter list for the user.) Enabling this command allows you to change the filter direction to inbound, which stops traffic from entering a router and prevents resource consumption, rather than keeping the outbound default direction, which waits until the traffic is about to leave the network before filtering occurs.

Examples

The following example shows how to configure RADIUS attribute 11 to change the default direction of filters. In this example, the filtering is applied to inbound packets only.

radius-server attribute 11 direction default inbound

The following is an example of a RADIUS user profile (Merit Daemon format) that includes RADIUS attribute 11 (Filter-Id):

client Password = "cisco"
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Filter-Id = "myfilter.out"

radius-server attribute 188 format non-standard

To send the number of remaining links in the multilink bundle in the accounting-request packet, use the radius-server attribute 188 format non-standard command in global configuration mode. To disable the sending of the number of links in the multilink bundle in the accounting-request packet, use the no form of this command.

radius-server attribute 188 format non-standard

no radius-server attribute 188 format non-standard

Syntax Description

This command has no arguments or keywords.

Defaults

RADIUS attribute 188 is not sent in accounting "start" and "stop" records.

Command Modes

Global configuration

Command History

Release
Modification

12.1

This command was introduced.


Usage Guidelines

Use this command to send attribute 188 in accounting "start" and "stop" records.

Examples

The following example shows a configuration that sends RADIUS attribute 188 in accounting-request packets:

radius-server attribute 188 format non-standard

radius-server attribute 32 include-in-access-req

To send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request, use the radius-server attribute 32 include-in-access-req command in global configuration mode. To disable sending RADIUS attribute 32, use the no form of this command.

radius-server attribute 32 include-in-access-req [format]

no radius-server attribute 32 include-in-access-req

Syntax Description

format

(Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).


Defaults

RADIUS attribute 32 is not sent in access-request or accounting-request packets.

Command Modes

Global configuration

Command History

Release
Modification

12.1 T

This command was introduced.


Usage Guidelines

Using the radius-server attribute 32 include-in-access-req command makes it possible to identify the network access server (NAS) manufacturer to the RADIUS server by sending RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request. If you configure the format argument, the string sent in attribute 32 will include an IP address, a hostname, or a domain name; otherwise, the Fully Qualified Domain Name (FQDN) is sent by default.

Examples

The following example shows a configuration that sends RADIUS attribute 32 in the access-request with the format configured to identify a Cisco NAS:

radius-server attribute 32 include-in-access-req format cisco %h.%d %i
! The following string will be sent in attribute 32 (NAS-Identifier). 
"cisco router.nlab.cisco.com 10.0.1.67"

radius-server attribute 4

To configure an IP address for the RADIUS attribute 4 address, use the radius-server attribute 4 command in global configuration mode. To delete an IP address as the RADIUS attribute 4 address, use the no form of this command.

radius-server attribute 4 ip-address

no radius-server attribute 4 ip-address

Syntax Description

ip-address

IP address to be configured as RADIUS attribute 4 inside RADIUS packets.


Defaults

If this command is not configured, the RADIUS NAS-IP-Address attribute will be the IP address on the interface that connects the network access server (NAS) to the RADIUS server.

Command Modes

Global configuration

Command History

Release
Modification

12.3(3)B

This command was introduced.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.


Usage Guidelines

Normally, when the ip radius-source interface command is configured, the IP address on the interface that is specified in the command is used as the IP address in the IP headers of the RADIUS packets and as the RADIUS attribute 4 address inside the RADIUS packets.

However, when the radius-server attribute 4 command is configured, the IP address in the command is used as the RADIUS attribute 4 address inside the RADIUS packets. There is no impact on the IP address in the IP headers of the RADIUS packets.

If both commands are configured, the IP address that is specified in the radius-server attribute 4 command is used as the RADIUS attribute 4 address inside the RADIUS packets. The IP address on the interface that is specified in the ip radius-source interface command is used as the IP address in the IP headers of the RADIUS packets.

Some authentication, authorization, and accounting (AAA) clients (such as PPP, virtual private dial-up network [VPDN] or Layer 2 Tunneling Protocol [L2TP], Voice over IP [VoIP], or Service Selection Gateway [SSG]) may try to set the RADIUS attribute 4 address using client-specific values. For example, on an L2TP network server (LNS), the IP address of the L2TP access concentrator (LAC) could be specified as the RADIUS attribute 4 address using a VPDN or L2TP command. When the radius-server attribute 4 command is configured, the IP address specified in the command takes precedence over all IP addresses from AAA clients.

During RADIUS request retransmission and during RADIUS server failover, the specified IP address is always chosen as the value of the RADIUS attribute 4 address.

Examples

The following example shows that the IP address 10.0.0.21 has been configured as the RADIUS NAS-IP-Address attribute:

radius-server attribute 4 10.0.0.21
radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key cisco

The following debug radius command output shows that 10.0.0.21 has been successfully configured.

Router# debug radius

RADIUS/ENCODE(0000001C): acct_session_id: 29
RADIUS(0000001C): sending
RADIUS(0000001C): Send Access-Request to 10.0.0.10:1645 id 21645/17, len 81
RADIUS:  authenticator D0 27 34 C0 F0 C4 1C 1B - 3C 47 08 A2 7E E1 63 2F
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   18  "shashi@pepsi.com"
RADIUS:  CHAP-Password       [3]   19  *
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   10.0.0.21
UDP: sent src=11.1.1.1(21645), dst=10.0.0.10(1645), length=109
UDP: rcvd src=10.0.0.10(1645), dst=10.1.1.1(21645), length=40
RADIUS: Received from id 21645/17 10.0.0.10:1645, Access-Accept, len 32
RADIUS:  authenticator C6 99 EC 1A 47 0A 5F F2 - B8 30 4A 4C FF 4B 1D F0
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS(0000001C): Received from id 21645/17

Related Commands

Command
Description

ip radius-source interface

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.


radius-server attribute 44 extend-with-addr

To add the accounting IP address before the existing session ID, use the radius-server attribute 44 extend-with-addr command in global configuration mode. To remove this command from your configuration, use the no form of this command.

radius-server attribute 44 extend-with-addr

no radius-server attribute 44 extend-with-addr

Syntax Description

This command has no arguments or keywords.

Defaults

This command is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

The radius-server attribute 44 extend-with-addr command adds Acct-Session-Id (attribute 44) before the existing session ID (NAS-IP-Address).

When multiple network access servers (NAS) are being processed by one offload server, enable this command on all NASs and the offload server to ensure a common and unique session ID.


Note This command should be enabled only when offload servers are used.


Examples

The following example shows how to configure unique session IDs among NASs:

aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 extend-with-addr

Related Commands

Command
Description

radius-server attribute 44 include-in-access-req

Sends RADIUS attribute 44 (Acct-Session-Id) in access-request packets before user authentication.

radius-server attribute 44 sync-with-client

Configures the offload server to synchronize accounting session information with the NAS clients.


radius-server attribute 44 include-in-access-req

To send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication), use the radius-server attribute 44 include-in-access-req command in global configuration mode. To remove this command from the configuration, use the no form of this command.

radius-server attribute 44 include-in-access-req [vrf vrf-name]

no radius-server attribute 44 include-in-access-req [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Per VRF configuration.


Defaults

RADIUS attribute 44 is not sent in access-request packets.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)T

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

There is no guarantee that the Accounting Session IDs will increment uniformly and consistently. In other words, between two calls, the Accounting Session ID can increase by more than one.

The vrf vrf-name keyword and argument specify Accounting Session IDs per Virtual Private Network (VPN) routing and forwarding (VRF), which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.

Examples

The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:

aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 include-in-access-req

radius-server attribute 44 sync-with-client

To configure the offload server to synchronize accounting session information with the network access server (NAS) clients, use the radius-server attribute 44 sync-with-client command in global configuration mode. To disable this functionality, use the no form of this command.

radius-server attribute 44 sync-with-client

no radius-server attribute 44 sync-with-client

Syntax Description

This command has no arguments or keywords.

Defaults

This command is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the radius-server attribute 44 sync-with-client command to allow the offload server to synchronize accounting session information with the NAS clients. The NAS-IP-Address, the Acct-Session-Id, and the Class attribute are transmitted from the client to the offload server via Layer 2 Forwarding (L2F) options.

Examples

The following example shows how to configure the offload server to synchronize accounting session information with the NAS clients:

radius-server attribute 44 sync-with-client

Related Commands

Command
Description

radius-server attribute 44 extend-with-addr

Adds the accounting IP address before the existing session ID.

radius-server attribute 44 include-in-access-req

Sends RADIUS attribute 44 (Acct-Session-Id) in access-request packets before user authentication.


radius-server attribute 55 include-in-acct-req

To send the RADIUS attribute 55 (Event-Timestamp) in accounting packets, use the radius-server attribute 55 include-in-acct-req command in global configuration mode. To remove this command from your configuration, use the no form of this command.

radius-server attribute 55 include-in-acct-req

no radius-server attribute 55 include-in-acct-req

Syntax Description

This command has no arguments or keywords.

Defaults

RADIUS attribute 55 is not sent in accounting packets.

Command Modes

Global configuration

Command History

Release
Modification

12.1(5)T

This command was introduced.


Usage Guidelines

Use the radius-server attribute 55 include-in-acct-req command to send RADIUS attribute 55 (Event-Timestamp) in accounting packets. The Event-Timestamp attribute records the time that the event occurred on the NAS; the timestamp sent in attribute 55 is in seconds since January 1, 1970 00:00 UTC.


Note Before the Event-Timestamp attribute can be sent in accounting packets, you must configure the clock on the router. (For information on setting the clock on your router, refer to section "Performing Basic System Management" in the chapter "System Management" of the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide.)

To avoid configuring the clock on the router every time the router is reloaded, you can enable the clock calendar-valid command. (For information on this command, refer to the Cisco IOS Configuration Fundamentals and Network Management Command Reference.)


Examples

The following example shows how to enable your router to send the Event-Timestamp attribute in accounting packets. (To see whether the Event-Timestamp was successfully enabled, use the debug radius command.)

radius-server attribute 55 include-in-acct-req

Related Commands

Command
Description

clock calendar-valid

Configures a system as an authoritative time source for a network based on its hardware clock (calendar).

clock set

Manually sets the system software clock.


radius-server attribute 6

To provide for the presence of the Service-Type attribute (attribute 6) in RADIUS Access-Accept messages, use the radius-server attribute 6 command in global configuration mode. To make the presence of the Service-Type attribute optional in Access-Accept messages, use the no form of this command.

radius-server attribute 6 {mandatory | on-for-login-auth | support-multiple | voice value}

no radius-server attribute 6 {mandatory | on-for-login-auth | support-multiple | voice value}

Syntax Description

mandatory

Makes the presence of the Service-Type attribute mandatory in RADIUS Access-Accept messages.

on-for-login-auth

Sends the Service-Type attribute in the authentication packets.

Note The Service-Type attribute is sent by default in RADIUS Accept-Request messages. Therefore, RADIUS tunnel profiles should include "Service-Type=Outbound" as a check item, not just as a reply item. Failure to include Service-Type=Outbound as a check item can result in a security hole.

support-multiple

Supports multiple Service-Type values for each RADIUS profile.

voice value

Selects the Service-Type value for voice calls. The only value that can be entered is 1. The default is 12.


Defaults

If this command is not configured, the absence of the Service-Type attribute is ignored, and the authentication or authorization does not fail. The default for the voice keyword is 12.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)T

This command was introduced.

12.2(13)T

The mandatory keyword was added.


Usage Guidelines

If this command is configured and the Service-Type attribute is absent in the Access-Accept message packets, the authentication or authorization fails.

The support-multiple keyword allows for multiple instances of the Service-Type attribute to be present in an Access-Accept packet. The default behavior is to disallow multiple instances, which results in an Access-Accept packet containing multiple instances being treated as though an Access-Reject was received.

Examples

The following example shows that the presence of the Service-Type attribute is mandatory in RADIUS Access-Accept messages:

Router (config)# radius-server attribute 6 mandatory

The following example shows that attribute 6 is to be sent in authentication packets:

Router (config)# radius-server attribute 6 on-for-login-auth

The following example shows that multiple Service-Type values are to be supported for each RADIUS profile:

Router (config)# radius-server attribute support-multiple

The following example shows that Service-Type values are to be sent in voice calls:

Router (config)# radius-server attribute voice 1

radius-server attribute 69 clear

To receive nonencrypted tunnel passwords in attribute 69 (Tunnel-Password), use the radius-server attribute 69 clear command in global configuration mode. To disable this feature and receive encrypted tunnel passwords, use the no form of this command.

radius-server attribute 69 clear

no radius-server attribute 69 clear

Syntax Description

This command has no arguments or keywords.

Defaults

RADIUS attribute 69 is not sent and encrypted tunnel passwords are sent.

Command Modes

Global configuration

Command History

Release
Modification

12.1(5)T

This command was introduced.


Usage Guidelines

Use the radius-server attribute 69 clear command to receive nonencrypted tunnel passwords, which are sent in RADIUS attribute 69 (Tunnel-Password). This command allows tunnel passwords to be sent in a "string" encapsulated format, rather than the standard tag/salt/string format, which enables the encrypted tunnel password.

Some RADIUS servers do not encrypt Tunnel-Password; however the current NAS (network access server) implementation will decrypt a non-encrypted password that causes authorization failures. Because nonencrypted tunnel passwords can be sent in attribute 69, the NAS will no longer decrypt tunnel passwords.


Note Once this command is enabled, all tunnel passwords received will be nonencrypted until the command is manually disabled.


Examples

The following example shows how to enable attribute 69 to receive nonencrypted tunnel passwords.
(To see whether the Tunnel-Password process is successful, use the debug radius command.)

radius-server attribute 69 clear 

radius-server attribute 77

To send connection speed information to the RADIUS server in the access request, use the radius-server attribute 77 command in global configuration mode. To prevent connection speed information from being included in the access request, use the no form of this command.

radius-server attribute 77 {include-in-access-req | include-in-acct-req}

no radius-server attribute 77 {include-in-access-req | include-in-acct-req}

Syntax Description

include-in-access-req

Specifies that attribute 77 will be included in access requests.

include-in-acct-req

Specifies that attribute 77 will be included in accounting requests.


Defaults

RADIUS attribute 77 is sent to the RADIUS server in the access request.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)BX

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

RADIUS attribute 77 is sent to the RADIUS server in the access request by default.

RADIUS attribute 77 allows RADIUS authentication based on connection speed. Sessions can be accepted or denied based on the allowed connection speed configured for a particular user on the RADIUS server.

RADIUS attribute 77 includes the following information:

The accounting start/stop request

The VC class name defined with the class-int command

The VC class name defined with the class-vc command

The VC class name defined with the class-range command

The VC class name may include letters, numbers, and the characters ":" (colon), ";" (semicolon), "-" (hyphen) and "," (comma).

Examples

The following example disables the inclusion of RADIUS attribute 77 in the access request:

no radius-server attribute 77 include-in-access-req

Related Commands

Command
Description

class-int

Assigns a VC class to an ATM main interface or subinterface.

class-range

Assigns a VC class to an ATM PVC range.

class-vc

Assigns a VC class to an ATM PVC, SVC, or VC bundle member.


radius-server attribute 8 include-in-access-req

To send the IP address of a user to the RADIUS server in the access request, use the radius-server attribute 8 include-in-access-req command in global configuration mode. To disable sending of the user IP address to the RADIUS server during authentication, use the no form of this command.

radius-server attribute 8 include-in-access-req

no radius-server attribute 8 include-in-access-req

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)T

This command was introduced.


Usage Guidelines

Using the radius-server attribute 8 include-in-access-req command makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.

When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information.

As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the username, to the RADIUS server.

After the RADIUS server receives the user information from the NAS, it has two options:

If the user profile on the RADIUS server already includes attribute 8, the RADIUS server can override the IP address sent by the NAS with the IP address defined as attribute 8 in the user profile. The address defined in the user profile is returned to the NAS.

If the user profile does not include attribute 8, the RADIUS server can accept attribute 8 from the NAS, and the same address is returned to the NAS.

The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and "stop" packets will also include the same IP address as in attribute 8.


Note Configuring the NAS to send the host IP address in the RADIUS access request assumes that the login host is configured to request an IP address from the NAS server. It also assumes that the login host is configured to accept an IP address from the NAS. In addition, the NAS must be configured with a pool of network addresses at the interface supporting the login hosts.


Examples

The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization network default group radius 
aaa accounting network default start-stop group radius
!
ip address-pool local
!
interface Async1
 peer default ip address pool async1-pool
!
ip local pool async1-pool 209.165.200.225 209.165.200.229
!
radius-server host 172.31.71.146 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute 8 include-in-access-req
radius-server key radhost

radius-server attribute list

To define an accept or reject list name, use the radius-server attribute list command in global configuration mode. To remove an accept or reject list name from your configuration, use the no form of this command.

radius-server attribute list list-name

no radius-server attribute list list-name

Syntax Description

list-name

Name for an accept or reject list.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(1)DX

This command was introduced.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.

12.2(13)T

Platform support was added for the Cisco 7401 ASR.


Usage Guidelines

A user may configure an accept or reject list with a selection of attributes on the network access server (NAS) for authorization or accounting so unwanted attributes are not accepted and processed. The radius-server attribute list command allows users to specify a name for an accept or reject list. This command is used in conjunction with the attribute (server-group configuration) command, which adds attributes to an accept or reject list.


Note The listname must be the same as the listname defined in the accounting or authorization configuration command.


Examples

The following example shows how to configure the reject list "bad-author" for RADIUS authorization and accept list "usage-only" for RADIUS accounting:

Router(config)# aaa new-model
Router(config)# aaa authentication ppp default group radius-sg
Router(config)# aaa authorization network default group radius-sg
Router(config)# aaa group server radius radius-sg
Router(config-sg-radius)# server 1.1.1.1
Router(config-sg-radius)# authorization reject bad-author
Router(config-sg-radius)# accounting accept usage-only
Router(config-sg-radius)# exit
Router(config)# radius-server host 1.1.1.1 key mykey1
Router(config)# radius-server attribute list usage-only
Router(config-radius-attrl)# attribute 1,40,42-43,46
Router(config-radius-attrl)# exit
Router(config)# radius-server attribute list bad-author
Router(config-radius-attrl)# attribute 22,27-28,56-59


Note Although you cannot configure more than one access or reject list per server group for authorization or accounting, you can configure one list for authorization and one list for accounting per server group.


Related Commands

Command
Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

accounting (server-group configuration)

Specifies an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request.

attribute (server-group configuration)

Adds attributes to an accept or reject list.

authorization (server-group configuration)

Specifies an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server.

radius-server host

Specifies a RADIUS server host.


radius-server attribute nas-port extended

The radius-server attribute nas-port extended command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command for more information.

radius-server attribute nas-port format

To select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format, use the radius-server attribute nas-port format command in global configuration mode. To stop sending attribute 5 (NAS-Port) to the RADIUS server, use the no form of this command.

radius-server attribute nas-port format format

no radius-server attribute nas-port format format

Syntax Description

format

NAS-Port format. Possible values for the format argument are as follows:

a—Standard NAS-Port format

b—Extended NAS-Port format

c—Carrier-based format

d—PPPoX (PPP over Ethernet or PPP over ATM) extended NAS-Port format

e—Configurable NAS-Port format


Defaults

Standard NAS-Port format

Command Modes

Global configuration

Command History

Release
Modification

11.3(7)T

This command was introduced.

11.3(9)DB

The PPP extended NAS-Port format was added.

12.1(5)T

The PPP extended NAS-Port format was expanded to support PPPoE over ATM and PPPoE over IEEE 802.1Q virtual LANS (VLANs).

12.2(4)T

Format e was introduced.

12.2(11)T

Format e was extended to support PPPoX information.

12.3(3)

Format e was extended to support Session ID U.


Usage Guidelines

The radius-server attribute nas-port format command configures RADIUS to change the size and format of the NAS-Port attribute field (RADIUS IETF attribute 5).

The following NAS-Port formats are supported:

Standard NAS-Port format—This 16-bit NAS-Port format indicates the type, port, and channel of the controlling interface. This is the default format used by Cisco IOS software.

Extended NAS-Port format—The standard NAS-Port attribute field is expanded to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface that is undergoing authentication.

Shelf-slot NAS-Port format—This 16-bit NAS-Port format supports expanded hardware models requiring shelf and slot entries.

PPP extended NAS-Port format—This NAS-Port format uses 32 bits to indicate the interface, virtual path identifier (VPI), and virtual channel indicator (VCI) for PPP over ATM and PPPoE over ATM, and the interface and VLAN ID for PPPoE over Institute of IEEE standard 802.1Q VLANs.

Format e

The currently supported formats a through c do not work with new Cisco platforms, such as the AS5400. For this reason, a configurable format e was developed. Format e requires you to explicitly define the usage of the 32 bits of attribute 25 (Nas-Port). The usage is defined with a given parser character for each Nas-Port field of interest for a given bit field. By configuring a single character in a row, such as x, only one bit is assigned to store that given value. Additional characters of the same type, such as x, will provide a larger available range of values to be stored. Thus, the ranges may be expanded as follows:

x

0 - 1

xx

0 - 3

xxx

0 - 7

xxxx

0 - F

xxxxx

0 - 1F


and so on.

It is imperative that one know what the valid range is for a given parameter on a platform that one wishes to support. The IOS RADIUS client will bitmask the determined value to the maximum permissible value on the basis of configuration. Thus, if one has a parameter that turns out to have a value of 8, but only 3 bits (xxx) are configures, 8 and 0x7 will give a result of 0. Therefore, one must always configure enough bits to correctly capture the value required. Care must be taken to ensure that format e is configured to properly work for all NAS port types within your network environment.

Zero

0 (always sets a 0 to that bit)

One

1 (always sets a 1 to that bit)

DS0 shelf

f

DS0 slot

s

DS0 adapter

a

DS0 port

p (physical port)

DS0 subinterface

i

DS0 channel

c

Async shelf

F

Async slot

S

Async port

P

Async line

L (modem line number, that is, physical terminal [TTY] number)

PPPoX slot

S

PPPoX adapter

A

PPPoX port 

P

PPPoX VLAN ID

V

PPPoX VPI

I

PPPoX VCI

C

Session ID

U


Currently supported parameters and their representative characters are shown below.

All 32 bits that represent the NAS-Port must be set to one of the above characters because this format makes no assumptions for empty fields.

Access Router

The DS0 port on a T1-based card and on a T3-based card will give different results. On T1-based cards, the physical port is equal to the virtual port (as these are the same). So, p and d will give the same information for a T1 card. However, on a T3 system, the port will give you the physical port number (as there can be more than one T3 card for a given platform). As such, d will give you the virtual T1 line (as per configuration on a T3 controller). On a T3 system, p and d will be different, and one should capture both to properly identify the physical device. As a working example for the Cisco AS5400, the following configuration is recommended:

Router (config)# radius-server attribute nas-port format e 
SSSSPPPPPPPPPsssspppppdddddccccc

This will give one an asynchronous slot (0 - 16), asynchronous port (0 - 512), DS0 slot (0 - 16), DS0 physical port (0 - 32), DS0 virtual port (0 - 32), and channel (0 - 32). The parser has been implemented to explicitly require 32-bit support, or it will fail.

Finally, format e is supported for channel-associated signaling (CAS), Primary Rate Interface (PRI), and basic rate interface- (BRI-) based interfaces.


Note This command replaces the radius-server attribute nas-port extended command.


Examples

In the following example, a RADIUS server is identified, and the NAS-Port field is set to the PPP extended format:

radius-server host 172.31.5.96 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d

Related Commands

Command
Description

vpdn aaa attribute nas-port vpdn-nas

Enables the LNS to send PPP extended NAS-Port format values to the RADIUS server for accounting.


radius-server authorization missing Service-Type

The radius-server authorization missing Service-Type command is replaced by the radius-server attribute 6 command. See the radius-server attribute 6 command for more information.

radius-server challenge-noecho

To prevent user responses to Access-Challenge packets from being displayed on the screen, use the radius-server challenge-noecho command in global configuration mode. To return to the default condition, use the no form of this command.

radius-server challenge-noecho

no radius-server challenge-noecho

Syntax Description

This command has no arguments or keywords.

Defaults

All user responses to Access-Challenge packets are echoed to the screen.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

This command applies to all users. When the radius-server challenge-noecho command is configured, user responses to Access-Challenge packets are not displayed unless the Prompt attribute in the user profile is set to echo on the RADIUS server. The Prompt attribute in a user profile overrides the radius-server challenge-noecho command for the individual user. For more information, see the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide.

Examples

The following example stops all user responses from displaying on the screen:

radius-server challenge-noecho

radius-server configure-nas

To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas command in global configuration mode. To discontinue the query of the RADIUS server, use the no form of this command.

radius-server configure-nas

no radius-server configure-nas

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.


Note Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy system:running-config nvram:startup-config command.


Examples

The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:

radius-server configure-nas

Related Commands

Command
Description

radius-server host non-standard

Identifies that the security server is using a vendor-proprietary implementation of RADIUS.


radius-server dead-criteria

To force one or both of the criteria—used to mark a RADIUS server as dead—to be the indicated constant, use the radius-server dead-criteria command in global configuration mode. To disable the criteria that were set, use the no form of this command.

radius-server dead-criteria [time seconds] [tries number-of-tries]

no radius-server dead-criteria [time seconds] [tries number-of-tries]

Syntax Description

time seconds

(Optional) Minimum amount of time, in seconds, that must elapse from the time that the router last received a valid packet from the RADIUS server to the time the server is marked as dead. If a packet has not been received since the router booted, and there is a timeout, the time criterion will be treated as though it has been met. You can configure the time to be from 1 through 120 seconds.

If the seconds argument is not configured, the number of seconds will range from 10 to 60 seconds, depending on the transaction rate of the server.

Note Both the time criterion and the tries criterion must be met for the server to be marked as dead.

tries number-of-tries

(Optional) Number of consecutive timeouts that must occur on the router before the RADIUS server is marked as dead. If the server performs both authentication and accounting, both types of packet will be included in the number. Improperly constructed packets will be counted as though they were timeouts. All transmissions, including the initial transmit and all retransmits, will be counted. You can configure the number of timeouts to be from 1 through 100.

If the number-of-tries argument is not configured, the number of consecutive timeouts will range from 10 to 100, depending on the transaction rate of the server and the number of configured retransmissions.

Note Both the time criterion and the tries criterion must be met for the server to be marked as dead.


Defaults

If the seconds argument is not configured, the number of seconds will range from 10 to 60 seconds, depending on the transaction rate of the server.

If the number-of-tries argument is not configured, the number of consecutive timeouts will range from 10 to 100, depending on the transaction rate of the server and the number of configured retransmissions.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines


Note Both the time criterion and the tries criterion must be met for the server to be marked as dead.


The no form of this command has the following cases:

If neither the seconds nor the number-of-tries argument is indicated, both time and tries will be set to their defaults.

If either the seconds or the number-of-tries arguments is indicated, the one indicated (time or tries) will be set to its default. The other will be unchanged.

If both the seconds and the number-of-tries arguments are indicated, both time and tries will be set to their defaults.

Examples

The following example shows that the router will be considered dead after 5 seconds and four tries:

Router (config)# radius-server dead-criteria time 5 tries 4

Related Commands

Command
Description

debug aaa dead-criteria transactions

Displays AAA dead-criteria transaction values.

show aaa dead-criteria

Displays dead-criteria information for a AAA server.

show aaa server-private

Displays the status of all private RADIUS servers.

show aaa servers

Displays information about the number of packets sent to and received from AAA servers.


radius-server deadtime

To improve RADIUS response times when some servers might be unavailable and cause the unavailable servers to be skipped immediately, use the radius-server deadtime command in global configuration mode. To set dead-time to 0, use the no form of this command.

radius-server deadtime minutes

no radius-server deadtime

Syntax Description

minutes

Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).


Defaults

Dead time is set to 0.

Command Modes

Global configuration

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration of minutes or unless there are no servers not marked "dead."

When the RADIUS Server Is Marked As Dead

For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a transaction is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.

For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server