RADIUS Configuration Mode Commands
RADIUS configuration mode commands allow you to configure multiple Remote Authentication Dial-In User Service (RADIUS) servers as a named AAA server group. You specify the IP address of one or more previously configured RADIUS servers that you want added to or removed from a AAA server group, along with a dead-time interval for the RADIUS server group.
For details about creating a RADIUS server group, see the Security Guide, Cisco ACE Application Control Engine.
To create a RADIUS server group and access RADIUS server configuration mode, enter the aaa group server radius command. The CLI prompt changes to (config-radius). Use the no form of this command to remove a RADIUS server group.
aaa group server radius group_name
no aaa group server radius group_name
Syntax Description
group_name | Group of RADIUS servers. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
3.0(0)A1(2) | This command was introduced.
A1(7) | This command was introduced.
Usage Guidelines
The commands in this mode require the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A server group is a list of server hosts. The ACE allows you to configure multiple AAA servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.
You can configure server groups at any time, but you must enter the aaa authentication login or the aaa accounting default command to apply them to the AAA service.
Examples
To create a RADIUS server group, enter:
host1/Admin(config)# aaa group server radius RADIUS_Server_Group1
host1/Admin(config-radius)# server 172.16.56.76
host1/Admin(config-radius)# server 172.16.56.79
host1/Admin(config-radius)# server 172.16.56.82
Related Commands
(config) aaa accounting default
(config) aaa authentication login
(config-radius) deadtime
To specify a dead-time interval for the Remote Authentication Dial-In User Service (RADIUS) server group, use the deadtime command. Use the no form of this command to reset the RADIUS server group dead-time request to its default of 0.
deadtime minutes
no deadtime minutes
Syntax Description
minutes | Length of time that the ACE skips a nonresponsive RADIUS server for transaction requests. Valid entries are from 0 to 1440 (24 hours). The default is 0.
Command Modes
RADIUS configuration mode
Admin and user contexts
Command History
3.0(0)A1(2) | This command was introduced.
A1(7) | This command was introduced.
Usage Guidelines
The deadtime command causes the ACE to mark as dead any RADIUS server that fails to respond to authentication requests. Entering this command prevents the wait for the request to time out before the ACE tries the next configured server. For the duration of minutes, additional requests skip a RADIUS server that is marked as dead.
During the dead-time interval, the ACE sends probe access-request packets to verify that the RADIUS server is available and can receive authentication requests. The dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the ACE retransmits the authentication request to the server.
Examples
To globally configure a 15-minute dead-time interval for RADIUS servers that fail to respond to authentication requests, enter:
host1/Admin(config)# aaa group server radius RADIUS_Server_Group1
host1/Admin(config-radius)# deadtime 15
To reset the RADIUS server dead-time request to the default of 0, enter:
host1/Admin(config-radius)# no deadtime 15
Related Commands
(config) aaa group server
(config-radius) server
To specify the IP address of one or more previously configured Remote Authentication Dial-In User Service (RADIUS) servers that you want added to or removed from a server group, use the server command. Use the no form of this command to remove the RADIUS server from the AAA server group.
server ip_address
no server ip_address
Syntax Description
ip_address | IP address of the RADIUS server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes
RADIUS configuration mode
Admin and user contexts
Command History
3.0(0)A1(2) | This command was introduced.
A1(7) | This command was introduced.
Usage Guidelines
You can add multiple RADIUS servers to the AAA server group by entering multiple server commands in this mode. The same server can belong to multiple server groups.
Examples
To add servers to a RADIUS server group, enter:
host1/Admin(config-radius)# server 172.16.56.76
host1/Admin(config-radius)# server 172.16.56.79
host1/Admin(config-radius)# server 172.16.56.82
To remove a server from a RADIUS server group, enter:
host1/Admin(config)# aaa group server radius RADIUS_Server_Group1
host1/Admin(config-radius)# no server 172.16.56.76
Related Commands
(config) aaa group server
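The limits stated for the three commands above (group name length, 10 groups per context, deadtime 0 to 1440, dotted-decimal server addresses) can be checked against saved configuration text before it is applied. This is an added example, not part of the Cisco reference; the function names, the one-command-per-line layout and the sample configuration are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample (not from the page), laid out as the commands are entered.
SAMPLE_CONFIG = """\
aaa group server radius RADIUS_Server_Group1
  server 172.16.56.76
  server 172.16.56.79
  deadtime 15
aaa group server radius Branch_Group
  server 172.16.56.300
"""
GROUP_RE = re.compile(r"^aaa group server radius (\S+)$")
SUB_RE = re.compile(r"^(server|deadtime) (\S+)$")

def parse_groups(config):
    """Map each group name to its ordered server list and deadtime tokens."""
    groups, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        head, sub = GROUP_RE.match(line), SUB_RE.match(line)
        if head:
            current = groups.setdefault(head.group(1), {"server": [], "deadtime": []})
        elif current is not None and sub:
            current[sub.group(1)].append(sub.group(2))
        else:
            current = None  # any other command ends the stanza
    return groups

def audit(config, max_groups=10):
    """Return findings for values outside the limits stated in this reference."""
    groups, findings = parse_groups(config), []
    if len(groups) > max_groups:
        findings.append(f"{len(groups)} server groups exceed the limit of {max_groups} per context")
    for name, group in groups.items():
        if len(name) > 64:
            findings.append(f"{name}: group name exceeds 64 characters")
        for addr in group["server"]:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                findings.append(f"{name}: server {addr} is not a dotted-decimal IPv4 address")
        # An unset deadtime means the default of 0; the last entry wins otherwise.
        deadtime = group["deadtime"][-1] if group["deadtime"] else "0"
        if not deadtime.isdigit() or int(deadtime) > 1440:
            findings.append(f"{name}: deadtime {deadtime} is outside 0-1440 minutes")
        elif int(deadtime) == 0:
            findings.append(f"{name}: deadtime 0, requests wait out the timeout of a nonresponsive server")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the malformed address and the default dead-time in Branch_Group and nothing for RADIUS_Server_Group1.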