System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases

Configure and verify RADIUS server groups

Use this procedure to configure and verify RADIUS server groups. Server groups let AAA method lists use selected external RADIUS hosts for authentication, authorization, or accounting.


This task covers the complete workflow: configuring RADIUS server groups and then verifying the configuration.

You can enter one or more server commands. The server command specifies the hostname or IP address of an external RADIUS server along with port numbers. When configured, this server group can be referenced from the AAA method lists (used while configuring authentication, authorization, or accounting).

You can configure a maximum of 30 servers and private servers each per RADIUS server group. To configure RADIUS server groups, perform these tasks:

Before you begin

Ensure that the external server is accessible at the time of configuration.

Follow these steps to configure RADIUS server groups.

Procedure

1.

Configure the required server group settings.

For details, see Configure RADIUS server groups.

2.

Verify the server group configuration.

The RADIUS server group workflow is complete once both the configuration and verification subtasks are complete.


Configure RADIUS server group commands

Configure the settings required for RADIUS server groups.

This subtask contains the configuration command sequence for RADIUS server groups.

Before you begin

Follow these steps to configure RADIUS server groups.

Procedure

1.

Run the configure command to enter global configuration mode.

Example:

RP/0/RP0/CPU0:ios# configure

Enters global configuration mode.

2.

Run the aaa group server radius group-name command to group different server hosts into distinct lists and enter server group configuration mode.

Example:

RP/0/RP0/CPU0:ios(config)# aaa group server radius radgroup1 

Groups different server hosts into distinct lists and enters the server group configuration mode.

3.

Run the radius-server {ip-address} command to specify the hostname or IP address of the RADIUS server host.

Example:

RP/0/RP0/CPU0:ios(config)# radius-server host 192.168.20.0

Specifies the hostname or IP address of the RADIUS server host.

4.

Run the auth-port port-number command to specify the User Datagram Protocol (UDP) destination port for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.

Example:

RP/0/RP0/CPU0:ios(config)# auth-port 1812

Specifies the User Datagram Protocol (UDP) destination port for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.

5.

Run the acct-port port-number command to specify the UDP destination port for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.

Example:

RP/0/RP0/CPU0:ios(config)# acct-port 1813

Specifies the UDP destination port for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.

6.

Run the key string command to specify the authentication and encryption key used between NCS 1010 and the RADIUS server.

Example:

RP/0/RP0/CPU0:ios(config-radius-host)# key 7 08984B1A4D0C19157A5F57

Specifies the authentication and encryption key used between NCS 1010 and the RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.

The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

7.

Repeat steps 4 to 6 for every external RADIUS server to be added to the server group.

8.

Run the aaa authentication { login } { default } group group-name local command to specify the default method list for authentication and enable authentication for console in global configuration mode.

Example:

RP/0/RP0/CPU0:ios(config-radius-host)# aaa authentication login default group radius local

Specifies the default method list for authentication, and also enables authentication for console in global configuration mode.

9.

Run the commit or end command to commit the changes or exit configuration mode.

The configuration commands for the RADIUS server groups are applied.
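The port and key rules from steps 4 to 6 and the 30-server limit can be checked offline against a saved configuration. The following Python audit is an added example, not Cisco code; the sample text is constructed, and its running-config layout (host line with ports, indented key line, `server` member lines inside the group) is an assumption to adapt to your own output.

```python
import re

# Defaults and per-group limit as stated in the procedure above.
DEFAULT_AUTH, DEFAULT_ACCT, MAX_PER_GROUP = 1645, 1646, 30
# Constructed sample; the running-config layout is an assumption.
SAMPLE = """\
radius-server host 192.168.20.0 auth-port 1812 acct-port 1813
 key 7 08984B1A4D0C19157A5F57
!
radius-server host 192.168.20.1 auth-port 0
!
aaa group server radius radgroup1
 server 192.168.20.0 auth-port 1812 acct-port 1813
 server 192.168.20.1 auth-port 0
!
"""

HOST = re.compile(r"^radius-server host (\S+)(.*)$")
MEMBER = re.compile(r"^\s+server (\S+)")
GROUP = re.compile(r"^aaa group server radius (\S+)")
PORT = re.compile(r"(auth|acct)-port\s+(\d+)")


def audit(config):
    """Return (hosts, groups, findings) parsed from RADIUS configuration text."""
    hosts, groups, findings, host, group = {}, {}, [], None, None
    for line in config.splitlines():
        if m := GROUP.match(line):
            group, host = m.group(1), None
            groups[group] = []
        elif group and (m := MEMBER.match(line)):
            groups[group].append(m.group(1))
        elif m := HOST.match(line):
            host, group = m.group(1), None
            hosts[host] = {"auth": DEFAULT_AUTH, "acct": DEFAULT_ACCT, "key": False}
            hosts[host].update({k: int(v) for k, v in PORT.findall(m.group(2))})
        elif host and re.match(r"\s+key\s+\S", line):
            hosts[host]["key"] = True  # per-host key overrides the global key
        elif line.startswith("!"):
            host = group = None
    for name, h in hosts.items():
        for kind in ("auth", "acct"):
            if h[kind] == 0:  # port 0 means the host is skipped for this service
                findings.append(f"{name}: {kind}-port 0, host not used for {kind}")
        if not h["key"]:
            findings.append(f"{name}: no per-host key, global radius-server key applies")
    findings += [f"{g}: {len(s)} servers exceeds {MAX_PER_GROUP}"
                 for g, s in groups.items() if len(s) > MAX_PER_GROUP]
    return hosts, groups, findings
```

Calling `audit(SAMPLE)` reports that 192.168.20.1 is skipped for authentication and relies on the global key, while its accounting port silently falls back to 1646.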


Verify RADIUS server group configuration

Verify the RADIUS server group configuration that you created.

This subtask contains the verification command for RADIUS server groups.

Before you begin

Follow these steps to verify RADIUS server group configuration.

Procedure

Run the show radius server-groups command to display information about each configured RADIUS server group.

Example:

RP/0/RP0/CPU0:ios# show radius server-groups

(Optional) Displays information about each RADIUS server group that is configured in the system.

The command output displays the configured server group details.