Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

RADIUS authentication

Details RADIUS authentication workflows, covering conceptual overviews and step-by-step procedures for configuring RADIUS authentication using CLI commands to ensure secure access control.

RADIUS authentication

The Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that

  • secures networks against unauthorized access

  • enables RADIUS clients on Cisco devices to send authentication requests to a central RADIUS server, and

  • stores all user authentication and network service access information on the central server.


Configure RADIUS authentication using CLI commands

Authenticate a Cisco IOS XE Catalyst SD-WAN device with up to 8 RADIUS servers by configuring each server's parameters as explained here.

Procedure

1.

For each RADIUS server, configure at a minimum the IP address and a password (key).

Example:

Device# config-transaction
Device(config)# radius server test address ipv4 10.1.1.55 acct-port 110
Device(config-radius-server)# key 33
Device(config-radius-server)# exit
Device(config)# radius server test address ipv4 10.1.1.55 auth-port 330
Device(config-radius-server)# key 55
Device(config-radius-server)#

Specify the key as a clear-text string of up to 31 characters, or provide it as an AES 128-bit encrypted key. The local device passes the key to the RADIUS server. The key must match the one configured on the server.

2.

To add additional RADIUS servers, repeat the server and secret-key commands for each server.

3.

Optionally, configure these RADIUS parameters:

  1. Set the priority of a RADIUS server that you want to use.

    Priority is a means of choosing or load balancing among multiple RADIUS servers. The priority value can range from 0 to 7. A server with a lower priority number is preferred over servers with higher numbers.

  2. To change the default port numbers, use the auth-port and acct-port commands.

    By default, the Cisco IOS XE Catalyst SD-WAN device uses port 1812 for authentication connections to the RADIUS server and port 1813 for accounting connections.

  3. If the RADIUS server is reachable only through a specific interface, set that interface with the source-interface command.

  4. Define a tag for the RADIUS server and then associate the tag with the radius-servers command.

    A tag can be a string with 4 to 16 characters. You can tag RADIUS servers so that a specific server or servers can be used for AAA, IEEE 802.1X, and IEEE 802.11i authentication and accounting.

    Note
    Tags are used for grouping, describing, or finding devices. You can tag RADIUS and TACACS+ servers for authentication and accounting. You can add more than one tag to a device. Starting from Cisco vManage Release 20.9.1, the following new tags are used in authentication:
    • Viptela-User-Group: for user group definitions instead of Viptela-Group-Name.

    • Viptela-Resource-Group: for resource group definitions.

  5. Configure a VPN number for the server so that the device can locate it.

    This is required if the RADIUS server is located in a different VPN from the Cisco IOS XE Catalyst SD-WAN device. If you configure multiple RADIUS servers, they must all be in the same VPN.

  6. Change the timeout interval with the timeout command; valid values are 1 to 1000 seconds.

    By default, a Cisco IOS XE Catalyst SD-WAN device waits three seconds for a reply from the RADIUS server before retransmitting its request.

    Device# config-transaction
    Device(config)# aaa group server radius server-10.99.144.201
    Device(config-sg-radius)# server-private 10.99.144.201 auth-port 1812 timeout 5 retransmit 3
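The procedure above lists several limits that are easy to get wrong when RADIUS servers are defined by hand or by a template (at most 8 servers, a clear-text key of at most 31 characters, priority 0 to 7 with the lowest number preferred, timeout 1 to 1000 seconds, tags of 4 to 16 characters, default ports 1812 and 1813, and all servers in one VPN). The following Python script is an added example, not code from the Cisco guide: it checks a server list against those limits and emits the CLI lines in the form the guide's examples use. The dataclass, the function names and the `ip radius source-interface` line under the server group are this example's own assumptions.

```python
"""Build and check a Cisco IOS XE Catalyst SD-WAN RADIUS configuration.

Added example, not code from the Cisco guide. It encodes the limits the guide
states (up to 8 servers, key of at most 31 characters, priority 0-7 with the
lowest number preferred, timeout 1-1000 seconds, tag of 4-16 characters,
default ports 1812/1813, every server in the same VPN) and emits the CLI
lines in the form the guide shows. The dataclass, function names and the
"ip radius source-interface" line are this example's own assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

MAX_SERVERS = 8
MAX_KEY_LEN = 31
DEFAULT_AUTH_PORT = 1812
DEFAULT_ACCT_PORT = 1813


@dataclass
class RadiusServer:
    name: str                          # label used in "radius server <name>"
    address: str                       # IPv4 address of the RADIUS server
    key: str                           # shared secret in clear text
    auth_port: int = DEFAULT_AUTH_PORT
    acct_port: int = DEFAULT_ACCT_PORT
    priority: Optional[int] = None     # 0-7; lower number is tried first
    timeout: Optional[int] = None      # 1-1000 s; device default is 3 s
    tag: Optional[str] = None          # 4-16 characters, groups servers
    vpn: Optional[int] = None          # VPN in which the server is reachable


def validate(servers: List[RadiusServer]) -> List[str]:
    """Return the list of constraint violations; an empty list means valid."""
    problems = []
    if not servers:
        problems.append("at least one RADIUS server is required")
    if len(servers) > MAX_SERVERS:
        problems.append(f"{len(servers)} servers exceed the limit of {MAX_SERVERS}")
    if len({s.vpn for s in servers}) > 1:
        problems.append("all RADIUS servers must be in the same VPN")
    for s in servers:
        try:
            IPv4Address(s.address)
        except ValueError:
            problems.append(f"{s.name}: {s.address!r} is not an IPv4 address")
        if not 1 <= len(s.key) <= MAX_KEY_LEN:
            problems.append(f"{s.name}: key must be 1-{MAX_KEY_LEN} characters")
        if s.priority is not None and not 0 <= s.priority <= 7:
            problems.append(f"{s.name}: priority must be 0-7")
        if s.timeout is not None and not 1 <= s.timeout <= 1000:
            problems.append(f"{s.name}: timeout must be 1-1000 seconds")
        if s.tag is not None and not 4 <= len(s.tag) <= 16:
            problems.append(f"{s.name}: tag must be 4-16 characters")
        for label, port in (("auth-port", s.auth_port), ("acct-port", s.acct_port)):
            if not 1 <= port <= 65535:
                problems.append(f"{s.name}: {label} {port} is out of range")
    return problems


def ordered_by_priority(servers: List[RadiusServer]) -> List[RadiusServer]:
    """Lowest priority number first; servers without a priority come last."""
    return sorted(servers, key=lambda s: 8 if s.priority is None else s.priority)


def render(servers: List[RadiusServer], group_name: str = "sdwan-radius",
           source_interface: Optional[str] = None) -> str:
    """Render the CLI text; raises ValueError listing every violation if invalid."""
    problems = validate(servers)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config-transaction"]
    for s in ordered_by_priority(servers):
        # Per-server definition in the one-line form the guide's example uses.
        lines.append(f"radius server {s.name} address ipv4 {s.address} "
                     f"auth-port {s.auth_port} acct-port {s.acct_port}")
        lines.append(f" key {s.key}")
        lines.append(" exit")
    # Server group listing the servers in priority order, with per-server timeout.
    lines.append(f"aaa group server radius {group_name}")
    for s in ordered_by_priority(servers):
        entry = f" server-private {s.address} auth-port {s.auth_port}"
        if s.timeout is not None:
            entry += f" timeout {s.timeout}"
        lines.append(entry)
    if source_interface:
        # Assumed IOS XE server-group syntax for the guide's source-interface step.
        lines.append(f" ip radius source-interface {source_interface}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: two servers in VPN 10, "primary" preferred.
    demo = [
        RadiusServer("backup", "10.99.144.202", "s3cr3t-backup", priority=3, vpn=10),
        RadiusServer("primary", "10.99.144.201", "s3cr3t-primary", priority=0,
                     timeout=5, vpn=10),
    ]
    print(render(demo, source_interface="GigabitEthernet1"))
```

Running the script prints the two `radius server` definitions and the `aaa group server radius` block with the primary server listed first; feeding it a list that breaks any of the limits raises a ValueError naming every violation at once, so a bad key length or a server in the wrong VPN is caught before the transaction reaches the device.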