Configuring RADIUS

Information About RADIUS

AAA Overview

AAA stands for Authentication, Authorization and Accounting.

AAA is essentially the management of network security. Here, network security mainly refers to access control: which users can access the network server, which services are available to users with access rights, and how users' consumption of network resources is accounted for billing.

AAA generally adopts a client/server structure: the client runs on the managed resource, and the server stores user information centrally. The AAA framework therefore scales well and makes centralized management of user information easy.

AAA Realization

There are two ways to realize AAA:

  • via NAS.

  • via RADIUS, TACACS+, etc.

RADIUS Overview

RADIUS creates a unique user database that stores the user name and password used to authenticate each user, together with the service type and corresponding configuration information that is passed to the user to complete authorization. After the user is authorized, the RADIUS server performs accounting for the user account.

RADIUS stands for Remote Authentication Dial in User Service.

  • RADIUS is an AAA protocol for applications such as Network Access or IP Mobility.

  • It works in both situations, local and mobile.

  • It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users.

  • It looks up authentication data in text files, LDAP servers, or databases.

  • After authentication, service parameters are passed back to the NAS.

  • It notifies when a session starts and stops. This data is used for billing or statistics purposes.

  • SNMP is used for remote monitoring.

  • It can be used as a proxy.

Here is a list of all the key features of Radius:

  • Client/Server Model

    • NAS works as a client for the Radius server.

    • Radius server is responsible for getting user connection requests, authenticating the user, and then returning all the configuration information necessary for the client to deliver service to the user.

    • A Radius server can act as a proxy client to other Radius servers.

  • Network Security

    • Transactions between a client and a server are authenticated through the use of a shared key. This key is never sent over the network.

    • The password is encrypted before being sent over the network.

  • Flexible Authentication Mechanisms

    • Point-to-Point Protocol (PPP)

    • Password Authentication Protocol (PAP)

    • Challenge Handshake Authentication Protocol (CHAP)

    • Simple UNIX Login

  • Extensible Protocol

    • Radius is extensible; most vendors of Radius hardware and software implement their own dialects.

How to Configure RADIUS

The following sections provide information about configuring RADIUS:

Configuring RADIUS Server

The RADIUS server stores the identities of valid users. During authentication, the system forwards the user's identity to the RADIUS server and relays the result of the validation back to the user. A user accessing the system can reach LAN resources only after the RADIUS server has authenticated that user.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa
  4. radius host name
  5. primary-auth-ip ip-address port
  6. second-auth-ip ip-address port
  7. primary-acct-ip ip-address port
  8. second-acct-ip ip-address port
  9. auth-secret-key keystring
  10. acct-secret-key keystring
  11. nas-ipaddress ip-address
  12. username-format {with-domain | without-domain}
  13. realtime-account
  14. realtime-account interval time

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

(Optional) Enters global configuration mode.

Step 3

aaa

Example:

Device(config)# aaa 

Enters AAA configuration mode.

Step 4

radius host name

Example:

Device(config-aaa)# radius host mmm 

Creates a RADIUS scheme and enters RADIUS scheme mode.

Step 5

primary-auth-ip ip-address port

Example:

Device(config-aaa-radius-mmm)# primary-auth-ip 10.0.0.10 300 

Configures the primary RADIUS authentication server. The authentication port range is 1 to 65535.

Step 6

second-auth-ip ip-address port

Example:

Device(config-aaa-radius-mmm)# second-auth-ip 10.0.0.11 400 

(Optional) Configures the second RADIUS authentication server. The authentication port range is 1 to 65535.

Step 7

primary-acct-ip ip-address port

Example:

Device(config-aaa-radius-mmm)# primary-acct-ip 10.1.1.10 333 

(Optional) Configures the primary RADIUS accounting server. The accounting port range is 1 to 65535.

Step 8

second-acct-ip ip-address port

Example:

Device(config-aaa-radius-mmm)# second-acct-ip 10.1.1.11 444 

(Optional) Configures the second RADIUS accounting server. The accounting port range is 1 to 65535.

Step 9

auth-secret-key keystring

Example:

Device(config-aaa-radius-mmm)# auth-secret-key key1 

Configures the shared key of the primary RADIUS server.

Step 10

acct-secret-key keystring

Example:

Device(config-aaa-radius-mmm)# acct-secret-key key2 

(Optional) Configures the shared key of the second RADIUS server.

Step 11

nas-ipaddress ip-address

Example:

Device(config-aaa-radius-mmm)# nas-ipaddress 10.1.0.10 

(Optional) Configures the NAS IP address used with the RADIUS server.

Step 12

username-format {with-domain | without-domain}

Example:

Device(config-aaa-radius-mmm)# username-format with-domain

(Optional) Specifies whether the user name is to be carried with the domain name when the system passes the packet to the current RADIUS server.

Step 13

realtime-account

Example:

Device(config-aaa-radius-mmm)# realtime-account 

(Optional) Enables realtime accounting.

Step 14

realtime-account interval time

Example:

Device(config-aaa-radius-mmm)# realtime-account interval 20 

(Optional) Configures the realtime accounting time interval in minutes. The range is 1 to 255.

Configuring RADIUS Master Server and Slave Server Switchover

RADIUS offers a master/slave server redundancy function: when both the master server and the slave server are working normally, authentication is performed only via the master server; if the master server fails, the slave server is enabled; when the master server recovers, the slave server is disabled and the master server is enabled again.

Realization mechanism: during RADIUS authentication, if the master server cannot perform its regular work, it is marked as down and the slave server begins to work; when the master server is found to have recovered, the preemption timer is started (its duration is configured as preemption-time). When the timer expires, the master server is marked as up again, that is, authentication operations are performed via the master server once more.
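The switchover and preemption behaviour described above, modelled as an added Python example that is not part of this guide or the device software. Times are in minutes, as for the preemption-time command; the timeline values are constructed, and it is assumed (the guide does not say) that preemption-time 0, the default, re-enables the master as soon as it recovers.

```python
class RadiusServerPair:
    """Master/slave RADIUS server state with a preemption timer (minutes)."""

    def __init__(self, preemption_time=0):
        self.preemption_time = preemption_time
        self.master_up = True
        self.recovered_at = None  # minute at which the master was seen working again

    def active_server(self):
        return "master" if self.master_up else "slave"

    def master_failed(self):
        """Master cannot perform regular work: mark it down; the slave takes over."""
        self.master_up = False
        self.recovered_at = None  # a running preemption timer is cancelled

    def master_recovered(self, now):
        """Master found working again: start the preemption timer.
        Assumption: preemption-time 0 means switch back immediately."""
        if self.master_up:
            return
        if self.preemption_time == 0:
            self.master_up = True
        else:
            self.recovered_at = now

    def tick(self, now):
        """Called periodically; when the timer expires the master is marked up again."""
        if self.recovered_at is not None and now - self.recovered_at >= self.preemption_time:
            self.master_up, self.recovered_at = True, None
        return self.active_server()


def simulate(preemption_time):
    """Constructed timeline: master fails at minute 0 and is seen recovered at minute 10.
    Returns which server handles authentication at a few later checkpoints."""
    pair = RadiusServerPair(preemption_time)
    pair.master_failed()
    pair.master_recovered(10)
    return [pair.tick(t) for t in (10, 20, 10 + preemption_time, 60)]
```

A second failure of the master while the timer is running cancels the timer, so the slave keeps serving until the master is seen recovered again.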

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa
  4. radius host name
  5. preemption-time preemption-time
  6. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

(Optional) Enters global configuration mode.

Step 3

aaa

Example:

Device(config)# aaa 

Enters AAA configuration mode.

Step 4

radius host name

Example:

Device(config-aaa)# radius host mmm 

Creates a RADIUS scheme and enters RADIUS scheme configuration mode.

Step 5

preemption-time preemption-time

Example:

Device(config-aaa-radius-mmm)# preemption-time 30 

Configures the preemption timer in minutes.

The range is 0 to 1440, and the default value is 0.

Step 6

end

Example:

Device(config-aaa-radius-mmm)# end 

Exits RADIUS scheme configuration mode and enters privileged EXEC mode.

Configuring Local User

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa
  4. local-user username name password pwd [vlan vlan-id]
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

(Optional) Enters global configuration mode.

Step 3

aaa

Example:

Device(config)# aaa 

Enters AAA configuration mode.

Step 4

local-user username name password pwd [vlan vlan-id]

Example:

Device(config-aaa)# local-user username name1 password pass1 vlan 220 

Configures a local user. The VLAN ID range is 1 to 4094.

Step 5

end

Example:

Device(config-aaa)# end 

Exits AAA configuration mode and enters privileged EXEC mode.

Configuring Domain

A username and password must be provided during authentication. The username usually carries the user's ISP information, that is, the domain and ISP. The most important information in a domain is which RADIUS server performs authentication and accounting for the users in that domain.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa
  4. default domain-name enable domain-name
  5. domain name
  6. scheme radius
  7. scheme local
  8. scheme radius local
  9. radius host binding name
  10. access-limit enable number
  11. state active
  12. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

(Optional) Enters global configuration mode.

Step 3

aaa

Example:

Device(config)# aaa 

Enters AAA configuration mode.

Step 4

default domain-name enable domain-name

Example:

Device(config-aaa)# default domain-name enable domain1 

(Optional) Configures the default domain name.

Step 5

domain name

Example:

Device(config-aaa)# domain eee 

Creates a domain and enters domain configuration mode.

Step 6

scheme radius

Example:

Device(config-aaa-eee)# scheme radius 

(Optional) Configures the domain to use RADIUS server authentication.

Step 7

scheme local

Example:

Device(config-aaa-eee)# scheme local 

Configures the domain to use local user authentication.

Step 8

scheme radius local

Example:

Device(config-aaa-eee)# scheme radius local 

Configures the domain to use local authentication if the RADIUS authentication fails.

Step 9

radius host binding name

Example:

Device(config-aaa-eee)# radius host binding radius1 

(Optional) Selects the RADIUS server for the current domain.

Step 10

access-limit enable number

Example:

Device(config-aaa-eee)# access-limit enable 30 

(Optional) Enables a limit on the number of authenticated users in the domain and sets that limit. The range is 1 to 640.

Step 11

state active

Example:

Device(config-aaa-eee)# state active 

Activates the current domain.

Step 12

end

Example:

Device(config-aaa-eee)# end 

Exits domain configuration mode and enters privileged EXEC mode.

Configuring RADIUS Features

  • accounting-on: After the device reboots, it sends an Accounting-On packet to the RADIUS server, which notifies the server to force the device's users offline.

  • RADIUS distributes port priority: After this function is enabled, when a user passes authentication, the priority of the port where the user is located is modified. By default this is carried in attribute number 77 of the Vendor Specific attribute, which can be modified using the radius config-attribute command.

  • RADIUS distributes port PVID: After this function is enabled, when a user passes authentication, the PVID of the port where the user is located is modified. This is carried in the tunnel-Pvt-Group-ID attribute, whose value is a string; the string is used to look up the VLAN name descriptor that matches, which yields the VLAN value.

  • RADIUS distributes number limit of MAC address: After this function is enabled, when a user passes authentication, the MAC address learning limit of the port where the user resides is modified. By default this is carried in attribute number 50 of the Vendor Specific attribute, which can be modified using the radius config-attribute command.

  • RADIUS distributes bandwidth control: After this function is enabled, when a user passes authentication, the bandwidth control of the port where the user is located is modified. By default the uplink bandwidth control is carried in attribute number 75 of the Vendor Specific attribute and the downlink bandwidth control in attribute number 76; both can be modified using the radius config-attribute command. The unit defaults to kbps and can be modified through the radius config-attribute access-bandwidth unit command.

  • RADIUS distributes ACL: This function has no control commands and is enabled by default. It is configured through attribute 11, Filter-Id.
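How a NAS would consume the attributes listed above, as an added Python example that is not part of this guide or the device software. It first checks the reply's Response Authenticator against the shared key (which, as noted under Network Security, never crosses the wire) and applies attributes only when the check passes, then maps Filter-Id (11), tunnel-Pvt-Group-ID (81) and the vendor sub-attributes 75, 76, 77 and 50 to port settings. The vendor ID, the VLAN-name table, the Request Authenticator and the packet itself are constructed assumptions; the ACL prefix "assignacl-" and the shared key 123456 come from the configuration example later on this page.

```python
import hashlib
import struct

# Attribute numbers from the guide: Filter-Id (11) carries the ACL name (prefix "assignacl-"),
# tunnel-Pvt-Group-ID (81) the PVID, and sub-attributes 77/50/75/76 ride inside Vendor-Specific
# (26). The vendor ID and the VLAN-name table below are constructed assumptions.
VENDOR_ID = 99999
VSA_NAMES = {77: "port_priority", 50: "mac_limit", 75: "uplink_kbps", 76: "downlink_kbps"}
VLAN_NAMES = {"staff": 220}

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def vsa(sub_type, value):
    return attr(26, struct.pack("!I", VENDOR_ID) + bytes([sub_type, len(value) + 2]) + value)

def build_access_accept(ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_access_accept(pkt, request_auth, secret):
    """NAS side: apply attributes only from a reply whose authenticator verifies."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 2 or length != len(pkt):
        return None
    if hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() != pkt[4:20]:
        return None  # wrong secret or tampered reply: never authorize from it
    policy, pos = {}, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute length")
        val = pkt[pos + 2:pos + alen]
        if atype == 11 and val.startswith(b"assignacl-"):
            policy["acl"] = int(val[len(b"assignacl-"):])
        elif atype == 81 and val:  # RFC 2868: a leading byte <= 0x1F is a tag, not text
            policy["pvid"] = VLAN_NAMES.get((val[1:] if val[0] <= 0x1F else val).decode())
        elif atype == 26 and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == VENDOR_ID:
            sub_type, sub_len = val[4], val[5]
            if sub_type in VSA_NAMES:
                policy[VSA_NAMES[sub_type]] = int.from_bytes(val[6:4 + sub_len], "big")
        pos += alen
    return policy

SECRET = b"123456"  # the configuration example's shared key; it never crosses the wire
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator from the Access-Request
ACCEPT = build_access_accept(7, REQ_AUTH, [attr(11, b"assignacl-100"), attr(81, b"\x00staff"),
         vsa(75, (2048).to_bytes(4, "big")), vsa(76, (1024).to_bytes(4, "big"))], SECRET)
```

Because the authenticator covers the whole attribute list, a reply sent with a different key or modified in transit yields no policy at all rather than a partially applied one.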

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa
  4. accounting-on {enable sen-num | disable}
  5. radius accounting
  6. radius server-disconnect drop 1x
  7. radius 8021p enable
  8. radius vlan enable
  9. radius mac-address-number enable
  10. radius bandwidth-limit enable
  11. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

(Optional) Enters global configuration mode.

Step 3

aaa

Example:

Device(config)# aaa 

Enters AAA configuration mode.

Step 4

accounting-on {enable sen-num | disable}

Example:

Device(config-aaa)# accounting-on enable 40 

(Optional) Configures accounting-on function.

Step 5

radius accounting

Example:

Device(config-aaa)# radius accounting 

(Optional) Enables the accounting function.

Step 6

radius server-disconnect drop 1x

Example:

Device(config-aaa)# radius server-disconnect drop 1x 

(Optional) If no response is received for the accounting packet, the user is taken offline.

Step 7

radius 8021p enable

Example:

Device(config-aaa)# radius 8021p enable 

(Optional) Configures RADIUS to distribute port priority.

Step 8

radius vlan enable

Example:

Device(config-aaa)# radius vlan enable 

(Optional) Configures RADIUS to distribute port PVID.

Step 9

radius mac-address-number enable

Example:

Device(config-aaa)# radius mac-address-number enable 

(Optional) Configures RADIUS to distribute number limit of MAC address.

Step 10

radius bandwidth-limit enable

Example:

Device(config-aaa)# radius bandwidth-limit enable 

(Optional) Configures RADIUS to distribute bandwidth control.

Step 11

end

Example:

Device(config-aaa)# end 

Exits AAA configuration mode and enters privileged EXEC mode.

Monitoring RADIUS

Command Purpose

show radius attribute

Displays the RADIUS attributes.

show radius config-attribute

Displays the RADIUS config-attribute settings.

show radius host

Displays the RADIUS server configuration information.

debug radius

Enables RADIUS debugging.

Example: Configuring RADIUS

This example shows how to configure the RADIUS-related services and configure ACLs.

Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# radius host ngn
Device(config-aaa-radius-ngn)# primary-auth-ip 10.1.1.1 1812
Device(config-aaa-radius-ngn)# primary-acct-ip 10.1.1.2 1813
Device(config-aaa-radius-ngn)# auth-secret-key 123456
Device(config-aaa-radius-ngn)# acct-secret-key 123456
Device(config-aaa-radius-ngn)# exit
Device(config-aaa)# domain ngn.com
Device(config-aaa-domain-ngn.com)# radius host binding ngn
Device(config-aaa-domain-ngn.com)# state active
Device(config-aaa-domain-ngn.com)# exit
Device(config-aaa)# default domain-name enable ngn.com
Device(config-aaa)# exit
Device(config)# access-list 100 deny any 10.0.0.10 0.0.0.255
Device(config)# access-list 100 permit any any

After authentication succeeds, the user can access the external network normally, and the information about online users can be viewed on the device. The show dot1x radius-acl command displays the status of ACL 100 as enable, and the bandwidth of port 0/0/1 is limited to 2048 in the ingress direction and 1024 in the egress direction.

The following is a sample output of the show dot1x session command.

Device(config)# show dot1x session

port    vid   mac                 username       login time
e1/1    1     c8:3a:35:d3:e3:99   test@ngn.com   2000/12/11 15:07:00 
Total [1] item(s).

The following is a sample output of the show dot1x radius-acl command.

Device(config)# show dot1x radius-acl

The format of radius acl is string.
The prefix of radius acl is assignacl-.
Port    acl  Status
e1/1  100  enable
Total entries: 1.

The following is a sample output of the show bandwidth-control interface ethernet command.

Device(config)# show bandwidth-control interface ethernet 1/1

port    Ingress bandwidth control  Egress bandwidth control    
e1/1    2048 kbps                  1024 kbps                    
Total entries: 1.