radius-server
Required Command-Line Mode = Configure
Required User Level = Admin
Use the radius-server command to specify the RADIUS servers to be used for authentication. You can specify multiple RADIUS servers. Servers are used as fallbacks in the same order they are specified—if the first server is unreachable, the second is tried, and so on, until all named servers have been used. If a server is reachable and authentication fails, the authentication process terminates.
Refer to Add a RADIUS Server for examples of adding and configuring a RADIUS server.
The radius-server command has the following syntax:
radius-server
    extra-user-params roles enable
    host <IPv4/IPv6 address or hostname> [auth-port <port-number>] [enable] [shared-secret <string>] [prompt-secret <string>] [retransmit <retries>] | [timeout <seconds>]
    shared-secret <string>
    retransmit <retries>
    timeout <seconds>
The following table describes the arguments for the radius-server command. The shared-secret, retransmit, and timeout values can be specified both globally and on a per-host basis. Per-host values override any configured global values.
Argument | Description
extra-user-params roles enable | Enables the GigaVUE H Series node to accept user roles assigned in the RADIUS server. Note that the role name must match a role configured on the local node or cluster. Refer to Configure AAA for details. For example: (config) # radius-server extra-user-params roles enable
host <IPv4/IPv6 address or hostname> | Specifies the IP address (IPv4 or IPv6) or hostname of the RADIUS server. The same IP address can be used for more than one RADIUS server so long as they use different auth-port values. Examples: (config) # radius-server host 1.1.1.1 (config) # radius-server host 2001:db8:a0b:12f0::11 key gigamon enable (config) # radius-server host www.MyCo.com
auth-port <port-number> | Specifies the UDP port number on which the RADIUS server is running. If included, the auth-port must be specified immediately after the host IP address. If you do not specify a port, the default RADIUS authentication port number of 1812 is used. For example: (config) # radius-server host 1.1.1.1 auth-port 123
enable | Administratively enables this RADIUS server. For example: (config) # radius-server host 1.1.1.1 auth-port 123 enable
shared-secret <string> | Specifies the shared secret key to be used for encryption of authentication packets sent between the GigaVUE H Series node and this specific RADIUS server. Any value specified here will override the shared secret key specified in the radius-server host command. For example: (config) # radius-server host 1.1.1.1 auth-port 123 enable shared-secret admin12
prompt-secret | Requires the user to enter the shared secret string during login. This option is mutually exclusive with the key option. For example: (config) # radius-server host 1.1.1.1 auth-port 123 enable shared-secret admin12 prompt-secret
retransmit <retries> | Specifies the number of times the GigaVUE H Series node will attempt to authenticate with this specific RADIUS server. Any value specified here will override the global value specified in the radius-server retransmit command. The valid range is from 0 to 5. The default is 1. To disable retransmissions, use 0. For example: (config) # radius-server host 1.1.1.1 auth-port 123 enable retransmit 4
timeout <seconds> | Specifies how long the GigaVUE H Series node should wait for a response from this specific RADIUS server to an authentication request before declaring a timeout failure. Any value specified here will override the global value specified in the radius-server timeout command. The valid range is from 0 to 60 seconds. The default is 5 seconds. For example: (config) # radius-server host 1.1.1.1 auth-port 123 enable timeout 20
shared-secret <string> | Specifies a global shared secret string to be used for encryption of authentication packets sent between the GigaVUE H Series node and all RADIUS servers. The global value can be overridden with the shared secret specified in the radius-server host command. For example: (config) # radius-server shared-secret admin12
retransmit <retries> | Specifies a global value for the number of times the GigaVUE H Series node will attempt to authenticate with a RADIUS server. The global value can be overridden with the retransmit value specified in the radius-server host command. The valid range is from 0 to 5. The default is 2. To disable retransmissions, use 0. For example: (config) # radius-server retransmit 3
timeout <seconds> | Specifies a global value for how long the GigaVUE H Series node should wait for a response from the RADIUS server to an authentication request before declaring a timeout failure. The global value can be overridden with the timeout value specified in the radius-server host command. The valid range is from 0 to 60 seconds. The default is 5 seconds. For example: (config) # radius-server timeout 20
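The following is an added example, not Gigamon code: a Python audit that applies the override rule above (per-host value, then global value, then default) to a list of radius-server commands, reports the worst-case wait before every fallback server has timed out, and flags weak shared secrets. The sample commands and the function names are constructed for illustration. It assumes one attempt plus <retries> retransmissions per server, that the global defaults apply when neither level sets a value, and a 16-character minimum taken from RFC 2865 rather than from this page.

```python
import shlex

DEFAULTS = {"retransmit": "2", "timeout": "5"}  # documented global defaults
PER_HOST = ("auth-port", "shared-secret", "retransmit", "timeout")

# Constructed sample: commands as typed at the (config) # prompt, in fallback order.
SAMPLE = """\
radius-server shared-secret admin12
radius-server timeout 20
radius-server host 1.1.1.1 auth-port 123 enable retransmit 4
radius-server host 2001:db8:a0b:12f0::11 enable shared-secret constructed-example-secret-0001 timeout 10
radius-server host www.MyCo.com
"""

def parse(text):
    """Split the commands into global settings and an ordered host list."""
    glob, hosts = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "radius-server":
            continue
        if tok[1] == "host":
            opts, rest = {"host": tok[2]}, tok[3:]
            while rest:
                word = rest.pop(0)
                if word in PER_HOST and rest:
                    opts[word] = rest.pop(0)
            hosts.append(opts)
        elif tok[1] in PER_HOST[1:]:
            glob[tok[1]] = tok[2]
    return glob, hosts

def audit(text, min_len=16):
    """Resolve effective settings per host; return (worst-case wait, findings)."""
    glob, hosts = parse(text)
    wait, findings = 0, []
    for h in hosts:
        pick = lambda key: h.get(key, glob.get(key, DEFAULTS.get(key)))
        # Assumption: 1 attempt + <retries> retransmissions, each waiting <timeout>.
        wait += int(pick("timeout")) * (1 + int(pick("retransmit")))
        secret = pick("shared-secret")
        if not secret or len(secret) < min_len:  # 16 = RFC 2865 preference
            findings.append((h["host"], "missing or short shared secret"))
        if secret and "shared-secret" not in h:
            findings.append((h["host"], "relies on the global shared secret"))
    return wait, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With the sample above, a login attempt made while all three servers are unreachable can block for 190 seconds before RADIUS is exhausted, which is worth weighing when choosing global timeout and retransmit values.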
Related Commands
The following table summarizes other commands related to the radius-server command:
Task | Command
Displays the list of configured RADIUS servers and related RADIUS settings. | # show radius
Does not allow the RADIUS server to include additional roles for a remotely authenticated user in the response. | (config) # no radius-server extra-user-params roles enable
Deletes a RADIUS host with the specified IPv4 or IPv6 address, or hostname. | (config) # no radius-server host 1.1.1.1 (config) # no radius-server host www.MyCo.com
Deletes a RADIUS host on a specified port. | (config) # no radius-server host 1.1.1.1 auth-port 234
Administratively disables the specified RADIUS server on the specified port. | (config) # no radius-server host 1.1.1.1 auth-port 234 enable
Administratively disables the specified RADIUS server on the default port. | (config) # no radius-server host 1.1.1.1 enable
Deletes the global RADIUS server shared secret key. | (config) # no radius-server shared-secret
Resets the global RADIUS server retransmit count to the default. | (config) # no radius-server retransmit
Resets the global RADIUS server timeout settings to the default. | (config) # no radius-server timeout