radius-server

Required Command-Line Mode = Configure

Required User Level = Admin

Use the radius-server command to specify the RADIUS servers to be used for authentication. You can specify multiple RADIUS servers. Servers are used as fallbacks in the same order they are specified—if the first server is unreachable, the second is tried, and so on, until all named servers have been used. If a server is reachable and authentication fails, the authentication process terminates.

Refer to Add a RADIUS Server for examples of adding and configuring a RADIUS server.

The radius-server command has the following syntax:

radius-server
   extra-user-params roles enable
   host <IPv4/IPv6 address or hostname> [auth-port <port-number>] [enable] [shared-secret <string>] [prompt-secret] [retransmit <retries>] [timeout <seconds>]
   shared-secret <string>
   retransmit <retries>
   timeout <seconds>

The following table describes the arguments for the radius-server command. The shared-secret, retransmit, and timeout values can be specified both globally and on a per-host basis. Per-host values override any configured global values.

Argument

Description

extra-user-params roles enable

Enables the GigaVUE H Series node to accept user roles assigned by the RADIUS server. Note that the role name must match a role configured on the local node or cluster. Refer to Configure AAA for details.

For example:

(config) # radius-server extra-user-params roles enable

host <IPv4/IPv6 address or hostname>

Specifies the IP address (IPv4 or IPv6) or hostname of the RADIUS server.

The same IP address can be used for more than one RADIUS server so long as they use different auth-port values.

Examples:

(config) # radius-server host 1.1.1.1

(config) # radius-server host 2001:db8:a0b:12f0::11 key gigamon enable

(config) # radius-server host www.MyCo.com


auth-port <port-number>

Specifies the UDP port number on which the RADIUS server is running. If included, the auth-port must be specified immediately after the host IP address. If you do not specify a port, the default RADIUS authentication port number of 1812 is used. For example:

(config) # radius-server host 1.1.1.1 auth-port 123


enable

Administratively enables this RADIUS server. For example:

(config) # radius-server host 1.1.1.1 auth-port 123 enable


shared-secret <string>

Specifies the shared secret key to be used for encryption of authentication packets sent between the GigaVUE H Series node and this specific RADIUS server. Any value specified here will override the global shared secret key specified in the radius-server shared-secret command. For example:

(config) # radius-server host 1.1.1.1 auth-port 123 enable shared-secret admin12


prompt-secret

Requires the user to enter the shared secret string during login. This option is mutually exclusive with the shared-secret (key) option. For example:

(config) # radius-server host 1.1.1.1 auth-port 123 enable shared-secret admin12 prompt-secret


retransmit <retries>

Specifies the number of times the GigaVUE H Series node will attempt to authenticate with this specific RADIUS server. Any value specified here will override the global value specified in the radius-server retransmit command.

The valid range is from 0 to 5. The default is 1. To disable retransmissions, use 0.

For example:

(config) # radius-server host 1.1.1.1 auth-port 123 enable retransmit 4


timeout <seconds>

Specifies how long the GigaVUE H Series node should wait for a response from this specific RADIUS server to an authentication request before declaring a timeout failure. Any value specified here will override the global value specified in the radius-server timeout command.

The valid range is from 0 to 60 seconds. The default is 5 seconds.

For example:

(config) # radius-server host 1.1.1.1 auth-port 123 enable timeout 20

shared-secret <string>

Specifies a global shared secret string to be used for encryption of authentication packets sent between the GigaVUE H Series node and all RADIUS servers. The global value can be overridden with the shared secret specified in the radius-server host command. For example:

(config) # radius-server shared-secret admin12

retransmit <retries>

Specifies a global value for the number of times the GigaVUE H Series node will attempt to authenticate with a RADIUS server. The global value can be overridden with the retransmit value specified in the radius-server host command.

The valid range is from 0 to 5. The default is 2. To disable retransmissions, use 0.

For example:

(config) # radius-server retransmit 3

timeout <seconds>

Specifies a global value for how long the GigaVUE H Series node should wait for a response from the RADIUS server to an authentication request before declaring a timeout failure. The global value can be overridden with the timeout value specified in the radius-server host command.

The valid range is from 0 to 60 seconds. The default is 5 seconds.

For example:

(config) # radius-server timeout 20
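The two behaviours this reference relies on, ordered fallback (an unreachable server is skipped, a reachable server's verdict ends the process) and per-host values overriding global values, are easy to misread when reviewing a configuration. The following Python model is an added example, not Gigamon code, that simulates both rules over a constructed server list built from the sample commands above. It assumes that retransmit N means one initial request plus N retries (so 0 disables retransmissions, as the page states), and uses a stand-in probe function instead of real RADIUS traffic; the global defaults (retransmit 2, timeout 5) are the ones listed on this page.

```python
"""Model of radius-server fallback order and per-host override semantics.

Constructed example, not Gigamon code. It walks the ordered server list the way
the reference describes: skip disabled hosts, try the next host only when the
current one is unreachable, and stop at the first reachable host's verdict.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Global defaults stated on this page; shared-secret has no default.
GLOBAL_DEFAULTS = {"retransmit": 2, "timeout": 5, "shared-secret": None}
DEFAULT_AUTH_PORT = 1812  # default RADIUS authentication port

UNREACHABLE, ACCEPT, REJECT = "unreachable", "accept", "reject"


@dataclass
class RadiusHost:
    host: str
    auth_port: int = DEFAULT_AUTH_PORT
    enabled: bool = False           # "enable" keyword present?
    shared_secret: Optional[str] = None  # None = not set per host, use global
    retransmit: Optional[int] = None
    timeout: Optional[int] = None


def effective_settings(h: RadiusHost, global_cfg: Dict[str, object]) -> Dict[str, object]:
    """Per-host values override global values; unset globals use the page defaults."""
    merged = dict(GLOBAL_DEFAULTS)
    merged.update({k: v for k, v in global_cfg.items() if v is not None})
    pick = lambda per_host, key: per_host if per_host is not None else merged[key]
    return {
        "shared-secret": pick(h.shared_secret, "shared-secret"),
        "retransmit": pick(h.retransmit, "retransmit"),
        "timeout": pick(h.timeout, "timeout"),
    }


Probe = Callable[[str, int, Dict[str, object]], str]


def authenticate(servers: List[RadiusHost], global_cfg: Dict[str, object],
                 probe: Probe) -> Tuple[str, List[Tuple[str, int, str]]]:
    """Try servers in configured order. Returns (verdict, trace of servers tried)."""
    trace: List[Tuple[str, int, str]] = []
    for s in servers:
        if not s.enabled:
            continue
        settings = effective_settings(s, global_cfg)
        # Assumption: one initial request plus `retransmit` retries; 0 = no retries.
        attempts = 1 + int(settings["retransmit"])
        verdict = UNREACHABLE
        for _ in range(attempts):
            verdict = probe(s.host, s.auth_port, settings)
            if verdict != UNREACHABLE:
                break
        trace.append((s.host, s.auth_port, verdict))
        if verdict == UNREACHABLE:
            continue            # fall back to the next server in order
        return verdict, trace   # reachable server answered: process terminates
    return "no-server", trace   # every named server was exhausted


# Constructed configuration mirroring the example commands on this page.
SERVERS = [
    RadiusHost("1.1.1.1", auth_port=123, enabled=True, retransmit=0, timeout=20),
    RadiusHost("2001:db8:a0b:12f0::11", enabled=True, shared_secret="gigamon"),
    RadiusHost("www.MyCo.com", enabled=False),  # configured but not enabled
]
GLOBAL = {"shared-secret": "admin12", "retransmit": 3, "timeout": None}


def make_probe(table: Dict[Tuple[str, int], List[str]]) -> Probe:
    """Constructed network stand-in: each (host, port) yields one scripted verdict per attempt."""
    queues = {k: list(v) for k, v in table.items()}

    def probe(host: str, port: int, settings: Dict[str, object]) -> str:
        q = queues.get((host, port), [])
        return q.pop(0) if q else UNREACHABLE
    return probe


def demo_fallback():
    """First host down, second host answers on its second attempt."""
    probe = make_probe({("1.1.1.1", 123): [UNREACHABLE],
                        ("2001:db8:a0b:12f0::11", 1812): [UNREACHABLE, ACCEPT]})
    return authenticate(SERVERS, GLOBAL, probe)


def demo_reject():
    """First host reachable but rejects: no fallback to the second host."""
    probe = make_probe({("1.1.1.1", 123): [REJECT]})
    return authenticate(SERVERS, GLOBAL, probe)


if __name__ == "__main__":
    print(effective_settings(SERVERS[0], GLOBAL))
    print(demo_fallback())
    print(demo_reject())
```

The first host keeps its per-host retransmit 0 and timeout 20 while inheriting the global secret; the second host inherits retransmit 3 and the default timeout of 5 seconds because no global timeout is set. In demo_reject the second server is never contacted, which is the point of the "authentication process terminates" rule: a misconfigured secret on the first reachable server locks users out even though a working server is listed after it.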

Related Commands

The following table summarizes other commands related to the radius-server command:

Task

Command

Displays the list of configured RADIUS servers and related RADIUS settings.

# show radius

Does not allow the RADIUS server to include additional roles for a remotely authenticated user in the response.

(config) # no radius-server extra-user-params roles enable

Deletes a RADIUS host with the specified IPv4 or IPv6 address, or hostname.

(config) # no radius-server host 1.1.1.1

(config) # no radius-server host www.MyCo.com

Deletes a RADIUS host on a specified port.

(config) # no radius-server host 1.1.1.1 auth-port 234

Administratively disables the specified RADIUS server on the specified port.

(config) # no radius-server host 1.1.1.1 auth-port 234 enable

Administratively disables the specified RADIUS server on the default port.

(config) # no radius-server host 1.1.1.1 enable

Deletes the global RADIUS server shared secret key.

(config) # no radius-server shared-secret

Resets the global RADIUS server retransmit count to the default.

(config) # no radius-server retransmit

Resets the global RADIUS server timeout settings to the default.

(config) # no radius-server timeout