radius
system radius—Configure the properties of a RADIUS server to use for AAA authorization and authentication, and IEEE 802.1X LAN and IEEE 802.11i WLAN authentication.
vManage Feature Template
For all Viptela devices:
Configuration ► Templates ► AAA
Command Hierarchy
system radius retransmit number server ip-address acct-port port-number auth-port port-number priority number secret-key password source-interface interface-name tag tag vpn vpn-id timeout seconds
Options
- Accounting Port
- acct-port port-number
UDP port to use to send 802.1X and 802.11i accounting information to the RADIUS server. The accounting information is sent in accounting attribute–value (AV) pairs, as defined in RFC 2866, RADIUS Accounting. By default, vEdge routers send accounting information on UDP port 1813. To disable accounting, set the accounting port number to 0.
Range: 0 through 65535
Default: 1813 - Address of RADIUS Server
- server ip-address
IP address of a RADIUS server host in the local network. You can configure up to eight servers.
AAA authentication can be performed by up to eight servers.
802.1X and 802.11i authentication can be performed by a maximum of two servers. - Authentication Key
- secret-key password
Key to use for authentication and encryption between the Viptela device and the RADIUS server. You can type the key as a text string from 1 to 128 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the RADIUS server. - Destination Port for Authentication Requests
- auth-port port-number
UDP destination port to use for authentication requests to the RADIUS server. If the server is not used for authentication, configure the port number to be 0. If you do not configure a port number, the default is RADIUS authentication port is 1812.
Range: 1 through 65535
Default: 1812 - Interface To Use To Reach Server
- source-interface interface-name
Interface on the local device to use to reach the RADIUS server. The source interface must be the same for all RADIUS servers. - Location Attempts
- retransmit number
How many times to search through the list of RADIUS servers while attempting to locate an operational server.
Range: 1 through 1000
Default: 3 - Server Priority
- priority number
Set the priority of a RADIUS server, as a means of choosing or load balancing among multiple RADIUS servers for AAA authentication or between two servers for 802.1X or 802.11i authentication. A server with lower priority number is given priority over one with a higher number.
Range: 0 through 7
Default: 0 - Server Tag Identifier
- tag tag
Text string that identifies the RADIUS server.
Range: 4 through 16 characters - Time to Wait for Replies from Server
- timeout seconds
Configure the interval, in seconds, that the Viptela device waits to receive a reply from the RADIUS server before retransmitting a request.
Range: 1 through 1000
Default: 5 seconds - VPN where Server Is Located
- vpn vpn-id
- VPN in which the RADIUS server is located or through which the server can be reached. If you configure multiple RADIUS servers, they must all be in the same VPN.
Range: 0 through 65530
Default: VPN 0
Operational Commands
clear dot1x client
dot1x
show dot1x clients
show dot1x interfaces
show dot1x radius
show running-config system radius
show system statistics
Example
Configure two RADIUS servers:
vEdge# show running-config system radius system radius server 10.1.15.150 tag freerad1 source-interface ge0/0 secret-key $4$L3rwZmsIic8zj4BgLEFXKw== priority 1 exit server 10.20.24.150 auth-port 2000 acct-port 2001 tag freerad2 source-interface ge0/0 secret-key $4$L3rwZmsIic8zj4BgLEFXKw== priority 2 exit ! !
Release Information
Command introduced in Viptela Software Release 14.1.
source-interface command added in Release 14.3.
In Release 15.3.8, add secret-key command and deprecate key command.
In Release 16.1, authentication key changed from 32 to 128 characters.
In Release 16.2.2, add priority command.
In Release 16.3, add acct-port and tag commands, and add support for IEEE 802.1X LAN and IEEE 802.11i WLAN authentication.
Additional Information
See the Configuring User Access and Authentication article for your software release.
aaa
admin-auth-order
auth-fallback
auth-order
dot1x
tacacs
wlan