radius

Last updated
Save as PDF

system radius—Configure the properties of a RADIUS server to use for AAA authorization and authentication, and IEEE 802.1X LAN and IEEE 802.11i WLAN authentication.

vManage Feature Template

For all Viptela devices:

Configuration ► Templates ► AAA

Command Hierarchy

system
  radius
    retransmit number    
    server ip-address      
      acct-port port-number
      auth-port port-number      
      priority number
      secret-key password
      source-interface interface-name   
      tag tag
      vpn vpn-id    
    timeout seconds

Options

Accounting Port: acct-port port-number
UDP port to use to send 802.1X and 802.11i accounting information to the RADIUS server. The accounting information is sent in accounting attribute–value (AV) pairs, as defined in RFC 2866, RADIUS Accounting. By default, vEdge routers send accounting information on UDP port 1813. To disable accounting, set the accounting port number to 0.
Range: 0 through 65535
Default: 1813
Address of RADIUS Server: server ip-address
IP address of a RADIUS server host in the local network. You can configure up to eight servers.
AAA authentication can be performed by up to eight servers.
802.1X and 802.11i authentication can be performed by a maximum of two servers.
Authentication Key: secret-key password
Key to use for authentication and encryption between the Viptela device and the RADIUS server. You can type the key as a text string from 1 to 128 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the RADIUS server.
Destination Port for Authentication Requests: auth-port port-number
UDP destination port to use for authentication requests to the RADIUS server. If the server is not used for authentication, configure the port number to be 0. If you do not configure a port number, the default is RADIUS authentication port is 1812.
Range: 1 through 65535
Default: 1812
Interface To Use To Reach Server: source-interface interface-name
Interface on the local device to use to reach the RADIUS server. The source interface must be the same for all RADIUS servers.
Location Attempts: retransmit number
How many times to search through the list of RADIUS servers while attempting to locate an operational server.
Range: 1 through 1000
Default: 3
Server Priority: priority number
Set the priority of a RADIUS server, as a means of choosing or load balancing among multiple RADIUS servers for AAA authentication or between two servers for 802.1X or 802.11i authentication. A server with lower priority number is given priority over one with a higher number.
Range: 0 through 7
Default: 0
Server Tag Identifier: tag tag
Text string that identifies the RADIUS server.
Range: 4 through 16 characters
Time to Wait for Replies from Server: timeout seconds
Configure the interval, in seconds, that the Viptela device waits to receive a reply from the RADIUS server before retransmitting a request.
Range: 1 through 1000
Default: 5 seconds
VPN where Server Is Located: vpn vpn-id; VPN in which the RADIUS server is located or through which the server can be reached. If you configure multiple RADIUS servers, they must all be in the same VPN.
Range: 0 through 65530
Default: VPN 0

Operational Commands

clear dot1x client
dot1x
show dot1x clients
show dot1x interfaces
show dot1x radius
show running-config system radius
show system statistics

Example

Configure two RADIUS servers:

vEdge# show running-config system radius
system
  radius
     server 10.1.15.150
       tag              freerad1
       source-interface ge0/0
       secret-key       $4$L3rwZmsIic8zj4BgLEFXKw==
       priority         1
      exit
    server 10.20.24.150
      auth-port        2000
      acct-port        2001
      tag              freerad2
      source-interface ge0/0
      secret-key       $4$L3rwZmsIic8zj4BgLEFXKw==
      priority         2
    exit
  !
!

Release Information

Command introduced in Viptela Software Release 14.1.
source-interface command added in Release 14.3.
In Release 15.3.8, add secret-key command and deprecate key command.
In Release 16.1, authentication key changed from 32 to 128 characters.
In Release 16.2.2, add priority command.
In Release 16.3, add acct-port and tag commands, and add support for IEEE 802.1X LAN and IEEE 802.11i WLAN authentication.

Additional Information

See the Configuring User Access and Authentication article for your software release.
aaa
admin-auth-order
auth-fallback
auth-order
dot1x
tacacs
wlan