Configuring RADIUS

This chapter contains the following sections:

Configuring RADIUS

Information About RADIUS

The Remote Access Dial-In User Service (RADIUS) distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco Nexus devices and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information.

RADIUS Network Environments

RADIUS can be implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

You can use RADIUS in the following network environments that require access security:

Networks with multiple-vendor network devices, each supporting RADIUS.

For example, network devices from several vendors can use a single RADIUS server-based security database.
Networks already using RADIUS.

You can add a Cisco Nexus device with RADIUS to the network. This action might be the first step when you make a transition to an AAA server.
Networks that require resource accounting.

You can use RADIUS accounting independent of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session. An Internet service provider (ISP) might use a freeware-based version of the RADIUS access control and accounting software to meet special security and billing needs.
Networks that support authentication profiles.

Using the RADIUS server in your network, you can configure AAA authentication and set up per-user profiles. Per-user profiles enable the Cisco Nexus device to manage ports using their existing RADIUS solutions and to efficiently manage shared resources to offer different service-level agreements.

Information About RADIUS Operations

When a user attempts to log in and authenticate to a Cisco Nexus device using RADIUS, the following process occurs:

The user is prompted for and enters a username and password.
The username and encrypted password are sent over the network to the RADIUS server.
The user receives one of the following responses from the RADIUS server:
- ACCEPT—The user is authenticated.
- REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.
- CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.
- CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:

Services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections, and Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services.
Connection parameters, including the host or client IPv4 address, access list, and user timeouts.

RADIUS Server Monitoring

An unresponsive RADIUS server can cause delay in processing of AAA requests. You can configure the switch to periodically monitor a RADIUS server to check whether it is responding (or alive) to save time in processing AAA requests. The switch marks unresponsive RADIUS servers as dead and does not send AAA requests to any dead RADIUS servers. The switch periodically monitors the dead RADIUS servers and brings them to the alive state once they respond. This process verifies that a RADIUS server is in a working state before real AAA requests are sent to the server. Whenever a RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the switch displays an error message that a failure is taking place.

The following figure shows the different RADIUS server states:

Note

The monitoring interval for alive servers and dead servers are different and can be configured by the user. The RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server.

Vendor-Specific Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is an equal sign (=) for mandatory attributes, and an asterisk (*) indicates optional attributes.

When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results. This authorization information is specified through VSAs.

The following VSA protocol options are supported by the Cisco Nexus device:

Shell— Used in access-accept packets to provide user profile information.
Accounting— Used in accounting-request packets. If a value contains any white spaces, you should enclose the value within double quotation marks.

The Cisco Nexus device supports the following attributes:

roles—Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white spaces.
accountinginfo—Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch. It can be used only with the accounting protocol data units (PDUs).

Prerequisites for RADIUS

RADIUS has the following prerequisites:

You must obtain IPv4 addresses or hostnames for the RADIUS servers.
You must obtain preshared keys from the RADIUS servers.
Ensure that the Cisco Nexus device is configured as a RADIUS client of the AAA servers.

Guidelines and Limitations for RADIUS

RADIUS has the following configuration guidelines and limitations:

You can configure a maximum of 64 RADIUS servers on the Cisco Nexus device.
ASCII (PAP) Authentication is not supported on RADIUS servers.

Guidelines and Limitations for RadSec

RadSec has the following guidelines and limitations:

Beginning with Cisco NX-OS Release 10.3(1)F, the RADIUS Secure (RadSec) support is provided on Cisco Nexus switches to secure the communication between RADIUS/TCP peers at the transport layer.
RadSec must be enabled/disabled at the switch level, as the combination of servers having different transport protocols (i.e. UDP and TCP-with-TLS) is not possible.
radius-server directed-request command is not supported along with the RadSec feature.
test aaa server radius command is not supported for the RadSec servers, only test aaa group command is supported with the RadSec.
Dot1x is not officially supported with RadSec.
RADIUS server monitoring is not supported along with the RadSec servers.
RADIUS server re-transmit and timeout are applicable to UDP based RADIUS mode and not supported for RadSec servers.
Beginning with Cisco NX-OS Release 10.4(3)F, TLS version 1.3 and 1.2 is supported on Cisco Nexus switches. TLS v1.1 is deprecated.

Configuring RADIUS Servers

This section describes how to configure RADIUS servers.

SUMMARY STEPS

Establish the RADIUS server connections to the Cisco Nexus device.
Configure the preshared secret keys for the RADIUS servers.
If needed, configure RADIUS server groups with subsets of the RADIUS servers for AAA authentication methods.
If needed, configure any of the following optional parameters:
If needed, configure periodic RADIUS server monitoring.

DETAILED STEPS

Step 1	Establish the RADIUS server connections to the Cisco Nexus device.
Step 2	Configure the preshared secret keys for the RADIUS servers.
Step 3	If needed, configure RADIUS server groups with subsets of the RADIUS servers for AAA authentication methods.
Step 4	If needed, configure any of the following optional parameters: Dead-time interval. Allow specification of a RADIUS server at login. Transmission retry count and timeout interval. Accounting and authentication attributes.
Step 5	If needed, configure periodic RADIUS server monitoring.

Configuring RADIUS Server Hosts

You must configure the IPv4 address or the hostname for each RADIUS server that you want to use for authentication. All RADIUS server hosts are added to the default RADIUS server group. You can configure up to 64 RADIUS servers.

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server host {ipv4-address | host-name}
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# radius-server host {`ipv4-address` \| `host-name`}	Specifies the IPv4 address or hostname for a RADIUS server.
Step 3	switch(config)# exit	Exits configuration mode.
Step 4	(Optional) switch# show radius-server	(Optional) Displays the RADIUS server configuration.
Step 5	(Optional) switch# copy running-config startup-config	(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

The following example shows how to configure host 10.10.1.1 as a RADIUS server:


switch# configure terminal
switch(config)# radius-server host 10.10.1.1
switch(config)# exit
switch# copy running-config startup-config

Configuring RADIUS Global Preshared Keys

You can configure preshared keys at the global level for all servers used by the Cisco Nexus device. A preshared key is a shared secret text string between the switch and the RADIUS server hosts.

Before you begin

Obtain the preshared key values for the remote RADIUS servers

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server key [0 | 7] key-value
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup-config

DETAILED STEPS

Command or Action

Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# radius-server key [0 | 7] key-value

Specifies a preshared key for all RADIUS servers. You can specify a clear text ( 0 ) or encrypted ( 7 ) preshared key. The default format is clear text.

The maximum length is 63 characters.

By default, no preshared key is configured.

Step 3

switch(config)# exit

Exits configuration mode.

Step 4

(Optional) switch# show radius-server

(Optional)

Displays the RADIUS server configuration.

Note

The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

Step 5

(Optional) switch# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to configure preshared keys at the global level for all servers used by the device:


switch# configure terminal
switch(config)# radius-server key 0 QsEfThUkO
switch(config)# exit
switch# copy running-config startup-config

Configuring RADIUS Server Preshared Keys

A preshared key is a shared secret text string between the Cisco Nexus device and the RADIUS server host.

Before you begin

Obtain the preshared key values for the remote RADIUS servers.

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server host {ipv4-address | host-name} key [0 | 7] key-value
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup-config

DETAILED STEPS

Command or Action

Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# radius-server host {ipv4-address | host-name} key [0 | 7] key-value

Specifies a preshared key for a specific RADIUS server. You can specify a clear text ( 0 ) or encrypted ( 7 ) preshared key. The default format is clear text.

The maximum length is 63 characters.

This preshared key is used instead of the global preshared key.

Step 3

switch(config)# exit

Exits configuration mode.

Step 4

(Optional) switch# show radius-server

(Optional)

Displays the RADIUS server configuration.

Note

The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

Step 5

(Optional) switch# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to configure RADIUS preshared keys:


switch# configure terminal
switch(config)# radius-server host 10.10.1.1 key 0 PlIjUhYg
switch(config)# exit
switch# show radius-server
switch# copy running-config startup-config

Configuring RADIUS Server Groups

You can specify one or more remote AAA servers for authentication using server groups. All members of a group must belong to the RADIUS protocol. The servers are tried in the same order in which you configure them.

SUMMARY STEPS

switch# configure terminal
switch (config)# aaa group server radius group-name
switch (config-radius)# server {ipv4-address |server-name}
(Optional) switch (config-radius)# deadtime minutes
(Optional) switch(config-radius)# source-interface interface
switch(config-radius)# exit
(Optional) switch(config)# show radius-server group [group-name]
(Optional) switch(config)# copy running-config startup-config

DETAILED STEPS

Command or Action

Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch (config)# aaa group server radius group-name

Creates a RADIUS server group and enters the RADIUS server group configuration submode for that group.

The group-name argument is a case-sensitive, alphanumeric string with a maximum of 127 characters.

Step 3

switch (config-radius)# server {ipv4-address |server-name}

Configures the RADIUS server as a member of the RADIUS server group.

If the specified RADIUS server is not found, configure it using the radius-server host command and retry this command.

Step 4

(Optional) switch (config-radius)# deadtime minutes

(Optional)

Configures the monitoring dead time. The default is 0 minutes. The range is from 1 through 1440.

Note

If the dead-time interval for a RADIUS server group is greater than zero (0), that value takes precedence over the global dead-time value.

Step 5

(Optional) switch(config-radius)# source-interface interface

(Optional)

Assigns a source interface for a specific RADIUS server group.

The supported interface types are management and VLAN.

Note

Use the source-interface command to override the global source interface assigned by the ip radius source-interface command.

Step 6

switch(config-radius)# exit

Exits configuration mode.

Step 7

(Optional) switch(config)# show radius-server group [group-name]

(Optional)

Displays the RADIUS server group configuration.

Step 8

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

The following example shows how to configure a RADIUS server group:

switch# configure terminal
switch (config)# aaa group server radius RadServer
switch (config-radius)# server 10.10.1.1
switch (config-radius)# deadtime 30
switch (config-radius)# use-vrf management
switch (config-radius)# exit
switch (config)# show radius-server group
switch (config)# copy running-config startup-config

What to do next

Apply the RADIUS server groups to an AAA service.

Configuring the Global Source Interface for RADIUS Server Groups

You can configure a global source interface for RADIUS server groups to use when accessing RADIUS servers. You can also configure a different source interface for a specific RADIUS server group.

SUMMARY STEPS

switch# configure terminal
switch(config)# ip radius source-interface interface
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# ip radius source-interface `interface`	Configures the global source interface for all RADIUS server groups configured on the device. The source interface can be the management or the VLAN interface.
Step 3	switch(config)# exit	Exits configuration mode.
Step 4	(Optional) switch# show radius-server	(Optional) Displays the RADIUS server configuration information.
Step 5	(Optional) switch# copy running-config startup config	(Optional) Copies the running configuration to the startup configuration.

Example

This example shows how to configure the mgmt 0 interface as the global source interface for RADIUS server groups:


switch# configure terminal
switch(config)# ip radius source-interface mgmt 0
switch(config)# exit
switch# copy running-config startup-config

Allowing Users to Specify a RADIUS Server at Login

You can allow users to specify a RADIUS server at login.

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server directed-request
switch(config)# exit
(Optional) switch# show radius-server directed-request
(Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# radius-server directed-request	Allows users to specify a RADIUS server to send the authentication request when logging in. The default is disabled.
Step 3	switch(config)# exit	Exits configuration mode.
Step 4	(Optional) switch# show radius-server directed-request	(Optional) Displays the directed request configuration.
Step 5	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Example

This example shows how to allow users to select a RADIUS server when logging in to a network:


switch# configure terminal
switch(config)# radius-server directed-request
switch# exit
switch# copy running-config startup-config

Configuring RadSec

RadSec is a protocol for transporting RADIUS datagrams over TLS.

This procedure describes how to enable/disable the RadSec on a switch.

Before you begin

Ensure that the client identity certificate and CA certificate of the server are installed on the switch.
Ensure that the subject name in the server certificate is matching with the server host name/IP address that is configured on the switch.
Before configuring AAA authentication and accounting to use RadSec servers, use test aaa group command and ensure RadSec authentication is success.
Configure TLS idle-timeout to maximum value on RadSec server to avoid frequent TLS sessions retries from switch.

SUMMARY STEPS

configure terminal
radius-server secure tls
radius-server host t {ipv4-address | ipv6-address| hostname} key {key} auth-port 2083 acct-port 2083 authentication accounting
radius-server host {ipv4-address | ipv6-address | hostname} tls client-trustpoint trustpoint
radius-server host {ipv4-address | ipv6-address | hostname} tls idle-timeout value

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters configuration mode.

Step 2

radius-server secure tls

Example:

switch# radius-server secure tls

Enables the RadSec at global level.

Note

This CLI will not change or affect the port numbers that is used for RadSec.

Step 3

radius-server host t {ipv4-address | ipv6-address| hostname} key {key} auth-port 2083 acct-port 2083 authentication accounting

Example:

switch# radius-server host 10.105.222.161 key radsec auth-port 2083 acct-port 2083 authentication accounting

Configures the RadSec server with shared secret key along with the authentication and accounting ports.

Note

For server, the default RadSec port for authentication and accounting is "2083" and the key is “radsec”. For switch, there is no default configuration for RadSec port and key, please add this configuration explicitly as defined on server.

Step 4

radius-server host {ipv4-address | ipv6-address | hostname} tls client-trustpoint trustpoint

Example:

switch# radius-server host 10.105.222.161 tls client-trustpoint rad1

Configures the TLS client trustpoint where the client identity certificate is installed.

Step 5

radius-server host {ipv4-address | ipv6-address | hostname} tls idle-timeout value

Example:

switch# radius-server host 10.105.222.161 tls idle-timeout 80

Configures the TLS idle-timeout. The default value is 600 seconds.

Note

If there are no transactions from the RadSec client, server can close the connection based on its timeout value. The TLS idle-timeout on the client is not supported in this release. Client does not close connections on its own.

Note

When remote user logs-in, you can notice delay in login for approximately 20 seconds i.e when TLS session establishment is happening for the first time between switch and RadSec server, Once TLS sessions are up no delay will be seen for consecutive remote log-ins.

Note

When a RadSec client is facing certificate related issues such as no certificate or invalid certificates are being exchanged with the server, you may experience delay in show run commands.

About RADIUS with DTLS

From Cisco NX-OS Release 10.4(1)F, RADIUS with DTLS protocol is introduced. This protocol is for transporting RADIUS datagrams over a secure channel using UDP.

RADIUS with DTLS provides secure communication between RADIUS peers at the transport layer. This protocol helps secure RADIUS packets transfer through different administrative domains and suspicious, and unsafe networks.

Configuring RADIUS with DTLS

Before you begin

Ensure that you create client identity certificate with subject and alternative name same as the IP address/DNS hostname of the switch. Install the client identity certificate on the switch using a trustpoint.
Ensure that the server certificate of ISE server used for DTLS/RADIUS is installed on the switch.
Make sure that the CA certificate used to sign client identity certificate is installed in trusted certificate store of ISE server.
Ensure that the subject name in the server certificate is same as the server hostname/IP address that is configured on the switch.
Before configuring AAA authentication and accounting groups to use RADIUS servers, check with test aaa group command and ensure that the RADIUS authentication is successful.
You must enable RADIUS with DTLS protocol at the switch level.
Configuring combination of RADIUS servers to use different transports protocols such as DTLS and TLS is not supported. You can configure one protocol at an instant.

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2

radius-server secure dtls

Example:

switch(config)# radius-server secure dtls

Enables the RADIUS with DTLS protocol on the switch.

Step 3

radius-server host {ipv4-address | ipv6-address| hostname} key {radius/dtls} auth-port 2083 acct-port 2083 authentication accounting

Example:

switch(config)# radius-server host 10.105.222.161 key radius/dtls auth-port 2083 acct-port 2083 authentication accounting

Configures the RADIUS server with shared secret key along with the authentication and accounting ports.

Note

The default destination DTLS port for authentication and accounting is UDP/2083. There is no default server key for DTLS as per RFC. Ensure that you add this configuration explicitly as defined on server. The ISE server must be pre-set with the "radius/dtls" key at that instant. Check and add the key on the Nexus switch while configuring DTLS with an ISE server.

Step 4

radius-server host {ipv4-address | ipv6-address | hostname} dtls client-trustpoint trustpoint

Example:

switch(config)# radius-server host 10.105.222.161 dtls client-trustpoint rad1

Configures the DTLS client-trustpoint parameter with a trustpoint where the switch identity certificate is installed. The rad1 is a trustpoint on the switch which must have the client identity certificate.

Step 5

radius-server host {ipv4-address | ipv6-address | hostname} dtls idle-timeout value

Example:

switch# radius-server host 10.105.222.161 dtls idle-timeout 80

Configures the DTLS idle-timeout. The default value is 600 seconds.

Note

If there are no transactions from the RADIUS client, server can close the connection as per defined timeout value. The DTLS idle-timeout on the client is not supported in this release. Client does not close connections on its own.

Note

When a remote user logs in, you may notice a delay of approximately 20 seconds, which occurs when the TLS session is being established for the first time between the switch and the RADIUS server. Once the TLS sessions are up, no delay will be seen for consecutive remote logins.
When a RADIUS client is facing certificate related issues such as no certificate or invalid certificates are being exchanged with the server, you may experience delay in the show run commands.

Configuring the Global RADIUS Transmission Retry Count and Timeout Interval

You can configure a global retransmission retry count and timeout interval for all RADIUS servers. By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco Nexus device waits for responses from RADIUS servers before declaring a timeout failure.

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server retransmit count
switch(config)# radius-server timeout seconds
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# radius-server retransmit `count`	Specifies the retransmission count for all RADIUS servers. The default retransmission count is 1 and the range is from 0 to 5.
Step 3	switch(config)# radius-server timeout `seconds`	Specifies the transmission timeout interval for RADIUS servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Step 4	switch(config)# exit	Exits global configuration mode.
Step 5	(Optional) switch# show radius-server	(Optional) Displays the RADIUS server configuration.
Step 6	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Example

This example shows how to set the retry count to 3 and the transmission timeout interval to 5 seconds for RADIUS servers:


switch# configure terminal
switch(config)# radius-server retransmit 3
switch(config)# radius-server timeout 5
switch(config)# exit
switch# copy running-config startup-config

Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server

By default, a Cisco Nexus switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. You can also set a timeout interval that the switch waits for responses from RADIUS servers before declaring a timeout failure.

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server host {ipv4-address | host-name} retransmit count
switch(config)#radius-server host {ipv4-address | host-name} timeout seconds
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup-config

DETAILED STEPS

Command or Action

Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# radius-server host {ipv4-address | host-name} retransmit count

Specifies the retransmission count for a specific server. The default is the global value.

Note

The retransmission count value specified for a RADIUS server overrides the count specified for all RADIUS servers.

Step 3

switch(config)#radius-server host {ipv4-address | host-name} timeout seconds

Specifies the transmission timeout interval for a specific server. The default is the global value.

Note

The timeout interval value specified for a RADIUS server overrides the interval value specified for all RADIUS servers.

Step 4

switch(config)# exit

Exits global configuration mode.

Step 5

(Optional) switch# show radius-server

(Optional)

Displays the RADIUS server configuration.

Step 6

(Optional) switch# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to set the RADIUS transmission retry count to 3 and the timeout interval to 10 seconds on RADIUS host server server1:


switch# configure terminal
switch(config)# radius-server host server1 retransmit 3
switch(config)# radius-server host server1 timeout 10
switch(config)# exit
switch# copy running-config startup-config

Configuring Accounting and Authentication Attributes for RADIUS Servers

You can specify that a RADIUS server is to be used only for accounting purposes or only for authentication purposes. By default, RADIUS servers are used for both accounting and authentication. You can also specify the destination UDP port numbers where RADIUS accounting and authentication messages should be sent.

SUMMARY STEPS

switch# configure terminal
(Optional) switch(config)# radius-server host {ipv4-address | host-name} acct-port udp-port
(Optional) switch(config)# radius-server host {ipv4-address| host-name} accounting
(Optional) switch(config)# radius-server host {ipv4-address | host-name} auth-port udp-port
(Optional) switch(config)# radius-server host {ipv4-address|host-name} authentication
switch(config)# exit
(Optional) switch(config)# show radius-server
switch(config)# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	(Optional) switch(config)# radius-server host {`ipv4-address` \| `host-name`} acct-port `udp-port`	(Optional) Specifies a UDP port to use for RADIUS accounting messages. The default UDP port is 1812. The range is from 0 to 65535.
Step 3	(Optional) switch(config)# radius-server host {`ipv4-address`\| `host-name`} accounting	(Optional) Specifies that the specified RADIUS server is to be used only for accounting purposes. The default is both accounting and authentication.
Step 4	(Optional) switch(config)# radius-server host {`ipv4-address` \| `host-name`} auth-port `udp-port`	(Optional) Specifies a UDP port to use for RADIUS authentication messages. The default UDP port is 1812. The range is from 0 to 65535.
Step 5	(Optional) switch(config)# radius-server host {`ipv4-address`\|`host-name`} authentication	(Optional) Specifies that the specified RADIUS server only be used for authentication purposes. The default is both accounting and authentication.
Step 6	switch(config)# exit	Exits configuration mode.
Step 7	(Optional) switch(config)# show radius-server	(Optional) Displays the RADIUS server configuration.
Step 8	switch(config)# copy running-config startup-config	Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to configure accounting and authentication attributes for a RADIUS server:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1 acct-port 2004
switch(config)# radius-server host 10.10.1.1 accounting
switch(config)# radius-server host 10.10.2.2 auth-port 2005
switch(config)# radius-server host 10.10.2.2 authentication
switch # exit
switch # copy running-config startup-config
switch #

Configuring Periodic RADIUS Server Monitoring

You can monitor the availability of RADIUS servers. These parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval during which a RADIUS server receives no requests before the switch sends out a test packet. You can configure this option to test servers periodically.

Note

For security reasons, we recommend that you do not configure a test username that is the same as an existing user in the RADIUS database.

The test idle timer specifies the interval during which a RADIUS server receives no requests before the switch sends out a test packet.

The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the switch does not perform periodic RADIUS server monitoring.

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server host {ipv4-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
switch(config)# radius-server deadtime minutes
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup-config

DETAILED STEPS

Command or Action

Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# radius-server host {ipv4-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}

Specifies parameters for server monitoring. The default username is test and the default password is test.

The default value for the idle timer is 0 minutes.

The valid range is from 0 to 1440 minutes.

Note

For periodic RADIUS server monitoring, you must set the idle timer to a value greater than 0.

Step 3

switch(config)# radius-server deadtime minutes

Specifies the number of minutes before the switch checks a RADIUS server that was previously unresponsive.

The default value is 0 minutes.

The valid range is 1 to 1440 minutes.

Step 4

switch(config)# exit

Exits configuration mode.

Step 5

(Optional) switch# show radius-server

(Optional)

Displays the RADIUS server configuration.

Step 6

(Optional) switch# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to configure RADIUS server host 10.10.1.1 with a username (user1) and password (Ur2Gd2BH) and with an idle timer of 3 minutes and a deadtime of 5 minutes:


switch# configure terminal
switch(config)# radius-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
switch(config)# radius-server deadtime 5
switch(config)# exit
switch# copy running-config startup-config

Configuring the Dead-Time Interval

You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco Nexus device waits after declaring a RADIUS server is dead, before sending out a test packet to determine if the server is now alive. The default value is 0 minutes.

Note

When the dead-time interval is 0 minutes, RADIUS servers are not marked as dead even if they are not responding. You can configure the dead-time interval for a RADIUS server group.

SUMMARY STEPS

switch# configure terminal
switch(config)# radius-server deadtime
switch(config)# exit
(Optional) switch# show radius-server
(Optional) switch# copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# radius-server deadtime	Configures the dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.
Step 3	switch(config)# exit	Exits configuration mode.
Step 4	(Optional) switch# show radius-server	(Optional) Displays the RADIUS server configuration.
Step 5	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Example

This example shows how to configure a deadtime of 5 minutes for a radius server:


switch# configure terminal
switch(config)# radius-server deadtime 5
switch(config# exit
switch# copy running-config startup-config

Manually Monitoring RADIUS Servers or Groups

SUMMARY STEPS

switch# test aaa server radius {ipv4-address | server-name} [vrf vrf-name] username password test aaa server radius {ipv4-address | server-name} [vrf vrf-name] username password
switch# test aaa group group-name username password

DETAILED STEPS

	Command or Action	Purpose
Step 1	switch# test aaa server radius {`ipv4-address` \| `server-name`} [vrf `vrf-name`] `username password` test aaa server radius {`ipv4-address` \| `server-name`} [vrf `vrf-name`] `username password`	Sends a test message to a RADIUS server to confirm availability.
Step 2	switch# test aaa group `group-name username password`	Sends a test message to a RADIUS server group to confirm availability.

Example

This example shows how to send a test message to the RADIUS server and server group to confirm availability:


switch# test aaa server radius 10.10.1.1 user 1 Ur2Gd2BH
switch# test aaa group RadGroup user2 As3He3CI

Displaying RADIUS Server Statistics

SUMMARY STEPS

switch# show radius-server statistics {hostname | ipv4-address}

DETAILED STEPS

Command or Action	Purpose
switch# show radius-server statistics {`hostname` \| `ipv4-address`}	Displays the RADIUS statistics.

Clearing RADIUS Server Statistics

You can display the statistics that the Cisco NX-OS device maintains for RADIUS server activity.

Before you begin

Configure RADIUS servers on the Cisco NX-OS device.

SUMMARY STEPS

(Optional) switch# show radius-server statistics {hostname | ipv4-address}
switch# clear radius-server statistics {hostname | ipv4-address}

DETAILED STEPS

	Command or Action	Purpose
Step 1	(Optional) switch# show radius-server statistics {`hostname` \| `ipv4-address`}	(Optional) Displays the RADIUS server statistics on the Cisco NX-OS device.
Step 2	switch# clear radius-server statistics {`hostname` \| `ipv4-address`}	Clears the RADIUS server statistics.

Configuration Examples for RADIUS

The following example shows how to configure RADIUS:

switch# configure terminal

switch(config)# radius-server key 7 "ToIkLhPpG"

switch(config)# radius-server host 10.10.1.1 key 7 "ShMoMhTl" authentication accounting

switch(config)# aaa group server radius RadServer

switch(config-radius)# server 10.10.1.1

switch(config-radius)# exit

switch(config-radius)# use-vrf management

Default Settings for RADIUS

The following table lists the default settings for RADIUS parameters.

Table 1. Default RADIUS Parameters
Parameters	Default
Server roles	Authentication and accounting
Dead timer interval	0 minutes
Retransmission count	1
Retransmission timer interval	5 seconds
Idle timer interval	0 minutes
Periodic server monitoring username	test
Periodic server monitoring password	test

Cisco Nexus 3548 Switch NX-OS Security Configuration Guide, Release 10.5(x)

Bias-Free Language

Results

Chapter: Configuring RADIUS

Configuring RADIUS

Information About RADIUS

RADIUS Network Environments

Information About RADIUS Operations

RADIUS Server Monitoring

Vendor-Specific Attributes

Prerequisites for RADIUS

Guidelines and Limitations for RADIUS

Guidelines and Limitations for RadSec

Configuring RADIUS Servers

SUMMARY STEPS

DETAILED STEPS

Configuring RADIUS Server Hosts

SUMMARY STEPS

DETAILED STEPS

Example

Configuring RADIUS Global Preshared Keys

Before you begin

SUMMARY STEPS

DETAILED STEPS

Example

Configuring RADIUS Server Preshared Keys

Before you begin

SUMMARY STEPS

DETAILED STEPS

Example

Configuring RADIUS Server Groups

SUMMARY STEPS

DETAILED STEPS

Example

What to do next

Configuring the Global Source Interface for RADIUS Server Groups

SUMMARY STEPS

DETAILED STEPS

Example

Allowing Users to Specify a RADIUS Server at Login

SUMMARY STEPS

DETAILED STEPS

Example

Configuring RadSec

Before you begin

SUMMARY STEPS

DETAILED STEPS

Example:

Example:

Example:

Example:

Example:

About RADIUS with DTLS

Configuring RADIUS with DTLS

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Configuring the Global RADIUS Transmission Retry Count and Timeout Interval

SUMMARY STEPS

DETAILED STEPS

Example

Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server

SUMMARY STEPS

DETAILED STEPS

Example

Configuring Accounting and Authentication Attributes for RADIUS Servers

SUMMARY STEPS

DETAILED STEPS

Example

Configuring Periodic RADIUS Server Monitoring

SUMMARY STEPS

DETAILED STEPS

Example

Configuring the Dead-Time Interval

SUMMARY STEPS

DETAILED STEPS