This document provides information about configuring RADIUS (Remote Authentication Dial In User Service) on a network device. It discusses prerequisites, restrictions, an overview of RADIUS including how it provides authentication, authorization and accounting. It also describes how to configure RADIUS and monitor CoA (Change of Authorization) functionality.
Configuring RADIUS

• Finding Feature Information, on page 1
• Prerequisites for Configuring RADIUS, on page 1
• Restrictions for Configuring RADIUS, on page 2
• Information about RADIUS, on page 3
• How to Configure RADIUS, on page 25
• Monitoring CoA Functionality, on page 43
• Configuration Examples for Controlling Switch Access with RADIUS, on page 44

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Configuring RADIUS


This section lists the prerequisites for controlling switch access with RADIUS.
General:
• RADIUS and Authentication, Authorization, and Accounting (AAA) must be enabled to use any of the
configuration commands in this chapter.
• RADIUS is facilitated through AAA and can be enabled only through AAA commands.
• Use the aaa new-model global configuration command to enable AAA.
• Use the aaa authentication global configuration command to define method lists for RADIUS
authentication.
• Use line and interface commands to enable the defined method lists to be used.


• At a minimum, you must identify the host or hosts that run the RADIUS server software and define the
method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization
and accounting.
• You should have access to and should configure a RADIUS server before configuring RADIUS features
on your switch.
• The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco
Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or another software provider.
For more information, see the RADIUS server documentation.
• To use the Change-of-Authorization (CoA) interface, a session must already exist on the switch. CoA
can be used to identify a session and enforce a disconnect request. The update affects only the specified
session.

For RADIUS operation:


• Users must first successfully complete RADIUS authentication before proceeding to RADIUS
authorization, if it is enabled.

Related Topics
RADIUS and Switch Access, on page 3
RADIUS Operation, on page 4

Restrictions for Configuring RADIUS


This topic covers restrictions for controlling switch access with RADIUS.
General:
• To prevent a lapse in security, you cannot configure RADIUS through a network management application.

RADIUS is not suitable in the following network security situations:


• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA),
NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25
PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.
RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device
requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.

Related Topics
RADIUS Overview, on page 3


Information about RADIUS


RADIUS and Switch Access
This section describes how to enable and configure RADIUS. RADIUS provides detailed accounting information
and flexible administrative control over the authentication and authorization processes.
Related Topics
Prerequisites for Configuring RADIUS, on page 1
Configuring the Switch for Local Authentication and Authorization
SSH Servers, Integrated Clients, and Supported Versions

RADIUS Overview
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS
clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS
server, which contains all user authentication and network service access information.
Use RADIUS in these network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers
from several vendors use a single RADIUS server-based security database. In an IP-based network with
multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that has been
customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such as in
an access environment that uses a smart card access control system. In one case, RADIUS has been used
with Enigma's security cards to validate users and to grant access to network resources.
• Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to
the network. This might be the first step when you make a transition to a TACACS+ server. See Figure
1: Transitioning from RADIUS to TACACS+ Services below.
• Network in which the user must only access a single service. Using RADIUS, you can control user access
to a single host, to a single utility such as Telnet, or to the network through a protocol such as IEEE
802.1x. For more information about this protocol, see Chapter 11, “Configuring IEEE 802.1x Port-Based
Authentication.”
• Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS
authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and
end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during
the session. An Internet service provider might use a freeware-based version of RADIUS access control
and accounting software to meet special security and billing needs.


Figure 1: Transitioning from RADIUS to TACACS+ Services

Related Topics
Restrictions for Configuring RADIUS, on page 2

RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS
server, these events occur:
1. The user is prompted to enter a username and password.
2. The username and the password are sent over the network to the RADIUS server. The password is not
encrypted in the usual sense: RFC 2865 hides it by XORing it with an MD5 keystream derived from the shared
secret and the packet's Request Authenticator, while the username and the other attributes travel in the clear.
3. The user receives one of the following responses from the RADIUS server:
• ACCEPT—The user is authenticated.
• REJECT—The user is either not authenticated and is prompted to re-enter the username and password,
or access is denied.
• CHALLENGE—A challenge requires additional data from the user.
• CHALLENGE PASSWORD—A response requests the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or
network authorization. The additional data included with the ACCEPT or REJECT packets includes these
items:

• Telnet, SSH, rlogin, or privileged EXEC services


• Connection parameters, including the host or client IP address, access list, and user timeouts
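The exchange above, as an added example that is not taken from the guide: a minimal RADIUS client (the switch side) and server in Python that build an Access-Request, hide the User-Password as RFC 2865 section 5.2 specifies, recover it on the server, and sign and then verify the Response Authenticator on the ACCEPT or REJECT. The shared secret, NAS address, user database and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_ADMINISTRATIVE = 6  # Service-Type value for privileged EXEC access


def attr(attr_type: int, value: bytes) -> bytes:
    """One Type:Length:Value attribute; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes):
    """Walk a TLV list, refusing malformed lengths instead of reading past the end."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        length = data[1]
        out.append((data[0], data[2:length]))
        data = data[length:]
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA); c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: each keystream block depends on the previous ciphertext block."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(prev, block))
    return clear.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: str, password: str, nas_ip: str) -> bytes:
    """Client (switch) side. The Request Authenticator must be fresh random per request:
    it keys the password hiding and binds the server's reply to this request."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet: bytes, secret: bytes, userdb: dict) -> bytes:
    """Server side: recover the password, decide, then sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    userdb maps username -> password bytes (constructed for the example)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    stored = userdb.get(username)
    if stored is not None and hmac.compare_digest(stored, password):
        code, reply_attrs = ACCESS_ACCEPT, attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + request_auth + reply_attrs + secret).digest() + reply_attrs


def client_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Identifier matches our request and its
    Response Authenticator checks out; otherwise anyone able to spoof the server's
    address could inject an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Two points the code makes concrete: the switch must check the Response Authenticator (client_verify) or a spoofed reply is accepted; and the hiding is keyed only by the shared secret and a public Request Authenticator, so a captured request for a known password lets an attacker brute-force a short secret offline. Use long random secrets and keep the UDP path to the server on a protected network.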

Related Topics
Prerequisites for Configuring RADIUS, on page 1


RADIUS Change of Authorization


The RADIUS Change of Authorization (CoA) provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes
for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server such
as a Cisco Secure Access Control Server (ACS) to reinitialize authentication and apply the new policy. This
section provides an overview of the RADIUS interface including available primitives and how they are used
during a CoA.
• Change-of-Authorization Requests
• CoA Request Response Code
• CoA Request Commands
• Session Reauthentication
• Stacking Guidelines for Session Termination

A standard RADIUS interface is typically used in a pull model, where the request originates from a network
attached device and the response comes from the queried servers. Catalyst switches support the RADIUS CoA
extensions defined in RFC 5176, which are typically used in a push model and allow for the dynamic
reconfiguration of sessions from external AAA or policy servers.
The switch supports these per-session CoA requests:
• Session reauthentication
• Session termination
• Session termination with port shutdown
• Session termination with port bounce

This feature is integrated with Cisco Secure Access Control Server (ACS) 5.1.
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is
required for the following attributes:
• Security and Password—refer to the “Preventing Unauthorized Access to Your Switch” section in this
guide.
• Accounting—refer to the “Starting RADIUS Accounting” section in the Configuring Switch-Based
Authentication chapter in this guide.

Cisco IOS software supports the RADIUS CoA extensions defined in RFC 5176 that are typically used in a
push model to allow the dynamic reconfiguring of sessions from external AAA or policy servers. Per-session
CoA requests are supported for session identification, session termination, host reauthentication, port shutdown,
and port bounce. This model comprises one request (CoA-Request) and two possible response codes:
• CoA acknowledgement (ACK) [CoA-ACK]
• CoA nonacknowledgement (NAK) [CoA-NAK]

The request is initiated from a CoA client (typically a AAA or policy server) and directed to the device that
acts as a listener.


The table below shows the RADIUS CoA commands and vendor-specific attributes (VSAs) supported by
Identity-Based Networking Services. All CoA commands must include the session identifier between the
device and the CoA client.

Table 1: RADIUS CoA Commands Supported by Identity-Based Networking Services

CoA Command             Cisco VSA
Activate service        Cisco:Avpair="subscriber:command=activate-service"
                        Cisco:Avpair="subscriber:service-name=<service-name>"
                        Cisco:Avpair="subscriber:precedence=<precedence-number>"
                        Cisco:Avpair="subscriber:activation-mode=replace-all"
Deactivate service      Cisco:Avpair="subscriber:command=deactivate-service"
                        Cisco:Avpair="subscriber:service-name=<service-name>"
Bounce host port        Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port       Cisco:Avpair="subscriber:command=disable-host-port"
Session query           Cisco:Avpair="subscriber:command=session-query"
Session reauthenticate  Cisco:Avpair="subscriber:command=reauthenticate"
                        Cisco:Avpair="subscriber:reauthenticate-type=last" or
                        Cisco:Avpair="subscriber:reauthenticate-type=rerun"
Session terminate       This is a standard disconnect request and does not require a VSA.
Interface template      Cisco:AVpair="interface-template-name=<interfacetemplate>"

Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow for
session identification, host reauthentication, and session termination. The model consists of one request
(CoA-Request) and two possible response codes:
• CoA acknowledgment (ACK) [CoA-ACK]
• CoA non-acknowledgment (NAK) [CoA-NAK]

The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the switch
that acts as a listener.

RFC 5176 Compliance


The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported by
the switch for session termination.


This table lists the IETF attributes supported for this feature.

Table 2: Supported IETF Attributes

Attribute Number  Attribute Name
24                State
31                Calling-Station-ID
44                Acct-Session-ID
80                Message-Authenticator
101               Error-Cause

This table shows the possible values for the Error-Cause attribute.

Table 3: Error-Cause Values

Value Explanation

201 Residual Session Context Removed

202 Invalid EAP Packet (Ignored)

401 Unsupported Attribute

402 Missing Attribute

403 NAS Identification Mismatch

404 Invalid Request

405 Unsupported Service

406 Unsupported Extension

407 Invalid Attribute Value

501 Administratively Prohibited

502 Request Not Routable (Proxy)

503 Session Context Not Found

504 Session Context Not Removable

505 Other Proxy Processing Error

506 Resources Unavailable

507 Request Initiated

508 Multiple Session Selection Unsupported


CoA Request Response Code


The CoA Request response code can be used to convey a command to the switch.
The packet format for a CoA Request Response code as defined in RFC 5176 consists of the following fields:
Code, Identifier, Length, Authenticator, and Attributes in the Type:Length:Value (TLV) format. The Attributes
field is used to carry Cisco vendor-specific attributes (VSAs).
Related Topics
CoA Request Commands, on page 9

Session Identification
For disconnect and CoA requests targeted at a particular session, the switch locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31, which carries the host MAC address)
• IPv6 attributes, which can be one of the following:
  • Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
  together form a full IPv6 address per RFC 3162
  • Framed-IPv6-Address
• Framed-IP-Address (IETF attribute #8, the plain IPv4 address)

If more than one session identification attribute is included in the message, all of them must match the
same session; otherwise the switch returns a Disconnect-NAK or CoA-NAK with the "Invalid Attribute Value"
Error-Cause attribute.
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code, Identifier,
Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

The attributes field is used to carry Cisco vendor-specific attributes (VSAs).


For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error
code “Invalid Attribute Value” if any of the above session identification attributes are included in the message.
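The packet format, session-identification rules and NAK error codes above, together with the Disconnect-Request behaviour described later under "CoA Disconnect-Request", as an added example that is not part of the guide: a Python model of both ends of a Disconnect-Request. The CoA client signs the request (Message-Authenticator first, then the Request Authenticator); the switch side silently drops anything that fails either check, locates the session by whichever identifiers are present, and answers Disconnect-ACK, or Disconnect-NAK with Error-Cause 402, 407 or 503. The session table and shared secret are constructed for the example, and the order of the two authenticator computations follows common implementations.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attributes used here.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 8, 31, 44
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
MISSING_ATTRIBUTE, INVALID_ATTRIBUTE_VALUE, SESSION_CONTEXT_NOT_FOUND = 402, 407, 503
SESSION_ID_ATTRS = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS)
ZERO16 = b"\x00" * 16

# Constructed session table for the example (Acct-Session-Id, host MAC, IPv4 address).
SAMPLE_SESSIONS = [
    {ACCT_SESSION_ID: b"0000001A", CALLING_STATION_ID: b"00-11-22-33-44-55", FRAMED_IP_ADDRESS: bytes([192, 0, 2, 50])},
    {ACCT_SESSION_ID: b"0000001B", CALLING_STATION_ID: b"66-77-88-99-AA-BB", FRAMED_IP_ADDRESS: bytes([192, 0, 2, 51])},
]

def attr(attr_type: int, value: bytes) -> bytes:
    """One Type:Length:Value attribute; Length includes the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data: bytes):
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        length = data[1]
        out.append((data[0], data[2:length]))
        data = data[length:]
    return out

def sign_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA client side. Message-Authenticator (HMAC-MD5, RFC 3579) is taken over the packet
    with the Authenticator field and its own value zeroed; the Request Authenticator is then
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), the Accounting-Request
    rule of RFC 2866 that RFC 5176 reuses."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    ma = hmac.new(secret, header + ZERO16 + attrs + attr(MESSAGE_AUTHENTICATOR, ZERO16), hashlib.md5).digest()
    body = attrs + attr(MESSAGE_AUTHENTICATOR, ma)
    return header + hashlib.md5(header + ZERO16 + body + secret).digest() + body

def verify_request(packet: bytes, secret: bytes):
    """Switch side. Returns the attribute list, or None if either authenticator fails;
    RFC 5176 requires such packets to be silently discarded rather than NAKed."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return None
    header, request_auth, body = packet[:4], packet[4:20], packet[20:length]
    if not hmac.compare_digest(hashlib.md5(header + ZERO16 + body + secret).digest(), request_auth):
        return None
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return None
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1:
        return None
    zeroed = b"".join(attr(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, header + ZERO16 + zeroed, hashlib.md5).digest()
    return attrs if hmac.compare_digest(expected, received[0]) else None

def locate_session(sessions: list, ids: dict):
    """Every identification attribute present must match one session (else Error-Cause 407);
    nothing matching at all is 503; a request carrying no identifier is 402."""
    if not ids:
        return None, MISSING_ATTRIBUTE
    full = [s for s in sessions if all(s.get(t) == v for t, v in ids.items())]
    if len(full) == 1:
        return full[0], None
    partial = any(s.get(t) == v for s in sessions for t, v in ids.items())
    return None, (INVALID_ATTRIBUTE_VALUE if partial else SESSION_CONTEXT_NOT_FOUND)

def respond(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """ACK/NAK: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def handle_disconnect(packet: bytes, secret: bytes, sessions: list):
    """Switch side: returns (reply, terminated_session); (None, None) means 'discard'."""
    attrs = verify_request(packet, secret)
    if attrs is None or packet[0] != DISCONNECT_REQUEST:
        return None, None
    ids = {t: v for t, v in attrs if t in SESSION_ID_ATTRS}
    session, error = locate_session(sessions, ids)
    if session is None:
        return respond(DISCONNECT_NAK, packet, attr(ERROR_CAUSE, struct.pack("!I", error)), secret), None
    sessions.remove(session)
    return respond(DISCONNECT_ACK, packet, b"", secret), session

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """CoA client side: the ACK/NAK must echo our Identifier and carry a valid Response Authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

Note the two NAK cases the text distinguishes: one identifier that matches nothing is 503 (Session Context Not Found), while two identifiers that point at different sessions is 407 (Invalid Attribute Value), because every identifier supplied must match the same session. A request with a bad secret or a modified attribute gets no reply at all.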


Related Topics
CoA Disconnect-Request, on page 10
CoA Request: Disable Host Port, on page 10
CoA Request: Bounce-Port, on page 11

CoA ACK Response Code


If the authorization state is changed successfully, a positive acknowledgment (ACK) is sent. The attributes
returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.

CoA NAK Response Code


A negative acknowledgment (NAK) indicates a failure to change the authorization state and can include
attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.

CoA Request Commands


Table 4: CoA Commands Supported on the switch

Command              Cisco VSA (1)
Reauthenticate host  Cisco:Avpair="subscriber:command=reauthenticate"
Terminate session    This is a standard disconnect request that does not require a VSA.
Bounce host port     Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port    Cisco:Avpair="subscriber:command=disable-host-port"

(1) All CoA commands must include the session identifier between the switch and the CoA client.
Related Topics
CoA Request Response Code, on page 8

Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity
or posture joins the network and is associated with a restricted access authorization profile (such as a guest
VLAN). A reauthentication request allows the host to be placed in the appropriate authorization group when
its credentials are known.
To initiate session reauthentication, the AAA server sends a standard CoA-Request message which contains a
Cisco VSA in this form: Cisco:Avpair="subscriber:command=reauthenticate" and one or more session
identification attributes.
The current session state determines the switch response to the message. If the session is currently authenticated
by IEEE 802.1x, the switch responds by sending an EAPOL (Extensible Authentication Protocol over LAN)
EAP-Request/Identity frame to the host (the supplicant), which restarts the 802.1x exchange.
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an
Access-Request to the server, passing the same identity attributes used for the initial successful authentication.
If session authentication is in progress when the switch receives the command, the switch terminates the
process and restarts the authentication sequence, starting with the method configured to be attempted first.


If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar policies,
the reauthentication message restarts the access control methods, beginning with the method configured to
be attempted first. The current authorization of the session is maintained until the reauthentication leads to a
different authorization result.

Session Termination
There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request
terminates the session without disabling the host port. This command causes re-initialization of the authenticator
state machine for the specified host, but does not restrict that host's access to the network.
To restrict a host’s access to the network, use a CoA Request with the
Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known
to be causing problems on the network, and you need to immediately block network access for the host. When
you want to restore network access on the port, re-enable it using a non-RADIUS mechanism.
When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example, after a
VLAN change), terminate the session on the host port with port-bounce (temporarily disable and then re-enable
the port).

CoA Disconnect-Request
This command is a standard Disconnect-Request. If the session cannot be located, the switch returns a
Disconnect-NAK message with the “Session Context Not Found” error-code attribute. If the session is located,
the switch terminates the session. After the session has been completely removed, the switch returns a
Disconnect-ACK.
If the switch fails over to a standby switch before returning a Disconnect-ACK to the client, the process is
repeated on the new active switch when the request is re-sent from the client. If the session is not found
following re-sending, a Disconnect-ACK is sent with the "Session Context Not Found" error-code attribute.
Related Topics
Session Identification, on page 8

CoA Request: Disable Host Port


The RADIUS server CoA disable port command administratively shuts down the authentication port that is
hosting a session, resulting in session termination. This command is useful when a host is known to cause
problems on the network and network access needs to be immediately blocked for the host. To restore network
access on the port, reenable it using a non-RADIUS mechanism. This command is carried in a standard
CoA-Request message that has this new vendor-specific attribute (VSA):
Cisco:Avpair="subscriber:command=disable-host-port"
Because this command is session-oriented, it must be accompanied by one or more of the session identification
attributes described in the “Session Identification” section. If the session cannot be located, the switch returns
a CoA-NAK message with the “Session Context Not Found” error-code attribute. If the session is located,
the switch disables the hosting port and returns a CoA-ACK message.
If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch
when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client
but before the operation has completed, the operation is restarted on the new active switch.


Note A Disconnect-Request failure following command re-sending could be the result of either a successful session
termination before change-over (if the Disconnect-ACK was not sent) or a session termination by other means
(for example, a link failure) that occurred after the original command was issued and before the standby switch
became active.

Related Topics
Session Identification, on page 8

CoA Request: Bounce-Port


A CoA bounce-port command sent from a RADIUS server causes a link flap on an authentication
port, which triggers DHCP renegotiation from one or more hosts connected to this port. This is needed when
there is a VLAN change and the endpoint is a device (such as a printer) that has no mechanism to detect
a change on this authentication port. The CoA bounce port is carried in a standard
CoA-Request message that contains the following VSA:
Cisco:Avpair="subscriber:command=bounce-host-port"
Because this command is session-oriented, it must be accompanied by one or more of the session identification
attributes. If the session cannot be located, the switch returns a CoA-NAK message with the “Session Context
Not Found” error-code attribute. If the session is located, the switch disables the hosting port for a period of
10 seconds, re-enables it (port-bounce), and returns a CoA-ACK.
If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch
when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client
but before the operation has completed, the operation is re-started on the new active switch.
Related Topics
Session Identification, on page 8

Default RADIUS Configuration


RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management application.
When enabled, RADIUS can authenticate users accessing the switch through the CLI.

RADIUS Server Host


Switch-to-RADIUS-server communication involves several components:
• Hostname or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value


You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port
numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP
port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts
providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple
UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for example,
accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example,
if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD message appears,
and then the switch tries the second host entry configured on the same device for accounting services. (The
RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the switch use a shared secret text string to obscure passwords and to authenticate the
responses they exchange; the remainder of each packet is not encrypted. To configure RADIUS to use the AAA
security commands, you must specify the host running the RADIUS server daemon and the secret text (key)
string that it shares with the switch.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers,
on a per-server basis, or in some combination of global and per-server settings.
Related Topics
Identifying the RADIUS Server Host, on page 25
Defining AAA Server Groups, on page 30
Configuring Settings for All RADIUS Servers, on page 36
Configuring RADIUS Login Authentication, on page 28

RADIUS Login Authentication


To configure AAA authentication, you define a named list of authentication methods and then apply that list
to various ports. The method list defines the types of authentication to be performed and the sequence in which
they are performed; it must be applied to a specific port before any of the defined authentication methods are
performed. The only exception is the default method list. The default method list is automatically applied to
all ports except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You
can designate one or more security protocols to be used for authentication, thus ensuring a backup system for
authentication in case the initial method fails. The software uses the first method listed to authenticate users;
if that method fails to respond, the software selects the next authentication method in the method list. This
process continues until there is successful communication with a listed authentication method or until all
defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security
server or local username database responds by denying the user access—the authentication process stops, and
no other authentication methods are attempted.
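The method-list walk just described, together with the host fail-over order from "RADIUS Server Host" above, as an added example that is not taken from the guide: a small Python model in which a RADIUS server group and the local database are methods, each host is retried per its retransmit count before being treated as dead, and the walk distinguishes a method that cannot answer (move to the next one) from one that denies (stop). Hosts, users and the simulated server behaviour are constructed for the example and stand in for real UDP traffic.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # method answered and denied: authentication stops here
    ERROR = "error"  # method could not answer (no response): try the next method


@dataclass
class RadiusHost:
    """One RADIUS host entry. The same server address with a different UDP port is a
    distinct entry, which is how the guide describes a fail-over backup for one service.
    `reachable` and `users` simulate the server for this example; `attempts` counts
    packets that would have been sent."""
    address: str
    auth_port: int = 1812
    timeout: int = 5        # seconds per try (IOS default)
    retransmit: int = 3     # retries after the first try (IOS default)
    reachable: bool = True
    users: dict = field(default_factory=dict)
    attempts: int = 0

    def query(self, user: str, password: str) -> Result:
        for _ in range(1 + self.retransmit):
            self.attempts += 1
            if self.reachable:
                return Result.PASS if self.users.get(user) == password else Result.FAIL
        return Result.ERROR  # every try timed out: the host is dead for this request


def group_radius(hosts):
    """The 'group radius' method: hosts are tried in configured order; a dead host hands
    off to the next one; the first host that answers decides."""
    def method(user, password):
        for host in hosts:
            result = host.query(user, password)
            if result is not Result.ERROR:
                return result
        return Result.ERROR
    return method


def local(userdb: dict, calls: list):
    """The 'local' method against the username database (simplified: it always answers).
    `calls` records each invocation so a caller can see whether it was consulted."""
    def method(user, password):
        calls.append(user)
        return Result.PASS if userdb.get(user) == password else Result.FAIL
    return method


def authenticate(method_list, user: str, password: str):
    """Walk the method list as the guide describes: ERROR falls through to the next method,
    PASS or FAIL ends the walk, and exhausting the list is a denial (fail closed)."""
    for name, method in method_list:
        result = method(user, password)
        if result is Result.ERROR:
            continue
        return result, name
    return Result.FAIL, None
```

The distinction matters operationally: a live server that rejects the user ends the walk, so a local fallback covers unreachable servers, not a second chance at a password; and with no fallback configured, losing every server locks out logins rather than opening them.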
Related Topics
Configuring RADIUS Login Authentication, on page 28

AAA Server Groups


You can configure the switch to use AAA server groups to group existing server hosts for authentication. You
select a subset of the configured server hosts and use them for a particular service. The server group is used
with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier
(the combination of the IP address and UDP port number), allowing different ports to be individually defined
as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be
sent to different UDP ports on a server at the same IP address. If you configure two different host entries on
the same RADIUS server for the same service, (for example, accounting), the second configured host entry
acts as a fail-over backup to the first one. If the first host entry fails to provide accounting services, the network
access server tries the second host entry configured on the same device for accounting services. (The RADIUS
host entries are tried in the order in which they are configured.)
Related Topics
Defining AAA Server Groups, on page 30

AAA Authorization
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch
uses information retrieved from the user’s profile, which is in the local user database or on the security server,
to configure the user’s session. The user is granted access to a requested service only if the information in the
user profile allows it.
Related Topics
Configuring RADIUS Authorization for User Privileged Access and Network Services, on page 33

RADIUS Accounting
The AAA accounting feature tracks the services that users are using and the amount of network resources that
they are consuming. When you enable AAA accounting, the switch reports user activity to the RADIUS
security server in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. You can then analyze the data for network management, client
billing, or auditing.
Related Topics
Starting RADIUS Accounting, on page 34

Vendor-Specific RADIUS Attributes


The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the switch and the RADIUS server by using the vendor-specific attribute
(attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not
suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using
the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type
1, which is named cisco-avpair. The value is a string with this format:

protocol : attribute sep value *

Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value
are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for
mandatory attributes and * for optional attributes. The full set of features available for TACACS+
authorization can then be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named IP address pools” feature to be activated
during IP authorization (during PPP’s Internet Protocol Control Protocol (IPCP) address assignment):


cisco-avpair="ip:addr-pool=first"

If you insert an "*", the AV pair "ip:addr-pool=first" becomes optional. Note that any AV pair can be made
optional:
cisco-avpair="ip:addr-pool*first"

The following example shows how to cause a user logging in from a network access server to have immediate
access to privileged EXEC (level 15) commands:
cisco-avpair="shell:priv-lvl=15"

Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about
vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”
Attribute 26 contains the following three elements:
• Type
• Length
• String (also known as data), which in turn contains:
  • Vendor-Id
  • Vendor-Type
  • Vendor-Length
  • Vendor-Data

The figure below shows the packet format for a VSA encapsulated “behind” attribute 26.
Figure 2: VSA Encapsulated Behind Attribute 26

Note It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as
Vendor-Data) is dependent on the vendor's definition of that attribute.
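The cisco-avpair string format and the attribute 26 layout described above, as an added example that is not code from this guide or from Cisco: it parses and builds cisco-avpair strings (separator = for mandatory, * for optional) and wraps them in a Vendor-Specific attribute with the Type, Length, Vendor-Id, Vendor-Type, Vendor-Length and Vendor-Data fields. The function names are this example's own; Vendor-Id 9 and vendor-type 1 are the values given in the text.

```python
"""Added example (not Cisco's code): build and parse the cisco-avpair VSA.

A cisco-avpair value has the form  protocol:attribute<sep>value  where sep is
'=' for a mandatory attribute and '*' for an optional one.  On the wire it is
carried inside IETF attribute 26 as
    Type(26) Length Vendor-Id(9) Vendor-Type(1) Vendor-Length Vendor-Data
"""
import struct
from dataclasses import dataclass

VENDOR_SPECIFIC = 26           # IETF attribute number
CISCO_VENDOR_ID = 9            # Cisco's vendor-ID from the text
CISCO_AVPAIR_VENDOR_TYPE = 1   # vendor-type 1 is named cisco-avpair


@dataclass(frozen=True)
class AVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool


def parse_avpair(text: str) -> AVPair:
    """Split 'protocol:attribute=value' or 'protocol:attribute*value'.
    The first '=' or '*' after the colon is the separator, so a value may
    itself contain either character."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError(f"missing protocol prefix in {text!r}")
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in {text!r}")
    sep_at = min(positions)
    attribute, sep, value = rest[:sep_at], rest[sep_at], rest[sep_at + 1:]
    if not attribute:
        raise ValueError(f"empty attribute name in {text!r}")
    return AVPair(protocol, attribute, value, mandatory=(sep == "="))


def format_avpair(pair: AVPair) -> str:
    sep = "=" if pair.mandatory else "*"
    return f"{pair.protocol}:{pair.attribute}{sep}{pair.value}"


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Wrap vendor data in attribute 26.  Both length fields count their own
    header bytes; the one-byte Length field caps the attribute at 255 bytes."""
    vendor_length = 2 + len(data)      # Vendor-Type + Vendor-Length + Vendor-Data
    total_length = 6 + vendor_length   # Type + Length + 4-byte Vendor-Id + above
    if total_length > 255:
        raise ValueError("VSA too long for a single attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total_length,
                         vendor_id, vendor_type, vendor_length)
    return header + data


def encode_cisco_avpair(text: str) -> bytes:
    parse_avpair(text)  # validate the string before putting it on the wire
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR_VENDOR_TYPE, text.encode("ascii"))


def decode_vsa(raw: bytes):
    """Return (vendor_id, vendor_type, vendor_data); reject inconsistent lengths."""
    if len(raw) < 8:
        raise ValueError("attribute shorter than the VSA header")
    attr_type, length, vendor_id, vendor_type, vendor_length = struct.unpack("!BBIBB", raw[:8])
    if attr_type != VENDOR_SPECIFIC or length != len(raw) or vendor_length != length - 6:
        raise ValueError("inconsistent VSA lengths")
    return vendor_id, vendor_type, raw[8:]


def decode_cisco_avpair(raw: bytes) -> AVPair:
    vendor_id, vendor_type, data = decode_vsa(raw)
    if (vendor_id, vendor_type) != (CISCO_VENDOR_ID, CISCO_AVPAIR_VENDOR_TYPE):
        raise ValueError("not a cisco-avpair VSA")
    return parse_avpair(data.decode("ascii"))


if __name__ == "__main__":
    for s in ("ip:addr-pool=first", "ip:addr-pool*first", "shell:priv-lvl=15"):
        wire = encode_cisco_avpair(s)
        print(f"{s:22} -> {wire.hex()} -> {decode_cisco_avpair(wire)}")
```

A collector that stores accounting data can use decode_cisco_avpair to recover the AV pairs, and the length consistency checks in decode_vsa reject truncated or padded attributes before any string handling takes place.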

The table below describes significant fields listed in the Vendor-Specific RADIUS IETF Attributes table
(second table below), which lists supported vendor-specific RADIUS attributes (IETF attribute 26).

Table 5: Vendor-Specific Attributes Table Field Descriptions

| Field | Description |
| --- | --- |
| Number | All attributes listed in the following table are extensions of IETF attribute 26. |
| Vendor-Specific Command Codes | A defined code used to identify a particular vendor. Code 9 defines Cisco VSAs, 311 defines Microsoft VSAs, and 529 defines Ascend VSAs. |
| Sub-Type Number | The attribute ID number. This number is much like the ID numbers of IETF attributes, except it is a "second layer" ID number encapsulated behind attribute 26. |
| Attribute | The ASCII string name of the attribute. |
| Description | Description of the attribute. |

Table 6: Vendor-Specific RADIUS IETF Attributes

MS-CHAP Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
| --- | --- | --- | --- | --- |
| 26 | 311 | 1 | MSCHAP-Response | Contains the response value provided by a PPP MS-CHAP user in response to the challenge. It is only used in Access-Request packets. This attribute is identical to the PPP CHAP Identifier. (RFC 2548) |
| 26 | 311 | 11 | MSCHAP-Challenge | Contains the challenge sent by a network access server to an MS-CHAP user. It can be used in both Access-Request and Access-Challenge packets. (RFC 2548) |

VPDN Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
| --- | --- | --- | --- | --- |
| 26 | 9 | 1 | l2tp-cm-local-window-size | Specifies the maximum receive window size for L2TP control messages. This value is advertised to the peer during tunnel establishment. |
| 26 | 9 | 1 | l2tp-drop-out-of-order | Respects sequence numbers on data packets by dropping those that are received out of order. This does not ensure that sequence numbers will be sent on data packets, just how to handle them if they are received. |
| 26 | 9 | 1 | l2tp-hello-interval | Specifies the number of seconds for the hello keepalive interval. Hello packets are sent when no data has been sent on a tunnel for the number of seconds configured here. |
| 26 | 9 | 1 | l2tp-hidden-avp | When enabled, sensitive AVPs in L2TP control messages are scrambled or hidden. |
| 26 | 9 | 1 | l2tp-nosession-timeout | Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down. |
| 26 | 9 | 1 | tunnel-tos-reflect | Copies the IP ToS field from the IP header of each payload packet to the IP header of the tunnel packet for packets entering the tunnel at the LNS. |
| 26 | 9 | 1 | l2tp-tunnel-authen | If this attribute is set, it performs L2TP tunnel authentication. |
| 26 | 9 | 1 | l2tp-tunnel-password | Shared secret used for L2TP tunnel authentication and AVP hiding. |
| 26 | 9 | 1 | l2tp-udp-checksum | This is an authorization attribute and defines whether L2TP should perform UDP checksums for data packets. Valid values are "yes" and "no." The default is no. |

Store and Forward Fax Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
| --- | --- | --- | --- | --- |
| 26 | 9 | 3 | Fax-Account-Id-Origin | Indicates the account ID origin as defined by system administrator for the mmoip aaa receive-id or the mmoip aaa send-id commands. |
| 26 | 9 | 4 | Fax-Msg-Id= | Indicates a unique fax message identification number assigned by Store and Forward Fax. |
| 26 | 9 | 5 | Fax-Pages | Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages. |
| 26 | 9 | 6 | Fax-Coverpage-Flag | Indicates whether or not a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated; false means that a cover page was not generated. |
| 26 | 9 | 7 | Fax-Modem-Time | Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds. |
| 26 | 9 | 8 | Fax-Connect-Speed | Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400. |
| 26 | 9 | 9 | Fax-Recipient-Count | Indicates the number of recipients for this fax transmission. Until e-mail servers support Session mode, the number should be 1. |
| 26 | 9 | 10 | Fax-Process-Abort-Flag | Indicates that the fax session was aborted or successful. True means that the session was aborted; false means that the session was successful. |
| 26 | 9 | 11 | Fax-Dsn-Address | Indicates the address to which DSNs will be sent. |
| 26 | 9 | 12 | Fax-Dsn-Flag | Indicates whether or not DSN has been enabled. True indicates that DSN has been enabled; false means that DSN has not been enabled. |
| 26 | 9 | 13 | Fax-Mdn-Address | Indicates the address to which MDNs will be sent. |
| 26 | 9 | 14 | Fax-Mdn-Flag | Indicates whether or not message delivery notification (MDN) has been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled. |
| 26 | 9 | 15 | Fax-Auth-Status | Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. |
| 26 | 9 | 16 | Email-Server-Address | Indicates the IP address of the e-mail server handling the on-ramp fax-mail message. |
| 26 | 9 | 17 | Email-Server-Ack-Flag | Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. |
| 26 | 9 | 18 | Gateway-Id | Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name. |
| 26 | 9 | 19 | Call-Type | Describes the type of fax activity: fax receive or fax send. |
| 26 | 9 | 20 | Port-Used | Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail. |
| 26 | 9 | 21 | Abort-Cause | If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. |

H323 Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
| --- | --- | --- | --- | --- |
| 26 | 9 | 23 | Remote-Gateway-ID (h323-remote-address) | Indicates the IP address of the remote gateway. |
| 26 | 9 | 24 | Connection-ID (h323-conf-id) | Identifies the conference ID. |
| 26 | 9 | 25 | Setup-Time (h323-setup-time) | Indicates the setup time for this connection in Coordinated Universal Time (UTC), formerly known as Greenwich Mean Time (GMT) and Zulu time. |
| 26 | 9 | 26 | Call-Origin (h323-call-origin) | Indicates the origin of the call relative to the gateway. Possible values are originating and terminating (answer). |
| 26 | 9 | 27 | Call-Type (h323-call-type) | Indicates call leg type. Possible values are telephony and VoIP. |
| 26 | 9 | 28 | Connect-Time (h323-connect-time) | Indicates the connection time for this call leg in UTC. |
| 26 | 9 | 29 | Disconnect-Time (h323-disconnect-time) | Indicates the time this call leg was disconnected in UTC. |
| 26 | 9 | 30 | Disconnect-Cause (h323-disconnect-cause) | Specifies the reason a connection was taken offline per Q.931 specification. |
| 26 | 9 | 31 | Voice-Quality (h323-voice-quality) | Specifies the impairment factor (ICPIF) affecting voice quality for a call. |
| 26 | 9 | 33 | Gateway-ID (h323-gw-id) | Indicates the name of the underlying gateway. |

Large Scale Dialout Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
| --- | --- | --- | --- | --- |
| 26 | 9 | 1 | callback-dialstring | Defines a dialing string to be used for callback. |
| 26 | 9 | 1 | data-service | No description available. |
| 26 | 9 | 1 | dial-number | Defines the number to dial. |
| 26 | 9 | 1 | force-56 | Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available. |
| 26 | 9 | 1 | map-class | Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out. |
| 26 | 9 | 1 | send-auth | Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication. |
| 26 | 9 | 1 | send-name | PPP name authentication. To apply for PAP, do not configure the ppp pap sent-name password command on the interface. For PAP, "preauth:send-name" and "preauth:send-secret" will be used as the PAP username and PAP password for outbound authentication. For CHAP, "preauth:send-name" will be used not only for outbound authentication, but also for inbound authentication. For a CHAP inbound case, the NAS will use the name defined in "preauth:send-name" in the challenge packet to the caller box. Note: The send-name attribute has changed over time. Initially, it performed the functions now provided by both the send-name and remote-name attributes. Because the remote-name attribute has been added, the send-name attribute is restricted to its current behavior. |
| 26 | 9 | 1 | send-secret | PPP password authentication. The vendor-specific attributes (VSAs) "preauth:send-name" and "preauth:send-secret" will be used as the PAP username and PAP password for outbound authentication. For a CHAP outbound case, both "preauth:send-name" and "preauth:send-secret" will be used in the response packet. |
| 26 | 9 | 1 | remote-name | Provides the name of the remote host for use in large-scale dial-out. Dialer checks that the large-scale dial-out remote name matches the authenticated name, to protect against accidental user RADIUS misconfiguration. (For example, dialing a valid phone number but connecting to the wrong device.) |

Miscellaneous Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
| --- | --- | --- | --- | --- |
| 26 | 9 | 2 | Cisco-NAS-Port | Specifies additional vendor-specific attribute (VSA) information for NAS-Port accounting. To specify additional NAS-Port information in the form of an Attribute-Value Pair (AVPair) string, use the radius-server vsa send global configuration command. Note: This VSA is typically used in Accounting, but may also be used in Authentication (Access-Request) packets. |
| 26 | 9 | 1 | min-links | Sets the minimum number of links for MLP. |
| 26 | 9 | 1 | proxyacl#<n> | Allows users to configure the downloadable user profiles (dynamic ACLs) by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces. |
| 26 | 9 | 1 | spi | Carries the authentication information needed by the home agent to authenticate a mobile node during registration. The information is in the same syntax as the ip mobile secure host <addr> configuration command. Basically it contains the rest of the configuration command that follows that string, verbatim. It provides the Security Parameter Index (SPI), key, authentication algorithm, authentication mode, and replay protection timestamp range. |

Related Topics
Configuring the Switch to Use Vendor-Specific RADIUS Attributes, on page 38

Vendor-Proprietary RADIUS Server Communication


Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute
set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must
specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You
specify the RADIUS host and secret text string by using the radius-server global configuration commands.
Related Topics
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, on page 39

How to Configure RADIUS


Identifying the RADIUS Server Host
To apply the timeout, retransmission, and key settings globally to all RADIUS servers communicating with the
SwitchDevice, use the three unique global configuration commands: radius-server timeout, radius-server retransmit,
and radius-server key. To apply these values to a specific RADIUS server, use the radius-server host global
configuration command.

You can configure the SwitchDevice to use AAA server groups to group existing server hosts for authentication.
For more information, see Related Topics below.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the
SwitchDevice and the key string to be shared by both the server and the SwitchDevice. For more information,
see the RADIUS server documentation.
Follow these steps to configure per-server RADIUS server communication.

Before you begin


If you configure both global and per-server functions (timeout, retransmission, and key commands) on the
switch, the per-server timer, retransmission, and key value commands override global timer, retransmission,
and key value commands. For information on configuring these settings on all RADIUS servers, see Related
Topics below.

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout
seconds] [retransmit retries] [key string]
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specifies the IP address or hostname of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
• (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
• (Optional) For timeout seconds, specify the time interval that the SwitchDevice waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.
• (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.
• (Optional) For key string, specify the authentication and encryption key used between the SwitchDevice and the RADIUS daemon running on the RADIUS server.
Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
To configure the SwitchDevice to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The SwitchDevice software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Example:
SwitchDevice(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
RADIUS Server Host, on page 11
Defining AAA Server Groups, on page 30
Configuring Settings for All RADIUS Servers, on page 36

Configuring RADIUS Login Authentication


Follow these steps to configure RADIUS login authentication:

Before you begin


To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip
http authentication aaa global configuration command. Configuring AAA authentication does not secure
the switch for HTTP access by using AAA methods.

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. line [console | tty | vty] line-number [ending-line-number]
6. login authentication {default | list-name}
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: aaa new-model
Purpose: Enables AAA.
Example:
SwitchDevice(config)# aaa new-model

Step 4: aaa authentication login {default | list-name} method1 [method2...]
Purpose: Creates a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
• For list-name, specify a character string to name the list you are creating.
• For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Select one of these methods:
  • enable—Use the enable password for authentication. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command.
  • group radius—Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server.
  • line—Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command.
  • local—Use the local username database for authentication. You must enter username information in the database. Use the username name password global configuration command.
  • local-case—Use a case-sensitive local username database for authentication. You must enter username information in the database by using the username password global configuration command.
  • none—Do not use any authentication for login.
Example:
SwitchDevice(config)# aaa authentication login default local

Step 5: line [console | tty | vty] line-number [ending-line-number]
Purpose: Enters line configuration mode, and configures the lines to which you want to apply the authentication list.
Example:
SwitchDevice(config)# line 1 4

Step 6: login authentication {default | list-name}
Purpose: Applies the authentication list to a line or set of lines.
• If you specify default, use the default list created with the aaa authentication login command.
• For list-name, specify the list created with the aaa authentication login command.
Example:
SwitchDevice(config)# login authentication default

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
RADIUS Login Authentication, on page 12
RADIUS Server Host, on page 11
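The rule in Step 4 that a later method is tried only when the previous one returns an error, not when it fails, decides what happens to local accounts when RADIUS is reachable. The following is an added example, not code from this guide or from Cisco: a small model of method-list evaluation using the method keywords from Step 4. The local database, RADIUS reachability and the credentials the server accepts are constructed for this demonstration; function and class names are this example's own.

```python
"""Added example (not Cisco's code): model how an AAA login method list such as
'aaa authentication login default group radius local' is evaluated.

Each method returns PASS, FAIL, or ERROR.  The next method is consulted only on
ERROR (for example, no server answered), never on FAIL (a rejected credential).
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]


def make_local(db: Dict[str, str], case_sensitive: bool = False) -> Method:
    """'local' matches usernames case-insensitively; 'local-case' matches exactly."""
    def method(user: str, password: str) -> Result:
        table = db if case_sensitive else {u.lower(): p for u, p in db.items()}
        key = user if case_sensitive else user.lower()
        return Result.PASS if table.get(key) == password else Result.FAIL
    return method


def make_group_radius(server_reachable: bool, accepted: Dict[str, str]) -> Method:
    """'group radius': no reply from any server is an ERROR; an Access-Reject is a FAIL."""
    def method(user: str, password: str) -> Result:
        if not server_reachable:
            return Result.ERROR
        return Result.PASS if accepted.get(user) == password else Result.FAIL
    return method


def make_none() -> Method:
    """'none': no authentication is performed, so every attempt passes."""
    return lambda user, password: Result.PASS


def evaluate_method_list(methods: List[Tuple[str, Method]],
                         user: str, password: str) -> Tuple[Result, List[str]]:
    """Apply the methods in order.  Returns the final result and the names of
    the methods that were actually consulted."""
    trail: List[str] = []
    for name, method in methods:
        trail.append(name)
        outcome = method(user, password)
        if outcome is Result.ERROR:
            continue               # fall through to the next method
        return outcome, trail      # PASS or FAIL is final
    return Result.FAIL, trail      # every method errored: login refused


# Constructed sample data for the demonstration.
LOCAL_USERS = {"admin": "s3cret"}          # username database on the switch
RADIUS_USERS = {"alice": "wonderland"}     # what the RADIUS server would accept


def default_list(radius_up: bool) -> List[Tuple[str, Method]]:
    """The method list 'group radius local' with the server up or down."""
    return [("group radius", make_group_radius(radius_up, RADIUS_USERS)),
            ("local", make_local(LOCAL_USERS))]


if __name__ == "__main__":
    print(evaluate_method_list(default_list(True), "alice", "wrong"))    # FAIL, local not consulted
    print(evaluate_method_list(default_list(True), "admin", "s3cret"))   # FAIL: server rejects, no fallback
    print(evaluate_method_list(default_list(False), "admin", "s3cret"))  # PASS via local after ERROR
```

With group radius ahead of local, an account that exists only in the local database cannot log in while the server is answering; local is consulted only when every server is unreachable. That is the intended property: a rejected credential is not retried against a weaker store. Placing none in a list makes the login unauthenticated as soon as that method is reached.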

Defining AAA Server Groups


You use the server group server configuration command to associate a particular server with a defined group
server. You can either identify the server by its IP address or identify multiple host instances or entries by
using the optional auth-port and acct-port keywords.
Follow these steps to define AAA server groups:

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout
seconds] [retransmit retries] [key string]
4. aaa new-model
5. aaa group server radius group-name
6. server ip-address
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specifies the IP address or hostname of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
• (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
• (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.
• (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.
• (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.
Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Example:
SwitchDevice(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1

Step 4: aaa new-model
Purpose: Enables AAA.
Example:
SwitchDevice(config)# aaa new-model

Step 5: aaa group server radius group-name
Purpose: Defines the AAA server-group with a group name. This command puts the switch in a server group configuration mode.
Example:
SwitchDevice(config)# aaa group server radius group1

Step 6: server ip-address
Purpose: Associates a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Example:
SwitchDevice(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Identifying the RADIUS Server Host, on page 25
RADIUS Server Host, on page 11
AAA Server Groups, on page 12

Configuring RADIUS Authorization for User Privileged Access and Network Services

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been
configured.

Follow these steps to configure RADIUS authorization for user privileged access and network services:

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network radius
4. aaa authorization exec radius
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: aaa authorization network radius
Purpose: Configures the switch for user RADIUS authorization for all network-related service requests.
Example:
SwitchDevice(config)# aaa authorization network radius

Step 4: aaa authorization exec radius
Purpose: Configures the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Example:
SwitchDevice(config)# aaa authorization exec radius

Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

What to do next
You can use the aaa authorization global configuration command with the radius keyword to set parameters
that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
• Use RADIUS for privileged EXEC access authorization if authentication was performed by using
RADIUS.
• Use the local database if authentication was not performed by using RADIUS.

Related Topics
AAA Authorization, on page 13

Starting RADIUS Accounting


Follow these steps to start RADIUS accounting:

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting network start-stop radius
4. aaa accounting exec start-stop radius
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: aaa accounting network start-stop radius
Purpose: Enables RADIUS accounting for all network-related service requests.
Example:
SwitchDevice(config)# aaa accounting network start-stop radius

Step 4: aaa accounting exec start-stop radius
Purpose: Enables RADIUS accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.
Example:
SwitchDevice(config)# aaa accounting exec start-stop radius

Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

What to do next
To establish a session with a router if the AAA server is unreachable, use the aaa accounting system
guarantee-first command. This command guarantees system accounting as the first record, which is the
default condition. In some situations, users might be prevented from starting a session on the console or
terminal connection until after the system reloads, which can take more than 3 minutes.
To establish a console or Telnet session with the router if the AAA server is unreachable when the router
reloads, use the no aaa accounting system guarantee-first command.
Related Topics
RADIUS Accounting, on page 13

Configuring Settings for All RADIUS Servers


Beginning in privileged EXEC mode, follow these steps to configure settings for all RADIUS servers:

SUMMARY STEPS
1. configure terminal
2. radius-server key string
3. radius-server retransmit retries
4. radius-server timeout seconds
5. radius-server deadtime minutes
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 radius-server key string Specifies the shared secret text string used between the
switch and all RADIUS servers.
Example:

Configuring RADIUS
36
Configuring RADIUS
Configuring Settings for All RADIUS Servers

Command or Action Purpose


Note The key is a text string that must match the
SwitchDevice(config)# radius-server key
encryption key used on the RADIUS server.
your_server_key
Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use
spaces in your key, do not enclose the key in
quotation marks unless the quotation marks are
part of the key.

Step 3 radius-server retransmit retries Specifies the number of times the switch sends each
RADIUS request to the server before giving up. The default
Example:
is 3; the range 1 to 1000.
SwitchDevice(config)# radius-server retransmit 5

Step 4 radius-server timeout seconds Specifies the number of seconds the switch waits for a reply
to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000.
Example:

SwitchDevice(config)# radius-server timeout 3

Step 5 radius-server deadtime minutes When a RADIUS server is not responding to authentication
requests, this command specifies how long the switch marks that server dead and skips it, so that
requests go straight to the next configured server instead of waiting for each request to time out
on the dead one first. The default is 0 (servers are never marked dead); the range is 1 to 1440 minutes.
Example:

SwitchDevice(config)# radius-server deadtime 0

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Identifying the RADIUS Server Host, on page 25
RADIUS Server Host, on page 11
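The key set in Step 2 never appears on the wire. RFC 2865 uses it to hide the User-Password attribute in every Access-Request and to compute the Response Authenticator that the switch checks on every reply, which is also why the whitespace rule in the Step 2 note matters: a key that differs by one trailing space is a different key. The Python program below is an added example, not code from this guide or from Cisco IOS, that runs one Access-Request/Access-Accept exchange with the switch side and the server side in a single process. The user name, password, key, user database and the fixed 16-byte Request Authenticator are constructed values; a real switch picks the authenticator at random.

```python
"""Added example (not from the Cisco guide): one RFC 2865 Access-Request /
Access-Accept exchange showing what the radius-server key is used for.
All names, secrets and the Request Authenticator are constructed."""
import hashlib
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(attrs: bytes) -> dict:
    """Walk the TLV list; a Length that overruns the buffer is a malformed packet."""
    out, i = {}, 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out[t] = attrs[i + 2:i + length]
        i += length
    return out


def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the Request Authenticator seeds the chain."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], block))
        out += chunk
        prev = chunk if hiding else data[i:i + 16]  # always chain on ciphertext
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the
    reply comes from a holder of the key and belongs to this request."""
    head = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def switch_access_request(user, password, secret, ident=1, request_auth=None):
    """Switch (NAS) side. request_auth is random in practice; fixed here for tests."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_reply(request, secret, userdb):
    """RADIUS server side: unhide the password, decide, sign the reply."""
    ident, request_auth = request[1], request[4:20]
    fields = parse_attrs(request[20:])
    pw = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if userdb.get(fields[USER_NAME]) == pw else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def switch_verify_reply(reply, request_auth, secret) -> bool:
    """A reply whose Response Authenticator does not verify is discarded as if it
    never arrived; the retransmit and timeout settings then take over."""
    expected = response_authenticator(reply[0], reply[1], request_auth, reply[20:], secret)
    return reply[4:20] == expected


if __name__ == "__main__":
    key, ra = b"your_server_key", bytes(range(16))
    req, _ = switch_access_request(b"alice", b"s3cret-pw", key, request_auth=ra)
    ok = server_reply(req, key, {b"alice": b"s3cret-pw"})
    print(ok[0], switch_verify_reply(ok, ra, key))      # same key both ends: 2 True
    bad = server_reply(req, key + b" ", {b"alice": b"s3cret-pw"})
    print(bad[0], switch_verify_reply(bad, ra, key))    # trailing space on server: 3 False
```

A key mismatch therefore does not surface as an explicit rejection on the switch: the server's reply fails the Response Authenticator check and is dropped, so the symptom is timeouts and retransmits (Steps 3 and 4) until the server is marked dead.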


Configuring the Switch to Use Vendor-Specific RADIUS Attributes


Follow these steps to configure the switch to use vendor-specific RADIUS attributes:

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server vsa send [accounting | authentication]
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 radius-server vsa send [accounting | authentication] Enables the switch to recognize and use VSAs as defined
by RADIUS IETF attribute 26.
Example:

SwitchDevice(config)# radius-server vsa send

• (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only
accounting attributes.
• (Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only
authentication attributes.

If you enter this command without keywords, both accounting and authentication vendor-specific attributes
are used.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end


Command or Action Purpose


Step 5 show running-config Verifies your entries.
Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Vendor-Specific RADIUS Attributes, on page 13

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication


Follow these steps to configure the switch to use vendor-proprietary RADIUS server communication:

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} non-standard
4. radius-server key string
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal


Command or Action Purpose


Step 3 radius-server host {hostname | ip-address} non-standard Specifies the IP address or hostname of the
remote RADIUS server host and identifies that it is using a vendor-proprietary implementation of RADIUS.
Example:

SwitchDevice(config)# radius-server host 172.20.30.15 non-standard

Step 4 radius-server key string Specifies the shared secret text string used between the
switch and the vendor-proprietary RADIUS server. The switch and the RADIUS server use this text string
to hide passwords and to authenticate the responses they exchange.
Example:

SwitchDevice(config)# radius-server key rad124

Note The key is a text string that must match the shared secret configured on the RADIUS server.
Leading spaces are ignored, but spaces within and at the end of the key are used. If you use
spaces in your key, do not enclose the key in quotation marks unless the quotation marks are
part of the key.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
RADIUS server load balancing distributes access and authentication requests evenly across all RADIUS
servers in a server group. For more information, see the "RADIUS Server Load Balancing" chapter of the
Cisco IOS Security Configuration Guide, Release 12.4.
Related Topics
Vendor-Proprietary RADIUS Server Communication, on page 25


Configuring CoA on the Switch


Follow these steps to configure CoA on a switch. This procedure is required.

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa server radius dynamic-author
5. client {ip-address | name} [vrf vrfname] [server-key string]
6. server-key [0 | 7] string
7. port port-number
8. auth-type {any | all | session-key}
9. ignore session-key
10. ignore server-key
11. authentication command bounce-port ignore
12. authentication command disable-port ignore
13. end
14. show running-config
15. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 aaa new-model Enables AAA.


Example:

SwitchDevice(config)# aaa new-model

Step 4 aaa server radius dynamic-author Configures the switch as an authentication, authorization,
and accounting (AAA) server to facilitate interaction with an external policy server.
Example:

SwitchDevice(config)# aaa server radius dynamic-author

Step 5 client {ip-address | name} [vrf vrfname] [server-key Enters dynamic authorization local server configuration
string] mode and specifies a RADIUS client from which a device
will accept CoA and disconnect requests.

Step 6 server-key [0 | 7] string Configures the RADIUS key to be shared between a device
and RADIUS clients.
Example:

SwitchDevice(config-sg-radius)# server-key
your_server_key

Step 7 port port-number Specifies the UDP port on which the device listens for CoA and disconnect requests
from configured RADIUS clients. The example uses port 25; if no port is configured, Cisco IOS listens on
1700, and the port registered for RFC 5176 dynamic authorization is 3799. Use the port your policy server
sends to.
Example:

SwitchDevice(config-sg-radius)# port 25

Step 8 auth-type {any | all | session-key} Specifies how the switch authorizes a CoA or disconnect request
from a RADIUS client: any accepts the request when any one of the configured attributes matches, all requires
the client to match all of the configured attributes, and session-key requires the session key to match.
Example:

SwitchDevice(config-sg-radius)# auth-type any

Step 9 ignore session-key (Optional) Configures the switch to ignore the session-key.
For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command
Reference on Cisco.com.

Step 10 ignore server-key (Optional) Configures the switch to ignore the server-key. With the server-key
ignored, a CoA or disconnect request is accepted from any source address listed as a client without proof
of the key, and a UDP source address is trivially forged; do not use this outside a lab. For more information
about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com.
Example:

SwitchDevice(config-sg-radius)# ignore server-key

Step 11 authentication command bounce-port ignore (Optional) Configures the switch to ignore a CoA request
to temporarily disable the port hosting a session. The purpose of temporarily disabling the port is to trigger a
DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to
detect the change.
Example:

SwitchDevice(config-sg-radius)# authentication command bounce-port ignore

Step 12 authentication command disable-port ignore (Optional) Configures the switch to ignore a nonstandard
command requesting that the port hosting a session be administratively shut down. Shutting down the port
results in termination of the session. Use standard CLI or SNMP commands to re-enable the port.
Example:

SwitchDevice(config-sg-radius)# authentication command disable-port ignore

Step 13 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-sg-radius)# end

Step 14 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 15 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
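What this procedure switches on is the device's own acceptance test for RFC 5176 CoA-Request and Disconnect-Request packets: the sender must be a configured client (Step 5), and the packet must authenticate under that client's server-key (Step 6). The Python program below is an added example, not code from this guide or from Cisco IOS, that builds such a request on the policy-server side and checks it on the switch side. It additionally insists on the Message-Authenticator attribute (HMAC-MD5, RFC 3579), which RFC 5176 recommends rather than mandates in every case, so treat that requirement as this example's assumption. The client table, keys, user name and session identifier are constructed.

```python
"""Added example (not from the Cisco guide): the checks a dynamic-authorization
server puts in front of an RFC 5176 CoA or Disconnect request. The client table,
server-key and session attributes are constructed values."""
import hashlib
import hmac

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST = 40, 41, 42, 43
USER_NAME, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 1, 44, 80


def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Policy-server (DAC) side. Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + Attributes + Secret), computed with a zeroed
    Message-Authenticator already in place; the HMAC is filled in last."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    head = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    req_auth = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    pkt = head + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def switch_check(pkt: bytes, src_ip: str, clients: dict):
    """Switch side. Returns (accepted, detail): the reason on failure, the decoded
    attributes on success. Unlisted sources are dropped before any crypto runs."""
    secret = clients.get(src_ip)
    if secret is None:
        return False, "source %s is not a configured client" % src_ip
    if len(pkt) < 20 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        return False, "bad length"
    if pkt[0] not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "not a CoA/Disconnect request"
    attrs, fields, ma_off, i = pkt[20:], {}, None, 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            return False, "malformed attribute"
        if t == MESSAGE_AUTHENTICATOR:
            ma_off = 20 + i + 2  # offset of the 16-byte HMAC within pkt
        else:
            fields[t] = attrs[i + 2:i + length]
        i += length
    if ma_off is None:
        return False, "Message-Authenticator missing"
    zeroed = pkt[:ma_off] + b"\x00" * 16 + pkt[ma_off + 16:]
    want_auth = hashlib.md5(zeroed[:4] + b"\x00" * 16 + zeroed[20:] + secret).digest()
    if not hmac.compare_digest(want_auth, pkt[4:20]):
        return False, "Request Authenticator mismatch (wrong server-key or tampered)"
    want_mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(want_mac, pkt[ma_off:ma_off + 16]):
        return False, "Message-Authenticator mismatch"
    return True, fields


def build_response(request: bytes, code: int, secret: bytes) -> bytes:
    """Disconnect-ACK/NAK with no attributes. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = bytes([code, request[1]]) + (20).to_bytes(2, "big")
    return head + hashlib.md5(head + request[4:20] + secret).digest()


# Constructed client table: what `client 10.1.1.10 server-key your_server_key` produces.
CLIENTS = {"10.1.1.10": b"your_server_key"}
# Constructed session identification for the request.
SESSION = attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, b"0000001F")

if __name__ == "__main__":
    good = build_request(DISCONNECT_REQUEST, 7, SESSION, b"your_server_key")
    print(switch_check(good, "10.1.1.10", CLIENTS))    # (True, {...})
    print(switch_check(good, "10.1.1.99", CLIENTS))    # not a configured client
    forged = build_request(DISCONNECT_REQUEST, 7, SESSION, b"guess")
    print(switch_check(forged, "10.1.1.10", CLIENTS))  # Request Authenticator mismatch
```

The order of the checks is the security point: the client lookup on the source address is a cheap filter, but a UDP source address costs an attacker nothing to forge, so the two key-based checks are what actually stop a forged disconnect or reauthorization; that is what ignore server-key (Step 10) gives up.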

Monitoring CoA Functionality

Table 7: Privileged EXEC show Commands

Command                               Purpose
show aaa attributes protocol radius   Displays AAA attributes of RADIUS commands.

Table 8: Global Troubleshooting Commands

Command                               Purpose
debug radius                          Displays information for troubleshooting RADIUS.
debug aaa coa                         Displays information for troubleshooting CoA processing.
debug aaa pod                         Displays information for troubleshooting packet of disconnect (POD) packets.
debug aaa subsys                      Displays information for troubleshooting the AAA subsystem.
debug cmdhd [detail | error | events] Displays information for troubleshooting command headers.

For detailed information about the fields in these displays, see the command reference for this release.


Configuration Examples for Controlling Switch Access with RADIUS
Examples: Identifying the RADIUS Server Host
This example shows how to configure one RADIUS server to be used for authentication and another to be
used for accounting:

SwitchDevice(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
SwitchDevice(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2

This example shows how to configure host1 as the RADIUS server and to use the default ports for both
authentication and accounting:

SwitchDevice(config)# radius-server host host1

Example: Using Two Different RADIUS Group Servers

In this example, the switch is configured to recognize two different RADIUS server groups (group1 and
group2). Group1 has two host entries that point to the same RADIUS server on different port pairs, both
configured for the same services; the second entry acts as a fail-over backup to the first. Group2 uses a
different server. Each server entry inside a group must match a radius-server host line configured globally.

SwitchDevice(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
SwitchDevice(config)# radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
SwitchDevice(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
SwitchDevice(config)# aaa new-model
SwitchDevice(config)# aaa group server radius group1
SwitchDevice(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
SwitchDevice(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
SwitchDevice(config-sg-radius)# exit
SwitchDevice(config)# aaa group server radius group2
SwitchDevice(config-sg-radius)# server 172.10.0.1 auth-port 1645 acct-port 1646
SwitchDevice(config-sg-radius)# exit

Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes

For example, this AV pair activates Cisco's multiple named IP address pools feature during IP authorization
(during PPP IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

This example shows how to provide a user logging in from a switch with immediate access to privileged
EXEC commands:

cisco-avpair= "shell:priv-lvl=15"

This example shows how to specify an authorized VLAN in the RADIUS server database:

cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-id(#81)=vlanid"

This example shows how to apply an input ACL in ASCII format to an interface for the duration of this
connection:

cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0"
cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"
cisco-avpair= "mac:inacl#3=deny any any decnet-iv"

This example shows how to apply an output ACL in ASCII format to an interface for the duration of this
connection:

cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"
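Seen on the wire, the AV pairs above are attributes of the Access-Accept. Each cisco-avpair string travels in IETF attribute 26 (Vendor-Specific) with Vendor-Id 9 and vendor type 1 (Cisco-AVPair), which is what radius-server vsa send tells the switch to interpret; the three tunnel attributes are ordinary IETF attributes 64, 65 and 81 (RFC 2868), each prefixed with a tag octet. The Python program below is an added example, not code from this guide or from Cisco IOS, that encodes a constructed Access-Accept attribute list carrying the pairs from these examples and decodes it the way a switch must before acting on it: only Cisco's vendor ID is interpreted, a length that overruns the buffer is refused, and a VLAN assignment counts only when all three tunnel attributes agree.

```python
"""Added example (not from the Cisco guide): encoding and decoding the
Access-Accept attributes behind the AV pairs above. The sample attribute
list is constructed."""
VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID = 26, 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
TUNNEL_TYPE_VLAN, MEDIUM_802 = 13, 6
TUNNEL_NAMES = {TUNNEL_TYPE: "tunnel_type", TUNNEL_MEDIUM: "tunnel_medium"}


def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(pair: str) -> bytes:
    """Vendor-Specific: Vendor-Id(4) + Vendor-Type + Vendor-Length + String."""
    s = pair.encode()
    vendor_part = CISCO_VENDOR_ID.to_bytes(4, "big") + bytes([CISCO_AVPAIR, len(s) + 2]) + s
    return attr(VENDOR_SPECIFIC, vendor_part)


def tagged(attr_type: int, value: bytes, tag: int = 0) -> bytes:
    """RFC 2868 tunnel attribute: one Tag octet, then the value."""
    return attr(attr_type, bytes([tag]) + value)


def decode_accept(attrs: bytes) -> dict:
    """Extract what the switch acts on: privilege level, VLAN, per-session ACLs."""
    out = {"avpairs": [], "inacl": [], "outacl": []}
    i = 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        v = attrs[i + 2:i + length]
        i += length
        if t == VENDOR_SPECIFIC:
            if int.from_bytes(v[:4], "big") != CISCO_VENDOR_ID:
                continue  # another vendor's VSA is not ours to interpret
            j = 4
            while j < len(v):  # several sub-attributes may share one VSA
                vt, vl = v[j], v[j + 1]
                if vl < 2 or j + vl > len(v):
                    raise ValueError("malformed vendor sub-attribute")
                if vt == CISCO_AVPAIR:
                    pair = v[j + 2:j + vl].decode()
                    out["avpairs"].append(pair)
                    key, _, val = pair.partition("=")
                    if key == "shell:priv-lvl":
                        out["priv_lvl"] = int(val)
                    elif key.startswith(("ip:inacl#", "mac:inacl#")):
                        out["inacl"].append(val)
                    elif key.startswith("ip:outacl#"):
                        out["outacl"].append(val)
                j += vl
        elif t in TUNNEL_NAMES:
            out[TUNNEL_NAMES[t]] = int.from_bytes(v[1:], "big")  # Tag, then 3-byte integer
        elif t == TUNNEL_GROUP_ID:
            # For string-valued tunnel attributes the first octet is a Tag only if <= 0x1F.
            out["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()
    out["vlan_valid"] = (out.get("tunnel_type") == TUNNEL_TYPE_VLAN
                         and out.get("tunnel_medium") == MEDIUM_802
                         and "vlan" in out)
    return out


def is_malformed(attrs: bytes) -> bool:
    try:
        decode_accept(attrs)
        return False
    except ValueError:
        return True


# Constructed Access-Accept attribute list carrying the AV pairs from the examples above.
SAMPLE_ACCEPT = (
    cisco_avpair("shell:priv-lvl=15")
    + tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + tagged(TUNNEL_MEDIUM, MEDIUM_802.to_bytes(3, "big"))
    + tagged(TUNNEL_GROUP_ID, b"vlanid")
    + cisco_avpair("ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0")
    + cisco_avpair("ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any")
    + cisco_avpair("mac:inacl#3=deny any any decnet-iv")
    + cisco_avpair("ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any")
)

if __name__ == "__main__":
    print(decode_accept(SAMPLE_ACCEPT))
```

Because the server, not the switch, decides what these attributes say, the RADIUS server's database is effectively the switch's authorization policy: whoever can write shell:priv-lvl=15 into it has privileged EXEC on every switch that trusts that server.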

Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124
between the switch and the server:

SwitchDevice(config)# radius-server host 172.20.30.15 non-standard
SwitchDevice(config)# radius-server key rad124
