RADIUS for Multiple UDP Ports

Similar documents
AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups

RADIUS Route Download

AAA Dead-Server Detection

Configuring Authorization

RADIUS Server Load Balancing

Encrypted Vendor-Specific Attributes

Configuring Switch-Based Authentication

Configuring RADIUS Servers

Configuring Security for the ML-Series Card

AAA Support for IPv6

IEEE 802.1X RADIUS Accounting

Fine-Grain NBAR for Selective Applications

DHCP Server RADIUS Proxy

Configuring the Physical Subscriber Line for RADIUS Access and Accounting

RADIUS Configuration Guide Cisco IOS XE Release 2

Fine-Grain NBAR for Selective Applications

Configuring Local Authentication and Authorization

IEEE 802.1X Open Authentication

The ISG RADIUS Proxy Support for Mobile Users Hotspot Roaming and Accounting Start Filtering feature

IEEE 802.1X Multiple Authentication

NBAR2 HTTP-Based Visibility Dashboard

Configuring Authorization

Configuring an FQDN ACL

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

NAT Routemaps Outside-to-Inside Support

Encrypted Vendor-Specific Attributes

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Password Strength and Management for Common Criteria

Named ACL Support for Noncontiguous Ports on an Access Control Entry

Configuring RADIUS and TACACS+ Servers

RADIUS Change of Authorization

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS

Flexible NetFlow - MPLS Support

Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus (TACACS+)

Flexible NetFlow IPFIX Export Format

SSH Algorithms for Common Criteria Certification

Quality of Service for VPNs

RADIUS Commands. Cisco IOS Security Command Reference SR

The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to

Configuring DHCP Services for Accounting and Security

Configuring Secure Shell (SSH)

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

Nested Class Map Support for Zone-Based Policy Firewall

Configuring the Physical Subscriber Line for RADIUS Access and Accounting

NAC-Auth Fail Open. Prerequisites for NAC-Auth Fail Open. Restrictions for NAC-Auth Fail Open. Information About Network Admission Control

Restrictions for Secure Copy Performance Improvement

Configuring Web-Based Authentication

Security Configuration Commands

SSL Custom Application

Using Flexible NetFlow Flow Sampling

Using Flexible NetFlow Flow Sampling

Configuring IP SLAs TCP Connect Operations

Configuring RADIUS. Information About RADIUS. RADIUS Network Environments. Send document comments to

Configuring Web-Based Authentication

ACL Syslog Correlation

IP SLAs TWAMP Responder

Configuring TACACS+ Information About TACACS+ Send document comments to CHAPTER

QoS Group Match and Set for Classification and Marking

BGP Route-Map Continue

Configuring Secure Shell (SSH)

Configuring IEEE 802.1X Port-Based Authentication

HSRP MD5 Authentication

Configuring Embedded Resource Manager-MIB

Configuring IP SLAs UDP Echo Operations

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

DMVPN Event Tracing. Finding Feature Information

Configuring TACACS+ About TACACS+

PPPoE Smart Server Selection

Cisco UBE Out-of-dialog OPTIONS Ping

Configuring IP SLAs ICMP Echo Operations

Enabling ALGs and AICs in Zone-Based Policy Firewalls

IP over IPv6 Tunnels. Information About IP over IPv6 Tunnels. GRE IPv4 Tunnel Support for IPv6 Traffic

PPPoE Smart Server Selection

Configuring Aggregate Authentication

OSPFv2 Cryptographic Authentication

Configuring IP SLAs HTTP Operations

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Extended NAS-Port-Type and NAS-Port Support

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Configuring Secure Shell

Configuring Security Features on an External AAA Server

Sun RPC ALG Support for Firewalls and NAT

Sun RPC ALG Support for Firewalls and NAT

IEEE 802.1X with ACL Assignments

Configuring Web-Based Authentication

EIGRP Route Tag Enhancements

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS. Last Updated: November 2, 2012

Match-in-VRF Support for NAT

Configuring IP SLAs ICMP Path Echo Operations

L2TP IPsec Support for NAT and PAT Windows Clients

Flow-Based per Port-Channel Load Balancing

Configuring IP SLAs ICMP Echo Operations

Configuring IP SLAs ICMP Path Echo Operations

Configuring Secure Shell (SSH)

DHCP Client. Finding Feature Information. Restrictions for the DHCP Client

Configuring Web-Based Authentication

Prerequisites for AES and 3-DES Encryption Support for SNMP. Version 3. Finding Feature Information

Configuring Authentication Proxy

GET VPN Resiliency. Finding Feature Information. Prerequisites for GET VPN Resiliency

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

Transcription:

RADIUS security servers are identified on the basis of their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific authentication, authorization, and accounting (AAA) service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service for example, accounting the second host entry configured acts as a failover backup to the first one. If the first host entry fails to provide accounting services, the network access server tries the second host entry configured on the same device for accounting services. Finding Feature Information, page 1 Prerequisites for, page 1 Information About, page 2 How to Configure, page 3 Configuration Examples for, page 5 Additional References, page 6 Feature Information for, page 6 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for To configure RADIUS on your Cisco device or access server, you must perform these tasks: 1

Information About Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you plan to use RADIUS. Use the aaa authentication global configuration command to define method lists for RADIUS authentication. Use line and interface commands to enable the defined method lists to be used. Information About Device-to-RADIUS Server Communication The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (CiscoSecure ACS), Livingston, Merit, Microsoft, or another software provider. Configuring device to RADIUS server communication can have several components: Hostname or IP address Authentication destination port Accounting destination port Timeout period Retransmission value Key string RADIUS security servers are identified on the basis of their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service for example, accounting the second host entry configured acts as a failover backup to the first one. If the first host entry fails to provide accounting services, the network access server tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order they are configured.) A RADIUS server and a Cisco device use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the device. The timeout, retransmission, and encryption key values are configurable globally for all RADIUS servers, on a per-server basis or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the device, use the three unique global commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS server, use the radius-server host command. 2

How to Configure You can configure both global and per-server timeout, retransmission, and key value commands simultaneously on the same Cisco network access server. If both global and per-server functions are configured on a device, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands. How to Configure Configuring Device-to-RADIUS Server Communication SUMMARY STEPS 1. enable 2. configure terminal 3. radius-server host {hostname ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname ip-address}] 4. radius-server key {0 string 7 string string} 5. radius-server retransmit retries 6. radius-server timeout seconds 7. radius-server deadtime minutes 8. exit DETAILED STEPS Step 1 Step 2 Command or Action enable Device> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Device# configure terminal radius-server host {hostname ip-address} [auth-port port-number] [acct-port port-number] [timeout Specifies the IP address or hostname of the remote RADIUS server host and assigns authentication and accounting destination port numbers. In this step, the timeout, retransmission, and encryption key values are configured on a per-server basis. 3

Configuring Device-to-RADIUS Server Communication Step 4 Step 5 Step 6 Command or Action seconds] [retransmit retries] [key string] [alias {hostname ip-address}] Device(config)# radius-server host 10.45.1.2 radius-server key {0 string 7 string string} Device(config)# radius-server key myradiuspassword radius-server retransmit retries Device(config)# radius-server retransmit 25 radius-server timeout seconds Device(config)# radius-server timeout 6 Purpose auth-port port-number configures a specific UDP port on this RADIUS server to be used solely for authentication. acct-port port-number configures a specific UDP port on this RADIUS server to be used solely for accounting. alias configures up to eight multiple IP addresses for use when referring to RADIUS servers. To configure the network access server to recognize more than one host entry associated with a single IP address, repeat this command as many times as necessary, making sure that each UDP port number is different. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host. If no timeout is set, the global value is used; otherwise, enter a value from 1 to 1000. If no retransmit value is set, the global value is used; otherwise, enter a value from 1 to 1000. If no key string is specified, the global value is used. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key. Specifies the shared secret text string used between the device and a RADIUS server. In this step, the encryption key value is configured globally for all RADIUS servers. Use the 0 string option to configure an unencrypted shared secret. Use the 7 string option to configure an encrypted shared secret. Specifies how many times the device transmits each RADIUS request to the server before giving up (the default is 3). In this step, the retransmission value is configured globally for all RADIUS servers. Specifies for how many seconds a device waits for a reply to a RADIUS request before retransmitting the request. In this step, the timeout value is configured globally for all RADIUS servers. 4

Configuration Examples for Step 7 Step 8 Command or Action radius-server deadtime minutes Device(config)# radius-server deadtime 5 exit Purpose Specifies for how many minutes a RADIUS server that is not responding to authentication requests is passed over by requests for RADIUS authentication. Returns to privileged EXEC mode. Device(config)# exit Configuration Examples for Device-to-RADIUS Server Communication The following example shows how to configure two RADIUS servers with specific timeout, retransmit, and key values. In this example, the aaa new-model command enables AAA services on the device, and specific AAA commands define the AAA services. The radius-server retransmit command changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46.! Enable AAA services on the device and define those services. aaa new-model aaa authentication login default group radius aaa authentication login console-login none aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius enable password tryit1!! Change the global retransmission value for all RADIUS servers. radius-server retransmit 4!! Configure per-server specific timeout, retransmission, and key values.! Change the default auth-port and acct-port values. radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey!! Configure per-server specific timeout and key values. This server uses the global! retransmission value. radius-server host 172.29.39.46 timeout 6 key rad123 5

RADIUS Server with Server-Specific Values RADIUS Server with Server-Specific Values The following example shows how to configure server-specific timeout, retransmit, and key values for the RADIUS server with IP address 172.31.39.46: radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123 Additional References Related Documents Related Topic Cisco IOS commands AAA and RADIUS commands AAA Document Title Cisco IOS Master Command List, All Releases Cisco IOS Security Command Reference Authentication, Authorization, and Accounting Configuration Guide (part of the Securing User Services Configuration Library) Technical Assistance Description The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. Link http://www.cisco.com/cisco/web/support/index.html Feature Information for The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. 6

Feature Information for Table 1: Feature Information for Feature Name Releases 12.0(7)T 12.2(4)T 12.2(27)SBA 12.2(33)SRC Cisco IOS XE Release 2.4 Feature Information RADIUS security servers are identified on the basis of their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. The following command was introduced or modified: radius-server host. 7

Feature Information for 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback