Administrator Guide

Applying the Method List to Terminal Lines
To enable RADIUS AAA login authentication for a method list, apply it to a terminal line.
To configure a terminal line for RADIUS authentication and authorization, use the following commands.
Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
Enable AAA login authentication for the specified RADIUS method list.
LINE mode
login authentication {method-list-name | default}
This procedure is mandatory if you are not using default lists.
Use the method list for EXEC authorization.
CONFIGURATION mode
authorization exec methodlist
Specifying a RADIUS Server Host
When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the
number of retries, and the timeout.
To specify a RADIUS server host and configure its communication parameters, use the following command.
Enter the host name or IP address of the RADIUS server host.
CONFIGURATION mode
radius-server host {hostname | ip-address} [auth-port port-number] [retransmit retries]
[timeout seconds] [key [encryption-type] key]
Configure the optional communication parameters for the specific host:
auth-port port-number: the range is from 0 to 65335. Enter a UDP port number. The default is 1812.
retransmit retries: the range is from 0 to 100. Default is 3.
timeout seconds: the range is from 0 to 1000. Default is 5 seconds.
key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42
characters long. This key must match the key configured on the RADIUS server host.
If you do not configure these optional parameters, the global default values for all RADIUS hosts are applied.
To specify multiple RADIUS server hosts, configure the radius-server host command multiple times. If you configure multiple
RADIUS server hosts, the system attempts to connect with them in the order in which they were configured. When the switch
authenticates a user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an
accept or reject response.
If you want to change an optional parameter setting for a specific host, use the radius-server host command. To change the global
communication settings for all RADIUS server hosts, refer to Setting Global Communication Parameters for all RADIUS Server Hosts.
To view the RADIUS configuration, use the show running-config radius command in EXEC Privilege mode.
To delete a RADIUS server host, use the no radius-server host {hostname | ip-address} command.
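The per-host options, their defaults, and the configured order described above can be checked offline against a saved configuration. The following Python script is an added example, not part of the original guide or any vendor tooling; it parses constructed radius-server host lines, fills in the defaults stated in this section, and flags keys entered as type 0 (plain text), hosts with no per-host key, and retransmit or timeout values outside the stated ranges. The function names, addresses, host name, and key strings are assumptions made for illustration.

```python
DEFAULTS = {"auth-port": 1812, "retransmit": 3, "timeout": 5}  # defaults stated in this guide
RANGES = {"retransmit": (0, 100), "timeout": (0, 1000)}        # ranges stated in this guide

# Constructed sample; addresses, host name and keys are placeholders (assumptions).
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 auth-port 1812 retransmit 2 timeout 4 key 7 EXAMPLE-ENCRYPTED-KEY
radius-server host 192.0.2.11 timeout 2000 key 0 EXAMPLE-PLAINTEXT-KEY
radius-server host radius3.example.net
"""

def parse_radius_hosts(config_text):
    """Return host entries in configured order, which is the order the switch tries them."""
    hosts = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[:2] != ["radius-server", "host"]:
            continue  # also skips "no radius-server host ..." lines
        entry = {"host": tokens[2], "has_key": False, "key_type": None, **DEFAULTS}
        i = 3
        while i < len(tokens):
            if tokens[i] in DEFAULTS and i + 1 < len(tokens):
                entry[tokens[i]] = int(tokens[i + 1])
                i += 2
            elif tokens[i] == "key":
                rest = tokens[i + 1:]
                entry["has_key"] = bool(rest)
                # Encryption type is optional: a leading 0 or 7 counts only if a key follows.
                if len(rest) >= 2 and rest[0] in ("0", "7"):
                    entry["key_type"] = rest[0]
                break
            else:
                i += 1
        hosts.append(entry)
    return hosts

def audit(config_text):
    """Return (hosts, findings); each finding is a (host, message) tuple."""
    hosts, findings = parse_radius_hosts(config_text), []
    for h in hosts:
        if h["key_type"] == "0":
            findings.append((h["host"], "key entered as type 0 (plain text)"))
        if not h["has_key"]:
            findings.append((h["host"], "no per-host key, global value applies"))
        for opt, (lo, hi) in RANGES.items():
            if not lo <= h[opt] <= hi:
                findings.append((h["host"], f"{opt} {h[opt]} outside {lo}-{hi}"))
    return hosts, findings

if __name__ == "__main__":
    print(*(f"{h}: {m}" for h, m in audit(SAMPLE_CONFIG)[1]), sep="\n")
```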
Setting Global Communication Parameters for all RADIUS Server Hosts
You can configure global communication parameters (auth-port, key, retransmit, and timeout parameters) and specific host
communication parameters on the same system.
However, if you configure both global and specific host parameters, the specific host parameters override the global parameters for that
RADIUS server host.
To set global communication parameters for all RADIUS server hosts, use the following commands.
Set a time interval after which a RADIUS host server is declared dead.
CONFIGURATION mode
radius-server deadtime seconds
seconds: the range is from 0 to 2147483647. The default is 0 seconds.