Connectivity Guide
Usage Information The authentication key must match the key configured on the RADIUS server. You cannot enter spaces in the key.
The show running-configuration output displays both unencrypted and encrypted keys in encrypted format.
Configure global settings for the timeout and retransmit attempts allowed on RADIUS servers using the radius-server retransmit and radius-server timeout commands. The no version of this command removes a RADIUS server configuration.
Example
OS10(config)# radius-server host 1.5.6.4 key secret1
Supported Releases 10.2.0E or later
radius-server host tls
Configures a RADIUS server for RADIUS over TLS user authentication and secure communication. The radsec shared key and a security profile that uses an X.509v3 certificate are required for RADIUS over TLS authentication.
Syntax
radius-server host {hostname | ip-address} tls security-profile profile-name
[auth-port tcp-port-number] key {0 authentication-key | 9 authentication-key |
authentication-key}
Parameters
• hostname — Enter the host name of the RADIUS server.
• ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
• tls — Enter tls to secure RADIUS server communication using the TLS protocol.
• security-profile profile-name — Enter the name of an X.509v3 security profile to use with
RADIUS over TLS authentication. To configure a security profile for an OS10 application, see Security profiles.
• auth-port tcp-port-number — (Optional) Enter the TCP port number that the server uses for
authentication. The range is from 0 to 65535. The default is 2083.
• key 0 authentication-key — Enter the radsec shared key in plain text.
• key 9 authentication-key — Enter the radsec shared key in encrypted format.
• authentication-key — Enter the radsec shared key in plain text. It is not necessary to enter 0 before
the key.
Default TCP port 2083 on a RADIUS server is used for RADIUS over TLS communication.
Command Mode CONFIGURATION
Usage Information For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format.
Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands. The no version of this command removes a RADIUS server from RADIUS over TLS communication.
RADIUS over TLS authentication requires that X.509v3 PKI certificates are configured on a certification authority and installed on the switch. For more information, including a complete RADIUS over TLS example, see X.509v3 certificates.
Example
OS10(config)# radius-server host 1.5.6.4 tls security-profile radius-admin key radsec
Supported Releases 10.4.3.0 or later
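An added example, not part of the OS10 documentation: a Python check for a staged configuration file that parses radius-server host lines with the syntax above and reports entries that are not RADIUS over TLS, lack a security profile, carry a plain-text key (key 0 or untyped), have an auth-port outside 0 to 65535, or have stray tokens such as the tail of a key typed with a space. The sample lines, the finding names and the policy of requiring TLS are assumptions of this example.

```python
# Added example; SAMPLE is constructed input and "0123abcd" is a placeholder type-9 key.
SAMPLE = """\
radius-server host 1.5.6.4 key secret1
radius-server host 1.5.6.4 tls security-profile radius-admin key radsec
radius-server host rad1.example.net tls security-profile radius-admin auth-port 70000 key 9 0123abcd
radius-server host 2001:db8::10 tls key 0 my secret
"""

def parse(line):
    """Split one 'radius-server host' command into fields; None for other commands."""
    tok = line.split()
    if tok[:2] != ["radius-server", "host"] or len(tok) < 3:
        return None
    cfg = dict(host=tok[2], tls=False, profile=None, port=None, key_type=None, key=None, extra=[])
    rest = tok[3:]
    while rest:
        word = rest.pop(0)
        if word == "tls":
            cfg["tls"] = True
        elif word in ("security-profile", "auth-port") and rest:
            cfg["profile" if word == "security-profile" else "port"] = rest.pop(0)
        elif word == "key" and rest and cfg["key"] is None:
            # 'key 0 <key>' and 'key <key>' are plain text; 'key 9 <key>' is encrypted.
            if rest[0] in ("0", "9") and len(rest) > 1:
                cfg["key_type"] = rest.pop(0)
            cfg["key"] = rest.pop(0)
        else:
            cfg["extra"].append(word)  # e.g. the tail of a key typed with a space
    return cfg

def audit(line):
    """Return finding codes for one line (empty list: nothing to report)."""
    cfg = parse(line)
    if cfg is None:
        return []
    port = cfg["port"]
    checks = [
        (not cfg["tls"], "no-tls"),
        (cfg["tls"] and cfg["profile"] is None, "tls-without-security-profile"),
        (port is not None and not (port.isdecimal() and int(port) <= 65535), "auth-port-out-of-range"),
        (cfg["key"] is None, "missing-key"),
        (cfg["key"] is not None and cfg["key_type"] != "9", "plaintext-key"),
        (bool(cfg["extra"]), "unexpected-tokens"),
    ]
    return [code for hit, code in checks if hit]

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(audit(line), line)
```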