4000 Router Series Security Command Reference

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port

number in the range of 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS

authentication server.

• cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

{ In non-FIPS mode, the key is a string of 1 to 117 cha ra ct e r s .

{ In FIPS mode, the key is a string of 15 to 117 c h aract e r s .

• simple string: Sets a plaintext shared key. The string argument is case sensitive.

{ In non-FIPS mode, the key is a string of 1 to 64 characters.

{ In FIPS mode, the key is a string of 15 to 64 characters that must contain digits, uppercase letters,

lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication

server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is

on the public network, do not specify this option.

Usage guidelines

Make sure that the service port and shared key settings of the primary RADIUS authentication server are

the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP

address, port number, and VPN settings.

The shared key configured by this command takes precedence over the shared key configured by using

the key authentication command.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance

vpn-instance-name option. The VPN specified by this command takes precedence over the VPN

specified for the RADIUS scheme.

If you use the primary authentication command to modify or delete the primary authentication server

during an authentication process, communication with the primary server times out, and the device looks

for an active server with the highest priority for authentication.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in

ciphertext.

Examples

# Specify the primary authentication server with IP address 10.110 .1.1, U D P p o r t n u m b e r 1812, a n d

plaintext shared key 123456TESTauth&! for RADIUS scheme radius1.