RADIUS
This chapter is a reference for Remote Authentication Dial In User Service (RADIUS) commands. RADIUS provides centralized authentication and authorization management for users who connect to and use a network service. RADIUS is specified in RFC 2865.
Note: Only network administrators can execute these commands.
Note: The commands below are supported only on the “management” VRF.
clear radius-server
Use this command to clear radius-server statistics.
Command Syntax
clear radius-server ((HOSTNAME | X:X::X:X | A.B.C.D)|) counters (vrf (management | all)|)
Parameters
A.B.C.D
IPv4 address of RADIUS server
X:X::X:X
IPv6 address of RADIUS server
HOSTNAME
DNS host name of RADIUS server
vrf management
To clear radius server counters for Virtual Routing and Forwarding management
all
To clear radius server counters for both management and default VRF
counters
To clear radius server counters for default vrf
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 1.3.7.
Examples
#clear radius-server counters vrf management
debug radius
Use this command to display RADIUS debugging information.
Use the no form of this command to stop displaying RADIUS debugging information.
Command Syntax
debug radius
no debug radius
Parameters
None
Command Mode
Executive mode and configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#debug radius
radius-server login host
Use this command to configure a RADIUS server for both accounting and authentication.
Use the no form of this command to remove a RADIUS server.
Command Syntax
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) seq-num (<1-8>)
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) seq-num (<1-8>) timeout <1-60>
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) seq-num (<1-8>)(acct-port <0-65535> |) | timeout <1-60> |)
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) seq-num (<1-8>)(|(auth-port <0-65535> (|(acct-port <0-65535> (|(timeout <1-60>))))))
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) seq-num (<1-8>)(|(key ((0 WORD) | (7 WORD))) (|(auth-port <0-65535> (|(acct-port <0-65535> (|(timeout <1-60>))))))))
no radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|)
no radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) timeout
Parameters
login
Remote login
A.B.C.D
IPv4 address of RADIUS server
X:X::X:X
IPv6 address of RADIUS server
HOSTNAME
DNS host name of RADIUS server
seq-num
Sequence number / priority index for RADIUS servers
<1-8>
sequence number for servers
timeout
How long to wait for a response from the RADIUS server before declaring a timeout failure
<1-60>
Range of timeout period in seconds
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server login host 203.0.113.15 vrf management seq-num 1
radius-server login host acct-port
Use this command to configure a RADIUS server and specify a UDP port to use for RADIUS accounting messages.
Use the no form of this command to remove a RADIUS server.
Command Syntax
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) (seq-num (<1-8>)|) acct-port <0-65535> |) | timeout <1-60> |)
no radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) acct-port |) | timeout <1-60> |)
Parameters
login
Remote login
A.B.C.D
IPv4 address of RADIUS server
X:X::X:X
IPv6 address of RADIUS server
HOSTNAME
DNS host name of RADIUS server
acct-port
UDP port to use for RADIUS accounting messages
<0-65535>
Range of UDP port numbers
seq-num
Sequence number / priority index for RADIUS servers
<1-8>
sequence number for servers
timeout
How long to wait for a response from the RADIUS server before declaring a timeout failure
<1-60>
Range of timeout period in seconds
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
By default, radius-server login host acct-port is 1813
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server login host 192.168.2.3 vrf management seq-num 2 acct-port 23255
radius-server login host auth-port
Use this command to configure a RADIUS server and specify a UDP port to use for RADIUS authentication messages.
Use the no form of this command to remove a RADIUS server.
Command Syntax
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) (seq-num (<1-8>)|) (|(auth-port <0-65535> (|(acct-port <0-65535> (|(timeout <1-60>))))))
no radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) (auth-port (|(acct-port (|timeout))))
Parameters
login
Remote login
A.B.C.D
IPv4 address of RADIUS server
X:X::X:X
IPv6 address of RADIUS server
HOSTNAME
DNS host name of RADIUS server
seq-num
Sequence number / priority index for RADIUS servers
<1-8>
sequence number for servers
auth-port
UDP port to use for RADIUS authentication messages
<0-65535>
Range of UDP port numbers
acct-port
UDP port to use for RADIUS accounting messages
<0-65535>
Range of UDP port numbers
timeout
How long to wait for a response from the RADIUS server before declaring a timeout failure
<1-60>
Range of timeout period in seconds
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
By default, radius-server login host auth-port is 1812
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server login host 203.0.113.15 vrf management seq-num 1 auth-port 23255
radius-server login host key
Use this command to set a per-server shared key (“shared secret”), which is a text string shared between the device and RADIUS servers.
Use the no form of this command to remove a server shared key.
Command Syntax
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) (seq-num (<1-8>)|) (|(key ((0 WORD) | (7 WORD)) (|(auth-port <0-65535> (|(acct-port <0-65535> (|(timeout <1-60>))))))))
no radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) (key ((0 WORD) | (7 WORD) ) (|(auth-port <0-65535> (|(acct-port (|(timeout)))))))
Parameters
login
Remote login
A.B.C.D
IPv4 address of RADIUS server
X:X::X:X
IPv6 address of RADIUS server
HOSTNAME
DNS host name of RADIUS server
seq-num
Sequence number / priority index for RADIUS servers
<1-8>
sequence number for servers
0
Unencrypted (clear text) shared key
WORD
Unencrypted key value; maximum length 63 characters
7
Hidden shared key
WORD
Hidden key value; maximum length 63 characters
WORD
Unencrypted (clear text) shared key value; maximum length 63 characters
auth-port
UDP port to use for RADIUS authentication messages
<0-65535>
Range of UDP port numbers
acct-port
UDP port to use for RADIUS accounting messages
<0-65535>
Range of UDP port numbers
timeout
How long to wait for a response from the RADIUS server before declaring a timeout failure
<1-60>
Range of timeout period in seconds
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server login host 203.0.113.15 vrf management seq-num 1 key 0 testing auth-port 23255
radius-server login key
Use this command to set a global preshared key (“shared secret”) which is a text string shared between the device and RADIUS servers.
Use the no form of this command to remove a global preshared key.
Command Syntax
radius-server login key ((0 WORD) | (7 WORD)) (vrf management|)
radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) (seq-num (<1-8>)|) (|(key ((0 WORD) | (7 WORD)) (|(auth-port <0-65535> (|(acct-port <0-65535> (|(timeout <1-60>))))))))
no radius-server login key ((0 WORD) | (7 WORD)) (vrf management|)
no radius-server login host (A.B.C.D | X:X::X:X | HOSTNAME) (vrf management|) (seq-num (<1-8>)|) (key ((0 WORD) | (7 WORD)) (|(auth-port <0-65535> (|(acct-port (|(timeout)))))))
Parameters
login
Remote login
0
Unencrypted (clear text) shared key
WORD
Unencrypted key value; maximum length 63 characters
7
Hidden shared key
WORD
Hidden key value; maximum length 63 characters
WORD
Unencrypted (clear text) shared key value; maximum length 63 characters
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server login key 7 p2AcxlQA vrf management
#configure terminal
(config)#no radius-server login key 7 p2AcxlQA vrf management
radius-server login timeout
Use this command to set the global timeout which is how long the device waits for a response from a RADIUS server before declaring a timeout failure.
Use the no form of this command to set the global timeout to its default (1 second).
Note: The default timeout of a TELNET client session is 60 seconds, so configuring a timeout of 60 seconds impacts TELNET client applications because the session cannot fall back to another configured server or group. It is therefore recommended to configure a timeout of 57 seconds or less when using TELNET. This timeout does not impact SSH connections.
Command Syntax
radius-server login timeout <1-60> (vrf management|)
no radius-server login timeout (vrf management|)
Parameters
login
Remote login
<1-60>
Range of timeout period in seconds
vrf
Virtual Routing and Forwarding
management
Management VRF
Note: The system takes a minimum of 3 seconds to time out even when the configured timeout value is less than 3 seconds, so do not configure a timeout value of less than 3 seconds. The range is given as 1-60 seconds for backward compatibility.
Default
By default, radius-server login timeout is 5 seconds
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server login timeout 15 vrf management
#configure terminal
(config)#no radius-server login timeout 15 vrf management
show debug radius
Use this command to display debugging information.
Command Syntax
show debug radius
Parameters
None
Command Mode
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show debug radius
RADIUS client debugging is on
show radius-server
Use this command to display the RADIUS server configuration.
Command Syntax
show radius-server (|vrf(management|all))((WORD)|(groups (GROUP|)|)|sorted
Parameters
WORD
DNS host name or IP address
groups
RADIUS server group
GROUP
Group name; if this parameter is not specified, display all groups
sorted
Sort by RADIUS server name
vrf
management or all VRFs
Command Mode
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show radius-server vrf management
VRF: management
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
Radius Server : 10.12.12.39
Sequence Number : 1
available for authentication on port : 1812
available for accounting on port : 1813
RADIUS shared secret : ********
Failed Authentication count : 0
Successful Authentication count : 0
Failed Connection Request : 0
Last Successful authentication :
Radius Server : 1.1.1.1
Sequence Number : 2
available for authentication on port : 1234
available for accounting on port : 1234
timeout : 5
Failed Authentication count : 0
Successful Authentication count : 0
Failed Connection Request : 0
Last Successful authentication :
Table 15-22 explains the output fields.
Table 15-22: show radius-server fields
Entry | Description |
---|---|
VRF | Virtual Routing and Forwarding (VRF) default support. |
Timeout Value | Period the local router waits to receive a response from a RADIUS accounting server before retransmitting the message |
Total number of servers | Number of authentication requests received by the authentication server. |
show running-config radius
Use this command to display RADIUS configuration settings in the running configuration.
Command Syntax
show running-config radius
Parameters
None
Command Mode
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show running-config radius
radius-server login key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb vrf management
radius-server login host 10.12.12.39 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
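The following Python check is an added example, not part of the OcNOS documentation. It reads `show running-config radius` output and flags what the notes in this reference warn about: type 0 (clear text) shared keys, timeouts under 3 or over 57 seconds, and lines without `vrf management`. The sample configuration is constructed, and applying the 57-second TELNET guidance to per-host timeouts is an assumption.

```python
# Constructed sample in "show running-config radius" format; every value is made up.
SAMPLE = """\
radius-server login key 0 testing vrf management
radius-server login timeout 60 vrf management
radius-server login host 203.0.113.15 vrf management seq-num 1 key 7 0xPLACEHOLDER
radius-server login host 192.0.2.7 vrf management seq-num 2 timeout 2
radius-server login host 192.0.2.9 seq-num 3
"""
VALUE_KEYWORDS = {"vrf", "seq-num", "auth-port", "acct-port", "timeout"}

def parse_line(line):
    """Return the settings on one 'radius-server login ...' line, or None."""
    tok = line.split()
    if tok[:2] != ["radius-server", "login"]:
        return None
    entry, i = {"scope": "global"}, 2
    if len(tok) > 3 and tok[2] == "host":
        entry["scope"], i = tok[3], 4
    while i < len(tok):
        if tok[i] == "key" and i + 2 < len(tok):
            entry["key_type"] = tok[i + 1]  # 0 = clear text, 7 = hidden
            i += 3
        elif tok[i] in VALUE_KEYWORDS and i + 1 < len(tok):
            entry[tok[i]] = tok[i + 1]
            i += 2
        else:
            i += 1
    return entry

def audit(config_text):
    """Return (scope, finding) pairs for settings the notes in this reference warn about."""
    findings = []
    for entry in filter(None, map(parse_line, config_text.splitlines())):
        scope = entry["scope"]
        if entry.get("key_type") == "0":
            findings.append((scope, "shared key is type 0 (clear text)"))
        timeout = entry.get("timeout", "")
        if timeout.isdigit() and int(timeout) < 3:
            findings.append((scope, "timeout below the 3-second effective minimum"))
        elif timeout.isdigit() and int(timeout) > 57:
            # Assumption: the 57-second TELNET guidance is applied to per-host timeouts too.
            findings.append((scope, "timeout above 57 seconds (TELNET fallback)"))
        if entry.get("vrf") != "management":
            findings.append((scope, "no 'vrf management' on this line"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```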