Configuring a switch to access a RADIUS server

Before you configure the actual accounting parameters, configure the switch to use a RADIUS server. This process is outlined in Configuring the switch to access a RADIUS server. Repeat this now only if one of the following applies:
  • The switch is not yet configured to use a RADIUS server.
  • Your server data has changed.
  • You need to specify a non-default UDP destination port for accounting requests.

NOTE:

Switch operation expects a RADIUS server to accommodate both authentication and accounting.

Syntax:

radius-server host <ip-address>
no radius-server host <ip-address>

Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration.


[acct-port <port-number>]

Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option, the switch automatically assigns the default accounting port number. (Default: 1813)


[key <key-string>]

Optional. Specifies an encryption key for use during accounting or authentication sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this option only if the specified server requires an encryption key different from the one configured as the global encryption key.

NOTE:

If you save the config file using Xmodem or TFTP, the key information is not saved in the file. This causes RADIUS authentication to fail when the config file is loaded back onto the switch.


[encrypted-key <key-string>]

Specifies the encryption key to use with the RADIUS server as a base64-encoded, AES-256-encrypted string.

Example:

Suppose you want the switch to use the RADIUS server described below for both authentication and accounting purposes.
  • IP address: 10.33.18.151

  • A non-default UDP port number of 1750 for accounting.

For this example, assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings, and RADIUS is already configured as an authentication method for one or more types of access to the switch (Telnet, Console, etc.).

Because the radius-server command includes an acct-port keyword with a non-default UDP port number of 1750, the switch assigns this value as the UDP accounting port.

Configuring for a RADIUS server with a non-default accounting UDP port number

The radius-server command configures the switch to use a RADIUS server at IP address 10.33.18.151, with a non-default UDP accounting port of 1750, and a server-specific key of "source0151".

switch(config)# radius-server host 10.33.18.151 acct-port 1750 key source0151
switch(config)# write mem

switch(config)# show radius

 Status and Counters - General RADIUS Information

  Deadtime(min) : 0
  Timeout(secs) : 5
  Retransmit Attempts : 3
  Global Encryption Key :
  Dynamic Authorization UDP Port : 3799

                  Auth Acct DM/ Time
  Server IP Addr  Port Port CoA Window Encryption Key
  --------------- ---- ---- --- ------ -------------------
  10.33.18.151    1812 1750 No  10     source0151
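
The following Python script is an added example, not part of the original documentation. It audits a saved capture of show radius output in the format shown above: it reports servers with neither a server-specific nor a global key (the state the NOTE describes after a config file is reloaded without its keys), servers using a non-default accounting port, and captures that contain a key in readable form. The function name, the finding labels and the second server row in the sample are assumptions made for illustration.

```python
import re

DEFAULT_ACCT_PORT = 1813  # default accounting port stated on the page
# Constructed sample: the first server row is the page's example; the second
# row (10.33.18.152, no key) is invented for illustration.
SAMPLE = """\
 Status and Counters - General RADIUS Information

  Deadtime(min) : 0
  Timeout(secs) : 5
  Retransmit Attempts : 3
  Global Encryption Key :
  Dynamic Authorization UDP Port : 3799

                  Auth Acct DM/ Time
  Server IP Addr  Port Port CoA Window Encryption Key
  --------------- ---- ---- --- ------ -------------------
  10.33.18.151    1812 1750 No  10     source0151
  10.33.18.152    1812 1813 No  10
"""

GLOBAL_KEY = re.compile(r"\s*Global Encryption Key\s*:\s*(\S*)\s*$")
# Server row: IP, auth port, acct port, DM/CoA, time window, optional key.
SERVER_ROW = re.compile(
    r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s*(\S*)\s*$")

def audit_show_radius(text):
    """Return a list of (server_ip, finding) tuples for one capture."""
    global_key, servers, findings = "", [], []
    for line in text.splitlines():
        if (m := GLOBAL_KEY.match(line)):
            global_key = m.group(1)
        elif (m := SERVER_ROW.match(line)):
            ip, _auth, acct, _coa, _window, key = m.groups()
            servers.append((ip, int(acct), key))
    for ip, acct_port, key in servers:
        if not key and not global_key:
            # No per-server key and no global key: the NOTE's failure state.
            findings.append((ip, "no-key"))
        if acct_port != DEFAULT_ACCT_PORT:
            # The RADIUS server must listen for accounting on the same port.
            findings.append((ip, "non-default-acct-port"))
        if key:
            # The key is printed in the capture; handle the file as a secret.
            findings.append((ip, "key-in-output"))
    return findings

if __name__ == "__main__":
    print(audit_show_radius(SAMPLE))
```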