Table Of Contents
Configuring Timeout, Retransmission, and Key Values per RADIUS Server
Feature Overview
Benefits
Related Features and Technologies
Related Documents
Supported Platforms
Supported Standards, MIBs, and RFCs
Prerequisites
Configuration Tasks
Configuring Global Timeout, Retransmission, and Key Values
Verifying Global Timeout, Retransmission, and Key Values
Configuring Per-Server Timeout, Retransmission, and Key Values
Verifying Per-Server Timeout, Retransmission, and Key Values
Configuration Examples
RADIUS Server with Server-Specific Values
Multiple RADIUS Servers with Global and Server-Specific Values
Command Reference
radius-server host
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
Related Commands
Configuring Timeout, Retransmission, and Key Values per RADIUS Server
The Configuring Timeout, Retransmission, and Key Values per RADIUS Server feature extends the functionality of the existing radius-server host command. This document contains the following sections:
•
Feature Overview
•Supported Platforms
•Supported Standards, MIBs, and RFCs
•Prerequisites
•Configuration Tasks
•Configuration Examples
•Command Reference
Feature Overview
The radius-server host command functions have been extended to include timeout, retransmission, and encryption key values that enables you to apply any or all of these functions to individual RADIUS servers on a per-server basis. In previous Cisco IOS releases, you could only apply timeout, retransmission, and encryption key values globally to all RADIUS servers in the router configuration by using three unique global commands: radius-server timeout, radius-server retransmit, and radius-server key.
Note You can configure both global and per-server timeout, retransmission, and key value commands simultaneously on the same Cisco network access server. If both global and per-server functions are configured on a router, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands.
Benefits
Greater Flexibility
Offering per-server, timeout, retransmit, and key values functions provides the system administrator with greater flexibility when configuring RADIUS servers.
Improved Network Security
Unique key values help improve network security requiring different keys for different servers.
Improved Server Access
Per-server timeout and retransmit settings can help improve server access on busy networks where overall response times may vary widely from network to network.
Related Features and Technologies
•RADIUS
•AAA Security Services
Related Documents
•Cisco IOS Release 12.0 Security Configuration Guide
•Cisco IOS Release 12.0 Security Command Reference
Supported Platforms
•Cisco AS5200
•Cisco AS5300
•Cisco AS5800
•Cisco 7200 series
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
None
Prerequisites
•Enable authentication, authorization, and accounting (AAA) security services with the aaa new-model command and configure AAA security services on the router or access server to support the RADIUS security protocol. Refer to the Cisco IOS Release 12.0 Security Configuration Guide for details on how to configure AAA services.
•If you have at least one RADIUS server that does not have a per-server key, use the radius-server key command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. Refer to the Cisco IOS Release 12.0 Security Configuration Guide and Cisco IOS Release 12.0 Security Command Reference for details on how to configure radius-server key command.
Configuration Tasks
See the following sections for configuration tasks for the Configuring Timeout, Retransmission, and Key Values per RADIUS server feature. Each task in the list indicates if the task is optional or required.
•Configuring Global Timeout, Retransmission, and Key Values
•Configuring Per-Server Timeout, Retransmission, and Key Values
Configuring Global Timeout, Retransmission, and Key Values
Step
|
Command
|
Purpose
|
1
|
Router(config)# aaa new-model
|
(Required) Enables the AAA access control model. Enables AAA security services (authentication, authorization, and accounting) on the router or access server to support the RADIUS security protocol. (Refer to the Cisco IOS Release 12.0 Security Configuration Guide for details on how to configure AAA services.)
|
2
|
Router(config)# radius-server timeout seconds
|
(Optional) Sets the interval a router waits for a server host to reply for all RADIUS servers. The default value is 5 seconds.
|
3
|
Router(config)# radius-server retransmit retries
|
(Optional) Specifies the number of times a RADIUS request is resent to a server, if that server is not responding or responding slowly. The default is 3 retries.
|
4
|
Router(config)# radius-server key {string}
|
(Optional) Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. The radius-server key command has no default value; however, the key must match the encryption key used on the RADIUS server. This command is optional if you configure per-server keys for all RADIUS servers. If you have at least one RADIUS server that does not have a per-server key, you should set this value.
|
Verifying Global Timeout, Retransmission, and Key Values
To verify global timeout, retransmission, and key values, use the privileged EXEC show running-config command.
Configuring Per-Server Timeout, Retransmission, and Key Values
Step
|
Command
|
Purpose
|
1
|
Router(config)# aaa new-model
|
(Required) Enables the AAA access control model. Enables AAA security services (authentication, authorization, and accounting) on the router or access server to support the RADIUS security protocol. (Refer to the Cisco IOS Release 12.0 Security Configuration Guide for details on how to configure AAA services.)
|
2
|
Router(config)# radius-server host {hostname | ip-address}
[auth-port port-number] [acct-port port-number] [timeout seconds]
[retransmit retries] [key string]
|
(Optional) Specifies a RADIUS server host to configure timeout, retransmit, and encryption key values on a per-server basis.
Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
|
Verifying Per-Server Timeout, Retransmission, and Key Values
To verify global timeout, retransmission, and key values, use the privileged EXEC show running-config command.
Configuration Examples
This section provides the following configuration examples:
•RADIUS Server with Server-Specific Values
•Multiple RADIUS Servers with Global and Server-Specific Values
RADIUS Server with Server-Specific Values
The following example configures server-specific timeout, retransmit, and key values for the RADIUS server with IP address 172.31.39.46:
router(config)# radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123
Multiple RADIUS Servers with Global and Server-Specific Values
The following configuration example configures two RADIUS servers with specific timeout, retransmit, and key values. In this example, the aaa new-model command enables AAA services on the router, while specific AAA commands define the AAA services. The radius-server retransmit command changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46.
! Enable AAA services on the router and define those services.
router(config)# aaa new-model
router(config)# aaa authentication login default radius
router(config)# aaa authentication login console-login none
router(config)# aaa authentication ppp default radius
router(config)# aaa authorization network default radius
router(config)# aaa accounting exec default start-stop radius
router(config)# aaa accounting network default start-stop radius
router(config)# enable password tryit1
! Change the global retransmission value for all RADIUS servers.
router(config)# radius-server retransmit 4
! Configure per-server specific timeout, retransmission, and key values.
! Change the default auth-port and acct-port values.
router(config)# radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3
router(config)# retransmit 3 key radkey
! Configure per-server specific timeout and key values. This server uses the global
router(config)# radius-server host 172.29.39.46 timeout 6 key rad123
Command Reference
This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications. In this feature, the radius-server host command has been modified to add support for configuring timeout, retransmission, and key values per RADIUS server.
radius-server host
To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries] [key string]
no radius-server host {hostname | ip-address}
Syntax Description
hostname
|
DNS name of the RADIUS server host.
|
ip-address
|
IP address of the RADIUS server host.
|
auth-port
|
(Optional) Specifies the UDP destination port for authentication requests.
|
port-number
|
(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. The default authorization port number is 1645.
|
acct-port
|
(Optional) Specifies the UDP destination port for accounting requests.
|
port-number
|
(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. The default accounting port number is 1646.
|
timeout
|
(Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.
|
seconds
|
(Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.
|
retransmit
|
(Optional) The number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.
|
retries
|
(Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.
|
key
|
(Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.
The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
|
string
|
(Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
|
Defaults
No RADIUS host is specified; use global radius-server command values.
Command Modes
Global configuration
Command History
Release
|
Modification
|
Cisco IOS Release 11.3
|
This command was introduced.
|
Cisco IOS Release 11.3(8)AA
|
This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server for the following platforms: Cisco AS5200, Cisco AS5300, Cisco AS5800, and Cisco 7200.
|
Cisco IOS Release 12.0(5)T
|
This command was folded in to the Cisco IOS Release 12.0(5)T image.
|
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.
If no host specific timeout, retransmit, or key values are specified, the global values apply to that host.
Examples
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:
router(config)# radius-server host host1
The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
router(config)# radius-server host host1 auth-port 1612 acct-port 1616
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
router(config)# radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6
To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
router(config)# radius-server host host1.domain.com auth-port 0
router(config)# radius-server host host2.domain.com acct-port 0
Related Commands
Command
|
Description
|
aaa new-model
|
Changes the text displayed when users are prompted to enter a username.
|
radius-server key
|
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
|
radius-server retransmit
|
Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.
|
radius-server timeout
|
Sets the interval a router waits for a server host to reply.
|
