11.18. RADIUS Authentication Commands

11.18.1. radius-server deadtime

Command Purpose

To improve RADIUS response times when some servers might be unavailable, by skipping the unavailable servers immediately, use the radius-server deadtime command in Global Config mode. To restore the default dead time, use the no form of this command.

Prerequisites

Platform   Software   License   Comments
AQ-N3000   7.0        Base
AQ-N5000   7.0        Base
AQ-N6000   7.0        Base

Command Syntax

radius-server deadtime MINUTES

no radius-server deadtime

Parameter  Parameter Description                                              Parameter Value
MINUTES    Length of time, in minutes, for which a RADIUS server is skipped   1-20 minutes
           over by transaction requests

Command Mode

Global Config

Default

5 minutes

Usage

Use this command to cause the switch to mark as “dead” any RADIUS server that fails to respond to authentication requests, so that later requests do not wait for that server to time out before the next configured server is tried. A RADIUS server marked as “dead” is skipped by subsequent requests for the configured number of minutes, unless every configured server is marked “dead”, in which case all of them are tried.

The default value of the radius deadtime is 5 minutes.

Examples

The following is sample output from the radius-server deadtime command:

Switch# configure terminal
Switch(config)# radius-server deadtime 10

11.18.2. radius-server host

Command Purpose

To specify a RADIUS server host, use the radius-server host command in Global Config mode. To delete the specified RADIUS host, use the no form of this command.

Prerequisites

Platform   Software   License   Comments
AQ-N3000   7.0        Base
AQ-N5000   7.0        Base
AQ-N6000   7.0        Base

Command Syntax

radius-server host HOST_IP_ADDR ( source-interface IFNAME | source-ip SRC_IP_ADDR | )

radius-server host HOST_IP_ADDR { key ( 8 | secret | ) STRING | retransmit RETRIES | timeout SEC | mgmt-if IPV4_ADDR | auth-port AUTH_PORT | acct-port ACCT_PORT } ( source-interface IFNAME | source-ip SRC_IP_ADDR | )

radius-server host mgmt-if IPV4_ADDR

radius-server host mgmt-if IPV4_ADDR { key ( 8 | secret | ) STRING | retransmit RETRIES | timeout SEC | mgmt-if IPV4_ADDR | auth-port AUTH_PORT }

no radius-server host ( mgmt-if | ) IPV4_ADDR ( mgmt-if IPV4_ADDR | auth-port AUTH_PORT | )

Parameter    Parameter Description                                             Parameter Value
mgmt-if      Management port                                                   -
IPV4_ADDR    IPv4 address of the RADIUS server host                            IPv4 Address
IPV6_ADDR    IPv6 address of the RADIUS server host                            -
AUTH_PORT    (Optional) Port number for authentication requests; the host      1-65535
             is not used for authentication if set to 0. If unspecified,
             the port number defaults to 1812
ACCT_PORT    (Optional) Port number for accounting requests; the host is       1-65535
             not used for accounting if set to 0. If unspecified, the port
             number defaults to 1813
SECONDS      (Optional) Timeout value. If no timeout value is specified,       1-1000 seconds
             the global value is used. The default is 5
RETRIES      (Optional) Retransmit value. If no retransmit value is            1-100
             specified, the global value is used. The default is 3
STRING       (Optional) Authentication and encryption key for all RADIUS       Up to 256 characters
             communications between the switch and the RADIUS server. This
             key must match the key configured on the RADIUS daemon
IFNAME       Name of the source interface                                      Physical, aggregation, loopback,
                                                                               VLAN and tunnel ports
SRC_IP_ADDR  Source IP address                                                 IPv4 Address

Command Mode

Global Config

Default

None

Usage

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them.

If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.

If a source interface or source IP address is specified, RADIUS packets are transmitted with that interface's address, or the given address, as their source IP address.

Examples

The following is sample output from the radius-server host command:

Switch# configure terminal
Switch(config)# radius-server host 10.10.1.1 key abcde

Related Commands

radius-server key

radius-server timeout

11.18.3. radius-server retransmit

Command Purpose

To specify the number of times the switch searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in Global Config mode. To disable retransmission, use the no form of this command.

Prerequisites

Platform   Software   License   Comments
AQ-N3000   7.0        Base
AQ-N5000   7.0        Base
AQ-N6000   7.0        Base

Command Syntax

radius-server retransmit RETRIES

no radius-server retransmit

Parameter  Parameter Description                                    Parameter Value
RETRIES    Maximum number of retransmission attempts. The default   1-100
           is 3

Command Mode

Global Config

Default

3 attempts

Usage

The switch tries all servers, allowing each one to time out before increasing the retransmit count.

If the RADIUS server is only a few hops from the switch, we recommend that you configure the RADIUS server retransmit rate to 5.

The default value of radius retransmit is 3 attempts.
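The deadtime, timeout and retransmit settings above together decide how long an authentication can stall when servers do not answer. The following model, added here to illustrate the interaction and not taken from the switch software, walks a configured server list the way the Usage text describes: each unresponsive server is allowed its full timeout before the next one is tried, a full pass over the list counts as one retransmit, and a server that failed to answer is skipped for deadtime minutes unless every server is dead. Whether the switch marks a server dead after its first missed reply or only after all retries is not stated in this manual; the model assumes the former, and the server addresses are constructed.

```python
"""Model of the RADIUS server walk configured by radius-server host,
timeout, retransmit and deadtime (added illustration, not switch code).

Assumptions of this model (the manual does not pin them down):
  * a server that fails to answer within the timeout is marked dead at once;
  * retransmit counts full passes over the live server list;
  * the simulated clock advances only on timeouts, so replies are instant.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Server:
    addr: str
    dead_until: float = 0.0  # simulated time (seconds) until which it is skipped


@dataclass
class RadiusClient:
    servers: List[Server]
    timeout_s: float = 5.0     # radius-server timeout    (default 5 seconds)
    retransmit: int = 3        # radius-server retransmit (default 3 attempts)
    deadtime_min: float = 5.0  # radius-server deadtime   (default 5 minutes)
    clock: float = 0.0         # simulated wall clock, seconds
    attempts: List[Tuple[float, str]] = field(default_factory=list)

    def live_servers(self) -> List[Server]:
        """Servers not currently marked dead; if every server is dead,
        the whole list is tried anyway, as the deadtime usage text says."""
        live = [s for s in self.servers if s.dead_until <= self.clock]
        return live or list(self.servers)

    def authenticate(self, reachable: Callable[[str], bool]) -> Optional[str]:
        """Walk the servers in configured order; `reachable` stands in for
        the network and returns True when a server answers.
        Returns the address of the answering server, or None once all
        retransmit passes are exhausted."""
        for _pass in range(self.retransmit):
            for srv in self.live_servers():
                self.attempts.append((self.clock, srv.addr))
                if reachable(srv.addr):
                    return srv.addr
                # No reply: the full timeout elapses, then the server is
                # skipped for deadtime minutes.
                self.clock += self.timeout_s
                srv.dead_until = self.clock + self.deadtime_min * 60
        return None

    def worst_case_wait_s(self) -> float:
        """Longest an 802.1X client can wait when no server answers at all."""
        return len(self.servers) * self.retransmit * self.timeout_s


if __name__ == "__main__":
    # Constructed scenario: 10.10.1.1 is down, 10.10.1.2 answers.
    client = RadiusClient([Server("10.10.1.1"), Server("10.10.1.2")])
    print(client.authenticate(lambda a: a == "10.10.1.2"), client.attempts)
    client.attempts.clear()
    # Second request within deadtime: the dead server is skipped outright.
    print(client.authenticate(lambda a: a == "10.10.1.2"), client.attempts)
    print("worst case with every server down:", client.worst_case_wait_s(), "s")
```

In this model the first request pays one 5-second timeout on the dead server; the second request goes straight to the live one, which is the saving deadtime buys. The worst case, every server silent, is servers × retransmit × timeout: 30 s with two servers at the defaults, but 150 s with two servers at the 15-second timeout and 5 retransmits recommended elsewhere in this chapter, so raise those values with the 802.1X supplicant's own timers in mind.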

Examples

The following is sample output from the radius-server retransmit command:

Switch# configure terminal
Switch(config)# radius-server retransmit 5

Related Commands

radius-server host

radius-server key

11.18.4. radius-server timeout

Command Purpose

To set the interval for which a switch waits for a server host to reply, use the radius-server timeout command in Global Config mode. To restore the default, use the no form of this command.

Prerequisites

Platform   Software   License   Comments
AQ-N3000   7.0        Base
AQ-N5000   7.0        Base
AQ-N6000   7.0        Base

Command Syntax

radius-server timeout SECONDS

no radius-server timeout

Parameter  Parameter Description                                         Parameter Value
SECONDS    Number that specifies the timeout interval, in seconds. The   1-1000 seconds
           default is 5 seconds.

Command Mode

Global Config

Default

None

Usage

Use this command to set the number of seconds a switch waits for a server host to reply before timing out.

If the RADIUS server is only a few hops from the switch, we recommend that you configure the RADIUS server timeout to 15 seconds.

The default value of radius timeout is 5 seconds.

Examples

The following is sample output from the radius-server timeout command:

Switch# configure terminal
Switch(config)# radius-server timeout 15

Related Commands

radius-server host

radius-server key

11.18.5. radius-server key

Command Purpose

To set the shared encryption key of RADIUS server, use the radius-server key command in Global Config mode. To restore the default, use the no form of this command.

Prerequisites

Platform   Software   License   Comments
AQ-N3000   7.0        Base
AQ-N5000   7.0        Base
AQ-N6000   7.0        Base

Command Syntax

radius-server key KEY_STRING

no radius-server key

Parameter   Parameter Description     Parameter Value
KEY_STRING  RADIUS server key-string  -

Command Mode

Global Config

Default

None

Usage

Use this command to set the shared encryption key on the switch.

The shared encryption key is the foundation of all communication between the switch and the server. The same shared key string must be configured on the authentication server and on the switch.
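The reason the key must match on both sides is that a RADIUS server proves it holds the secret in every reply: the Response Authenticator field is MD5 over the reply header, the request's random Authenticator, the reply attributes and the shared secret (RFC 2865, section 3), and the client recomputes it before trusting an Access-Accept or Access-Reject. The following Python is an added illustration of that check, not code from the switch or from any RADIUS server; the user name, reply text and identifier are constructed, and the secret `simple-key` is the one from the example above.

```python
"""Why the shared secret must match on switch and server: the server proves
knowledge of it in every reply via the Response Authenticator (RFC 2865 §3).
Added illustration in Python; not code from the switch or from any RADIUS
server. The packet contents below are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length
HEADER_LEN = 20                 # 4-byte header + 16-byte Authenticator


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers Type and Length)."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_request(ident: int, attrs: bytes, request_auth: bytes) -> bytes:
    """Access-Request: the Authenticator is 16 random bytes chosen by the client."""
    length = HEADER_LEN + len(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, length) + request_auth + attrs


def response_authenticator(code: int, ident: int, length: int,
                           request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the server does: bind the reply to the request with its copy of the secret."""
    _, ident, _ = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    length = HEADER_LEN + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return HEADER.pack(code, ident, length) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the switch does: accept the reply only if it was computed with the
    same secret over the same request Authenticator. A mismatched key, a reply
    from a host without the key, or a modified attribute all fail this check
    and the reply is silently discarded."""
    if len(response) < HEADER_LEN or len(request) < HEADER_LEN:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, length, request[4:20],
                                      response[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    """Constructed exchange: User-Name 'alice' (type 1), Reply-Message (type 18)."""
    secret = b"simple-key"                                   # radius-server key simple-key
    request = build_request(7, attribute(1, b"alice"), os.urandom(16))
    reply = build_response(ACCESS_ACCEPT, request, attribute(18, b"welcome"), secret)
    return {
        "matching_key": verify_response(reply, request, secret),
        "wrong_key": verify_response(reply, request, b"other-key"),
        # flip the last byte of the Reply-Message value: length unchanged, digest not
        "tampered": verify_response(reply[:-1] + b"!", request, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Only the matching key verifies; a server configured with a different key, or any host that does not hold the key, produces replies the switch discards, which is the symptom to look for when authentication silently fails after a key change on one side. Because this binding rests entirely on the secret, it should be long, random and, where the server supports it, different for each client; the `key` option of radius-server host allows a per-server value.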

Examples

The following is sample output from the radius-server key command:

Switch# configure terminal
Switch(config)# radius-server key simple-key

Related Commands

radius-server host

11.18.6. show dot1x radius-server status

Command Purpose

Use the “show dot1x radius-server status” command to display the RADIUS server state of each IEEE 802.1X session.

Prerequisites

Platform   Software   License   Comments
AQ-N3000   7.0        Base
AQ-N5000   7.0        Base
AQ-N6000   7.0        Base

Command Syntax

show dot1x radius-server status ( interface IFNAME | )

Parameter  Parameter Description         Parameter Value
IFNAME     Specify an interface to show  Physical ports

Command Mode

Privileged EXEC

Default

None

Usage

Use this command to display the current RADIUS server and the dead RADIUS servers of each IEEE 802.1X session.

Examples

The following is sample output from the show dot1x radius-server status command:

Switch# show dot1x radius-server status 

=====================================
802.1X session on interface eth-0-9:
current radius server:
 retransmit count  : 3
 server address    : 3.3.3.3:1812
 socket descriptor : 15
 last state        : 
radius servers in dead list:
 N/A
=====================================

Related Commands

radius-server host

11.18.7. show radius-server

Command Purpose

Use the “show radius-server” command to display the RADIUS server state of each IEEE 802.1X session.

Prerequisites

Platform   Software   License   Comments
AQ-N3000   7.0        Base
AQ-N5000   7.0        Base
AQ-N6000   7.0        Base

Command Syntax

show radius-server

Command Mode

Privileged EXEC

Default

None

Usage

Use this command to display the current RADIUS server and the dead RADIUS servers of each IEEE 802.1X session.

Examples

The following is sample output from the show radius-server command:

Switch# show radius-server 

=====================================
802.1X session on interface eth-0-9:
current radius server:
 retransmit count  : 3
 server address    : 3.3.3.3:1812
 socket descriptor : 15
 last state        : 
radius servers in dead list:
 N/A
=====================================

Related Commands

radius-server host