RADIUS security servers are identified by host name or IP address,
host name and specific UDP port numbers, or IP address and specific UDP port
numbers. The combination of the IP address and UDP port number creates a unique
identifier, which enables RADIUS requests to be sent to multiple UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS
server are configured for the same service, such as authentication, the second
host entry configured acts as the fail-over backup to the first one. The RADIUS
host entries are tried in the order that they are configured.
Beginning in privileged EXEC mode, follow these steps to configure the
RADIUS server parameters on the switch.
Step 1 Enter global configuration mode.
Step 2 Configure the RADIUS server parameters on the switch with the
radius-server host {hostname | ip-address} auth-port port-number key string
command.
For hostname | ip-address, specify the host name or IP address of the remote
RADIUS server. For auth-port port-number, specify the UDP destination port for
authentication requests. The default is 1812. For key string, specify the
authentication and encryption key used between the switch and the RADIUS
server. The key is a text string that must match the encryption key used on the
RADIUS server.
NOTE:
Always configure the key as the last item in the
radius-server host command syntax because leading spaces
are ignored, but spaces within and at the end of the key are used. If spaces
are used in the key, do not enclose the key in quotation marks unless the
quotation marks are part of the key.
If multiple RADIUS servers are to be used, re-enter this command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration.
To delete the specified RADIUS server, use the no radius-server
host {hostname | ip-address} global configuration
command.
The example in Figure shows how to
specify the server with IP address 172.20.39.46 as the RADIUS server, to use
port 1612 as the authorization port, and to set the encryption key to rad123,
matching the key on the RADIUS server.
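The key-placement rules from the NOTE and the fail-over ordering described above can be checked against a saved configuration. The following Python audit is an added example, not Cisco code and not the IOS parser: it flags keys that would silently differ from the key on the RADIUS server and lists the servers in the order they would be tried. The function names, the host radius2.example.net and every sample line after the first are assumptions; treating all text after key as key material models the NOTE.

```python
import re

DEFAULT_AUTH_PORT = 1812  # default authentication port given in the text
# Only the options shown on the page (auth-port, key) are modelled.
HOST_RE = re.compile(r"^\s*radius-server host (\S+)(?: auth-port (\d+))?(?: key (.*))?$")

def parse_host_line(line):
    """Return (entry, warnings) for one 'radius-server host' line."""
    m = HOST_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None, ["not a radius-server host line in the modelled form"]
    host, port, raw_key = m.groups()
    warnings, key = [], None
    if raw_key is not None:
        key = raw_key.lstrip(" ")  # leading spaces are ignored
        if key != key.rstrip(" "):
            warnings.append("trailing space is part of the key")
        if re.search(r"(^| )auth-port \d+", key):
            warnings.append("key is not the last item; auth-port was read as key text")
        if len(key) >= 2 and key[0] == key[-1] == '"':
            warnings.append("quotation marks are part of the key")
    entry = {"host": host, "port": int(port) if port else DEFAULT_AUTH_PORT, "key": key}
    return entry, warnings

def audit(config_text):
    """Return (servers in fail-over order, {line_no: warnings})."""
    order, findings, seen = [], {}, set()
    for no, line in enumerate(config_text.splitlines(), 1):
        if not line.lstrip().startswith("radius-server host "):
            continue
        entry, warnings = parse_host_line(line)
        if entry:
            ident = (entry["host"], entry["port"])  # address + UDP port is the unique identifier
            if ident in seen:
                warnings.append("duplicate host/port identifier")
            seen.add(ident)
            order.append(ident)
        if warnings:
            findings[no] = warnings
    return order, findings

# Constructed sample configuration; the first line uses the values from the page's example.
SAMPLE = (
    "radius-server host 172.20.39.46 auth-port 1612 key rad123\n"
    "radius-server host 172.20.39.46 key rad123 \n"
    "radius-server host radius2.example.net key rad123 auth-port 1645\n"
    'radius-server host 172.20.39.47 auth-port 1812 key "rad 123"\n'
)
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Lines 2 to 4 of the sample are each flagged: a trailing space, a key that swallowed the auth-port option, and a quoted key.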
The timeout, retransmission, and
encryption key values for all RADIUS servers can be globally configured by
using the radius-server host global configuration command.
To configure these options on a per-server basis, use the
radius-server timeout, radius-server
retransmit, and the radius-server key global
configuration commands.
Some settings on the RADIUS server need to be
configured as well. These settings include the IP address of the switch and the
key string to be shared by both the server and the switch.