RADIUS Server Configuration
AAA for subscriber management is often supplied by a RADIUS server, although there are cases where other forms of AAA, including local methods independent of network availability, are appropriate.
RADIUS server configuration is a dependent step in subscriber management configuration: if you configure an optional RADIUS profile for AAA, then you must also configure a RADIUS server to go along with it.
The way that the RADIUS server configuration relates to all subscriber management configuration tasks is shown in the picture below.
Configuring the RADIUS Server
```
supervisor@switch: cfg> show config access radius-server
  <server-name>          Name of the RADIUS server
supervisor@switch: cfg> show config access radius-server radius-server-1
  <cr>
  accounting             RADIUS accounting mode
  address                RADIUS server address
  authentication         RADIUS authentication mode
  coa                    RADIUS Change-of-Authorization (CoA) mode
  rate                   Maximum RADIUS requests per/second
  routing-instance       Instance name
  secret-encrypted-text  RADIUS secret in encrypted text
  secret-plain-text      RADIUS secret in plain text
  source-address         Source address used for RADIUS packets
```
The following example shows a typical …
```
supervisor@switch: cfg> show config access radius-server radius-server-1
{
  "rtbrick-config:radius-server": {
    "server-name": "radius-server-1",
    "address": "198.51.100.101",
    "source-address": "198.51.100.200",
    "secret-encrypted-text": "$21e4946e31b406de98b3077aef03ed5a7",
    "authentication": {
      "enable": "true"
    },
    "accounting": {
      "enable": "true"
    },
    "coa": {
      "enable": "true"
    }
  }
}
```
Attribute | Description |
---|---|
address | RADIUS server IPv4 address. Multiple RADIUS servers with the same IPv4 address are currently not supported, even if the instance or port is different. |
source-address | Local source IPv4 address. |
routing-instance | The routing instance in which the RADIUS server is reachable. |
secret-encrypted-text, secret-plain-text | RADIUS secret, which can be provided as plaintext or as already encrypted text. |
rate | Maximum RADIUS requests per second. Default: 600. Range: 1 - 65535. |
Configuring Authentication
```
supervisor@switch: cfg> set access radius-server radius-server-1 authentication
  <cr>
  enable       Enable RADIUS authentication
  outstanding  Maximum number of outstanding authentication requests
  port         RADIUS server authentication port
  retry        Maximum retries for authentication request packets
  timeout      Authentication request timeout in seconds
```
Attribute | Description |
---|---|
enable | Enable RADIUS authentication. Default: false. |
port | RADIUS authentication port. Default: 1812. Range: 1 - 65535. |
retry | The number of authentication retries before this server is declared unreachable for authentication. After reaching the limit, the client begins to send requests to other RADIUS servers and rejects the request after reaching the end of the list. Default: 3. |
timeout | Authentication request timeout in seconds. Default: 5. Range: 1 - 65535. |
outstanding | The maximum number of outstanding authentication requests for this RADIUS server. A request counts as outstanding if it has been sent but no response has been received. Default: 100. Range: 1 - 65535. |
Configuring Accounting
```
supervisor@switch: cfg> set access radius-server radius-server-1 accounting
  <cr>
  enable       Enable RADIUS accounting
  outstanding  Maximum number of outstanding accounting requests
  port         RADIUS server accounting port
  retry        Maximum retries for accounting request packets
  timeout      Accounting request timeout in seconds
```
Attribute | Description |
---|---|
enable | Enable RADIUS accounting. Default: false. |
port | RADIUS accounting port. Default: 1813. Range: 1 - 65535. |
retry | The number of accounting retries before this server is declared unreachable for accounting. After reaching the limit, the client begins to send requests to other RADIUS servers. Default: 10. |
timeout | Accounting request timeout in seconds. Default: 30. Range: 1 - 65535. |
outstanding | The maximum number of outstanding accounting requests for this RADIUS server. A request counts as outstanding if it has been sent but no response has been received. Default: 100. Range: 1 - 65535. |
Configuring Change-of-Authorization (CoA)
```
supervisor@switch: cfg> set access radius-server radius-server-1 coa
  <cr>
  enable  Enable Change-of-Authorization (CoA)
  port    Local RADIUS CoA port
```
Attribute | Description |
---|---|
enable | Enable receiving RADIUS CoA requests from this server. Default: false. |
port | RADIUS CoA port. Default: 3799. Range: 1 - 65535. |
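
The constraints in the tables above can be checked before a configuration is applied. The following is an added example, not part of the original documentation or of RtBrick's tooling: the `audit` function, the finding texts and the second sample server are assumptions made for illustration, and the input is taken to be JSON in the shape shown by `show config access radius-server`.

```python
import ipaddress

SECTIONS = ("authentication", "accounting", "coa")
RANGED = ("port", "timeout", "outstanding")  # each documented as 1 - 65535

def audit(servers):
    """Return (server-name, finding) pairs for radius-server config objects."""
    findings, seen = [], {}
    for s in servers:
        s = s.get("rtbrick-config:radius-server", s)  # accept the wrapped form
        name = s.get("server-name", "<unnamed>")
        def add(msg, name=name):
            findings.append((name, msg))
        try:
            addr = ipaddress.IPv4Address(s.get("address", ""))
        except ipaddress.AddressValueError:
            add("address is not a valid IPv4 address")
        else:
            if addr in seen:  # same IPv4 on two servers is not supported
                add(f"address {addr} duplicates {seen[addr]}")
            seen.setdefault(addr, name)
        if "secret-plain-text" in s:
            add("secret-plain-text set: shared secret appears in cleartext")
        if "rate" in s and not 1 <= int(s["rate"]) <= 65535:
            add("rate outside 1 - 65535")
        for sec in SECTIONS:
            for key in RANGED:
                val = s.get(sec, {}).get(key)
                if val is not None and not 1 <= int(val) <= 65535:
                    add(f"{sec}.{key}={val} outside 1 - 65535")
        coa = s.get("coa", {})
        if coa.get("enable") == "true":  # informational: review who may send CoA
            add(f"coa enabled on local port {coa.get('port', 3799)}")
    return findings

# Constructed sample: the page's example server plus a deliberately bad second one.
SAMPLE = [
    {"rtbrick-config:radius-server": {
        "server-name": "radius-server-1", "address": "198.51.100.101",
        "source-address": "198.51.100.200",
        "secret-encrypted-text": "$2<constructed-placeholder>",
        "authentication": {"enable": "true"}, "accounting": {"enable": "true"},
        "coa": {"enable": "true"}}},
    {"server-name": "radius-server-2", "address": "198.51.100.101",
     "secret-plain-text": "constructed-secret",
     "authentication": {"enable": "true", "port": "70000"}},
]

if __name__ == "__main__":
    for name, msg in audit(SAMPLE):
        print(f"{name}: {msg}")
```

The CoA finding is informational rather than an error: it lists each server from which the switch will accept Change-of-Authorization requests, so that list can be reviewed.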