RADIUS Server Configuration

AAA for subscriber management is often provided by a RADIUS server, although in some cases other forms of AAA, including local methods that do not depend on network availability, are appropriate.

RADIUS server configuration is a dependent step in subscriber management configuration: if you configure an optional RADIUS profile for AAA, you must also configure a RADIUS server to go along with it.

The figure below shows how RADIUS server configuration relates to all subscriber management configuration tasks.

Figure 1. RADIUS Server Configuration

Configuring the RADIUS Server

supervisor@switch: cfg> set config access radius-server
  <server-name>         Name of the RADIUS server

supervisor@switch: cfg> set config access radius-server radius-server-1
  <cr>
  accounting             RADIUS accounting mode
  address                RADIUS server address
  authentication         RADIUS authentication mode
  coa                    RADIUS Change-of-Authorization (CoA) mode
  rate                   Maximum RADIUS requests per/second
  routing-instance       Instance name
  secret-encrypted-text  RADIUS secret in encrypted text
  secret-plain-text      RADIUS secret in plain text
  source-address         Source address used for RADIUS packets

The following example shows a typical …​

supervisor@switch: cfg> show config access radius-server radius-server-1
{
  "rtbrick-config:radius-server": {
    "server-name": "radius-server-1",
    "address": "198.51.100.101",
    "source-address": "198.51.100.200",
    "secret-encrypted-text": "$21e4946e31b406de98b3077aef03ed5a7",
    "authentication": {
      "enable": "true"
    },
    "accounting": {
      "enable": "true"
    },
    "coa": {
      "enable": "true"
    }
  }
}
Attribute Description

address

RADIUS server IPv4 address.

Multiple RADIUS servers with the same IPv4 address are currently not supported, even if the instance or port is different.

source-address

Local source IPv4 address.

routing-instance

The routing instance in which the RADIUS server is reachable.

secret-encrypted-text

secret-plain-text

RADIUS secret, which can be provided as plaintext or already encrypted text.

rate

Maximum RADIUS requests per second.

Default: 600 Range: 1 - 65535

Configuring Authentication

supervisor@switch: cfg> set access radius-server radius-server-1 authentication
  <cr>
  enable                Enable RADIUS authentication
  outstanding           Maximum number of outstanding authentication requests
  port                  RADIUS server authentication port
  retry                 Maximum retries for authentication request packets
  timeout               Authentication request timeout in seconds
Attribute Description

enable

Enable RADIUS authentication.

Default: false

port

RADIUS authentication port.

Default: 1812 Range: 1 - 65535

retry

This option specifies the number of authentication retries before this server is declared unreachable for authentication. After reaching the limit, the client begins to send requests to other RADIUS servers and rejects the request after reaching the end of the list.

Default: 3 Range: 1 - 255

timeout

Authentication request timeout in seconds.

Default: 5 Range: 1 - 65535

outstanding

This option specifies the maximum number of outstanding authentication requests for this RADIUS server. A request is counted as outstanding if it has been sent but no response has been received.

Default: 100 Range: 1 - 65535

Configuring Accounting

supervisor@switch: cfg> set access radius-server radius-server-1 accounting
  <cr>
  enable                Enable RADIUS accounting
  outstanding           Maximum number of outstanding accounting requests
  port                  RADIUS server accounting port
  retry                 Maximum retries for accounting request packets
  timeout               Accounting request timeout in seconds
Attribute Description

enable

Enable RADIUS accounting.

Default: false

port

RADIUS accounting port.

Default: 1813 Range: 1 - 65535

retry

This option specifies the number of accounting retries before this server is declared unreachable for accounting. After reaching the limit, the client begins to send requests to other RADIUS servers.

Default: 10 Range: 1 - 255

timeout

Accounting request timeout in seconds.

Default: 30 Range: 1 - 65535

outstanding

This option specifies the maximum number of outstanding accounting requests for this RADIUS server. A request is counted as outstanding if it has been sent but no response has been received.

Default: 100 Range: 1 - 65535

Configuring Change-of-Authorization (CoA)

supervisor@switch: cfg> set access radius-server radius-server-1 coa
  <cr>
  enable                Enable Change-of-Authorization (CoA)
  port                  Local RADIUS CoA port
Attribute Description

enable

Enable receiving of RADIUS CoA requests from this server.

Default: false

port

RADIUS CoA port.

Default: 3799 Range: 1 - 65535
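
An added example, not part of the RtBrick documentation: a small Python audit of radius-server objects in the JSON shape shown by the show config output above, checking the documented ranges, the duplicate-address restriction, plain-text secrets, and enabled CoA. It assumes the nested keys (port, retry, timeout, outstanding, rate) are named like the CLI options and that the servers are supplied as a list; the sample input is constructed.

```python
# Added example. Assumption: nested JSON keys are named like the CLI options on this page.
RANGES = {(None, "rate"): (1, 65535), ("coa", "port"): (1, 65535)}
for _sec in ("authentication", "accounting"):
    RANGES.update({(_sec, "port"): (1, 65535), (_sec, "retry"): (1, 255),
                   (_sec, "timeout"): (1, 65535), (_sec, "outstanding"): (1, 65535)})

def _in_range(value, lo, hi):
    try:
        return lo <= int(value) <= hi
    except (TypeError, ValueError):
        return False

def audit(servers):
    """Return (server-name, finding) tuples for a list of radius-server objects."""
    findings, seen = [], {}
    for wrapper in servers:
        srv = wrapper["rtbrick-config:radius-server"]
        name, addr = srv.get("server-name", "?"), srv.get("address")
        # Two servers with the same IPv4 address are documented as unsupported.
        if addr and addr in seen:
            findings.append((name, f"address {addr} already used by {seen[addr]}"))
        seen.setdefault(addr, name)
        if "secret-plain-text" in srv:
            findings.append((name, "secret supplied as secret-plain-text"))
        elif "secret-encrypted-text" not in srv:
            findings.append((name, "no RADIUS secret configured"))
        for (section, key), (lo, hi) in RANGES.items():
            scope = srv if section is None else srv.get(section, {})
            if key in scope and not _in_range(scope[key], lo, hi):
                findings.append((name, f"{section or 'server'} {key}={scope[key]} outside {lo}-{hi}"))
        # CoA makes the device accept requests from this server; list it for review.
        coa = srv.get("coa", {})
        if str(coa.get("enable", "false")).lower() == "true":
            findings.append((name, f"coa enabled: accepts CoA from {addr} on port {coa.get('port', 3799)}"))
    return findings

# Constructed sample input (placeholder secrets), not taken from a real device.
SAMPLE = [
    {"rtbrick-config:radius-server": {
        "server-name": "radius-server-1", "address": "198.51.100.101",
        "secret-encrypted-text": "<encrypted-placeholder>", "coa": {"enable": "true"}}},
    {"rtbrick-config:radius-server": {
        "server-name": "radius-server-2", "address": "198.51.100.101",
        "secret-plain-text": "<placeholder>", "authentication": {"retry": 300}}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The CoA finding is informational: it lists every server from which the device will accept Change-of-Authorization requests so that the list can be compared with the servers that actually need it.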