Configuring RADIUS Servers
The RADIUS Servers table lets you configure up to three RADIUS servers. You can use RADIUS servers for RADIUS-based management-user login authentication and/or RADIUS-based accounting (sending of SIP CDRs to the RADIUS server).
When multiple RADIUS servers are configured, RADIUS server redundancy can be implemented. When the primary RADIUS server is offline, the device sends a RADIUS request twice (one retransmission) by default. If both requests fail (i.e., no response), the device considers the server as offline and attempts to send requests to the next server. The device continues sending RADIUS requests to the redundant RADIUS server even if the primary server returns to service later on. However, if a device restart occurs, the device sends RADIUS requests to the primary RADIUS server. By default, the device waits for up to two seconds (i.e., timeout) for a response from the RADIUS server for RADIUS requests and retransmission before it considers the server as offline.
You can configure the number of retransmission attempts with the RADIUS server before the device considers it as offline. For more information, see Configuring RADIUS Packet Retransmission.
For each RADIUS server, an IP address, IP Interface, port, and shared secret can be configured. Each RADIUS server can be defined for RADIUS-based login authentication and/or RADIUS-based accounting. By setting the relevant port (authentication or accounting) to "0" disables the corresponding functionality. If both ports are configured, the RADIUS server is used for authentication and accounting. All servers configured with non-zero Authorization ports form an Authorization redundancy group and the device sends authorization requests to one of them, depending on their availability. All servers configured with non-zero Accounting ports form an Accounting redundancy group and the device sends accounting CDRs to one of them, depending on their availability. Below are example configurations:
■ | Only one RADIUS server is configured and used for authorization and accounting purposes (no redundancy). Therefore, both the Authorization and Accounting ports are defined. |
■ | Three RADIUS servers are configured: |
● | Two servers are used for authorization purposes only, providing redundancy. Therefore, only the Authorization ports are defined, while the Accounting ports are set to 0. |
● | One server is used for accounting purposes only (i.e., no redundancy). Therefore, only the Accounting port is defined, while the Authorization port is set to 0. |
■ | Two RADIUS servers are configured and used for authorization and accounting purposes, providing redundancy. Therefore, both the Authorization and Accounting ports are defined. |
The status of the RADIUS severs can be viewed through CLI:
# show system radius servers status
The example below shows the status of two RADIUS servers in redundancy mode for authorization and accounting:
servers 0
ip-address 10.4.4.203
auth-port 1812
auth-ha-state "ACTIVE"
acc-port 1813
acc-ha-state "ACTIVE"
servers 1
ip-address 10.4.4.202
auth-port 1812
auth-ha-state "STANDBY"
acc-port 1813
acc-ha-state "STANDBY"
Where auth-ha-state and acc-ha-state display the authentication and accounting redundancy status respectively. "ACTIVE" means that the server was used for the last sent authentication or accounting request; "STANDBY" means that the server was not used in the last sent request.
● | To configure RADIUS-based accounting, see Configuring RADIUS Accounting. |
● | The device can send up to 201 concurrent RADIUS requests per RADIUS service type (Accounting or Authentication), per RADIUS server (up to three servers per service type), and per local port (up to |
The following procedure describes how to configure a RADIUS server through the Web interface. You can also configure it through ini file [RadiusServers] or CLI (configure system > radius servers).
➢ | To configure a RADIUS server: |
1. | Open the RADIUS Servers table (Setup menu > IP Network tab > AAA Servers folder > RADIUS Servers). |
2. | Click New; the following dialog box appears: |
3. | Configure a RADIUS server according to the parameters described in the table below. |
4. | Click Apply. |
RADIUS Servers Table Parameter Descriptions
Parameter |
Description |
---|---|
'Index' [Index] |
Defines an index number for the new table row. Note: Each row must be configured with a unique index. |
'IP Address' ip-address [IPAddress] |
Defines the IP address (IPv4 or IPv6) of the RADIUS server. By default, no value is defined (i.e., 0.0.0.0). Note: The IP address version (IPv4 or IPv6) of the RADIUS server's address and the assigned IP Interface (see 'Interface Name' parameter) must be the same. |
'Authentication Port' auth-port [AuthenticationPort] |
Defines the port of the RADIUS Authentication server for authenticating the device with the RADIUS server. When set to any value other than 0, the RADIUS server is used by the device for RADIUS-based management-user login authentication. When set to 0, RADIUS-based login authentication is not implemented. The valid value is 0 to any integer. The default is 1645. |
'Accounting Port' acc-port [AccountingPort] |
Defines the port of the RADIUS Accounting server to where the device sends accounting data of SIP calls as call detail records (CDR). When set to any value other than 0, the RADIUS server is used by the device for RADIUS-based accounting (CDR). When set to 0, RADIUS-based accounting is not implemented. The valid value is 0 to any integer. The default is 1646. |
'Shared Secret' shared-secret [SharedSecret] |
Defines the shared secret (password) for authenticating the device with the RADIUS server. This should be a cryptically strong password. The shared secret is also used by the RADIUS server to verify the authentication of the RADIUS messages sent by the device (i.e., message integrity). The valid value is up to 48 characters. By default, no value is defined. Note: The password cannot be configured with wide characters. |
'Interface Name' network-interface [InterfaceName] |
Assigns an IP Interface from the IP Interfaces table (see Configuring IP Network Interfaces) for RADIUS communication. By default, no value is defined. Note: The IP address version (IPv4 or IPv6) of the IP Interface and the RADIUS server's address (see 'IP Address' parameter above) must be the same. |