Configuring Timeout, Retransmission, and Key Values per RADIUS Server

The Configuring Timeout, Retransmission, and Key Values per RADIUS Server feature extends the functionality of the existing radius-server host command.

This document contains the following sections:

Feature Overview
Supported Platforms
Supported Standards, MIBs, and RFCs
Prerequisites
Configuration Tasks
Configuration Examples
Command Reference

Feature Overview

The radius-server host command has been extended to accept timeout, retransmission, and encryption key values, which lets you apply any or all of these settings to individual RADIUS servers on a per-server basis. In previous Cisco IOS releases, you could only apply timeout, retransmission, and encryption key values globally to all RADIUS servers in the router configuration, using three separate global commands: radius-server timeout, radius-server retransmit, and radius-server key.

Note: You can configure both global and per-server timeout, retransmission, and key value commands simultaneously on the same Cisco network access server. If both global and per-server values are configured on a router, the per-server timeout, retransmission, and key values override the global ones.

Benefits

Greater Flexibility

Offering per-server timeout, retransmit, and key values gives the system administrator greater flexibility when configuring RADIUS servers.

Improved Network Security

Unique key values help improve network security by allowing a different key for each server.

Improved Server Access

Per-server timeout and retransmit settings can help improve server access on busy networks where overall response times may vary widely from network to network.

Related Features and Technologies

RADIUS
AAA Security Services

Related Documents

Cisco IOS Release 12.0 Security Configuration Guide
Cisco IOS Release 12.0 Security Command Reference

Supported Platforms

Cisco AS5200
Cisco AS5300
Cisco AS5800
Cisco 7200 series

Supported Standards, MIBs, and RFCs

Standards: None
MIBs: None. For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs: None

Prerequisites

Enable authentication, authorization, and accounting (AAA) security services with the aaa new-model command and configure AAA security services on the router or access server to support the RADIUS security protocol. Refer to the Cisco IOS Release 12.0 Security Configuration Guide for details on how to configure AAA services.

If you have at least one RADIUS server that does not have a per-server key, use the radius-server key command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. Refer to the Cisco IOS Release 12.0 Security Configuration Guide and Cisco IOS Release 12.0 Security Command Reference for details on how to configure the radius-server key command.

Configuration Tasks

See the following sections for configuration tasks for the Configuring Timeout, Retransmission, and Key Values per RADIUS Server feature. Each task in the list indicates whether the task is optional or required.

Configuring Global Timeout, Retransmission, and Key Values
Configuring Per-Server Timeout, Retransmission, and Key Values

Configuring Global Timeout, Retransmission, and Key Values

Step 1 (Required)
    Router(config)# aaa new-model
Enables the AAA access control model. Enables AAA security services (authentication, authorization, and accounting) on the router or access server to support the RADIUS security protocol. (Refer to the Cisco IOS Release 12.0 Security Configuration Guide for details on how to configure AAA services.)

Step 2 (Optional)
    Router(config)# radius-server timeout seconds
Sets the interval a router waits for a server host to reply, for all RADIUS servers. The default value is 5 seconds.

Step 3 (Optional)
    Router(config)# radius-server retransmit retries
Specifies the number of times a RADIUS request is resent to a server if that server is not responding or is responding slowly. The default is 3 retries.

Step 4 (Optional)
    Router(config)# radius-server key {string}
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. The radius-server key command has no default value; however, the key must match the encryption key used on the RADIUS server. This command is optional if you configure per-server keys for all RADIUS servers. If you have at least one RADIUS server that does not have a per-server key, you should set this value.

Verifying Global Timeout, Retransmission, and Key Values

To verify global timeout, retransmission, and key values, use the privileged EXEC show running-config command.

Configuring Per-Server Timeout, Retransmission, and Key Values

Step 1 (Required)
    Router(config)# aaa new-model
Enables the AAA access control model. Enables AAA security services (authentication, authorization, and accounting) on the router or access server to support the RADIUS security protocol. (Refer to the Cisco IOS Release 12.0 Security Configuration Guide for details on how to configure AAA services.)

Step 2 (Optional)
    Router(config)# radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Specifies a RADIUS server host and configures timeout, retransmit, and encryption key values on a per-server basis.

Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Verifying Per-Server Timeout, Retransmission, and Key Values

To verify per-server timeout, retransmission, and key values, use the privileged EXEC show running-config command.

Configuration Examples

This section provides the following configuration examples:

RADIUS Server with Server-Specific Values
Multiple RADIUS Servers with Global and Server-Specific Values

RADIUS Server with Server-Specific Values

The following example configures server-specific timeout, retransmit, and key values for the RADIUS server with IP address 172.31.39.46:

    router(config)# radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123

Multiple RADIUS Servers with Global and Server-Specific Values

The following configuration example configures two RADIUS servers with specific timeout, retransmit, and key values. In this example, the aaa new-model command enables AAA services on the router, while specific AAA commands define the AAA services. The radius-server retransmit command changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46.

    ! Enable AAA services on the router and define those services.
    router(config)# aaa new-model
    router(config)# aaa authentication login default radius
    router(config)# aaa authentication login console-login none
    router(config)# aaa authentication ppp default radius
    router(config)# aaa authorization network default radius
    router(config)# aaa accounting exec default start-stop radius
    router(config)# aaa accounting network default start-stop radius
    router(config)# enable password tryit1
    !
    ! Change the global retransmission value for all RADIUS servers.
    router(config)# radius-server retransmit 4
    !
    ! Configure per-server specific timeout, retransmission, and key values.
    ! Change the default auth-port and acct-port values.
    router(config)# radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey
    !
    ! Configure per-server specific timeout and key values. This server uses the global
    ! retransmission value.
    router(config)# radius-server host 172.29.39.46 timeout 6 key rad123

Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications. In this feature, the radius-server host command has been modified to add support for configuring timeout, retransmission, and key values per RADIUS server.

radius-server host

To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.

    radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
    no radius-server host {hostname | ip-address}

Syntax Description

hostname
    DNS name of the RADIUS server host.
ip-address
    IP address of the RADIUS server host.
auth-port
    (Optional) Specifies the UDP destination port for authentication requests.
port-number
    (Optional) Port number for authentication requests; the host is not used for authentication if set to 0. The default authorization port number is 1645.
acct-port
    (Optional) Specifies the UDP destination port for accounting requests.
port-number
    (Optional) Port number for accounting requests; the host is not used for accounting if set to 0. The default accounting port number is 1646.
timeout
    (Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.
seconds
    (Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.
retransmit
    (Optional) The number of times a RADIUS request is re-sent to a server if that server is not responding or is responding slowly. This setting overrides the global setting of the radius-server retransmit command.
retries
    (Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.
key
    (Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
string
    (Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Defaults

No RADIUS host is specified; the global radius-server command values are used.

Command Modes

Global configuration

Command History

Cisco IOS Release 11.3
    This command was introduced.
Cisco IOS Release 11.3(8)AA
    This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server for the following platforms: Cisco AS5200, Cisco AS5300, Cisco AS5800, and Cisco 7200.
Cisco IOS Release 12.0(5)T
    This command was folded into the Cisco IOS Release 12.0(5)T image.

Usage Guidelines

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them. If no host-specific timeout, retransmit, or key values are specified, the global values apply to that host.

Examples

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:

    router(config)# radius-server host host1

The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:

    router(config)# radius-server host host1 auth-port 1612 acct-port 1616

Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets rad123 as the encryption key, matching the key on the RADIUS server:

    router(config)# radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:

    router(config)# radius-server host host1.domain.com auth-port 0
    router(config)# radius-server host host2.domain.com acct-port 0
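The rules spread across this document (per-server values override the global ones, auth-port 0 or acct-port 0 removes a host from that role, the key must be the last option and keeps inner and trailing spaces, and a host without a per-server key needs a global radius-server key) are easy to misread in a long show running-config. The following Python script, added here as an example and not Cisco's code, parses the radius-server lines of a constructed running-config modelled on this document's examples, reports each host's effective timeout, retransmit count, key, and roles, and flags hosts with no usable key or a key ending in a space. The worst-case wait figure assumes one initial send plus `retransmit` resends, each waiting `timeout` seconds; that is derived from the definitions on this page, not stated by it, and the sample configuration is constructed.

```python
# Audit radius-server settings in a Cisco IOS running-config. Example written for this page (not
# Cisco's code); it models only the global radius-server timeout/retransmit/key commands and the per-server options of radius-server host.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class GlobalSettings:
    timeout: int = 5        # default of radius-server timeout stated on this page
    retransmit: int = 3     # default of radius-server retransmit stated on this page
    key: Optional[str] = None

@dataclass
class RadiusHost:
    name: str
    auth_port: int = 1645            # 0 means the host is not used for authentication
    acct_port: int = 1646            # 0 means the host is not used for accounting
    timeout: Optional[int] = None    # None means "use the global value"
    retransmit: Optional[int] = None
    key: Optional[str] = None

_HOST_RE = re.compile(r"^radius-server host (\S+)(.*)$")
_KEY_RE = re.compile(r"(?:^|\s)key (.*)$")  # key is the last option; all text after "key " is the secret
_RANGES = {"auth-port": (0, 65535), "acct-port": (0, 65535), "timeout": (1, 1000), "retransmit": (1, 100)}

def parse_host_line(line: str) -> RadiusHost:
    """Parse one `radius-server host ...` line; pass it unstripped so a trailing space survives."""
    m = _HOST_RE.match(line)
    if m is None: raise ValueError(f"not a radius-server host line: {line!r}")
    host, rest = RadiusHost(name=m.group(1)), m.group(2)
    km = _KEY_RE.search(rest)
    if km is not None:
        host.key = km.group(1).lstrip(" ")  # leading spaces ignored; inner and trailing spaces kept
        rest = rest[: km.start()]
    tokens = rest.split()
    if len(tokens) % 2:
        raise ValueError(f"option {tokens[-1]!r} has no value on host {host.name}")
    for kw, val in zip(tokens[0::2], tokens[1::2]):
        n, (low, high) = int(val), _RANGES[kw]  # KeyError for an option this example does not model
        if not low <= n <= high:
            raise ValueError(f"{kw} {n} on host {host.name} is outside {low}-{high}")
        setattr(host, kw.replace("-", "_"), n)
    return host

def parse_config(lines: list) -> tuple:
    g, hosts = GlobalSettings(), []
    for raw in lines:
        line = raw.rstrip("\r\n")  # strip only line endings: other trailing spaces may belong to a key
        if line.startswith("radius-server host "):
            hosts.append(parse_host_line(line))
        elif line.startswith("radius-server timeout "):
            g.timeout = int(line.split()[2])
        elif line.startswith("radius-server retransmit "):
            g.retransmit = int(line.split()[2])
        elif line.startswith("radius-server key "):
            g.key = line[len("radius-server key "):].lstrip(" ")
    return g, hosts

def resolve(host: RadiusHost, g: GlobalSettings) -> RadiusHost:
    """Override rule from this document: a per-server value wins, otherwise the global value applies."""
    return RadiusHost(host.name, host.auth_port, host.acct_port,
                      g.timeout if host.timeout is None else host.timeout,
                      g.retransmit if host.retransmit is None else host.retransmit,
                      g.key if host.key is None else host.key)

def worst_case_wait(e: RadiusHost) -> int:
    # Assumption derived from the definitions on this page (not stated by it): one initial send
    # plus `retransmit` resends, each waiting `timeout` seconds, before the router gives up on the host.
    return e.timeout * (e.retransmit + 1)

def worst_case_auth_wait(lines: list) -> int:
    """Seconds until every host used for authentication has been tried, in configured order."""
    g, hosts = parse_config(lines)
    return sum(worst_case_wait(resolve(h, g)) for h in hosts if h.auth_port != 0)

def audit(lines: list) -> list:
    """Findings a reviewer of `show running-config` output would want flagged."""
    g, hosts = parse_config(lines)
    findings = []
    if not any(l.rstrip("\r\n") == "aaa new-model" for l in lines):
        findings.append("aaa new-model is missing: AAA must be enabled before RADIUS can be used")
    for h in hosts:
        e = resolve(h, g)
        if e.key is None:
            findings.append(f"{h.name}: no per-server key and no global radius-server key")
        elif e.key != e.key.rstrip(" "):
            findings.append(f"{h.name}: key ends in a space (IOS keeps it); confirm the server key matches")
    return findings

# Constructed sample running-config, modelled on the examples in this document.
SAMPLE_CONFIG = [
    "aaa new-model",
    "radius-server retransmit 4",
    "radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey",
    "radius-server host 172.29.39.46 timeout 6 key rad123",
    "radius-server host host1.domain.com auth-port 0",
    "radius-server host host2.domain.com acct-port 0 key my secret" + " ",  # trailing space belongs to the key
]
```

Run `audit(SAMPLE_CONFIG)` against the sample: host1.domain.com is reported because it has neither a per-server key nor a global radius-server key, and host2.domain.com is reported because its key ends in a space. `resolve()` shows 172.29.39.46 inheriting the global retransmit value of 4 while keeping its own timeout of 6, which is exactly what the two-server configuration example above intends; `worst_case_auth_wait()` adds up the per-host waits of the hosts still used for authentication, in the order they are configured.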

Related Commands

aaa new-model
    Enables the AAA access control model.
radius-server key
    Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server retransmit
    Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.
radius-server timeout
    Sets the interval a router waits for a server host to reply.