Configuring Timeout, Retransmission, and Key Values Per RADIUS Server



Cisco IOS Release 11.3(8) AA

Feature Summary

The radius-server host command has been extended to accept timeout, retransmission, and encryption key values on a per-server basis. Previously, timeout, retransmission, and encryption key values applied globally to all RADIUS servers in the router configuration through three global commands: radius-server timeout, radius-server retransmit, and radius-server key.

Benefits

Per-server key, timeout, and retransmit settings give the system administrator greater flexibility when configuring RADIUS servers. Unique key values help improve network security by requiring different keys for different servers. Per-server timeout and retransmit settings can improve server access on busy networks where overall response times vary widely from network to network.

Platforms

This feature is supported on the following platforms:

Cisco AS5200
Cisco AS5300
Cisco AS5800
Cisco 7200 series

Prerequisites

Enable AAA authentication with the aaa new-model command and configure AAA security services on the router or access server to support the RADIUS security protocol. Refer to the Security Configuration Guide for details on how to configure AAA services for RADIUS servers.

If at least one RADIUS server does not have a per-server key, use the radius-server key command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS server.

Supported MIBs and RFCs

No MIBs or RFCs are supported by this feature.

Configuration Tasks

Table 1 describes the tasks for configuring timeout, retransmission, and key values for a specific RADIUS server. Enter these commands in global configuration mode.

Table 1  Configuring Timeout, Retransmission, and Key Values per RADIUS Server

Command: aaa new-model
Description: Use this command to enable the AAA access control model. Configure AAA security services (authentication, authorization, and accounting) on the router or access server to support the RADIUS security protocol. Refer to the Security Configuration Guide for details on how to configure AAA services.

Command: radius-server timeout seconds
Description: (Optional) Use this command to set the interval a router waits for a server host to reply, for all RADIUS servers. The default value is 5 seconds.

Command: radius-server retransmit retries
Description: (Optional) Use this command to specify the number of times a RADIUS request is resent to a server if that server is not responding or is responding slowly. The default is 3 retries.

Command: radius-server key {string}
Description: (Optional) Use this command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. The radius-server key has no default value; however, the key must match the encryption key used on the RADIUS server. This command is optional if you configure per-server keys for all RADIUS servers. If at least one RADIUS server does not have a per-server key, you should set this value.

Command: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Description: (Optional) Use this command to specify a RADIUS server host and to configure timeout, retransmit, and encryption key values on a per-server basis.

Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Configuration Examples

The following example configures server-specific timeout, retransmit, and key values for the RADIUS server with IP address 172.31.39.46:

    radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123

The following configuration example configures two RADIUS servers with specific timeout, retransmit, and key values. In this example, the aaa new-model command enables AAA services on the router, while specific authentication, authorization, and accounting commands define the AAA services. The radius-server retransmit command changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46.

    ! Enable AAA services on the router and define those services.
    aaa new-model
    aaa authentication login default radius
    aaa authentication login console-login none
    aaa authentication ppp default radius
    aaa authorization network default radius
    aaa accounting exec default start-stop radius
    aaa accounting network default start-stop radius
    enable password tryit1
    !
    ! Change the global retransmission value for all RADIUS servers.
    radius-server retransmit 4
    !
    ! Configure per-server specific timeout, retransmission, and key values.
    ! Change the default auth-port and acct-port values.
    radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey
    !
    ! Configure per-server specific timeout and key values. This server uses the global
    ! retransmission value.
    radius-server host 172.29.39.46 timeout 6 key rad123

Command Reference

The radius-server host command has been modified to add support for configuring timeout, retransmission, and key values per RADIUS server.

radius-server host

To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.

    radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
    no radius-server host {hostname | ip-address}

Syntax Description

hostname
    DNS name of the RADIUS server host.

ip-address
    IP address of the RADIUS server host.

auth-port
    (Optional) Specifies the UDP destination port for authentication requests.

port-number
    (Optional) Port number for authentication requests; the host is not used for authentication if set to 0. The default authorization port number is 1645.

acct-port
    (Optional) Specifies the UDP destination port for accounting requests.

port-number
    (Optional) Port number for accounting requests; the host is not used for accounting if set to 0. The default accounting port number is 1646.

timeout
    (Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.

seconds
    (Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.

retransmit
    (Optional) The number of times a RADIUS request is resent to a server if that server is not responding or is responding slowly. This setting overrides the global setting of the radius-server retransmit command.

retries
    (Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.

key
    (Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

string
    (Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Default

No RADIUS host is specified; use global radius-server command values.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3. Options for configuring timeout, retransmission, and key values per RADIUS server were added in release 11.3(8) AA.

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them. If no host-specific timeout, retransmit, or key values are specified, the global values apply to that host.

For a list of supported vendor-specific RADIUS attributes, refer to the RADIUS Attributes appendix in the Security Configuration Guide.

Examples

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:

    radius-server host host1

The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:

    radius-server host host1 auth-port 1612 acct-port 1616

Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets rad123 as the encryption key, matching the key on the RADIUS server:

    radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:

    radius-server host host1.domain.com auth-port 0
    radius-server host host2.domain.com acct-port 0
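As an added example (not part of the Cisco document), the following Python script resolves each radius-server host line of an IOS fragment to the values the router would actually use, applying the precedence described in the Configuration Examples and Usage Guidelines above: per-server value, else the global radius-server timeout, retransmit or key command, else the IOS default, and flags hosts whose key is configured nowhere. The sample configuration is constructed from the page's examples, and the per-host worst-case wait of timeout x (retransmit + 1) is an assumption derived from the definitions of timeout and retransmit, not a figure from the document.

```python
import re
from typing import Dict, List

# Added example: resolve each "radius-server host" line of an IOS config to the values
# the router would use (per-server value, else global command, else IOS default).
HOST_RE = re.compile(
    r"^radius-server host (?P<host>\S+)(?: auth-port (?P<auth>\d+))?"
    r"(?: acct-port (?P<acct>\d+))?(?: timeout (?P<timeout>\d+))?"
    r"(?: retransmit (?P<retransmit>\d+))?(?: key (?P<key>.*))?$")
GLOBAL_RE = re.compile(r"^radius-server (timeout|retransmit|key) (.*)$")
DEFAULTS = {"timeout": "5", "retransmit": "3", "auth": "1645", "acct": "1646"}

# Constructed sample: the page's two example hosts plus a third that relies on the global key.
SAMPLE_CONFIG = """\
radius-server retransmit 4
radius-server key globalkey
radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey
radius-server host 172.29.39.46 timeout 6 key rad123
radius-server host host1.domain.com auth-port 0
"""

def resolve_servers(config: str) -> List[Dict[str, object]]:
    """Return one dict per radius-server host line, in the order the router searches them."""
    glob: Dict[str, str] = {}
    servers: List[Dict[str, object]] = []
    for line in config.splitlines():
        g = GLOBAL_RE.match(line)
        if g:  # radius-server timeout / retransmit / key: global fallbacks
            glob[g.group(1)] = g.group(2)
            continue
        m = HOST_RE.match(line)
        if not m:  # comments ("!") and unrelated commands
            continue
        # Key precedence. Leading spaces are ignored; spaces inside and at the end count.
        raw_key = m["key"] if m["key"] is not None else glob.get("key", "")
        timeout = int(m["timeout"] or glob.get("timeout") or DEFAULTS["timeout"])
        retransmit = int(m["retransmit"] or glob.get("retransmit") or DEFAULTS["retransmit"])
        auth, acct = int(m["auth"] or DEFAULTS["auth"]), int(m["acct"] or DEFAULTS["acct"])
        servers.append({
            "host": m["host"], "timeout": timeout, "retransmit": retransmit,
            "used_for_auth": auth != 0, "used_for_acct": acct != 0,  # port 0 disables the role
            "key": raw_key.lstrip() or None,
            "key_source": "per-server" if m["key"] is not None else ("global" if raw_key else "MISSING"),
            # Assumption from the page's definitions: one send plus `retransmit` resends, each
            # waited `timeout` seconds, before the router moves on to the next configured host.
            "worst_case_wait": timeout * (retransmit + 1),
        })
    return servers

if __name__ == "__main__":
    print(*resolve_servers(SAMPLE_CONFIG), sep="\n")
```

A host reported with key_source "MISSING" is the case the Prerequisites warn about: no per-server key and no global radius-server key.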

Related Commands

aaa new-model
radius-server timeout
radius-server retransmit
radius-server key