radius-server host secure ipsec
Syntax
Syntax for a RADIUS server that uses IPsec for authentication:
radius-server host {<FQDN> | <IPV4> | <IPV6>}
[key [plaintext <PASSKEY> | ciphertext <PASSKEY>]]
[timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
[auth-type {pap | chap}] [acct-port <ACCT-PORT>] [retries <RETRY-COUNT>]
[tracking {enable | disable}] [tracking-mode {any | dead-only}] [vrf <VRF-NAME>]
secure ipsec authentication spi <SPI-INDEX> <AUTH-TYPE> <AUTH-KEY-TYPE> [<AUTH-KEY>]
no radius-server host {<FQDN> | <IPV4> | <IPV6>} [port <PORT-NUMBER>]
[vrf <VRF-NAME>] secure ipsec authentication
Syntax for a RADIUS server that uses IPsec for both authentication and encryption:
radius-server host {<FQDN> | <IPV4> | <IPV6>}
[key [plaintext <PASSKEY> | ciphertext <PASSKEY>]]
[timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
[auth-type {pap | chap}] [acct-port <ACCT-PORT>] [retries <RETRY-COUNT>]
[tracking {enable | disable}] [tracking-mode {any | dead-only}] [vrf <VRF-NAME>]
secure ipsec encryption spi <SPI-INDEX> <AUTH-TYPE> <AUTH-KEY-TYPE>
[<AUTH-KEY>] <ENCRYPT-TYPE> <ENCRYPT-KEY-TYPE> [<ENCRYPT-KEY>]
no radius-server host {<FQDN> | <IPV4> | <IPV6>} [port <PORT-NUMBER>]
[vrf <VRF-NAME>] secure ipsec encryption
Description
Adds a RADIUS server that uses IPsec for enhanced security: IPsec authentication of the RADIUS traffic, optionally with IPsec encryption as well. By default, the RADIUS server is associated with the server group named radius.
The no form of this command removes a previously added RADIUS server that was configured with IPsec, or (with secure ipsec authentication or secure ipsec encryption at the end) removes only the IPsec configuration from that server.
Unless enhanced security with IPsec is required, use the radius-server host command instead.
Command context
config
Parameters
{<FQDN> | <IPV4> | <IPV6>}
Specifies the RADIUS server as:
- <FQDN>: a fully qualified domain name.
- <IPV4>: an IPv4 address.
- <IPV6>: an IPv6 address.
key [plaintext <PASSKEY> | ciphertext <PASSKEY>]
Selects either a plaintext or an encrypted local shared-secret passkey for the server. As per RFC 2865, shared-secret can be a mix of alphanumeric and special characters. Plaintext passkeys are between 1 and 32 alphanumeric and special characters.
When key is entered without either sub-parameter, plaintext passkey prompting occurs upon pressing Enter. Enter must be pressed immediately after the key parameter without entering other parameters. The entered passkey characters are masked with asterisks.
When key is omitted, the server uses the global passkey. This command requires either the global or local passkey to be set; otherwise the server will not be contacted. The global passkey is set with the radius-server key command.
timeout <TIMEOUT-SECONDS>
Specifies the timeout. The range is 1 to 60 seconds. If a timeout is not specified, the value from the global timeout for RADIUS is used.
port <PORT-NUMBER>
Specifies the authentication port number. Range: 1 to 65535. Default: 1812.
auth-type {pap | chap}
Selects either PAP or CHAP as the authentication type for this server. If this parameter is not specified, the RADIUS global default is used; that default is PAP unless it has been changed globally.
acct-port <ACCT-PORT>
Specifies the UDP accounting port number. Range: 1 to 65535. Default: 1813.
retries <RETRY-COUNT>
Specifies the number of retry attempts for contacting the specified RADIUS server. Range is 0 to 5 attempts. If no retry value is provided, the default value of 1 is used.
tracking {enable | disable}
Enables or disables server tracking for the RADIUS server. Tracked servers are probed at the start of each server tracking interval to check if they are reachable.
Use command radius-server tracking to configure RADIUS server tracking globally.
Server tracking uses authentication request and response packets to determine server reachability status. The server tracking user name and password are used to form the request packet which is sent to the server with tracking enabled. Upon receiving a response to the request packet, the server is considered to be reachable.
tracking-mode {any | dead-only}
Configures the tracking mode for a RADIUS server that has tracking enabled. The tracking mode determines when the reachability of the server is monitored. The default tracking mode is any.
Sets the tracking mode to:
- any: track the RADIUS server regardless of its current reachability status.
- dead-only: track the RADIUS server only while it is marked as unreachable.
vrf <VRF-NAME>
Specifies the VRF name to be used for communicating with the server. If no VRF name is provided, the default VRF named default is used.
spi <SPI-INDEX>
Specifies the Security Parameters Index. The SPI is an identification tag carried in the IPsec header (the AH header for authentication-only, the ESP header when encryption is configured) that lets the receiver select the security association, and therefore the keys, to apply to the packet. The SPI must be unique on the switch, and the RADIUS server must be configured with the same SPI and keys for this peer. Range: 256 to 4294967295.
<AUTH-TYPE>
Specifies the authentication algorithm: md5, sha1, or sha256.
<AUTH-KEY-TYPE>
Specifies the authentication key type: plaintext, hex-string, or ciphertext.
[<AUTH-KEY>]
Specifies the authentication key. For <AUTH-KEY-TYPE> of ciphertext, this is the ciphertext string.
For <AUTH-KEY-TYPE> of plaintext or hex-string, the allowed key length depends on <AUTH-TYPE>:
- md5 (plaintext): 1 to 16 characters, (hex-string): 2 to 32 hexadecimal digits.
- sha1 (plaintext): 1 to 20 characters, (hex-string): 2 to 40 hexadecimal digits.
- sha256 (plaintext): 1 to 32 characters, (hex-string): 2 to 64 hexadecimal digits.
When <AUTH-KEY-TYPE> is not followed by <AUTH-KEY>, plaintext authentication key prompting occurs upon pressing Enter. Enter must be pressed immediately after the <AUTH-KEY-TYPE> parameter without entering other parameters. The entered authentication key characters are masked with asterisks.
<ENCRYPT-TYPE>
Specifies the encryption algorithm: 3des, aes, des, or null.
<ENCRYPT-KEY-TYPE>
Specifies the encryption key type: plaintext, hex-string, or ciphertext.
[<ENCRYPT-KEY>]
Specifies the encryption key. For <ENCRYPT-KEY-TYPE> of ciphertext, this is the ciphertext string.
For <ENCRYPT-KEY-TYPE> of plaintext or hex-string, the required key length depends on <ENCRYPT-TYPE>:
- 3des (plaintext): 24 characters, (hex-string): 48 hexadecimal digits.
- aes (plaintext): 16, 24, or 32 characters, (hex-string): 32, 48, or 64 hexadecimal digits (AES-128, AES-192, or AES-256 respectively).
- des (plaintext): 8 characters, (hex-string): 16 hexadecimal digits.
When <ENCRYPT-KEY-TYPE> is not followed by <ENCRYPT-KEY>, plaintext encryption key prompting occurs upon pressing Enter. Enter must be pressed immediately after the <ENCRYPT-KEY-TYPE> parameter without entering other parameters. The entered encryption key characters are masked with asterisks.
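The SPI range and the per-algorithm key-length rules above are easy to get wrong when the command is generated by automation rather than typed at the prompt, and a rejected command on the switch tells you little about which key was the wrong size. The following Python helper is an added example for this page, not code from the switch software or its documentation: it validates the SPI and the authentication and encryption keys against the rules in the parameter table, renders the command line in the documented parameter order (only the key and vrf sub-parameters are modelled, and interactive key prompting is not), generates correctly sized random hex-string keys, and warns about algorithms a reviewer would not accept in a new deployment. The even-digit requirement for hex-string keys, the refusal of null encryption, and the function and constant names are this example's own assumptions.

```python
"""Pre-flight validator and command builder for the
'radius-server host ... secure ipsec' syntax documented above.

Added illustration for this page; it is not part of the switch software or
its documentation. Optional sub-parameters other than key and vrf (timeout,
port, tracking, ...) and interactive key prompting are not modelled.
"""
import re
import secrets

# Authentication key size in bytes per algorithm (from the parameter table):
# plaintext keys are 1..N characters, hex-string keys 2..2N hex digits.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}
# Encryption key sizes in bytes per algorithm: plaintext keys are exactly N
# characters, hex-string keys exactly 2N hex digits. 'null' is accepted by the
# CLI but refused by this helper because it provides no confidentiality.
ENC_KEY_BYTES = {"des": (8,), "3des": (24,), "aes": (16, 24, 32)}
SPI_MIN, SPI_MAX = 256, 4294967295
KEY_TYPES = ("plaintext", "hex-string", "ciphertext")
# Still accepted by the CLI for older RADIUS servers; not for new deployments.
WEAK_ALGOS = {
    "md5": "MD5 authentication is deprecated; prefer sha256",
    "sha1": "SHA-1 authentication is deprecated; prefer sha256",
    "des": "56-bit DES is broken; prefer aes",
    "3des": "3DES (64-bit block) is deprecated; prefer aes",
}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _check_key(label, algo, key_type, key, sizes, exact):
    """Validate one key against the length rules for its algorithm.

    sizes: key sizes in bytes the algorithm accepts.
    exact: True for encryption keys (exact size required), False for
    authentication keys (any length up to the maximum, as the table allows).
    Assumption: hex-string keys must be an even number of digits (whole bytes).
    """
    if key_type not in KEY_TYPES:
        raise ValueError(f"{label}: key type must be one of {KEY_TYPES}")
    if not key:
        raise ValueError(f"{label}: a {key_type} key is required")
    if key_type == "ciphertext":
        return  # opaque switch-encrypted string; cannot be checked offline
    if key_type == "hex-string":
        if not _HEX.match(key) or len(key) % 2:
            raise ValueError(f"{label}: hex-string must be an even number of hex digits")
        nbytes = len(key) // 2
    else:
        nbytes = len(key)
    ok = nbytes in sizes if exact else 1 <= nbytes <= max(sizes)
    if not ok:
        raise ValueError(f"{label}: {nbytes}-byte key is not valid for {algo} "
                         f"(allowed sizes in bytes: {sizes})")


def generate_hex_key(algo, nbytes=None):
    """Return a random hex-string key of a size valid for algo (largest by default)."""
    if algo in AUTH_KEY_BYTES:
        sizes = (AUTH_KEY_BYTES[algo],)
    elif algo in ENC_KEY_BYTES:
        sizes = ENC_KEY_BYTES[algo]
    else:
        raise ValueError(f"unknown algorithm {algo}")
    nbytes = nbytes or max(sizes)
    if nbytes not in sizes:
        raise ValueError(f"{nbytes} bytes is not a valid key size for {algo}")
    return secrets.token_hex(nbytes)  # two hex digits per byte


def build_radius_ipsec_command(host, spi, auth_type, auth_key_type, auth_key,
                               enc_type=None, enc_key_type=None, enc_key=None,
                               vrf=None, passkey=None):
    """Return (command_line, warnings) or raise ValueError on a bad parameter.

    enc_type=None produces the 'secure ipsec authentication' form; any other
    value produces the 'secure ipsec encryption' form.
    """
    if not SPI_MIN <= int(spi) <= SPI_MAX:
        raise ValueError(f"spi {spi} is outside {SPI_MIN}..{SPI_MAX}")
    if auth_type not in AUTH_KEY_BYTES:
        raise ValueError(f"auth type must be one of {tuple(AUTH_KEY_BYTES)}")
    _check_key("auth", auth_type, auth_key_type, auth_key,
               (AUTH_KEY_BYTES[auth_type],), exact=False)
    warnings = [WEAK_ALGOS[auth_type]] if auth_type in WEAK_ALGOS else []

    parts = ["radius-server host", host]
    if passkey is not None:
        parts += ["key plaintext", passkey]  # RADIUS shared secret
    if vrf:
        parts += ["vrf", vrf]
    if enc_type is None:
        parts += ["secure ipsec authentication spi", str(spi),
                  auth_type, auth_key_type, auth_key]
    else:
        if enc_type not in ENC_KEY_BYTES:
            raise ValueError(f"encryption type must be one of {tuple(ENC_KEY_BYTES)}")
        _check_key("encrypt", enc_type, enc_key_type, enc_key,
                   ENC_KEY_BYTES[enc_type], exact=True)
        if enc_type in WEAK_ALGOS:
            warnings.append(WEAK_ALGOS[enc_type])
        parts += ["secure ipsec encryption spi", str(spi),
                  auth_type, auth_key_type, auth_key,
                  enc_type, enc_key_type, enc_key]
    return " ".join(parts), warnings


if __name__ == "__main__":
    # Recommended combination: SHA-256 authentication with AES-256 encryption,
    # both keys generated locally as hex strings.
    cmd, warns = build_radius_ipsec_command(
        "1.1.1.2", 262, "sha256", "hex-string", generate_hex_key("sha256"),
        "aes", "hex-string", generate_hex_key("aes", 32), vrf="mgmt")
    print(cmd)
    for w in warns:
        print("WARNING:", w)
```

Generating keys with `secrets.token_hex` and passing them as hex-string avoids the short, guessable plaintext keys that the 1-to-N-character rule for authentication keys permits, and keeps the key length exactly what the algorithm expects. The same hex values must be entered on the RADIUS server side under the same SPI.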
Authority
Administrators or local user group members with execution rights for this command.
Usage
If a fully qualified domain name is provided for the RADIUS server host, a DNS server must be configured and reachable through the same VRF as specified for the server host, because the hostname must be resolved to an IP address before the server can be contacted. If no DNS server is available in that VRF, RADIUS servers reachable through that VRF must be configured by IP address only.
The CLI accepts md5, sha1, des, and 3des for compatibility with older RADIUS servers. For new deployments use sha256 for IPsec authentication and aes (a 32-character or 64-hexadecimal-digit key, that is AES-256) for IPsec encryption; null encryption provides integrity protection only and leaves the RADIUS payload readable on the wire. Keys given on the command line as plaintext or hex-string are visible on the terminal and in any session log; when entering keys interactively, omit the key so that the switch prompts for it with masked input.
Examples
Adding a RADIUS server with an IPv4 address, a plaintext passkey, and IPsec authentication (MD5 plaintext):
switch(config)# radius-server host 1.1.1.1 key plaintext 98ab vrf mgmt secure ipsec authentication spi 261 md5 plaintext 1abc
Adding a RADIUS server with an IPv4 address and a prompted IPsec authentication (md5) plaintext authentication key.
switch(config)# radius-server host 1.1.1.1 secure ipsec authentication spi 261 md5
Enter the IPsec authentication key: ********
Re-Enter the IPsec authentication key: ********
Adding a RADIUS server with an IPv4 address, IPsec authentication (MD5 plaintext), and IPsec encryption (AES plaintext):
switch(config)# radius-server host 1.1.1.2 vrf mgmt secure ipsec encryption spi 262 md5 plaintext 9xyz aes plaintext 1234567890abcdef
Adding a RADIUS server by providing an IPv4 address and IPsec MD5 authentication type, and then responding to prompts for the keys and encryption type:
switch(config)# radius-server host 1.1.1.6 secure ipsec encryption spi 262 md5
Enter the IPsec authentication key: ********
Re-Enter the IPsec authentication key: ********
Enter the IPsec encryption type (3des/aes/des/null)? aes
Enter the IPsec encryption key: ********
Re-Enter the IPsec encryption key: ********
Adding a RADIUS server with an IPv4 address, tracking enabled with the tracking mode set to dead-only, IPsec authentication (MD5 plaintext), and IPsec encryption (AES plaintext):
switch(config)# radius-server host 1.1.1.1 tracking enable tracking-mode dead-only vrf mgmt secure ipsec encryption spi 262 md5 plaintext 9xyz aes plaintext 1234567890abcdef
Removing a RADIUS server:
switch(config)# no radius-server host 1.1.1.1 vrf mgmt
Removing only the IPsec configuration from a RADIUS server (the server itself remains configured):
switch(config)# no radius-server host 1.1.1.2 vrf mgmt secure ipsec encryption