radius-server host
Adds a RADIUS server to the set of servers used for authentication.
Syntax
[no] radius-server host {<ip-address> | <hostname>} [auth-port <port>] [auth-type <type>] [timeout <seconds>] [retransmit <retries>] [key <string>]
Parameters
<ip-address>
RADIUS server IPv4 or IPv6 address.
<hostname>
RADIUS server hostname.
auth-port <port>
Specifies the authentication port number to use with this RADIUS server. The default value is 1812.
auth-type <type>
Specifies the authentication type to use with this RADIUS server.
chap—Specifies Challenge Handshake Authentication Protocol (CHAP), which provides better security than PAP.
mschapv2—Specifies Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2).
pap—Specifies Password Authentication Protocol (PAP).
timeout <seconds>
Specifies the time-out period to use with this RADIUS server.
retransmit <retries>
Specifies the number of times the client attempts to authenticate with any RADIUS server. The default value is 1. The range is from 0 to 5. To disable retransmissions, set it to 0.
key <string>
Specifies the shared secret text string used to communicate with this RADIUS server.
0—Specifies the shared secret to use with this RADIUS server.
7—Specifies the RADIUS key with an encrypted string.
Usage
RADIUS servers are tried in the order they are configured.
The same IP address can be used in more than one radius-server host command if the auth-port value is different for each. The auth-port value is a UDP port number. The auth-port value must be specified immediately after the host <ip-address> option (if present).
PAP authentication validates users before allowing them access to the RADIUS server resources. PAP is the most flexible protocol but is less secure than CHAP.
CHAP authentication validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This happens at the time of establishing the initial link and might happen again at any time afterwards. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server.
MSCHAPv2 addresses major security weaknesses found in CHAP and PAP. It provides asymmetric authentication between peers by piggybacking a peer challenge on the Response packet and an authentication response on the Success packet.
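What the pap and chap settings put on the wire, following RFC 2865 (an added example, not Riverbed code or part of this reference; the secret, password, authenticator and challenge values are constructed). With pap the password is only masked with an MD5 keystream derived from the key <string> shared secret, so the server, or anyone else holding that secret, recovers it; with chap only an MD5 digest over the identifier, password and challenge is sent.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password: XOR the null-padded password with MD5 blocks."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()  # keyed only by the shared secret
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev                                # each block chains into the next
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret is all that is needed to undo the masking."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3 CHAP-Password: ident byte + MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest

def chap_verify(chap_password: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from the stored password and compare."""
    expected = chap_response(chap_password[0], password, challenge)
    return hmac.compare_digest(expected, chap_password)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))   # Request Authenticator (random in practice)
    challenge = bytes(range(16, 32))   # CHAP challenge (random in practice)
    hidden = pap_hide(b"user-pass", secret, authenticator)
    print("pap  attribute:", hidden.hex())
    print("pap  recovered:", pap_recover(hidden, secret, authenticator))
    resp = chap_response(7, b"user-pass", challenge)
    print("chap attribute:", resp.hex(), "verified:",
          chap_verify(resp, b"user-pass", challenge))
```
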
Some parameters override the RADIUS server global defaults. For details, see the SteelHead Deployment Guide.
The no command option stops sending RADIUS authentication requests to the host.
If the no radius-server host <ip-address> command is specified, all RADIUS configurations for the host are deleted.
The no radius-server host <ip-address> auth-port <port> command can be specified to refine which host is deleted, as the previous command deletes all RADIUS servers with the specified IP address.
Example
amnesiac (config) # radius-server host 10.0.0.1 timeout 10 key XXXX retransmit 3
Product
SCC, Interceptor, Client Accelerator, SteelHead, SteelHead-v, SteelHead-c
Related Commands
show aaa, show radius