Configuring RADIUS Globally
The configuration of RADIUS is almost identical to the configuration of TACACS+. RADIUS can be configured on a global basis, which is generally used in environments that use one RADIUS server or in environments in which all RADIUS servers within the network are configured to use the same security values. To configure RADIUS on the network access server, you must perform the following steps (note Steps 4 through 6 are optional):
1.Use the aaa new−model global configuration command to enable AAA. This command establishes a new AAA configuration. The command must be configured if you plan to support the RADIUS protocol.
2.Use the following command to configure the IP address or hostname of the RADIUS server:
radius−server host <hostname|ip−address>
3.Use this command to define the secret encryption key that is shared between the network access server and the RADIUS server:
radius−server key <0 string|7 string|string>
4.Use the radius−server retransmit <retries> command to specify how many times the router transmits each RADIUS request to the server before giving up.
5.Use the radius−server timeout <second> command to specify how many seconds a router waits for a reply to a RADIUS request before retransmitting the request.
6.Use the radius−server deadtime <minutes> command to specify how many minutes should pass before a RADIUS server that is not responding to authentication requests is passed over by requests for RADIUS authentication.
The preceding steps include the basic configuration commands needed to enable RADIUS globally on the network access server. Continuing with the example in Figure 2.8, the network access server named Seminole should now be configured to provide RADIUS services for user James. The access server Seminole is configured to communicate with the Cisco Secure ACS server at IP address 192.168.10.4.
The following configuration commands are needed to configure the router based on the requirements:
Enter configuration commands, one per line. End with CNTL/Z.
Seminole(config)#radius−server host 192.168.10.4
Seminole(config)#radius−server key 1Cisco9
Notice the similarities between the global configuration of TACACS+ and the global configuration of RADIUS. In the preceding configuration, the key 1Cisco9 is the encryption key that is shared between router Seminole and the Cisco Secure server at IP address 192.168.10.4. Issuing the show running−config command allows you to see the results of the preceding configuration:
radius−server host 192.168.10.4
radius−server key 1Cisco9
By issuing the show running−config command, you can review the configuration changes that were made to the local device; however, a few more commands are needed to verify that the network access server and the RADIUS server are communicating properly. After you verify that the configuration changes are correct, the next command you should issue is the debug radius command. The output of this command verifies that the network access server and the RADIUS server are communicating properly. The output of the debug radius command verifies that the network access server and the RADIUS server are communicating properly; the following lines show that the network access server Seminole in Figure 2.8 is communicating with the RADIUS server:
: Radius: IPC send 0.0.0.0/1645, Access−Request, id 0xB, len 52
: Attribute 4 6 AB187D5B
: Attribute 5 6 0000000B
: Attribute 2 6 0212D3C2
: Attribute 2 18 D21512AC
: Radius: Received from 192.168.10.4:1645, Access−Accept,
: id 0xB, len 24
The output of the debug radius command displays the attribute values that are carried in the RADIUS Access−Request packet and the length of the packet. The last line in the output displays the packet that is received from the RADIUS server and the Access−Accept value being returned to the network access server. If, however, the RADIUS server and the network access server could not communicate properly, the output from the debug radius would resemble this output:
: Radius: IPC Send 0.0.0.0:1645, Access−Request, id 0xA, len 57
: Attribute 4 6 AC150E5A
: Attribute 5 6 0000000A
: Attribute 1 7 62696C6C
: Attribute 2 18 49C28F6C
: Radius: Received from 192.168.10.4:1645, Access−Reject,
: id 0xA, len 20
: Radius: Reply for 4 fails decrypt