RADIUS Authorization Example

To use a RADIUS server for AAA authorization, AAA must first be enabled with the aaa new-model command. Then specify the RADIUS server IP address or host name and the shared key. The key is the shared secret the NAS uses to authenticate every RADIUS packet it exchanges with that server (and to hide the User-Password attribute), so it must match the server's configuration and should be treated as a credential, since it appears in the running configuration.

Example 8-8 shows a sample configuration that authorizes using RADIUS.

Example 8-8. Sample Configuration Using RADIUS

NAS(config)#aaa new-model

NAS(config)#radius-server host 192.168.100.15

NAS(config)#radius-server key ladyhawk

NAS(config)#username Elvis password k0nj0

NAS(config)#aaa authorization exec list group radius

NAS(config)#aaa authorization network list group radius

• The aaa authorization exec list group radius command creates a method list named list that uses the RADIUS server group for EXEC authorization, including autocommands and access lists. Because the list is named rather than default, it takes effect only where it is applied, for example with the authorization exec list command under the vty lines.

• The aaa authorization network list group radius command creates a method list named list that uses RADIUS for network authorization, address assignment, and access lists. It is applied to an interface with the ppp authorization list command.

Two practical notes on this example: the local username Elvis is never consulted by these lists, because only group radius is named as a method, so if the RADIUS server is unreachable, authorization fails rather than falling back (append local to the method list if a fallback is wanted). The username command here stores the password in cleartext unless service password-encryption is enabled; username Elvis secret stores a hash instead.

Example 8-9 shows the tasks performed to direct traffic to another server in the server group.

Example 8-9. Configuring the radius-server retry method reorder Command

Router1(config)#aaa new-model

Router1(config)#radius-server retry method reorder

Router1(config)#radius-server retransmit 1

Router1(config)#radius-server transaction max-tries 5

Router1(config)#radius-server host 192.168.100.15 key ladyhawk1

Router1(config)#radius-server host 192.168.100.16 key ladyhawk2

Router1(config)#radius-server host 192.168.100.17 key ladyhawk3

The configuration lines in this sample radius-server retry method reorder configuration mean the following:

• The radius-server retry method reorder command enables reordering: whichever host last answered becomes the flagged server and is tried first for subsequent transactions.

• The radius-server retransmit 1 command allows one retransmission, so each host receives two attempts before the next host is tried. The radius-server transaction max-tries 5 command caps a single transaction at five transmissions in total, so with three hosts the third host gets only one attempt per transaction.

• The reorder is configured with host 192.168.100.15 as the flagged server and 192.168.100.16 as the second server.

• If both of those RADIUS servers fail to respond to RADIUS packets but are not yet marked dead, the transmissions for the first transaction from the NAS go in this order:

192.168.100.15

192.168.100.15

192.168.100.16

192.168.100.16

192.168.100.17

• If RADIUS server 192.168.100.17 responds, all transactions initiated after that point will be sent to this host first.

An additional 4 bytes of memory are required per server group to track the flagged server. Because most configurations have only a small number of server groups, the additional memory should have minimal impact on performance.
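The following is an added example, not code from the original text or from Cisco IOS. It is a small model of the host-selection behaviour this section describes (flagged host first, 1 + retransmit attempts per host, at most max-tries transmissions per transaction, reorder to the host that answers) and of the radius-server deadtime behaviour introduced below, where a host that has stopped answering is skipped for a configured number of minutes. The class and function names (RadiusServer, ServerGroup, example_8_9_group) and the rule that a host is marked dead once it exhausts its attempts are this example's assumptions; the page does not describe the exact dead-marking criteria.

```python
"""Model of RADIUS host selection: retry method reorder, retransmit,
transaction max-tries and deadtime.

Added example. Not code from the original text or from Cisco IOS; the
names RadiusServer, ServerGroup and example_8_9_group are this example's
own, and the dead-marking rule is an assumption of the model.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    host: str
    key: str                 # per-host shared secret, as in Example 8-9
    dead_until: float = 0.0  # simulated clock (seconds) until which this host is skipped


@dataclass
class ServerGroup:
    servers: List[RadiusServer]
    retransmit: int = 3   # radius-server retransmit: extra sends per host per visit
    max_tries: int = 8    # radius-server transaction max-tries: sends per transaction
    deadtime: int = 0     # radius-server deadtime (minutes); 0 = never mark a host dead
    flagged: int = 0      # index of the host tried first; moves when a host answers

    def send_transaction(self, responds: Callable[[str], bool],
                         now: float = 0.0) -> Tuple[Optional[str], List[str]]:
        """Run one RADIUS transaction against the group.

        `responds(host)` stands in for the network: True means a reply came
        back, False means the request timed out. Returns the host that
        answered (or None) and the hosts in the order attempts were sent.
        """
        attempts: List[str] = []
        # Start at the flagged host, then continue round the list.
        order = self.servers[self.flagged:] + self.servers[:self.flagged]
        for server in order:
            if server.dead_until > now:
                continue  # deadtime: a dead host is skipped without spending a try
            for _ in range(1 + self.retransmit):
                if len(attempts) >= self.max_tries:
                    return None, attempts  # max-tries reached: give up
                attempts.append(server.host)
                if responds(server.host):
                    # Reorder on failure: the host that answered is tried first next time.
                    self.flagged = self.servers.index(server)
                    return server.host, attempts
            if self.deadtime:
                # Model assumption: a host that used up its attempts without
                # answering is marked dead for deadtime minutes.
                server.dead_until = now + self.deadtime * 60
        return None, attempts


def example_8_9_group(deadtime: int = 0) -> ServerGroup:
    """The three hosts and retry settings from Example 8-9."""
    hosts = [RadiusServer("192.168.100.15", "ladyhawk1"),
             RadiusServer("192.168.100.16", "ladyhawk2"),
             RadiusServer("192.168.100.17", "ladyhawk3")]
    return ServerGroup(hosts, retransmit=1, max_tries=5, deadtime=deadtime)


if __name__ == "__main__":
    group = example_8_9_group()
    only_17 = lambda host: host == "192.168.100.17"
    # First transaction: .15 and .16 are silent, .17 answers on the fifth send.
    print(group.send_transaction(only_17))
    # Second transaction: .17 is now the flagged host and is tried first.
    print(group.send_transaction(only_17))
```

Running the model with the Example 8-9 settings shows the interaction between the two knobs: with three hosts at two attempts each, max-tries 5 leaves the third host a single attempt per transaction, so a slow but healthy third server can look unreachable. Raising max-tries or lowering retransmit changes that; the model lets you check a proposed combination before pushing it to a NAS.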

To improve RADIUS response times when a server fails, use the radius-server deadtime command in global configuration mode. A server that has stopped responding is then marked dead and skipped for the configured time instead of being retried, and timing out, on every request. The following is the syntax for this command:

radius-server deadtime minutes

The minutes parameter is an integer between 1 and 1440 (one day). The default is 0, which means unresponsive servers are never marked dead.

RADIUS Accounting Example

Example 8-10 shows the RADIUS accounting configuration using the AAA command set. Figure 8-2 illustrates this configuration.
