
aaa authentication-server radius

aaa authentication-server radius <rad_server_name>

acct-modifier <profile_name>

acctport <port>

authport <port>

auth-modifier <profile_name>

called-station-id type {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id}
[delimiter {colon | dash | none}] [include-ssid {enable | disable}]

clone <server>

cppm username <username> password <password>

enable enable-ipv6

enable-radsec

host <ipaddr>|<FQDN>

key <psk>

mac-delimiter [colon | dash | none | oui-nic]

mac-lowercase

nas-identifier <string>

nas-ip <ipaddr>

nas-ip6 <ipv6-address>

no

radsec-client-cert-name <name>

radsec-port <radsec-port>

radsec-trusted-cacert-name <radsec-trusted-ca>

radsec-trusted-servercert-name <name>

retransmit <number>

service-type-framed-user

source-interface vlan <vlan> ip6addr <ipv6addr>

timeout <seconds>

use-ip-for-calling-station

use-md5

Description

This command configures a RADIUS server.

Syntax

<rad_server_name>
    Name that identifies the server.

acct-modifier <profile_name>
    Attributes modifier for accounting-request.

acctport <port>
    Accounting port on the server.
    Range: 1-65535. Default: 1813.

authport <port>
    Authentication port on the server.
    Range: 1-65535. Default: 1812.

auth-modifier <profile_name>
    Attributes modifier for access-request.

called-station-id type {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id}
    Configure this parameter to be sent with the RADIUS attribute Called Station ID for authentication and accounting requests.
    The called-station-id parameter can be configured to include the AP group, AP MAC address, AP name, Mobility Master IP, Mobility Master MAC address, or user VLAN.
    The default value is the Mobility Master MAC address.
    Default: macaddr.

clone <server>
    Name of an existing RADIUS server configuration from which parameter values are copied.

cppm username <username> password <password>
    Configure the ClearPass Policy Manager username and password. The Mobility Master authenticating to ClearPass Policy Manager is enhanced to use a configurable username and password instead of the support password. The support password is vulnerable to attacks because the server certificate presented by the ClearPass Policy Manager server is not validated.

enable
    Enables the RADIUS server.

enable-ipv6
    Enables the RADIUS server in IPv6 mode.

enable-radsec
    Enables RadSec for RADIUS data transport over TCP and TLS.

host <ipaddr>|<FQDN>
    Identify the RADIUS server either by its IP address or FQDN.
    <ipaddr>: IPv4 or IPv6 address of the RADIUS server.
    <FQDN>: FQDN of the RADIUS server. The maximum supported length is 63 characters.

key <psk>
    Shared secret between the Mobility Master and the authentication server. The maximum length is 128 characters.

mac-delimiter [colon | dash | none | oui-nic]
    Send the MAC address with a user-defined delimiter.
    Default: none.

mac-lowercase
    Send MAC addresses as lowercase.

nas-identifier <string>
    NAS identifier to use in RADIUS packets.

nas-ip <ipaddr>
    The NAS IP address to be sent in RADIUS packets to that server. If you define a local NAS IP setting using this command and also define a global NAS IP using the command ip radius nas-ip <ip-addr>, the global NAS IP address takes precedence.

nas-ip6 <ipv6-address>
    NAS IPv6 address to send in RADIUS packets.
    You can configure a global NAS IPv6 address that the Mobility Master uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6 is used. To set the global NAS IPv6, enter the ipv6 radius nas-ip6 <ipv6-address> command.

no
    Negates any configured parameter.

radsec-client-cert-name <name>
    Configures a RadSec client certificate on the RADIUS server to identify and authenticate clients.

radsec-port <radsec-port>
    Designates a RadSec port for RADIUS data transport.
    Range: 1-65535. Default: 2083.

radsec-trusted-cacert-name <radsec-trusted-ca>
    Designates a CA to sign RadSec certificates.

radsec-trusted-servercert-name <name>
    Designates a trusted RadSec server certificate.

retransmit <number>
    Maximum number of retries sent to the server by the Mobility Master before the server is marked as down.
    Range: 0-3. Default: 3.

service-type-framed-user
    Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default.
    Default: disabled.

source-interface vlan <vlan> ip6addr <ipv6addr>
    This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration.
    If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface's IP address.
    If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used.
    If you want to configure an IPv6 address for the Source Interface, specify the IPv6 address for the ip6addr parameter.

timeout <seconds>
    Maximum time, in seconds, that the Mobility Master waits before timing out the request and resending it.
    Range: 1-30. Default: 5 seconds.

use-ip-for-calling-station
    Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default.
    Default: disabled.

use-md5
    Use an MD5 hash of the cleartext password.
    Default: disabled.
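The called-station-id, mac-delimiter and mac-lowercase options above determine the exact string a RADIUS policy rule has to match on. The following is an added illustration written for this page, not ArubaOS code: it assumes the renderings for each delimiter (oui-nic as OUI and NIC halves joined by a dash) and that include-ssid appends ":<ssid>", which the page does not spell out; the sample MACs and SSID are constructed.

```python
import re

# Constructed sample values (not from the page): the AP MAC, the Mobility
# Master MAC, and the per-request facts a controller would hold.
SAMPLE_CTX = {
    "ap_mac": "00:1A:1E:AB:CD:EF", "mm_mac": "00:0B:86:12:34:56",
    "ap_name": "ap-lobby", "ap_group": "hq", "mm_ip": "10.1.1.1",
    "vlan": 100, "ssid": "corp",
}

def format_mac(mac, delimiter="none", lowercase=False):
    """Render a MAC as the mac-delimiter / mac-lowercase options select.
    Assumed renderings (the page names the options, not the output):
    colon 00:1A:1E:AB:CD:EF, dash 00-1A-1E-AB-CD-EF, none 001A1EABCDEF,
    oui-nic 001A1E-ABCDEF.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if lowercase:
        digits = digits.lower()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    if delimiter == "colon":
        return ":".join(octets)
    if delimiter == "dash":
        return "-".join(octets)
    if delimiter == "oui-nic":
        return digits[:6] + "-" + digits[6:]
    if delimiter == "none":
        return digits
    raise ValueError(f"unknown mac-delimiter: {delimiter!r}")

def called_station_id(ctx, type_="macaddr", delimiter="none", include_ssid=False):
    """Compose Called-Station-Id for one called-station-id type selection.
    Assumed: delimiter applies only to the MAC forms, and include-ssid
    appends ":<ssid>" (the RFC 3580 convention); the page states neither.
    """
    if type_ == "ap-macaddr":
        value = format_mac(ctx["ap_mac"], delimiter)
    elif type_ == "macaddr":  # page default: Mobility Master MAC address
        value = format_mac(ctx["mm_mac"], delimiter)
    elif type_ in ("ap-name", "ap-group"):
        value = ctx[type_.replace("-", "_")]
    elif type_ == "ipaddr":
        value = ctx["mm_ip"]
    elif type_ == "vlan-id":
        value = str(ctx["vlan"])
    else:
        raise ValueError(f"unknown called-station-id type: {type_!r}")
    return f"{value}:{ctx['ssid']}" if include_ssid else value
```

Verify the rendering against what the server actually receives before writing policy rules on it, since the delimiter and case you choose here must agree with the server-side match.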

Usage Guidelines

You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group).

Example

The following command configures and enables a RADIUS server:

(host) [md] (config) #aaa authentication-server radius radius

(host) [md] (RADIUS Server "radius") #host 10.1.1.244

(host) [md] (RADIUS Server "radius") #key qwERtyuIOp

(host) [md] (RADIUS Server "radius") #enable

Command History

Release

Modification

ArubaOS 8.1.0.0

The acct-modifier and auth-modifier parameters were introduced.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system.

Config mode on Mobility Master.
