
show aaa authentication-server radius

show aaa authentication-server radius [statistics|<rad_server_name> radsec status]

Description

This command shows the configuration settings of RADIUS servers.

Syntax

Parameter

Description

statistics

Shows the statistics of all RADIUS servers.

<rad_server_name> radsec status

Shows the status of RADIUS over TLS for the specified RADIUS server.

Usage Guidelines

This command shows the configuration settings of RADIUS servers. For the remaining parameters, see the command syntax.

Examples

The following example shows the RADIUS server list with the names of all the RADIUS servers:

(host) [mynode] #show aaa authentication-server radius

RADIUS Server List
------------------
Name        References  Profile Status
----        ----------  --------------
myserver    3
radius      0
servername  0

Total:3

The References column lists the number of other profiles that reference a RADIUS server, and the Profile Status column indicates whether the profile is predefined. User-defined servers will not have an entry in the Profile Status column.

Include the optional statistics parameter to this command to show the following statistics for all RADIUS servers:

Parameter

Description

Server

Name of the RADIUS server.

Acct Rq

Accounting requests. This reports the number of accounting messages (for example, start/stop/interim update) sent by the controller to a RADIUS server. This counter increments whenever the controller sends one of these messages.

Raw Rq

Raw requests. Number of raw authentication requests the controller sent to a RADIUS server.

PAP Rq

PAP requests. Number of PAP authentication requests the controller sent to a RADIUS server.

CHAP Rq

CHAP requests. Number of CHAP authentication requests the controller sent to a RADIUS server.

MSCHAP Rq

MSCHAP requests. Number of MS-CHAP authentication requests the controller sent to a RADIUS server.

MSCHAPv2 Rq

MSCHAPv2 requests. Number of MS-CHAPv2 requests the controller sent to a RADIUS server.

Mismatch Rsp

Mismatch responses. Number of responses from a RADIUS server for which the controller does not have the proper request context.

Bad Auth

Bad authenticator. Number of responses from the RADIUS server with an invalid secret or bad reply digest.

Acc

Access accept. Number of responses from the RADIUS server with invalid secret or bad reply digest.

Rej

Access reject. Number of responses from the RADIUS server that indicate that client authentication failed.

Acct Rsp

Accounting response. Number of responses sent from the RADIUS server in response to accounting requests sent from the controller.

Chal

Access challenge. Number of responses from the RADIUS server containing a challenge for the client (to complete authentication).

Ukn Rsp

Unknown response code. Number of responses from the RADIUS server that were not understood by the controller due to the purpose or type of the response.

Tmout

Timeouts. Number of messages sent by the controller for which the controller did not receive a response before the message timed out.

NOTE: Timeouts include RADIUS accounting requests. Every request the controller sends to the RADIUS server is monitored for a timeout, so each retry increments this counter.

AvgRspTme

Average response time. Time taken, on average, for the RADIUS server to respond to a message from the controller.

Tot Rq

Total errors. This counter reflects the total number of requests sent to the RADIUS server (auth and accounting requests).

Tot Rsp

This counter reflects the total number of responses received by the RADIUS server (auth and accounting responses).

Rd Err

Read errors. This counter reflects the total number of errors encountered while reading from the socket corresponding to that RADIUS server.

Uptime

Amount of time for which the RADIUS server has been active/up. The RADIUS server is considered to have an UP status if the server is active and serving requests. The RADIUS server is considered to be DOWN if the server is not responding. For example, if the RADIUS server does not respond for (<no of retries> * <timeout>) seconds, the controller takes the RADIUS server down. It brings the RADIUS server back into service after the dead timeout.

SEQ

Information corresponding to the sequence number of requests. SEQ total corresponds to the total number of sequence numbers that can be used to communicate with the RADIUS server. SEQ free corresponds to the free/available/not in use sequence numbers for a particular RADIUS server.
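The counters above are cumulative, so they are most useful when two polls are compared. The following is an added example, not part of the original page or of ArubaOS: it diffs two snapshots and reports the counters that point to a shared-secret or integrity problem or to an unresponsive server. The page does not show the statistics output layout, so the counters are passed in already parsed; the function name, the snapshot values and the 5% timeout ratio are assumptions.

```python
# Counters that should not grow on a healthy server, with the meaning
# the table above gives them.
WATCH = {
    "Bad Auth": "response had an invalid secret or bad reply digest",
    "Mismatch Rsp": "response had no matching request context",
    "Ukn Rsp": "response code was not understood",
    "Rd Err": "error while reading from the server socket",
}

# Constructed snapshots keyed by server name, then by column name.
PREV = {"alpha": {"Tot Rq": 100, "Tmout": 1, "Bad Auth": 0,
                  "Mismatch Rsp": 0, "Ukn Rsp": 0, "Rd Err": 0}}
CURR = {"alpha": {"Tot Rq": 200, "Tmout": 21, "Bad Auth": 3,
                  "Mismatch Rsp": 0, "Ukn Rsp": 0, "Rd Err": 0}}


def compare(prev, curr, max_timeout_ratio=0.05):
    """Return (server, counter, increase) tuples that deserve a look."""
    alerts = []
    for server, now in curr.items():
        before = prev.get(server)
        if before is None or now["Tot Rq"] < before["Tot Rq"]:
            # New server, or the counters were reset since the last poll:
            # measure from zero instead of producing negative deltas.
            before = {}
        delta = {name: value - before.get(name, 0) for name, value in now.items()}

        for name in WATCH:
            if delta.get(name, 0) > 0:
                alerts.append((server, name, delta[name]))

        # Every retry increments Tmout, so compare it with the requests
        # sent in the same interval rather than alerting on any increase.
        sent = delta.get("Tot Rq", 0)
        timeouts = delta.get("Tmout", 0)
        if sent > 0 and timeouts / sent > max_timeout_ratio:
            alerts.append((server, "Tmout", timeouts))
    return alerts


if __name__ == "__main__":
    for server, counter, increase in compare(PREV, CURR):
        reason = WATCH.get(counter, "requests timed out without a response")
        print(f"{server}: {counter} +{increase} ({reason})")
```

An increase in Bad Auth is worth correlating with recent shared-secret changes on either side before treating it as tampering.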

The following example shows additional details for a RADIUS server named alpha:

(host) [mynode] #show aaa authentication-server radius alpha

RADIUS Server "alpha"
----------------------
Parameter                              Value
---------                              -----
Host                                   10.15.28.101
Key                                    ********
CPPM credentials                       ade/********
Auth Port                              1812
Acct Port                              1813
Radsec Port                            2083
Retransmits                            3
Timeout                                5 sec
NAS ID                                 N/A
NAS IP                                 N/A
Enable IPv6                            Disabled
NAS IPv6                               N/A
Source Interface                       N/A
Use MD5                                Disabled
Use IP address for calling station ID  Disabled
Mode                                   Enabled
Lowercase MAC addresses                Disabled
MAC address delimiter                  none
Service-type of FRAMED-USER            Disabled
Radsec                                 Enabled
Radsec Trusted CA Name                 can-new
Radsec Server Cert Name                N/A
Radsec Client Cert                     client-new
called-station-id                      macaddr colon disable

The output of this command includes the following information:

Parameter

Description

Host

IP address of the RADIUS server.

Key

Shared secret between the controller and the authentication server.

CPPM credentials

Setting this parameter allows the controller to use a configurable username and password instead of a support password.

Auth port

Authentication port on the server.

Acct Port

Accounting port on the server.

Radsec Port

Displays the Radsec port for RADIUS data transport.

Retransmits

Maximum number of retries sent to the server by the controller before the server is marked as down.

Timeout

Maximum time, in seconds, that the controller waits before timing out the request and resending it.

NAS ID

Network Access Server (NAS) identifier to use in RADIUS packets.

NAS IP

NAS IP address to send in RADIUS packets. If you do not configure a server-specific NAS IP, the global NAS IP is used.

Enable IPv6

Shows if the RADIUS server is enabled in IPv6 mode.

NAS IPv6

IPv6 address for the global NAS IP which the controller uses to communicate with all the RADIUS servers.

Source Interface

The source interface VLAN ID number.

Use MD5

If enabled, the RADIUS server will use an MD5 hash of the cleartext password.

Use IP address for calling station ID

If enabled, the RADIUS server will use an IP address instead of a MAC address for calling station IDs.

Mode

Shows whether this server is Enabled or Disabled.

Lowercase MAC addresses

If this feature is enabled, the server will send MAC addresses in lowercase letters.

MAC address delimiter

The character used as a MAC address delimiter. If no character is specified, the RADIUS server will use a colon (:) by default.

Service-type of FRAMED-USER

If this option is enabled, the server sends the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default.

Radsec

Displays the status of the Radsec server.

Radsec Trusted CA

Displays the Certificate Authority to sign Radsec certificates.

Radsec Server Cert Name

Displays the trusted Radsec server certificate.

Radsec Client Cert

Displays the Radsec client certificate on the RADIUS server that identifies and authenticates clients.

called-station-id

Configure this parameter to be sent with the RADIUS attribute Called Station ID for authentication and accounting requests.

The called-station-id parameter can be configured to include AP group, AP MAC address, AP name, controller IP, controller MAC address, or user VLAN.

The default value is controller MAC address.
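The per-server output described above can be checked automatically during a configuration review. The following is an added example, not part of the original page or of ArubaOS: it parses the Parameter/Value table, applies a small example policy to the Radsec and Key rows, and derives the (retries * timeout) window from the Uptime description earlier on this page. The function names, the policy itself and the assumption that the two columns are separated by two or more spaces are this example's own.

```python
import re

# Constructed sample: an excerpt of the "alpha" output shown above. Two or
# more spaces between the Parameter and Value columns is an assumption
# about the CLI layout.
SAMPLE = """\
RADIUS Server "alpha"
----------------------
Parameter                              Value
---------                              -----
Host                                   10.15.28.101
Key                                    ********
Radsec Port                            2083
Retransmits                            3
Timeout                                5 sec
Use IP address for calling station ID  Disabled
Mode                                   Enabled
Radsec                                 Enabled
Radsec Trusted CA Name                 can-new
Radsec Server Cert Name                N/A
Radsec Client Cert                     client-new
called-station-id                      macaddr colon disable
"""


def parse_server_detail(text):
    """Return {parameter: value} from the Parameter/Value table."""
    params = {}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not in_table:
            # The table body starts after the dashed rule under the header.
            in_table = bool(re.fullmatch(r"-+\s{2,}-+", line))
            continue
        # Parameter names contain single spaces, so split on the column gap.
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            params[parts[0]] = parts[1]
    return params


def audit(params):
    """Apply an example review policy (this example's own, not vendor guidance)."""
    findings = []
    key = params.get("Key", "")
    if key and set(key) != {"*"}:
        findings.append("Key is shown unmasked; scrub it before storing this output")
    if params.get("Radsec") != "Enabled":
        findings.append("Radsec is not enabled; RADIUS is not carried over TLS")
    else:
        for field in ("Radsec Trusted CA Name", "Radsec Client Cert"):
            if params.get(field, "N/A") == "N/A":
                findings.append(f"Radsec is enabled but {field} is not set")
    if params.get("Mode") != "Enabled":
        findings.append("Server is administratively disabled")
    return findings


def down_after_seconds(params):
    """Unresponsive time before the server is marked down: retries * timeout."""
    timeout = int(params["Timeout"].split()[0])
    return int(params["Retransmits"]) * timeout


if __name__ == "__main__":
    detail = parse_server_detail(SAMPLE)
    print(audit(detail) or "no findings")
    print("marked down after", down_after_seconds(detail), "s without a response")
```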

The following example shows details of RADIUS over TLS for a RADIUS server named beta:

(host) [mynode] #show aaa authentication-server radius <servername> radsec status

Radius Server "beta" Radsec Status
------------------------------------
Radsec Server Attribute  Value
-----------------------  -----
In Service               Yes
Connected Sockets        1

The output of this command includes the following information:

Parameter

Description

In Service

Shows the status of the Radsec RADIUS server.

Connected Sockets

Shows the number of TLS connections with the RADIUS server.

Related Commands

Command

Description

aaa authentication-server radius

This command configures a RADIUS server.

Command History

Version

Modification

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

All platforms

Licensing

Base operating system.

Command Mode

Enable and Config mode on Mobility Master.
