Specifications

Cisco AS5800 Operations, Administration, Maintenance, and Provisioning Guide
DOC-7810814=
Chapter 4 Administration
Access Service Security
Configure Router to RADIUS Server Communication
The RADIUS host is normally a multi-user system running RADIUS server software from Livingston,
Merit, Microsoft, or another software provider. A RADIUS server and a Cisco router use a shared secret
text string to encrypt passwords and exchange responses.
To configure RADIUS to use the AAA security commands, you must specify the host running the
RADIUS server daemon, and a secret text string that it shares with the router. Use the radius-server
commands to specify the RADIUS server host and a secret text string.
To specify a RADIUS server host and shared secret text string, perform the following tasks in global
configuration mode:
Specify the IP address or host name of the remote RADIUS server host, and assign authentication and accounting destination port numbers.
    radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
Specify the shared secret text string used between the router and the RADIUS server.
    radius-server key string
To customize communication between the router and the RADIUS server, use the following optional
radius-server global configuration commands:
Specify the number of times the router transmits each RADIUS request to the server before giving up (default is three).
    radius-server retransmit retries
Specify the number of seconds a router waits for a reply to a RADIUS request before retransmitting the request.
    radius-server timeout seconds
Specify the number of minutes a RADIUS server, which is not responding to authentication requests, is passed over by requests for RADIUS authentication.
    radius-server deadtime minutes
Configure Router to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the Cisco AS5800 and the RADIUS server, by using the
vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support
their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports
one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is
9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string of
the format:
    protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization.
Attribute and value are an appropriate attribute/value (AV) pair defined in the Cisco TACACS+ specification.
sep is = for mandatory attributes and * for optional attributes.
This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
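The following added example (not part of the Cisco guide) walks a RADIUS attribute list, picks out Attribute 26 entries with vendor-ID 9 and vendor-type 1, and splits each cisco-avpair string into protocol, attribute, mandatory/optional flag and value. The attribute layout assumed is the standard type, length, vendor-ID, vendor-type, vendor-length encoding; the function names and the sample AV pairs are constructed for illustration.

```python
from typing import NamedTuple

VSA_TYPE, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1  # values stated on the page

class AVPair(NamedTuple):
    protocol: str
    attribute: str
    mandatory: bool   # True when sep is "=", False when sep is "*"
    value: str

def parse_avpair(text: str) -> AVPair:
    """Split 'protocol:attribute<sep>value' at the first '=' or '*'."""
    protocol, colon, rest = text.partition(":")
    hits = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not colon or not protocol or not hits or min(hits) == 0:
        raise ValueError(f"not a cisco-avpair string: {text!r}")
    idx = min(hits)   # later '=' or '*' characters belong to the value
    return AVPair(protocol, rest[:idx], rest[idx] == "=", rest[idx + 1:])

def cisco_avpairs(attrs: bytes) -> list:
    """Return every cisco-avpair carried in a raw RADIUS attribute list."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("bad attribute length")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        # Skip anything that is not a Vendor-Specific attribute for vendor 9.
        if a_type != VSA_TYPE or len(body) < 4:
            continue
        if int.from_bytes(body[:4], "big") != CISCO_VENDOR_ID:
            continue
        sub = body[4:]
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if v_type == CISCO_AVPAIR:
                out.append(parse_avpair(sub[2:v_len].decode("ascii")))
            sub = sub[v_len:]
    return out

def _vsa(text: str) -> bytes:
    """Encode one cisco-avpair string as Attribute 26 (builds sample input)."""
    data = text.encode("ascii")
    return (bytes([VSA_TYPE, len(data) + 8]) + CISCO_VENDOR_ID.to_bytes(4, "big")
            + bytes([CISCO_AVPAIR, len(data) + 2]) + data)

# Constructed sample: a User-Name attribute followed by two cisco-avpair VSAs.
SAMPLE = bytes([1, 5]) + b"bob" + _vsa("shell:priv-lvl=15") + _vsa("ip:addr-pool*first")
```
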