Configuring RADIUS

This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system,
defines its operation, and identifies appropriate and inappropriate network environments for using
RADIUS technology. The “RADIUS Configuration Task List” section describes how to configure
RADIUS with the authentication, authorization, and accounting (AAA) command set.
For a complete description of the RADIUS commands used in this chapter, refer to the “RADIUS
Commands” chapter in the Cisco IOS Security Command Reference. To locate documentation of other
commands that appear in this chapter, use the command reference master index or search online.

In This Chapter
This chapter includes the following sections:
• RADIUS Overview
• RADIUS Operation
• RADIUS Configuration Task List
• RADIUS Attributes
• RADIUS Configuration Examples

RADIUS Overview
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the
Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a
central RADIUS server that contains all user authentication and network service access information.
RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with
any security system currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA
security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all
Cisco platforms.
RADIUS has been implemented in a variety of network environments that require high levels of security
while maintaining network access for remote users.

Cisco IOS Security Configuration Guide

SC-101
 Configuring RADIUS
RADIUS Operation

Use RADIUS in the following network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
servers from several vendors use a single RADIUS server-based security database. In an IP-based
network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS
server that has been customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such
as in an access environment that uses a “smart card” access control system. In one case, RADIUS
has been used with Enigma’s security cards to validate users and grant access to network resources.
• Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This
might be the first step when you make a transition to a Terminal Access Controller Access Control
System Plus (TACACS+) server.
• Networks in which a user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to a single protocol such as Point-to-Point
Protocol (PPP). For example, when a user logs in, RADIUS identifies this user as having
authorization to run PPP using IP address 10.2.3.4 and the defined access list is started.
• Networks that require resource accounting. You can use RADIUS accounting independent of
RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and
so on) used during the session. An Internet service provider (ISP) might use a freeware-based
version of RADIUS access control and accounting software to meet special security and billing
needs.
RADIUS is not suitable in the following network security situations:
• Multiprotocol access environments. RADIUS does not support the following protocols:
– AppleTalk Remote Access (ARA)
– NetBIOS Frame Control Protocol (NBFCP)
– NetWare Asynchronous Services Interface (NASI)
– X.25 PAD connections
• Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be
used to authenticate from one router to a non-Cisco router if the non-Cisco router requires RADIUS
authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.

RADIUS Operation
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps
occur:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
a. ACCEPT—The user is authenticated.
b. REJECT—The user is not authenticated and is prompted to reenter the username and password,
or access is denied.

Cisco IOS Security Configuration Guide

SC-102
Configuring RADIUS
RADIUS Configuration Task List

c. CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional
data from the user.
d. CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select
a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network
authorization. You must first complete RADIUS authentication before using RADIUS authorization.
The additional data included with the ACCEPT or REJECT packets consists of the following:
• Services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections,
and PPP, Serial Line Internet Protocol (SLIP), or EXEC services.
• Connection parameters, including the host or client IP address, access list, and user timeouts.

RADIUS Configuration Task List

To configure RADIUS on your Cisco router or access server, you must perform the following tasks:
• Use the aaa new-model global configuration command to enable AAA. AAA must be configured if
you plan to use RADIUS. For more information about using the aaa new-model command, refer to
the “AAA Overview” chapter.
• Use the aaa authentication global configuration command to define method lists for RADIUS
authentication. For more information about using the aaa authentication command, refer to the
“Configuring Authentication” chapter.
• Use line and interface commands to enable the defined method lists to be used. For more
information, refer to the “Configuring Authentication” chapter.
The following configuration tasks are optional:
• If needed, use the aaa group server command to group selected RADIUS hosts for specific
services. For more information about using the aaa group server command, refer to the
“Configuring AAA Server Groups” section in this chapter.
• If needed, use the aaa dnis map command to select RADIUS server groups based on DNIS number.
To use this command, you must define RADIUS server groups using the aaa group server
command. For more information about using the aaa dnis map command, refer to the “Configuring
AAA Server Group Selection Based on DNIS” section in this chapter.
• If needed, use the aaa authorization global command to authorize specific user functions. For more
information about using the aaa authorization command, refer to the “Configuring Authorization”
chapter.
• If needed, use the aaa accounting command to enable accounting for RADIUS connections. For
more information about using the aaa accounting command, refer to the “Configuring Accounting”
chapter.
This section describes how to set up RADIUS for authentication, authorization, and accounting on your
network, and includes the following sections:
• Configuring Router to RADIUS Server Communication (Required)
• Configuring Router to Use Vendor-Specific RADIUS Attributes (Optional)
• Configuring Router for Vendor-Proprietary RADIUS Server Communication (Optional)
• Configuring Router to Query RADIUS Server for Static Routes and IP Addresses (Optional)
• Configuring Router to Expand Network Access Server Port Information (Optional)

Cisco IOS Security Configuration Guide

SC-103
 Configuring RADIUS
RADIUS Configuration Task List

• Configuring AAA Server Groups (Optional)

• Configuring AAA Server Group Selection Based on DNIS (Optional)
• Specifying RADIUS Authentication
• Specifying RADIUS Authorization (Optional)
• Specifying RADIUS Accounting (Optional)
For RADIUS configuration examples using the commands in this chapter, refer to the “RADIUS
Configuration Examples” section at the end of the this chapter.

Configuring Router to RADIUS Server Communication

The RADIUS host is normally a multiuser system running RADIUS server software from Livingston,
Merit, Microsoft, or another software provider. Configuring router to RADIUS server communication
can have several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Timeout period
• Retransmission value
• Key string
RADIUS security servers are identified on the basis of their host name or IP address, host name and
specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP
address and UDP port number creates a unique identifier, allowing different ports to be individually
defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier
enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two
different host entries on the same RADIUS server are configured for the same service—for example,
accounting—the second host entry configured acts as fail-over backup to the first one. Using this
example, if the first host entry fails to provide accounting services, the network access server will try the
second host entry configured on the same device for accounting services. (The RADIUS host entries will
be tried in the order they are configured.)
A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange
responses.To configure RADIUS to use the AAA security commands, you must specify the host running
the RADIUS server daemon and a secret text (key) string that it shares with the router.
The timeout, retransmission, and encryption key values are configurable globally for all RADIUS
servers, on a per-server basis, or in some combination of global and per-server settings. To apply these
settings globally to all RADIUS servers communicating with the router, use the three unique global
commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these
values on a specific RADIUS server, use the radius-server host command.

Note You can configure both global and per-server timeout, retransmission, and key value
commands simultaneously on the same Cisco network access server. If both global and
per-server functions are configured on a router, the per-server timer, retransmission, and
key value commands override global timer, retransmission, and key value commands.

Cisco IOS Security Configuration Guide

SC-104
 Configuring RADIUS
RADIUS Configuration Task List

To configure per-server RADIUS server communication, use the following command in global
configuration mode:

Command Purpose
radius-server host {hostname | ip-address} Specifies the IP address or host name of the remote RADIUS
[auth-port port-number] [acct-port port-number] server host and assign authentication and accounting destination
[timeout seconds] [retransmit retries] [key
string]
port numbers. Use the auth-port port-number option to configure
a specific UDP port on this RADIUS server to be used solely for
authentication. Use the acct-port port-number option to
configure a specific UDP port on this RADIUS server to be used
solely for accounting.
To configure the network access server to recognize more than
one host entry associated with a single IP address, simply repeat
this command as many times as necessary, making sure that each
UDP port number is different. Set the timeout, retransmit, and
encryption key values to use with the specific RADIUS host.
If no timeout is set, the global value is used; otherwise, enter a
value in the range 1 to 1000. If no retransmit value is set, the
global value is used; otherwise enter a value in the range 1 to
1000. If no key string is specified, the global value is used.

Note The key is a text string that must match the encryption key
used on the RADIUS server. Always configure the key as
the last item in the radius-server host command syntax
because the leading spaces are ignored, but spaces within
and at the end of the key are used. If you use spaces in
your key, do not enclose the key in quotation marks unless
the quotation marks themselves are part of the key.

To configure global communication settings between the router and a RADIUS server, use the following
radius-server global configuration commands:

Command Purpose
Step 1 radius-server key string Specifies the shared secret text string used between
the router and a RADIUS server.
Step 2 radius-server retransmit retries Specifies the number of times the router transmits
each RADIUS request to the server before giving up
(the default is three).
Step 3 radius-server timeout seconds Specifies the number of seconds a router waits for a
reply to a RADIUS request before retransmitting the
request.
Step 4 radius-server deadtime minutes Specifies the number of minutes a RADIUS server,
which is not responding to authentication requests, is
passed over by requests for RADIUS authentication.

Cisco IOS Security Configuration Guide

SC-105
 Configuring RADIUS
RADIUS Configuration Task List

Configuring Router to Use Vendor-Specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the network access server and the RADIUS server by using the
vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their
own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one
vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and
the supported option has vendor-type 1, which is named “cisco-avpair.” The value is a string of the
following format:
protocol : attribute sep value *

“Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization. “Attribute”
and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification,
and “sep” is “=” for mandatory attributes and “*” for optional attributes. This allows the full set of
features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named ip address pools” feature to be
activated during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair= ”ip:addr-pool=first“

The following example shows how to cause a user logging in from a network access server to have
immediate access to EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“

Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, refer to RFC 2138, “Remote Authentication Dial-In User Service
(RADIUS).”
To configure the network access server to recognize and use VSAs, use the following command in global
configuration mode:

Command Purpose
radius-server vsa send [accounting | Enables the network access server to recognize and use VSAs as
authentication] defined by RADIUS IETF attribute 26.

For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, refer
to the “RADIUS Attributes” appendix.

Configuring Router for Vendor-Proprietary RADIUS Server Communication

Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for
communicating vendor-proprietary information between the network access server and the RADIUS
server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software
supports a subset of vendor-proprietary RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you
must specify the host running the RADIUS server daemon and the secret text string it shares with the
Cisco device. You specify the RADIUS host and secret text string by using the radius-server commands.
To identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS, use the
radius-server host non-standard command. Vendor-proprietary attributes will not be supported unless
you use the radius-server host non-standard command.

Cisco IOS Security Configuration Guide

SC-106
 Configuring RADIUS
RADIUS Configuration Task List

To specify a vendor-proprietary RADIUS server host and a shared secret text string, use the following
commands in global configuration mode:

Command Purpose
Step 1 radius-server host {hostname | ip-address} Specifies the IP address or host name of the remote
non-standard RADIUS server host and identify that it is using a
vendor-proprietary implementation of RADIUS.
Step 2 radius-server key string Specifies the shared secret text string used between
the router and the vendor-proprietary RADIUS
server. The router and the RADIUS server use this
text string to encrypt passwords and exchange
responses.

Configuring Router to Query RADIUS Server for Static Routes and IP Addresses
Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool
definitions on the RADIUS server instead of on each individual network access server in the network.
Each network access server then queries the RADIUS server for static route and IP pool information.
To have the Cisco router or access server query the RADIUS server for static routes and IP pool
definitions when the device first starts up, use the following command in global configuration mode:

Command Purpose
radius-server configure-nas Tells the Cisco router or access server to query the RADIUS
server for the static routes and IP pool definitions used throughout
its domain.

Note Because the radius-server configure-nas command is performed when the Cisco router
starts up, it will not take effect until you issue a copy system:running config
nvram:startup-config command.

Configuring Router to Expand Network Access Server Port Information

There are some situations when PPP or login authentication occurs on an interface different from the
interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP
authentication occurs on a virtual asynchronous interface “ttt” but the call itself occurs on one of the
channels of the ISDN interface.
The radius-server attribute nas-port extended command configures RADIUS to expand the size of the
NAS-Port attribute (RADIUS IETF attribute 5) field to 32 bits. The upper 16 bits of the NAS-Port
attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface
undergoing authentication.

Cisco IOS Security Configuration Guide

SC-107
 Configuring RADIUS
RADIUS Configuration Task List

To display expanded interface information in the NAS-Port attribute field, use the following command
in global configuration mode:

Command Purpose
radius-server attribute nas-port extended Expands the size of the NAS-Port attribute from 16 to 32 bits to
display extended interface information.

Note This command replaces the radius-server extended-portnames command.

On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not
provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if
a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as
NAS-Port = 20101.
Once again, this is because of the 16-bit field size limitation associated with RADIUS IETF NAS-Port
attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute
(RADIUS IETF attribute 26). Cisco's vendor-ID is 9, and the Cisco-NAS-Port attribute is subtype 2.
Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command.
The port information in this attribute is provided and configured using the aaa nas port extended
command.
To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field
information, use the following commands in global configuration mode:

Command Purpose
Step 1 radius-server vsa send [accounting | authentication] Enables the network access server to recognize and
use vendor-specific attributes as defined by RADIUS
IETF attribute 26.
Step 2 aaa nas port extended Expands the size of the VSA NAS-Port field from 16
to 32 bits to display extended interface information.

The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want
this information to be sent, you can suppress it by using the no radius-server attribute nas-port
command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
For a complete list of RADIUS attributes, refer to the “RADIUS Attributes” appendix.

Configuring AAA Server Groups

Configuring the router to use AAA server groups provides a way to group existing server hosts. This
allows you to select a subset of the configured server hosts and use them for a particular service. A server
group is used in conjunction with a global server-host list. The server group lists the IP addresses of the
selected server hosts.
Server groups also can include multiple host entries for the same server, as long as each entry has a
unique identifier. The combination of an IP address and a UDP port number creates a unique identifier,
allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS server are configured

Cisco IOS Security Configuration Guide

SC-108
 Configuring RADIUS
RADIUS Configuration Task List

for the same service—for example, accounting—the second host entry configured acts as fail-over
backup to the first one. Using this example, if the first host entry fails to provide accounting services,
the network access server will try the second host entry configured on the same device for accounting
services. (The RADIUS host entries will be tried in the order they are configured.)
To define a server host with a server group name, enter the following commands in global configuration
mode. The listed server must exist in global configuration mode:

Command Purpose
Step 1 Router(config)# radius-server host {hostname | Specifies and defines the IP address of the server host
ip-address} [auth-port port-number] [acct-port before configuring the AAA server-group. Refer to
port-number] [timeout seconds] [retransmit retries]
[key string]
the “Configuring Router to RADIUS Server
Communication” section for more information on the
radius-server host command.
Step 2 Router(config-if)# aaa group server {radius | Defines the AAA server-group with a group name.
tacacs+} group-name All members of a group must be the same type; that
is, RADIUS or TACACS+. This command puts the
router in server group subconfiguration mode.
Step 3 Router(config-sg)# server ip-address [auth-port Associates a particular RADIUS server with the
port-number] [acct-port port-number] defined server group. Each security server is
identified by its IP address and UDP port number.
Repeat this step for each RADIUS server in the AAA
server group.

Note Each server in the group must be defined

previously using the radius-server host
command.

Configuring AAA Server Group Selection Based on DNIS

Cisco IOS allows you to authenticate users to a particular AAA server group based on the session’s
Dialed Number Identification Service (DNIS) number. Any phone line (a regular home phone or a
commercial T1/PRI line) can be associated with several phone numbers. The DNIS number identifies
the number that was called to reach you.
For example, suppose you want to share the same phone number with several customers, but you want
to know which customer is calling before you pick up the phone. You can customize how you answer the
phone because DNIS allows you to know which customer is calling when you answer.
Cisco routers with either ISDN or internal modems can receive the DNIS number. This functionality
allows users to assign different RADIUS server groups for different customers (that is, different
RADIUS servers for different DNIS numbers). Additionally, using server groups you can specify the
same server group for AAA services or a separate server group for each AAA service.

Cisco IOS Security Configuration Guide

SC-109
 Configuring RADIUS
RADIUS Configuration Task List

Cisco IOS software provides the flexibility to implement authentication and accounting services in
several ways:
• Globally—AAA services are defined using global configuration access list commands and applied
in general to all interfaces on a specific network access server.
• Per Interface—AAA services are defined using interface configuration commands and applied
specifically to the interface being configured on a specific network access server.
• DNIS mapping—You can use DNIS to specify an AAA server to supply AAA services.
Because each of these AAA configuration methods can be configured simultaneously, Cisco has
established an order of precedence to determine which server or groups of servers provide AAA services.
The order of precedence is as follows:
• Per DNIS—If you configure the network access server to use DNIS to identify/determine which
server group provides AAA services, then this method takes precedence over any additional AAA
selection method.
• Per interface—If you configure the network access server per interface to use access lists to
determine how a server provides AAA services, this method takes precedence over any global
configuration AAA access lists.
• Globally—If you configure the network access server by using global AAA access lists to determine
how the security server provides AAA services, this method has the least precedence.

Note Prior to configuring AAA Server Group Selection Based on DNIS, you must configure the
list of RADIUS server hosts and configure the AAA server groups. See the “Configuring
Router to RADIUS Server Communication” and “Configuring AAA Server Groups”
sections in this chapter.

To configure the router to select a particular AAA server group based on the DNIS of the server group,
configure DNIS mapping. To map a server group with a group name with DNIS number, use the
following commands in global configuration mode:

Command Purpose
Step 1 Router(config)# aaa dnis map enable Enables DNIS mapping.
Step 2 Router(config)# aaa dnis map dnis-number Maps a DNIS number to a defined AAA server group;
authentication ppp group server-group-name the servers in this server group are being used for
authentication.
Step 3 Router(config)# aaa dnis map dnis-number accounting Maps a DNIS number to a defined AAA server group;
network [none | start-stop | stop-only] group the servers in this server group are being used for
server-group-name
accounting.

Specifying RADIUS Authentication

After you have identified the RADIUS server and defined the RADIUS authentication key, you need to
define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through
AAA, you need to enter the aaa authentication command, specifying RADIUS as the authentication
method. For more information, refer to the “Configuring Authentication” chapter.

Cisco IOS Security Configuration Guide

SC-110
 Configuring RADIUS
RADIUS Attributes

Specifying RADIUS Authorization

AAA authorization lets you set parameters that restrict a user’s network access. Authorization using
RADIUS provides one method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and support of IP,
IPX, ARA, and Telnet. Because RADIUS authorization is facilitated through AAA, you need to issue
the aaa authorization command, specifying RADIUS as the authorization method. For more
information, refer to the “Configuring Authorization” chapter.

Specifying RADIUS Accounting

The AAA accounting feature enables you to track the services users are accessing as well as the amount
of network resources they are consuming. Because RADIUS accounting is facilitated through AAA, you
need to issue the aaa accounting command, specifying RADIUS as the accounting method. For more
information, refer to the “Configuring Accounting” chapter.

RADIUS Attributes
The network access server monitors the RADIUS authorization and accounting functions defined by
RADIUS attributes in each user-profile. For a list of supported RADIUS attributes, refer to the
“RADIUS Attributes” appendix.
This section includes the following sections:
• Vendor-Proprietary RADIUS Attributes
• RADIUS Tunnel Attributes

Vendor-Proprietary RADIUS Attributes

An Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for
communicating vendor-proprietary information between the network access server and the RADIUS
server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. Cisco IOS
software supports a subset of vendor-proprietary RADIUS attributes. For a list of supported
vendor-proprietary RADIUS attributes, refer to the “RADIUS Attributes” appendix.

RADIUS Tunnel Attributes

RADIUS is a security server authentication, authorization, and accounting (AAA) protocol originally
developed by Livingston, Inc. RADIUS uses attribute value (AV) pairs to communicate information
between the security server and the network access server. RFC 2138 and RFC 2139 describe the basic
functionality of RADIUS and the original set of Internet Engineering Task Force (IETF)-standard AV
pairs used to send AAA information. Two draft IETF standards, “RADIUS Attributes for Tunnel
Protocol Support” and “RADIUS Accounting Modifications for Tunnel Protocol Support,” extend the
IETF-defined set of AV pairs to include attributes specific to virtual private dial-up networks (VPDNs);
these attributes are used to carry the tunneling information between the RADIUS server and the
tunnel initiator.

Cisco IOS Security Configuration Guide

SC-111
 Configuring RADIUS
RADIUS Configuration Examples

In the past, Cisco routers and access servers have only been able to support VPDN tunnel attributes by
using extensions to the Cisco vendor-specific attribute 26. This feature enables Cisco routers and access
servers to support the new RADIUS IETF-standard VPDN tunnel attributes. These new RADIUS
IETF-standard attributes are listed in the “RADIUS Attributes” appendix. Refer to the following three
configuration examples later in this chapter:
• L2TP Access Concentrator Examples
• L2TP Network Server Example
• RADIUS User Profile with RADIUS Tunneling Attributes Example
For more information about L2F, L2TP, VPN, or VPDN, refer to the Cisco IOS Dial Services
Configuration Guide: Network Services.

RADIUS Configuration Examples

The following sections provide RADIUS configuration examples:
• RADIUS Authentication and Authorization Example
• RADIUS Authentication, Authorization, and Accounting Example
• Vendor-Proprietary RADIUS Configuration Example
• RADIUS Server with Server-Specific Values Example
• Multiple RADIUS Servers with Global and Server-Specific Values Example
• Multiple RADIUS Server Entries for the Same Server IP Address Example
• RADIUS Server Group Examples
• Multiple RADIUS Server Entries Using AAA Server Groups Example
• AAA Server Group Selection Based on DNIS Example
• L2TP Access Concentrator Examples
• L2TP Network Server Example
• RADIUS User Profile with RADIUS Tunneling Attributes Example

RADIUS Authentication and Authorization Example

The following example shows how to configure the router to authenticate and authorize using RADIUS:
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius

The lines in this sample RADIUS authentication and authorization configuration are defined as follows:
• The aaa authentication login use-radius group radius local command configures the router to use
RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is
authenticated using the local database. In this example, use-radius is the name of the method list,
which specifies RADIUS and then local authentication.

Cisco IOS Security Configuration Guide

SC-112
 Configuring RADIUS
RADIUS Configuration Examples

• The aaa authentication ppp user-radius if-needed group radius command configures the
Cisco IOS software to use RADIUS authentication for lines using Point-to-Point Protocol (PPP)
with CHAP or PAP if the user has not already been authorized. If the EXEC facility has
authenticated the user, RADIUS authentication is not performed. In this example, user-radius is the
name of the method list defining RADIUS as the if-needed authentication method.
• The aaa authorization exec default group radius command sets the RADIUS information that is
used for EXEC authorization, autocommands, and access lists.
• The aaa authorization network default group radius command sets RADIUS for network
authorization, address assignment, and access lists.

RADIUS Authentication, Authorization, and Accounting Example

The following example shows a general configuration using RADIUS with the AAA command set:
radius-server host 123.45.1.2
radius-server key myRaDiUSpassWoRd
username root password ALongPassword
aaa authentication ppp dialins group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa authentication login admins local
aaa authorization exec default local
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem ri-is-cd
interface group-async 1
encaps ppp
ppp authentication pap dialins

The lines in this example RADIUS authentication, authorization, and accounting configuration are
defined as follows:
• The radius-server host command defines the IP address of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.
• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins,” which specifies that RADIUS authentication, then (if the RADIUS server does
not respond) local authentication will be used on serial lines using PPP.
• The ppp authentication pap dialins command applies the “dialins” method list to the lines
specified.
• The aaa authorization network default group radius local command is used to assign an address
and other network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The aaa authentication login admins local command defines another method list, “admins,” for
login authentication.
• The login authentication admins command applies the “admins” method list for login
authentication.

Cisco IOS Security Configuration Guide

SC-113
 Configuring RADIUS
RADIUS Configuration Examples

Vendor-Proprietary RADIUS Configuration Example

The following example shows a general configuration using vendor-proprietary RADIUS with the AAA
command set:
radius-server host alcatraz non-standard
radius-server key myRaDiUSpassWoRd
radius-server configure-nas
username root password ALongPassword
aaa authentication ppp dialins group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa authentication login admins local
aaa authorization exec default local
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem ri-is-cd
interface group-async 1
encaps ppp
ppp authentication pap dialins

The lines in this example RADIUS authentication, authorization, and accounting configuration are
defined as follows:
• The radius-server host non-standard command defines the name of the RADIUS server host and
identifies that this RADIUS host uses a vendor-proprietary version of RADIUS.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.
• The radius-server configure-nas command defines that the Cisco router or access server will query
the RADIUS server for static routes and IP pool definitions when the device first starts up.
• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins,” which specifies that RADIUS authentication, then (if the RADIUS server does
not respond) local authentication will be used on serial lines using PPP.
• The ppp authentication pap dialins command applies the “dialins” method list to the lines
specified.
• The aaa authorization network default group radius local command is used to assign an address
and other network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The aaa authentication login admins local command defines another method list, “admins,” for
login authentication.
• The login authentication admins command applies the “admins” method list for login
authentication.

RADIUS Server with Server-Specific Values Example

The following example shows how to configure server-specific timeout, retransmit, and key values for
the RADIUS server with IP address 172.31.39.46:
radius-server host 172.31.39.46 timeout 6 retransmit 5 key rad123

Cisco IOS Security Configuration Guide

SC-114
 Configuring RADIUS
RADIUS Configuration Examples

Multiple RADIUS Servers with Global and Server-Specific Values Example

The following example shows how to configure two RADIUS servers with specific timeout, retransmit,
and key values. In this example, the aaa new-model command enables AAA services on the router,
while specific AAA commands define the AAA services. The radius-server retransmit command
changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command
configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP
addresses 172.16.1.1 and 172.29.39.46.
! Enable AAA services on the router and define those services.
aaa new-model
aaa authentication login default group radius
aaa authentication login console-login none
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable password tryit1
!
! Change the global retransmission value for all RADIUS servers.
radius-server retransmit 4
!
! Configure per-server specific timeout, retransmission, and key values.
! Change the default auth-port and acct-port values.
radius-server host 172.16.1.1 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key
radkey
!
! Configure per-server specific timeout and key values. This server uses the global
! retransmission value.
radius-server host 172.29.39.46 timeout 6 key rad123

Multiple RADIUS Server Entries for the Same Server IP Address Example
The following example shows how to configure the network access server to recognize several RADIUS
host entries with the same IP address. Two different host entries on the same RADIUS server are
configured for the same services—authentication and accounting. The second host entry configured acts
as fail-over backup to the first one. (The RADIUS host entries will be tried in the order they are
configured.)
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000

RADIUS Server Group Examples

The following example shows how to create server group radgroup1 with three different RADIUS server
members, each using the default authentication port (1645) and accounting port (1646):
aaa group server radius radgroup1
server 172.16.1.11
server 172.17.1.21
server 172.18.1.31

Cisco IOS Security Configuration Guide

SC-115
 Configuring RADIUS
RADIUS Configuration Examples

The following example shows how to create server group radgroup2 with three RADIUS server
members, each with the same IP address but with unique authentication and accounting ports:
aaa group server radius radgroup2
server 172.16.1.1 auth-port 1000 acct-port 1001
server 172.16.1.1 auth-port 2000 acct-port 2001
server 172.16.1.1 auth-port 3000 acct-port 3001

Multiple RADIUS Server Entries Using AAA Server Groups Example

The following example shows how to configure the network access server to recognize two different
RADIUS server groups. One of these groups, group1, has two different host entries on the same
RADIUS server configured for the same services. The second host entry configured acts as fail-over
backup to the first one.
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS server group and associate servers
! with it.
aaa group server radius group1
server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS server group and associate servers
! with it.
aaa group server radius group2
server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

Cisco IOS Security Configuration Guide

SC-116
 Configuring RADIUS
RADIUS Configuration Examples

AAA Server Group Selection Based on DNIS Example

The following example shows how to select RADIUS server groups based on DNIS to provide specific
AAA services:
! This command enables AAA.
aaa new-model
!
! The following set of commands configures the RADIUS attributes for each server
! that will be associated with one of the defined server groups.
radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco1
radius-server host 172.17.0.1 auth-port 1645 acct-port 1646 key cisco2
radius-server host 172.18.0.1 auth-port 1645 acct-port 1646 key cisco3
radius-server host 172.19.0.1 auth-port 1645 acct-port 1646 key cisco4
radius-server host 172.20.0.1 auth-port 1645 acct-port 1646 key cisco5

! The following commands define the sg1 RADIUS server group and associate servers
! with it.
aaa group server radius sg1
server 172.16.0.1
server 172.17.0.1
! The following commands define the sg2 RADIUS server group and associate a server
! with it.
aaa group server radius sg2
server 172.18.0.1
! The following commands define the sg3 RADIUS server group and associate a server
! with it.
aaa group server radius sg3
server 172.19.0.1
! The following commands define the default-group RADIUS server group and associate
! a server with it.
aaa group server radius default-group
server 172.20.0.1
!
! The next set of commands configures default-group RADIUS server group parameters.
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
!
! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
! RADIUS server groups. In this configuration, all PPP connection requests using
! DNIS 7777 are sent to the sg1 server group. The accounting records for these
! connections (specifically, start-stop records) are handled by the sg2 server group.
! Calls with a DNIS of 8888 use server group sg3 for authentication and server group
! default-group for accounting. Calls with a DNIS of 9999 use server group
! default-group for authentication and server group sg3 for accounting records
! (stop records only). All other calls with DNIS other than the ones defined use the
! server group default-group for both authentication and stop-start accounting records.
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3

L2TP Access Concentrator Examples

The following example shows a basic L2TP configuration for the L2TP access concentrator (LAC) for
the topology shown in Figure 7. The local name is not defined, so the host name used is the local name.
Because the L2TP tunnel password is not defined, the username password is used. In this example,
VPDN is configured locally on the LAC and does not take advantage of the new RADIUS
tunnel attributes.

Cisco IOS Security Configuration Guide

SC-117
 Configuring RADIUS
RADIUS Configuration Examples

Figure 7 Topology for Configuration Examples

Dial client Corporate

network
LAC = DJ

ISP or PSTN LT2P tunnel

22108
LNS = partner

! Enable AAA globally.

aaa new-model
! Enable AAA authentication for PPP and list the default method to use for PPP
! authentication.
aaa authentication ppp default local
! Define the username as “DJ.”
username DJ password 7 030C5E070A00781B
! Enable VPDN.
vpdn enable
! Define VPDN group number 1.
vpdn-group 1
! Allow the LAC to respond to dialin requests using L2TP from IP address 172.21.9.13
! domain “cisco.com.”
request dialin l2tp ip 172.21.9.13 domain cisco.com

The following example shows how to configure the LAC if RADIUS tunnel attributes are supported. In
this example, there is no local VPDN configuration on the LAC; the LAC, instead, is configured to query
the remote RADIUS security server.
! Enable global AAA securities services.
aaa new-model
! Enable AAA authentication for PPP and list RADIUS as the default method to use
! for PPP authentication.
aaa authentication ppp default group radius local
! Enable AAA (network) authorization and list RADIUS as the default method to use for
! authorization.
aaa authorization network default group radius
! Define the username as “DJ.”
username DJ password 7 030C5E070A00781B
! Enable VPDN.
vpdn enable
! Configure the LAC to interface with the remote RADIUS security server.
radius host 171.69.1.1 auth-port 1645 acct-port 1646
radius-server key cisco

Cisco IOS Security Configuration Guide

SC-118
 Configuring RADIUS
RADIUS Configuration Examples

L2TP Network Server Example

The following example shows a basic L2TP configuration with corresponding comments on the L2TP
network server (LNS) for the topology shown in Figure 7:
! Enable AAA globally.
aaa new-model
! Enable AAA authentication for PPP and list the default method to use for PPP
! authentication.
aaa authentication ppp default local
! Define the username as “partner.”
username partner password 7 030C5E070A00781B
! Create virtual-template 1 and assign all values for virtual access interfaces.
interface Virtual-Template1
! Borrow the IP address from interface ethernet 1.
ip unnumbered Ethernet0
! Disable multicast fast switching.
no ip mroute-cache
! Use CHAP to authenticate PPP.
ppp authentication chap
! Enable VPDN.
vpdn enable
! Create vpdn-group number 1.
vpdn-group 1
! Accept all dialin l2tp tunnels from virtual-template 1 from remote peer DJ.
accept dialin l2tp virtual-template 1 remote DJ

RADIUS User Profile with RADIUS Tunneling Attributes Example

The following example shows a RADIUS user profile (Merit Daemon format) that includes RADIUS
tunneling attributes:
example.com Password=”cisco” Service-Type=Outbound
Tunnel-Type = :1:L2TP
Tunnel-Medium-Type = :1:IP
Tunnel-Server-Endpoint = :1:10.0.0.1
Tunnel-Password = :1:”welcome”
Tunnel-Assignment-ID = :1:”nas”

Cisco IOS Security Configuration Guide

SC-119
 Configuring RADIUS
RADIUS Configuration Examples

Cisco IOS Security Configuration Guide

SC-120