Configuring a RADIUS Server Template

Context

You can specify the RADIUS server connected to the device in a RADIUS server template. Such a template contains the server IP address, port number, source interface, and shared key settings.

The settings in a RADIUS server template must be the same as those on the RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified and cannot be deleted.

  3. Configure RADIUS authentication and accounting servers.

    Step: Configure a RADIUS authentication server.

    Command:

    • Configure an IPv4 RADIUS authentication server: radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
    • Configure an IPv6 RADIUS authentication server: radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

    Remarks: By default, no RADIUS authentication server is configured.

    Step: Configure a RADIUS accounting server.

    Command:

    • Configure an IPv4 RADIUS accounting server: radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
    • Configure an IPv6 RADIUS accounting server: radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

    Remarks: By default, no RADIUS accounting server is configured.

  4. Run radius-server shared-key cipher key-string

    The shared key of the RADIUS server is configured.

    By default, no shared key is configured for a RADIUS server.

    When a RADIUS server is configured in multiple RADIUS server templates:

    • If the RADIUS server templates use different shared keys, you need to configure the shared keys in each RADIUS server template view.
    • If the RADIUS server templates use the same shared key, you can configure the shared key in the system view using the radius-server ip-address { ipv4-address | ipv6-address } shared-key cipher key-string command.
    • When shared keys are configured in both the RADIUS server template view and system view, the configuration in the system view takes effect.

  5. (Optional) Run radius-server algorithm { loading-share | master-backup } [ based-user ]

    The algorithm for selecting RADIUS servers is configured.

    By default, the algorithm for selecting RADIUS servers is primary/secondary (specified by master-backup).

    When multiple authentication or accounting servers are configured in a RADIUS server template, the device selects RADIUS servers based on the configured algorithm and the weight configured for each server.

    • When the algorithm for selecting RADIUS servers is set to primary/secondary, the server with a larger weight is the primary server. If servers have the same weight, the server configured first is the primary server.
    • When the algorithm for selecting RADIUS servers is set to load balancing, packets are sent to RADIUS servers according to the weights of the servers.

  6. (Optional) Run radius-server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS authentication request packets are retransmitted and the timeout interval are set.

    By default, RADIUS authentication request packets can be retransmitted three times, and the timeout interval is 5 seconds.

  7. (Optional) Configure the format of the user name in packets sent from the device to the RADIUS server.

    • Run radius-server user-name domain-included

      The device is configured to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run radius-server user-name original

      The device is configured not to modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included except-eap

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server (applies to authentication modes other than EAP authentication).

    By default, the device does not modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

  8. (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The traffic unit used by the RADIUS server is configured.

    By default, the RADIUS traffic unit is byte on the device.

  9. (Optional) Run radius-attribute service-type with-authenonly-reauthen

    The reauthentication mode is set to reauthentication only.

    By default, the reauthentication mode is reauthentication and reauthorization.

    This function takes effect when the Service-Type attribute on the RADIUS server is set to Authenticate Only.

  10. (Optional) Run radius-server framed-ip-address no-user-ip enable

    The device is enabled to encapsulate the RADIUS attribute Framed-IP-Address into RADIUS authentication request packets when the RADIUS authentication request packets sent by users do not carry user IP addresses.

    By default, the device does not encapsulate the RADIUS attribute Framed-IP-Address into a RADIUS authentication request packet when the RADIUS authentication request packet sent by a user does not carry the user IP address.

Verifying the Configuration

Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.

Verifying the Connectivity Between the Device and RADIUS Server

Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command to test the connectivity between the device and RADIUS authentication server or accounting server and check whether the authentication server or accounting server can perform authentication or accounting for users.

If an error message is displayed in the command output, troubleshoot the fault according to Testing Whether a User Can Pass RADIUS Authentication or Accounting.

Copyright © Huawei Technologies Co., Ltd.