The radius-server authentication command configures a RADIUS authentication server.
The undo radius-server authentication command deletes the configured RADIUS authentication server.
By default, no RADIUS authentication server is specified.
radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *
undo radius-server authentication [ ipv4-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight ] * ] ]
undo radius-server authentication [ ipv6-address [ port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight ] ] ]
| Parameter | Description | Value |
|---|---|---|
| ipv4-address | Specifies the IPv4 address of a RADIUS authentication server. | The value is a valid unicast address in dotted decimal notation. |
| ipv6-address | Specifies the IPv6 address of a RADIUS authentication server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| port | Specifies the port number of a RADIUS authentication server. | The value is an integer that ranges from 1 to 65535. |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS authentication server is bound to. | The value must be an existing VPN instance name. |
| source loopback interface-number | Specifies the IP address of the loopback interface taken as the source IP address. interface-number specifies the number of a loopback interface. | The loopback interface must already exist. |
| source ip-address ipv4-address | Specifies the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is specified, ensure that the value of this parameter is the same as the client's IPv4 address specified on the RADIUS authentication server. If this parameter is not specified, the IPv4 address of the outbound interface is used as the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. | The value is a valid unicast address in dotted decimal notation. |
| source ip-address ipv6-address | Specifies the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IPv6 address of the outbound interface is used as the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. This address cannot be a virtual IPv6 address of a VRRP6 group. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| source vlanif interface-number | Specifies the IP address of a VLANIF interface as the source IP address. interface-number specifies the number of a VLANIF interface. | The VLANIF interface must exist. |
| weight weight-value | Specifies the weight of a RADIUS authentication server. When multiple servers are available, the device uses the server with the highest weight to perform authentication. If the servers have the same weights, the device uses the server configured first to perform authentication. | The value is an integer that ranges from 0 to 100. The default value is 80. |
Usage Scenario
To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. The device uses the RADIUS protocol to communicate with a RADIUS authentication server to obtain authentication information, and authenticates users based on the authentication information. The device sends authentication packets to the RADIUS authentication server only after the IP address and port number of the RADIUS authentication server are specified in the RADIUS server template.
When the 802.1x authentication mode is set to EAP, the device and RADIUS authentication servers exchange packets multiple times. During the first exchange process, the device sends a request packet to the primary RADIUS authentication server. If the device resends the request packet for the maximum number of times but does not receive a response packet from the primary RADIUS authentication server, the device sends a request packet to the secondary RADIUS authentication server. If the secondary RADIUS authentication server sends a response packet to the device, the device will directly send request packets to the secondary RADIUS authentication server in the following exchange processes. In this way, the device does not need to send a request packet to the primary RADIUS authentication server first in the following exchange processes, shortening the authentication time and preventing the user authentication connection from being disconnected because the client does not receive a response packet for a long time.
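The following Python sketch is an added example, not Huawei code or tooling: it audits the radius-server authentication lines of a template against the documented port and weight ranges, returns the servers in the preference order given by the weight rule, and models the EAP failover described above. The sample template, the third server address 10.163.155.17, the function names, and the assumptions that failover walks the servers in preference order and that max_tx counts all transmissions to an unresponsive server are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample template; the first two addresses are the page's example servers.
SAMPLE = """\
radius-server authentication 10.163.155.13 1812
radius-server authentication 10.163.155.15 1812 source loopback 0 weight 50
radius-server authentication 10.163.155.17 1812 weight 80
"""

DEFAULT_WEIGHT = 80  # default from the parameter table


def parse_servers(config):
    """Return servers in preference order: highest weight, then first configured."""
    servers = []
    for line in config.splitlines():
        m = re.match(r"\s*radius-server authentication (\S+) (\d+)(.*)$", line)
        if not m:
            continue
        addr, port, rest = m.group(1), int(m.group(2)), m.group(3)
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {line.strip()}")
        w = re.search(r"\bweight (\d+)", rest)
        weight = int(w.group(1)) if w else DEFAULT_WEIGHT
        if not 0 <= weight <= 100:
            raise ValueError(f"weight out of range: {line.strip()}")
        servers.append({"addr": addr, "port": port, "weight": weight,
                        "explicit_source": " source " in rest})
    # sorted() is stable, so equal weights keep configuration order.
    return sorted(servers, key=lambda s: -s["weight"])


def eap_requests(order, responding, rounds, max_tx):
    """Model of the EAP failover: count requests sent to each server."""
    sent = {s["addr"]: 0 for s in order}
    active = 0  # index of the server currently used
    for _ in range(rounds):
        while active < len(order):
            addr = order[active]["addr"]
            if addr in responding:
                sent[addr] += 1
                break
            sent[addr] += max_tx  # all transmissions go unanswered
            active += 1           # later rounds skip this server
    return sent
```

Servers reported with explicit_source set to False send from the outbound interface address, so the client entry on the RADIUS server has to match whichever interface routing selects.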
Precautions
# Configure the IP address of the primary RADIUS authentication server to 10.163.155.13 and the port number to 1812.
<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server authentication 10.163.155.13 1812
# Configure the IP address of the secondary RADIUS authentication server to 10.163.155.15, the port number to 1812, and the weight to 50.
<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server authentication 10.163.155.15 1812 weight 50