The radius-server authorization command configures the RADIUS authorization server.
The undo radius-server authorization command deletes the configured RADIUS authorization server.
By default, no RADIUS authorization server is configured.
radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ protect enable ]
undo radius-server authorization { all | ip-address [ vpn-instance vpn-instance-name ] }
| Parameter | Description | Value |
|---|---|---|
| ip-address | Specifies the IP address of a RADIUS authorization server. | The value is a unicast address in dotted decimal notation. |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS authorization server is bound to. | The value must be an existing VPN instance name. |
| server-group group-name | Specifies the name of a RADIUS group corresponding to a RADIUS server template. | The value is a string of 1 to 32 characters, including letters (case-sensitive), numerals (0 to 9), periods (.), hyphens (-), and underscores (_). The value cannot be - or --. |
| shared-key cipher key-string | Specifies the shared key of a RADIUS server. | The value is a case-sensitive character string without spaces or question marks (?). key-string can be a string of 1 to 128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text. |
| protect enable | Enables the security hardening function. | - |
| all | Deletes all RADIUS authorization servers. | - |
Usage Scenario
After parameters such as the IP address and shared key are configured for the RADIUS authorization server, the device can receive authorization requests from the server and grant rights to users according to the authorization information. After authorization is complete, the device returns authorization response packets carrying the results to the server.
When a CoA or DM request packet carries the Message-Authenticator attribute, the device's behavior depends on two commands. If the radius-attribute disable message-authenticator receive command is configured, the device does not check the attribute and sends a response packet that does not carry the Message-Authenticator attribute. If the radius-attribute disable message-authenticator send command is configured, the device sends a response packet that does not carry the Message-Authenticator attribute even if the attribute check succeeds.
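What checking the Message-Authenticator attribute of a CoA or DM request involves, shown as an added example that is not the device's own code: it follows the RFC 5176 computation (HMAC-MD5 keyed with the shared key, with the Authenticator field and the attribute value both treated as zeros). The function names, shared key and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST, MSG_AUTH, ZERO16 = 43, 80, bytes(16)  # CoA-Request code, Message-Authenticator type

def build_coa_request(ident, attrs, secret):
    """Sender side: constructed test input, a CoA-Request ending in Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    ma_off = 20 + len(body) + 2  # offset of the 16-byte HMAC value
    body += struct.pack("!BB", MSG_AUTH, 18) + ZERO16
    pkt = bytearray(struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body)) + ZERO16 + body)
    # Message-Authenticator goes in first, with the Authenticator field still zero.
    pkt[ma_off:ma_off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # Request Authenticator = MD5(packet with zero Authenticator + shared key).
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)

def check_coa_request(pkt, secret):
    """Receiver side: return 'ok' or the reason the packet must be dropped."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "bad-length"
    work = bytearray(pkt)
    work[4:20] = ZERO16
    if not hmac.compare_digest(hashlib.md5(bytes(work) + secret).digest(), pkt[4:20]):
        return "bad-request-authenticator"
    pos, ma_off = 20, None
    while pos < len(pkt):  # walk the type-length-value attributes
        alen = pkt[pos + 1] if pos + 2 <= len(pkt) else 0
        if alen < 2 or pos + alen > len(pkt):
            return "bad-attribute"
        if pkt[pos] == MSG_AUTH:
            if alen != 18:
                return "bad-attribute"
            ma_off = pos + 2
        pos += alen
    if ma_off is None:
        return "no-message-authenticator"
    work[ma_off:ma_off + 16] = ZERO16  # HMAC covers zeros in both fields
    expected = hmac.new(secret, bytes(work), hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[ma_off:ma_off + 16]):
        return "bad-message-authenticator"
    return "ok"

if __name__ == "__main__":
    key = b"Constructed-Key_0123"  # constructed shared key, not from the page
    pkt = build_coa_request(7, [(1, b"alice"), (44, b"sess-0001")], key)
    print(check_coa_request(pkt, key), check_coa_request(pkt, b"wrong-key"))
```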
Precautions
To improve security, it is recommended that the password contain at least three of the following character types: lowercase letters, uppercase letters, numerals, and special characters, and that it be at least 16 characters long.