radius-server authorization

Function

The radius-server authorization command sets the IP address and shared key of the RADIUS authorization server.

The undo radius-server authorization command deletes the RADIUS authorization server.

By default, no RADIUS authorization server is configured.

This command is supported only on the NetEngine 8000 F1A.

Format

radius-server authorization ip-address [ vpn-instance string ] [ destination-ip destination-ip-addr ] [ destination-port destination-port-id ] { { shared-key key | shared-key-cipher { key2 | key3 } } | server-group groupname } * [ ack-reserved-interval interval ]

undo radius-server authorization ip-address [ vpn-instance string ]

Parameters

Parameter Description Value
ip-address

Specifies the IP address of a RADIUS authorization server, expressed in dotted decimal notation.

The value is in dotted decimal notation.

vpn-instance string

Indicates the VPN instance to which the RADIUS authorization server belongs.

The value is a string of 1 to 31 characters and must be the name of a configured VPN instance.

destination-ip destination-ip-addr

Specifies the destination IP address carried in CoA packets.

It is in dotted decimal notation.

destination-port destination-port-id

Specifies the destination port number carried in CoA packets.

The value is an integer ranging from 0 to 65535.

Commonly used port numbers include 1812, 1813, 1645, 1646, 3799, and those defined by users. Incorrectly configured port numbers cause CoA packets to be discarded.

shared-key key

Specifies the shared key for the RADIUS server in simple text.

The value is a string of 1 to 128 characters.

shared-key-cipher key2

Indicates the shared cipher key configured for the RADIUS server.

When the key is entered as a simple text password, the value is a string of 1 to 128 case-sensitive characters without spaces.

shared-key-cipher key3

Indicates the shared cipher key configured for the RADIUS server.

When the key is entered as a cipher text password, the value is a string of 1 to 268 case-sensitive characters without spaces.

server-group groupname

Specifies the name of the RADIUS server group corresponding to the RADIUS authorization server.

The value is a string of 1 to 32 characters and must be the name of a configured RADIUS server group.

ack-reserved-interval interval

Specifies the period for which authorization acknowledgment packets are retained.

The value ranges from 0 to 300, in seconds. The default value is 0.

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
radius write

Usage Guidelines

Usage Scenario

This command is used to configure the global RADIUS authorization server. It is used for service authorization when users choose services dynamically. You can configure multiple RADIUS authorization servers.

To answer packets retransmitted by the RADIUS authorization server, the device must retain the authorization response packet, so set the retention period for the authorization response packet when you configure the RADIUS authorization server. To disable this function, run this command with the retention period set to 0.

If a retention period is set, the system keeps users' authorization response packets so that it can respond to retransmitted packets. However, if many operators use Disconnect Messages (DMs) to disconnect users or Change of Authorization (CoA) packets to change user attributes, a large amount of memory is occupied.

If destination-ip, destination-port, or both are specified, the device checks the corresponding destination IP address and destination port number carried in a CoA packet sent by a user before sending the packet to the RADIUS server, and discards the packet if either value differs from the one specified. By default, this check of the destination IP address and destination port number in CoA packets is disabled.

If server-group groupname is configured, the RADIUS authorization server selects the RADIUS server group specified by groupname as the corresponding RADIUS server group. If server-group groupname is not configured, the RADIUS authorization server selects the RADIUS server group with an index of 0 (usually the RADIUS server group configured first) as the corresponding RADIUS server group. If the RADIUS server group with an index of 0 does not exist, no corresponding RADIUS server group is available for the RADIUS authorization server.

Precautions

You are advised to configure a shared key of at least 16 bytes that contains at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters.

Before running the radius-server authorization command, run the radius local-ip command in the system view to enable UDP ports 1645, 1646, and 3799 corresponding to the source IP address.

If a customized port number needs to be configured, run the radius-server extended-source-ports command first to configure the extended source port used for sending and receiving RADIUS packets.

Example

# Configure the IP address of the RADIUS authorization server as 10.3.150.3, the destination port number of the CoA packets as 3799, and the shared key as Root@123.
<HUAWEI> system-view
[~HUAWEI] radius-server authorization 10.3.150.3 destination-port 3799 shared-key-cipher Root@123
# Configure a RADIUS authorization server. The IP address is 10.10.10.1, and the shared-key-cipher is Root@123.
<HUAWEI> system-view
[~HUAWEI] radius-server authorization 10.10.10.1 shared-key-cipher Root@123
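As an added example (not from this Huawei page), a small Python linter that checks a radius-server authorization line against the parameter ranges in the table above and the shared-key precaution, so a configuration can be audited before it reaches the device; the grammar it accepts is a simplified reading of the Format section, and the third sample line (192.0.2.x addresses, VPN instance mgmt, key Xq7!vR2#pL9$mW4kTz) is constructed.

```python
"""Lint 'radius-server authorization' lines against the parameter ranges and the
shared-key precaution stated on this page. Added example, not Huawei code."""
import re

# (kind, low, high) per keyword, from the Parameters table; shared-key-cipher uses the key3 bound.
LIMITS = {"vpn-instance": ("len", 1, 31), "destination-port": ("int", 0, 65535),
          "shared-key": ("len", 1, 128), "shared-key-cipher": ("len", 1, 268),
          "server-group": ("len", 1, 32), "ack-reserved-interval": ("int", 0, 300),
          "destination-ip": ("ip", 0, 0)}
DOTTED = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}$")
# The page's two example lines plus one constructed line that meets the precaution.
SAMPLE_LINES = (
    "radius-server authorization 10.3.150.3 destination-port 3799 shared-key-cipher Root@123",
    "radius-server authorization 10.10.10.1 shared-key-cipher Root@123",
    "radius-server authorization 192.0.2.10 vpn-instance mgmt destination-ip 192.0.2.1 "
    "destination-port 3799 shared-key-cipher Xq7!vR2#pL9$mW4kTz ack-reserved-interval 60",
)

def is_ipv4(text):
    return bool(DOTTED.match(text)) and all(int(o) < 256 for o in text.split("."))

def key_is_strong(key):
    """Precaution above: >= 16 bytes and at least two of lower, upper, digit, special."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(key.encode()) >= 16 and sum(bool(re.search(c, key)) for c in classes) >= 2

def lint(line):
    """Return the findings for one command line; [] means nothing to report."""
    t = line.split()
    if t[:2] != ["radius-server", "authorization"] or len(t) < 3:
        return ["not a radius-server authorization command"]
    findings = [] if is_ipv4(t[2]) else ["ip-address is not dotted decimal"]
    opts = dict(zip(t[3::2], t[4::2]))  # keyword/value pairs after ip-address
    for kw, val in opts.items():
        kind, lo, hi = LIMITS.get(kw, (None, 0, 0))
        size = (int(val) if val.isdigit() else -1) if kind == "int" else len(val)
        if kind is None:
            findings.append(f"unknown keyword {kw}")
        elif kind == "ip" and not is_ipv4(val):
            findings.append(f"{kw} is not dotted decimal")
        elif kind != "ip" and not lo <= size <= hi:
            findings.append(f"{kw} {val!r} outside {lo}-{hi}")
    # Format: at least one of shared-key / shared-key-cipher / server-group is required.
    keys = [k for k in ("shared-key", "shared-key-cipher") if k in opts]
    if not keys and "server-group" not in opts:
        findings.append("no shared-key, shared-key-cipher or server-group given")
    if any(not key_is_strong(opts[k]) for k in keys):  # a key3 ciphertext is judged as text
        findings.append("shared key below recommendation (>= 16 bytes, >= 2 character classes)")
    return findings
```

Run over SAMPLE_LINES, the two lines taken from this page are reported only for the 8-character key Root@123, which falls short of the 16-byte precaution; the constructed line passes cleanly.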
Copyright © Huawei Technologies Co., Ltd.