Remote Access Dial-In User Services (RADIUS) is a distributed client/server system that assists in securing networks against unauthorized access, allowing a number of communication servers and clients to authenticate user identities through a central database.
RADIUS is a fully open and standard protocol defined by RFCs (authentication [RFC 2865] and accounting [RFC 2866]). The RADIUS protocol is an AAA protocol that uses IP framing, with UDP port 1812 for authentication and UDP port 1813 for accounting.
The RADIUS process includes:
- RADIUS authentication, which you can use to identify remote users before you give them access to a central network site.
- RADIUS accounting, which enables data collection on the server during a remote user’s dial-in session with the client.
Here's an example RADIUS configuration used for switch management.
(config)# radius server host <IP_ADDRESS_RADIUS_SERVER> key
(config)# radius server host <IP_ADDRESS_RADIUS_SERVER> acct-enable
(config)# radius-server password fallback
Enabling RADIUS on Telnet/SSH sessions
(config)# cli password telnet radius
Enabling RADIUS on the serial console connection (optional)
(config)# cli password serial radius
To modify the RADIUS encapsulation (the default is PAP)
(config)# radius-server encapsulation ?
ms-chap-v2 MS-CHAP-V2 protocol
pap PAP protocol
Verifying the configuration
# show radius-server
# show cli password type
The RADIUS server must also be configured with attributes to accept and respond to access requests from the switch. Refer to the article "VOSS/ERS : AAA Radius Server Attributes for ERS and VOSS switches" for RADIUS server configuration details.