Configuring a RADIUS Server

Context

You can specify the RADIUS server connected to the device in a RADIUS server template. Such a template contains the server IP address, port number, source interface, and shared key settings.

The settings in a RADIUS server template must be the same as those on the RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, no RADIUS server template is available on the device.

  3. Configure RADIUS authentication and accounting servers.

    • Step: Configure a RADIUS authentication server.
      Command: radius-server authentication ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address | vlanif interface-number } | weight weight-value ] *
      Remarks: By default, no RADIUS authentication server is configured.

    • Step: Configure a RADIUS accounting server.
      Command: radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address | vlanif interface-number } | weight weight-value ] *
      Remarks: By default, no RADIUS accounting server is configured.

  4. Run radius-server shared-key cipher key-string

    The shared key of the RADIUS server is configured.

    When a RADIUS server is configured in multiple RADIUS server templates:

    • If the RADIUS server templates use different shared keys, you need to configure the shared keys in each RADIUS server template view.
    • If the RADIUS server templates use the same shared key, you can configure the shared key in the system view using the radius-server ip-address ip-address shared-key cipher key-string command.
    • When shared keys are configured in both the RADIUS server template view and system view, the configuration in the system view takes effect.

  5. (Optional) Run radius-server algorithm { loading-share | master-backup } [ based-user ]

    The algorithm for selecting RADIUS servers is configured.

    By default, the algorithm for selecting RADIUS servers is primary/secondary (specified by master-backup).

    When multiple authentication or accounting servers are configured in a RADIUS server template, the device selects RADIUS servers based on the configured algorithm and the weight configured for each server.

    • When the algorithm for selecting RADIUS servers is set to primary/secondary, the server with a larger weight is the primary server. If servers have the same weight, the server configured first is the primary server.
    • If the algorithm for selecting RADIUS servers is set to load balancing, packets are sent to RADIUS servers according to weights of the servers.

  6. (Optional) Run radius-server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS authentication request packets are retransmitted and the timeout interval are set.

    By default, RADIUS authentication request packets can be retransmitted three times, and the timeout interval is 5 seconds.

  7. (Optional) Configure the format of the user name in packets sent from the device to the RADIUS server.

    By default, the device does not encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

  8. (Optional) Run radius-server group-filter { class | filter-id }

    The group filtering field that functions as the group name on the RADIUS server is configured.

    By default, the group filtering field is class.

  9. (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The traffic unit used by the RADIUS server is configured.

    By default, the RADIUS traffic unit is byte on the device.

  10. (Optional) Run radius-attribute service-type with-authenonly-reauthen

    The reauthentication mode is set to reauthentication only.

    By default, the reauthentication mode is reauthentication and reauthorization.

    This function takes effect when the Service-Type attribute on the RADIUS server is set to Authenticate Only.

Verifying the Configuration

Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.
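
The following is an added example, not Huawei code and not part of the original page: a Python check that applies the step 4 rule (a system-view key overrides the template key) and the step 5 rule (larger weight is primary, first configured wins a tie) to a saved configuration excerpt. The sample text is constructed; the line layout of the saved configuration, one template per input, and the default weight of 80 are assumptions.

```python
DEFAULT_WEIGHT = 80  # assumption: weight used when none is configured; confirm for your platform

# Constructed sample (one template plus one system-view key), not from a real device.
SAMPLE = """\
radius-server ip-address 10.0.0.12 shared-key cipher <ciphertext-A>
radius-server template corp
 radius-server shared-key cipher <ciphertext-B>
 radius-server authentication 10.0.0.11 1812 weight 50
 radius-server authentication 10.0.0.12 1812 source loopback 0 weight 90
 radius-server authentication 10.0.0.13 1812 weight 90
 radius-server accounting 10.0.0.11 1813
"""

def parse(text):
    cfg = {"authentication": [], "accounting": [], "algorithm": "master-backup",
           "template_key": False, "system_keys": set()}
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 3 or tok[0] != "radius-server":
            continue
        if tok[1] in ("authentication", "accounting") and len(tok) >= 4:
            weight = int(tok[tok.index("weight") + 1]) if "weight" in tok else DEFAULT_WEIGHT
            cfg[tok[1]].append((tok[2], weight))
        elif tok[1] == "algorithm":
            cfg["algorithm"] = tok[2]
        elif tok[1:3] == ["shared-key", "cipher"]:
            cfg["template_key"] = True
        elif tok[1] == "ip-address" and tok[3:5] == ["shared-key", "cipher"]:
            cfg["system_keys"].add(tok[2])
    return cfg

def primary(servers):
    # Step 5: larger weight wins; max() returns the first maximal item, so config order breaks ties.
    return max(servers, key=lambda s: s[1])[0] if servers else None

def audit(text):
    cfg = parse(text)
    report = {"primary": {}, "key_source": {}, "findings": []}
    for kind in ("authentication", "accounting"):
        if not cfg[kind]:
            report["findings"].append(f"no {kind} server configured")
        if cfg["algorithm"] == "master-backup":
            report["primary"][kind] = primary(cfg[kind])
        for ip, _weight in cfg[kind]:
            # Step 4: a system-view key for this server overrides the template key.
            src = "system-view" if ip in cfg["system_keys"] else "template" if cfg["template_key"] else None
            report["key_source"][ip] = src
            if src is None and f"{ip}: no shared key" not in report["findings"]:
                report["findings"].append(f"{ip}: no shared key")
    return report
```

Calling audit(SAMPLE) reports which key each server effectively uses, so a stale system-view key that silently overrides a rotated template key shows up before users fail authentication.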

Verifying the Connectivity Between the Device and RADIUS Server

Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command to test the connectivity between the device and the RADIUS authentication server or accounting server, and to check whether that server can perform authentication or accounting for users.

If an error message is displayed in the command output, troubleshoot the fault according to Testing Whether a User Can Pass RADIUS Authentication or Accounting.

Copyright © Huawei Technologies Co., Ltd.