
radius-server authentication

Function

The radius-server authentication command configures a RADIUS authentication server.

The undo radius-server authentication command deletes the configured RADIUS authentication server.

By default, no RADIUS authentication server is specified.

Format

radius-server authentication ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address | vlanif interface-number } | weight weight-value ] *

undo radius-server authentication [ ip-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address | vlanif interface-number } | weight ] * ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Specifies the IP address of a RADIUS authentication server. | The value is in dotted decimal notation. It must be a valid unicast address. |
| port | Specifies the port number of a RADIUS authentication server. | The value is an integer that ranges from 1 to 65535. The port must be consistent with that on the RADIUS server. |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS authentication server is bound to. | The VPN instance must already exist. |
| source loopback interface-number | Specifies the number of a loopback interface. The IP address of the loopback interface is used as the source IP address for sending RADIUS packets to the RADIUS authentication server. | The loopback interface must already exist. |
| source ip-address ip-address | Specifies the source IP address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is specified, ensure that its value is the same as the client's IP address specified on the RADIUS authentication server. If this parameter is not specified, the IP address of the outbound interface is used as the source IP address in RADIUS packets sent from the device to a RADIUS authentication server. | The value is a valid unicast address in dotted decimal notation. |
| source vlanif interface-number | Specifies the IP address of a VLANIF interface as the source IP address. interface-number specifies the number of a VLANIF interface. | The VLANIF interface must exist. |
| weight weight-value | Specifies the weight of a RADIUS authentication server. When multiple servers are available, the device uses the server with the highest weight to perform authentication. If the servers have the same weight, the device uses the server configured first to perform authentication. | The value is an integer that ranges from 0 to 100. The default value is 80. |

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. The device uses the RADIUS protocol to communicate with a RADIUS authentication server to obtain authentication information, and authenticates users based on the authentication information. The device sends authentication packets to the RADIUS authentication server only after the IP address and port number of the RADIUS authentication server are specified in the RADIUS server template.

When the radius-server algorithm master-backup command has been executed to set the algorithm for selecting RADIUS servers to primary/secondary and both the primary and secondary authentication servers have been configured, the device sends authentication request packets to the secondary authentication server when the following two conditions are met:
  1. The primary authentication server does not send any authentication response packet.
  2. The maximum number of times that the device retransmits authentication request packets is reached.

In an HRP scenario, if the source ip-address ip-address parameter is specified, the entire command is not backed up to the remote device and you need to manually configure this command on the remote device.

  • You are advised to configure different RADIUS servers for the source VLANIF interface, source IP address, and source loopback interface and bind the servers to the same RADIUS template. Otherwise, the device creates multiple RADIUS servers even if the source and destination IP addresses of RADIUS request packets sent by different RADIUS templates are the same. As a result, only the first created RADIUS server receives RADIUS response packets, while other RADIUS servers cannot. To check the RADIUS server configuration, run the display radius-server item ip-address { ipv4-address | ipv6-address } authentication command.

Example

# Configure the IP address of the primary RADIUS authentication server to 10.163.155.13 and the port number to 1812.

<sysname> system-view
[sysname] radius-server template group1
[sysname-radius-group1] radius-server authentication 10.163.155.13 1812

# Configure the IP address of the secondary RADIUS authentication server to 10.163.155.15, the port number to 1812, and the weight to 50.

<sysname> system-view
[sysname] radius-server template group1
[sysname-radius-group1] radius-server authentication 10.163.155.15 1812 weight 50
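
The following is an added example, not part of the original page and not Huawei code: a Python configuration check that parses radius-server authentication lines in the syntax shown under Format, validates the documented value ranges, and applies the weight rule from the parameter table. The function names are hypothetical, the unicast test is an approximation, and the check models only the weight rule, not server reachability or the master-backup failover conditions.

```python
import ipaddress

DEFAULT_WEIGHT = 80  # default weight stated in the parameter table

def _unicast(text):
    """Return text if it is a dotted-decimal unicast IPv4 address (approximation)."""
    ip = ipaddress.IPv4Address(text)  # raises ValueError on malformed input
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        raise ValueError(f"not a unicast address: {text}")
    return text

def parse_auth_server(line):
    """Parse one 'radius-server authentication' line and check the documented ranges."""
    tok = line.split()
    if tok[:2] != ["radius-server", "authentication"] or len(tok) < 4:
        raise ValueError(f"not a radius-server authentication command: {line!r}")
    srv = {"ip": _unicast(tok[2]), "port": int(tok[3]),
           "vpn": None, "source": None, "weight": DEFAULT_WEIGHT}
    if not 1 <= srv["port"] <= 65535:
        raise ValueError(f"port out of range 1-65535: {srv['port']}")
    rest = tok[4:]
    while rest:  # options may appear in any order, as the [ ... ] * syntax allows
        key = rest.pop(0)
        if key in ("vpn-instance", "weight") and rest:
            val = rest.pop(0)
            if key == "weight":
                if not 0 <= int(val) <= 100:
                    raise ValueError(f"weight out of range 0-100: {val}")
                srv["weight"] = int(val)
            else:
                srv["vpn"] = val
        elif key == "source" and len(rest) >= 2 and rest[0] in ("loopback", "ip-address", "vlanif"):
            kind, val = rest.pop(0), rest.pop(0)
            srv["source"] = (kind, _unicast(val) if kind == "ip-address" else val)
        else:
            raise ValueError(f"unexpected or incomplete option: {key}")
    return srv

def preferred_server(lines):
    """Apply the weight rule: highest weight wins, ties go to the first configured."""
    servers = [parse_auth_server(l) for l in lines]
    return max(servers, key=lambda s: s["weight"])  # max() keeps the first maximum

# Constructed sample: the two commands from the Example section above.
SAMPLE = [
    "radius-server authentication 10.163.155.13 1812",
    "radius-server authentication 10.163.155.15 1812 weight 50",
]

if __name__ == "__main__":
    print(preferred_server(SAMPLE))
```

With the two commands from the Example section, the first server keeps the default weight of 80 and is therefore preferred over the server configured with weight 50.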
Copyright © Huawei Technologies Co., Ltd.