Configuring RADIUS AAA Servers
The number of RADIUS servers you can configure
depends on available memory. The router has an embedded RADIUS client
for authentication and accounting.
Note: You can configure B-RAS with RADIUS accounting, but without
RADIUS authentication. In this configuration, the username and password
on the remote end are not authenticated and can be set to any value.
You must assign an IP address to a RADIUS authentication
or accounting server to configure it.
If you do not configure a
primary authentication or accounting server, all authentication and
accounting requests will fail. You can configure other servers as
backup in the event that the primary server cannot be reached. Configure
each server individually.
To configure an authentication or accounting RADIUS
server:
- Specify the authentication or accounting server address.
host1(config)#radius authentication server 10.10.10.1
host1(config-radius)#
or
host1(config)#radius accounting server 10.10.10.6
host1(config-radius)#
- (Optional) Specify a UDP port for RADIUS authentication
or accounting server requests.
host1(config-radius)#udp-port 1645
- Specify an authentication or accounting server secret.
host1(config-radius)#key gismo
- (Optional) Specify the number of retries the router makes
to an authentication or accounting server before it attempts to contact
another server.
host1(config-radius)#retransmit 2
- (Optional) Specify the number of seconds between retries.
host1(config-radius)#timeout 5
- (Optional) Specify the maximum number of outstanding requests.
host1(config-radius)#max-sessions 100
- (Optional) Specify the amount of time to remove a server
from the available list when a timeout occurs.
host1(config-radius)#deadtime 10
- (Optional) In Global Configuration mode, specify whether
the E Series router should move on to the next RADIUS server
when the router receives an Access-Reject message for the user it
is authenticating.
host1(config)#radius rollover-on-reject enable
- (Optional) Enable duplicate address checking.
host1(config)#aaa duplicate-address-check enable
- (Optional) Specify that duplicate accounting records be
sent to the accounting server for a virtual router.
host1(config)#aaa accounting duplication routerBoston
- (Optional) Enter the correct virtual router context, and
specify the virtual router group to which broadcast accounting records
are sent.
host1(config)#virtual-router vrSouth25
host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38
host1:vrSouth25(config)#exit
- (Optional) Specify that immediate accounting updates be
sent to the accounting server when a response is received to an Acct-Start
message.
host1(config)#aaa accounting immediate-update
- (Optional) Specify whether the router collects all statistics
or only the uptime status.
host1(config)#aaa accounting time
- (Optional) Specify that tunnel accounting be enabled or
disabled.
host1(config)#radius tunnel-accounting enable
- (Optional) Specify the default authentication and accounting
methods for the subscribers.
host1(config)#aaa authentication ppp default radius none
- (Optional) Disable UDP checksums on virtual routers you
configure for B-RAS.
host1(config)#virtual-router boston
host1:boston(config)#radius udp-checksum disable
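The following audit script is an added example, not part of the original page or of Juniper's software. It reads commands in the form shown in the steps above and reports three conditions: accounting configured without an authentication server (the case described in the Note), a server entry with no key, and a PPP default method list that contains none. The function names and the sample input are constructed for illustration, and treating none as "no authentication" is an assumption.

```python
import re

# Constructed sample in the command form used on this page (prompts included).
SAMPLE = """\
host1(config)#radius accounting server 10.10.10.6
host1(config-radius)#udp-port 1645
host1(config-radius)#key gismo
host1(config-radius)#exit
host1(config)#radius accounting server 10.10.10.7
host1(config-radius)#timeout 5
host1(config-radius)#exit
host1(config)#aaa authentication ppp default radius none
"""

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#")  # e.g. host1:vrSouth25(config)#
SERVER_RE = re.compile(r"^radius (authentication|accounting) server (\S+)$")

def parse(text):
    """Return (servers, auth_methods); servers is a list of dicts."""
    servers, methods, current = [], [], None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip()).strip()  # drop the CLI prompt
        m = SERVER_RE.match(line)
        if m:  # entering the per-server configuration mode
            current = {"role": m.group(1), "addr": m.group(2), "key": None}
            servers.append(current)
        elif line == "exit":
            current = None
        elif current is not None and line.startswith("key "):
            current["key"] = line.split(None, 1)[1]
        elif line.startswith("aaa authentication ppp default "):
            methods = line.split()[4:]  # method names after "default"
    return servers, methods

def audit(text):
    """Return a sorted list of finding strings for the parsed configuration."""
    servers, methods = parse(text)
    findings = []
    roles = {s["role"] for s in servers}
    if "accounting" in roles and "authentication" not in roles:
        findings.append("accounting configured without authentication server")
    for s in servers:
        if not s["key"]:
            findings.append(f"{s['role']} server {s['addr']} has no key")
    if "none" in methods:
        # Assumption: 'none' in the method list admits subscribers unauthenticated.
        findings.append("ppp default method list includes 'none'")
    return sorted(findings)
```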
Published: 2012-06-27