Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

radius-server (System)

Syntax

Hierarchy Level

Description

Configure the RADIUS authentication server for subscriber access management, Layer 2 Tunnelling Protocol (L2TP), or Point-to-Point Protocol (PPP).

To configure multiple RADIUS servers, include multiple radius-server server-address statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Note:

The accounting-port and source-address options are not available on QFabric systems.

Options

server-address

Specify the IPv4 or IPv6 address of the RADIUS authentication server.
accounting-port port-number

Configure the accounting port number on which to contact the RADIUS server.

  • Range: 1 through 65,335

  • Default: 1813 (as specified in RFC 2866)
accounting-retry number

Configure the number of accounting retry attempts.

  • Range: 0 through 100 attempts

  • Default: 0
accounting-timeout seconds

Configure the accounting request timeout period.

  • Range: 0 through 1000 seconds

  • Default: 0
dynamic-request-port number

Configure the RADIUS client dynamic request port number

  • Range: 1 through 65535

  • Default: 3799
max-outstanding-requests value

Configure the maximum number of outstanding requests in flight to the server.

  • Range: 0 through 2000 requests

  • Default: 1000 requests
message-authenticator

Require the Message Authenticator attribute to be present in RADIUS server replies to the Access-Request message. If the reply does not contain the Message Authenticator attribute or if the Message Authenticator attribute is not the first attribute in the reply, the reply is silently discarded.

This setting is ignored when running RADIUS over TLS (RADSEC).

Note: The message-authenticator and no-message-authenticator settings are mutually-exclusive. We recommend that you explicitly set one or the other as required and not rely on the defaults.
no-message-authenticator

Do not require the Message Authenticator attribute to be present in RADIUS server replies to the Access-Request message.

This setting is ignored when running RADIUS over TLS (RADSEC).

Note: The message-authenticator and no-message-authenticator settings are mutually-exclusive. We recommend that you explicitly set one or the other as required and not rely on the defaults.
port port-number

Configure the port number on which to contact the RADIUS server.

  • Range: 1 through 65,335

  • Default: 1812 (as specified in RFC 2865)
preauthentication-port number

Configure the RADIUS server preauthentication-port number.

  • Range: 1 through 65535
preauthentication-secret secret

Configure the shared secret with the RADIUS server; it can include spaces if the character string is enclosed in quotation marks. The secret used by the local device must match that used by the RADIUS server.
retry value

Configure the number of times that the device is allowed to try to contact a RADIUS authentication server.

  • Range: 1 through 100

  • Default: 3
routing-instance routing-instance-name

Configure the routing instance name for the management routing instance. In the case of configuring the non-default management instance, use the value mgmt_junos. that is mgmt_junos. Configuring this option along with the management-instance statement enables authentication processes (for example, RADIUS and TACACS+) to use the non-default management routing instance for packet traffic.

Note:

You must also define the mgmt_junos routing instance under the [edit routing-instances] hierarchy level.

If you do not configure the mgmt_junos instance under the [edit routing-instances] hierarchy level and configure it only under tacplus-server or radius-server, the commit will fail.
secret password

(Required) Configure the password (shared secret) to use with the RADIUS server; it can include spaces if the character string is enclosed in quotation marks. The secret password used by the local device must match that used by the RADIUS server.
source-address source-address

Configure a valid IPv4 or IPv6 address configured on one of the device’s interfaces.
timeout seconds

Configure the amount of time the local device waits to receive a response from a RADIUS server.

  • Range: 1 through 1000 seconds

  • Default: 3 seconds
tls

Configure RADIUS over the Transport Layer Security (TLS) protocol.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced before Junos OS Release 7.4.

routing-instance introduced in Junos OS Release 18.1R1.

Related Documentation