config user radius

Configure RADIUS server entries.

config user radius
    Description: Configure RADIUS server entries.
    edit <name>
        set server {string}
        set secret {password}
        set secondary-server {string}
        set secondary-secret {password}
        set tertiary-server {string}
        set tertiary-secret {password}
        set timeout {integer}
        set all-usergroup [disable|enable]
        set use-management-vdom [enable|disable]
        set nas-ip {ipv4-address}
        set acct-interim-interval {integer}
        set radius-coa [enable|disable]
        set radius-port {integer}
        set h3c-compatibility [enable|disable]
        set auth-type [auto|ms_chap_v2|...]
        set source-ip {string}
        set username-case-sensitive [enable|disable]
        set group-override-attr-type [filter-Id|class]
        set class <name1>, <name2>, ...
        set password-renewal [enable|disable]
        set password-encoding [auto|ISO-8859-1]
        set mac-username-delimiter [hyphen|single-hyphen|...]
        set mac-password-delimiter [hyphen|single-hyphen|...]
        set mac-case [uppercase|lowercase]
        set acct-all-servers [enable|disable]
        set switch-controller-acct-fast-framedip-detect {integer}
        set interface-select-method [auto|sdwan|...]
        set interface {string}
        set switch-controller-service-type {option1}, {option2}, ...
        set rsso [enable|disable]
        set rsso-radius-server-port {integer}
        set rsso-radius-response [enable|disable]
        set rsso-validate-request-secret [enable|disable]
        set rsso-secret {password}
        set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
        set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute-key {string}
        set sso-attribute-value-override [enable|disable]
        set rsso-context-timeout {integer}
        set rsso-log-period {integer}
        set rsso-log-flags {option1}, {option2}, ...
        set rsso-flush-ip-session [enable|disable]
        set rsso-ep-one-ip-only [enable|disable]
        set delimiter [plus|comma]
        config accounting-server
            Description: Additional accounting servers.
            edit <id>
                set status [enable|disable]
                set server {string}
                set secret {password}
                set port {integer}
                set source-ip {string}
                set interface-select-method [auto|sdwan|...]
                set interface {string}
            next
        end
    next
end
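An added example, not part of this reference: a short Python audit that parses `config user radius` entries from a configuration backup and flags two settings documented on this page, an `auth-type` that permits PAP (`auto` tries PAP first) and `rsso enable` with `rsso-validate-request-secret` left at its `disable` default. The sample backup text, entry names and addresses are constructed, and the helper names `parse_radius_entries` and `audit` are hypothetical.

```python
import shlex

# Defaults as listed in this page's parameter table.
DEFAULTS = {"auth-type": "auto", "rsso": "disable", "rsso-validate-request-secret": "disable"}

def parse_radius_entries(config_text):
    """Return {entry name: {option: value}} from 'config user radius'."""
    entries, current, depth = {}, None, 0
    for raw in filter(str.strip, config_text.splitlines()):
        try:
            tok = shlex.split(raw)
        except ValueError:                  # unbalanced quote: plain split instead
            tok = raw.split()
        if depth == 0:                      # outside the section: wait for its header
            depth = int(tok == ["config", "user", "radius"])
        elif tok[0] in ("config", "end"):   # nested tables such as accounting-server
            depth += 1 if tok[0] == "config" else -1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            current = entries.setdefault(tok[1], dict(DEFAULTS))
        elif depth == 1 and tok[0] == "set" and len(tok) > 2 and current is not None:
            current[tok[1]] = " ".join(tok[2:])
    return entries

def audit(entries):
    """Return sorted (entry, finding) pairs for settings worth reviewing."""
    findings = []
    for name, opts in entries.items():
        if opts["auth-type"] in ("auto", "pap"):
            findings.append((name, "auth-type %s permits PAP" % opts["auth-type"]))
        if opts["rsso"] == "enable" and opts["rsso-validate-request-secret"] != "enable":
            findings.append((name, "rsso does not validate the request secret"))
    return sorted(findings)

# Constructed sample in configuration-backup layout (names and addresses are made up).
SAMPLE = """config user radius
    edit "corp-radius"
        set server "radius1.example.test"
        set auth-type ms_chap_v2
        config accounting-server
            edit 1
                set server "192.0.2.20"
            next
        end
    next
    edit "guest-rsso"
        set rsso enable
    next
end"""

FINDINGS = audit(parse_radius_entries(SAMPLE))
```

Settings inside the nested `config accounting-server` table are skipped on purpose, so an accounting server's `set server` never overwrites the entry's primary server.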

config user radius

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| server | Primary RADIUS server CN domain name or IP address. | string | Not Specified |  |
| secret | Pre-shared secret key used to access the primary RADIUS server. | password | Not Specified |  |
| secondary-server | Secondary RADIUS CN domain name or IP address. | string | Not Specified |  |
| secondary-secret | Secret key to access the secondary server. | password | Not Specified |  |
| tertiary-server | Tertiary RADIUS CN domain name or IP address. | string | Not Specified |  |
| tertiary-secret | Secret key to access the tertiary server. | password | Not Specified |  |
| timeout | Time in seconds between re-sending authentication requests. | integer | Minimum value: 1 Maximum value: 300 | 5 |
| all-usergroup | Enable/disable automatically including this RADIUS server in all user groups. | option | - | disable |

| Option | Description |
|---|---|
| disable | Do not automatically include this server in a user group. |
| enable | Include this RADIUS server in every user group. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| use-management-vdom | Enable/disable using management VDOM to send requests. | option | - | disable |

| Option | Description |
|---|---|
| enable | Send requests using the management VDOM. |
| disable | Send requests using the current VDOM. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| nas-ip | IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes. | ipv4-address | Not Specified | 0.0.0.0 |
| acct-interim-interval | Time in seconds between each accounting interim update message. | integer | Minimum value: 60 Maximum value: 86400 | 0 |
| radius-coa | Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated. | option | - | disable |

| Option | Description |
|---|---|
| enable | Enable RADIUS CoA. |
| disable | Disable RADIUS CoA. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| radius-port | RADIUS service port number. | integer | Minimum value: 0 Maximum value: 65535 | 0 |
| h3c-compatibility | Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. | option | - | disable |

| Option | Description |
|---|---|
| enable | Enable H3C compatibility. |
| disable | Disable H3C compatibility. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| auth-type | Authentication methods/protocols permitted for this RADIUS server. | option | - | auto |

| Option | Description |
|---|---|
| auto | Use PAP, MSCHAP_v2, and CHAP (in that order). |
| ms_chap_v2 | Microsoft Challenge Handshake Authentication Protocol version 2. |
| ms_chap | Microsoft Challenge Handshake Authentication Protocol. |
| chap | Challenge Handshake Authentication Protocol. |
| pap | Password Authentication Protocol. |

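| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| source-ip | Source IP address for communications to the RADIUS server. | string | Not Specified |  |
| username-case-sensitive | Enable/disable case sensitive user names. | option | - | disable |

| Option | Description |
|---|---|
| enable | Enable username case-sensitive. |
| disable | Disable username case-sensitive. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| group-override-attr-type | RADIUS attribute type to override user group information. | option | - |  |

| Option | Description |
|---|---|
| filter-Id | Filter-Id |
| class | Class |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| class <name> | Class attribute name(s). Class name. | string | Maximum length: 79 |  |
| password-renewal | Enable/disable password renewal. | option | - | enable |

| Option | Description |
|---|---|
| enable | Enable password renewal. |
| disable | Disable password renewal. |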

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| password-encoding | Password encoding. | option | - | auto |

| Option | Description |
|---|---|
| auto | Use original password encoding. |
| ISO-8859-1 | Use ISO-8859-1 password encoding. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| mac-username-delimiter | MAC authentication username delimiter. | option | - | hyphen |

| Option | Description |
|---|---|
| hyphen | Use hyphen as delimiter for MAC authentication username. |
| single-hyphen | Use single hyphen as delimiter for MAC authentication username. |
| colon | Use colon as delimiter for MAC authentication username. |
| none | No delimiter for MAC authentication username. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| mac-password-delimiter | MAC authentication password delimiter. | option | - | hyphen |

| Option | Description |
|---|---|
| hyphen | Use hyphen as delimiter for MAC authentication password. |
| single-hyphen | Use single hyphen as delimiter for MAC authentication password. |
| colon | Use colon as delimiter for MAC authentication password. |
| none | No delimiter for MAC authentication password. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| mac-case | MAC authentication case. | option | - | lowercase |

| Option | Description |
|---|---|
| uppercase | Use uppercase MAC. |
| lowercase | Use lowercase MAC. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| acct-all-servers | Enable/disable sending of accounting messages to all configured servers. | option | - | disable |

| Option | Description |
|---|---|
| enable | Send accounting messages to all configured servers. |
| disable | Send accounting message only to servers that are confirmed to be reachable. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| switch-controller-acct-fast-framedip-detect | Switch controller accounting message Framed-IP detection from DHCP snooping. | integer | Minimum value: 2 Maximum value: 600 | 2 |
| interface-select-method | Specify how to select outgoing interface to reach server. | option | - | auto |

| Option | Description |
|---|---|
| auto | Set outgoing interface automatically. |
| sdwan | Set outgoing interface by SD-WAN or policy routing rules. |
| specify | Set outgoing interface manually. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| interface | Specify outgoing interface to reach server. | string | Not Specified |  |
| switch-controller-service-type | RADIUS service type. | option | - |  |

| Option | Description |
|---|---|
| login | User should be connected to a host. |
| framed | User uses Framed Protocol. |
| callback-login | User disconnected and called back. |
| callback-framed | User disconnected and called back, then a Framed Protocol. |
| outbound | User granted access to outgoing devices. |
| administrative | User granted access to the administrative unsigned interface. |
| nas-prompt | User provided a command prompt on the NAS. |
| authenticate-only | Authentication requested, and no auth info needs to be returned. |
| callback-nas-prompt | User disconnected and called back, then provided a command prompt. |
| call-check | Used by the NAS in an Access-Request packet, Access-Accept to answer the call. |
| callback-administrative | User disconnected and called back, granted access to the admin unsigned interface. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| rsso | Enable/disable RADIUS based single sign on feature. | option | - | disable |

| Option | Description |
|---|---|
| enable | Enable RADIUS based single sign on feature. |
| disable | Disable RADIUS based single sign on feature. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| rsso-radius-server-port | UDP port to listen on for RADIUS Start and Stop records. | integer | Minimum value: 0 Maximum value: 65535 | 1813 |
| rsso-radius-response | Enable/disable sending RADIUS response packets after receiving Start and Stop records. | option | - | disable |

| Option | Description |
|---|---|
| enable | Enable sending RADIUS response packets. |
| disable | Disable sending RADIUS response packets. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| rsso-validate-request-secret | Enable/disable validating the RADIUS request shared secret in the Start or End record. | option | - | disable |

| Option | Description |
|---|---|
| enable | Enable validating RADIUS request shared secret. |
| disable | Disable validating RADIUS request shared secret. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| rsso-secret | RADIUS secret used by the RADIUS accounting server. | password | Not Specified |  |
| rsso-endpoint-attribute | RADIUS attributes used to extract the user end point identifier from the RADIUS Start record. | option | - | Calling-Station-Id |

| Option | Description |
|---|---|
| User-Name | Use this attribute. |
| NAS-IP-Address | Use this attribute. |
| Framed-IP-Address | Use this attribute. |
| Framed-IP-Netmask | Use this attribute. |
| Filter-Id | Use this attribute. |
| Login-IP-Host | Use this attribute. |
| Reply-Message | Use this attribute. |
| Callback-Number | Use this attribute. |
| Callback-Id | Use this attribute. |
| Framed-Route | Use this attribute. |
| Framed-IPX-Network | Use this attribute. |
| Class | Use this attribute. |
| Called-Station-Id | Use this attribute. |
| Calling-Station-Id | Use this attribute. |
| NAS-Identifier | Use this attribute. |
| Proxy-State | Use this attribute. |
| Login-LAT-Service | Use this attribute. |
| Login-LAT-Node | Use this attribute. |
| Login-LAT-Group | Use this attribute. |
| Framed-AppleTalk-Zone | Use this attribute. |
| Acct-Session-Id | Use this attribute. |
| Acct-Multi-Session-Id | Use this attribute. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| rsso-endpoint-block-attribute | RADIUS attributes used to block a user. | option | - |  |

| Option | Description |
|---|---|
| User-Name | Use this attribute. |
| NAS-IP-Address | Use this attribute. |
| Framed-IP-Address | Use this attribute. |
| Framed-IP-Netmask | Use this attribute. |
| Filter-Id | Use this attribute. |
| Login-IP-Host | Use this attribute. |
| Reply-Message | Use this attribute. |
| Callback-Number | Use this attribute. |
| Callback-Id | Use this attribute. |
| Framed-Route | Use this attribute. |
| Framed-IPX-Network | Use this attribute. |
| Class | Use this attribute. |
| Called-Station-Id | Use this attribute. |
| Calling-Station-Id | Use this attribute. |
| NAS-Identifier | Use this attribute. |
| Proxy-State | Use this attribute. |
| Login-LAT-Service | Use this attribute. |
| Login-LAT-Node | Use this attribute. |
| Login-LAT-Group | Use this attribute. |
| Framed-AppleTalk-Zone | Use this attribute. |
| Acct-Session-Id | Use this attribute. |
| Acct-Multi-Session-Id | Use this attribute. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| sso-attribute | RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. | option | - | Class |

| Option | Description |
|---|---|
| User-Name | Use this attribute. |
| NAS-IP-Address | Use this attribute. |
| Framed-IP-Address | Use this attribute. |
| Framed-IP-Netmask | Use this attribute. |
| Filter-Id | Use this attribute. |
| Login-IP-Host | Use this attribute. |
| Reply-Message | Use this attribute. |
| Callback-Number | Use this attribute. |
| Callback-Id | Use this attribute. |
| Framed-Route | Use this attribute. |
| Framed-IPX-Network | Use this attribute. |
| Class | Use this attribute. |
| Called-Station-Id | Use this attribute. |
| Calling-Station-Id | Use this attribute. |
| NAS-Identifier | Use this attribute. |
| Proxy-State | Use this attribute. |
| Login-LAT-Service | Use this attribute. |
| Login-LAT-Node | Use this attribute. |
| Login-LAT-Group | Use this attribute. |
| Framed-AppleTalk-Zone | Use this attribute. |
| Acct-Session-Id | Use this attribute. |
| Acct-Multi-Session-Id | Use this attribute. |

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| sso-attribute-key | Key prefix for SSO group value in the SSO attribute. | string | Not Specified |  |
| sso-attribute-value-override | Enable/disable override old attribute value with new value for the same endpoint. | option | - | enable |

| Option | Description |
|---|---|
| enable | Enable override old attribute value with new value for the same endpoint. |
| disable | Disable override old attribute value with new value for the same endpoint. |

rsso-context-timeout