config user radius

Configure RADIUS server entries.

config user radius
    Description: Configure RADIUS server entries.
    edit <name>
        set account-key-cert-field [othername|rfc822name|...]
        set account-key-processing [same|strip]
        config accounting-server
            Description: Additional accounting servers.
            edit <id>
                set interface {string}
                set interface-select-method [auto|sdwan|...]
                set port {integer}
                set secret {password}
                set server {string}
                set source-ip {string}
                set status [enable|disable]
                set vrf-select {integer}
            next
        end
        set acct-all-servers [enable|disable]
        set acct-interim-interval {integer}
        set all-usergroup [disable|enable]
        set auth-type [auto|ms_chap_v2|...]
        set ca-cert {string}
        set call-station-id-type [legacy|IP|...]
        set class <name1>, <name2>, ...
        set client-cert {string}
        set delimiter [plus|comma]
        set group-override-attr-type [filter-Id|class]
        set h3c-compatibility [enable|disable]
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set mac-case [uppercase|lowercase]
        set mac-password-delimiter [hyphen|single-hyphen|...]
        set mac-username-delimiter [hyphen|single-hyphen|...]
        set nas-id {string}
        set nas-id-type [legacy|custom|...]
        set nas-ip {ipv4-address}
        set password-encoding [auto|ISO-8859-1]
        set password-renewal [enable|disable]
        set radius-coa [enable|disable]
        set radius-port {integer}
        set require-message-authenticator [enable|disable]
        set rsso [enable|disable]
        set rsso-context-timeout {integer}
        set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
        set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
        set rsso-ep-one-ip-only [enable|disable]
        set rsso-flush-ip-session [enable|disable]
        set rsso-log-flags {option1}, {option2}, ...
        set rsso-log-period {integer}
        set rsso-radius-response [enable|disable]
        set rsso-radius-server-port {integer}
        set rsso-secret {password}
        set rsso-validate-request-secret [enable|disable]
        set secondary-secret {password}
        set secondary-server {string}
        set secret {password}
        set server {string}
        set server-identity-check [enable|disable]
        set source-ip {string}
        set source-ip-interface {string}
        set sso-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute-key {string}
        set sso-attribute-value-override [enable|disable]
        set status-ttl {integer}
        set switch-controller-acct-fast-framedip-detect {integer}
        set switch-controller-nas-ip-dynamic [enable|disable]
        set switch-controller-service-type {option1}, {option2}, ...
        set tertiary-secret {password}
        set tertiary-server {string}
        set timeout {integer}
        set tls-min-proto-version [default|SSLv3|...]
        set transport-protocol [udp|tcp|...]
        set use-management-vdom [enable|disable]
        set username-case-sensitive [enable|disable]
        set vrf-select {integer}
    next
end

config user radius

Each entry below gives the parameter, its description, its type, its size or value range, its default, and for option types the permitted values and their meanings.

account-key-cert-field
    Define the subject identity field in the certificate used for user access right checking.
    Type: option. Default: othername.
    Options:
        othername     Other name in SAN.
        rfc822name    RFC822 email address in SAN.
        dnsname       DNS name in SAN.
        cn            CN in subject.

account-key-processing
    Account key processing operation. The FortiGate either keeps the whole domain or strips the domain from the subject identity.
    Type: option. Default: same.
    Options:
        same     Same as subject identity field.
        strip    Strip domain string from subject identity field.

acct-all-servers
    Enable/disable sending accounting messages to all configured servers.
    Type: option. Default: disable.
    Options:
        enable     Send accounting messages to all configured servers.
        disable    Send accounting messages only to servers that are confirmed to be reachable.

acct-interim-interval
    Time in seconds between each accounting interim update message.
    Type: integer. Range: 60 to 86400. Default: 0.

all-usergroup
    Enable/disable automatically including this RADIUS server in all user groups.
    Type: option. Default: disable.
    Options:
        disable    Do not automatically include this server in a user group.
        enable     Include this RADIUS server in every user group.

auth-type
    Authentication methods/protocols permitted for this RADIUS server.
    Type: option. Default: auto.
    Options:
        auto          Use PAP, MSCHAP_v2, and CHAP (in that order).
        ms_chap_v2    Microsoft Challenge Handshake Authentication Protocol version 2.
        ms_chap       Microsoft Challenge Handshake Authentication Protocol.
        chap          Challenge Handshake Authentication Protocol.
        pap           Password Authentication Protocol.
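The methods listed under auth-type differ in what a captured Access-Request gives away, which matters because the default auto tries PAP first and the default transport-protocol is plain UDP. The following added example is not part of this reference and is not FortiOS code: it implements the RFC 2865 User-Password hiding that PAP uses and the CHAP response, then shows that anyone holding the shared secret recovers a PAP password outright from a capture, while CHAP exposes only a challenge-bound hash that must be guessed offline. The function names, the shared secret and the password values are constructed for the demonstration.

```python
"""PAP User-Password hiding versus CHAP in a RADIUS Access-Request.

Added example, not part of the FortiOS reference. It shows what a captured UDP
exchange gives to someone who also holds the shared secret, under each auth-type.
"""
import hashlib
import hmac
import os


def pap_hide(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the zero-padded password with an MD5 keystream
    derived from the shared secret and the 16-byte Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password plaintext must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # each further keystream block is chained on the previous ciphertext
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of pap_hide: same keystream, XORed back, padding stripped.
    This is all an eavesdropper with the secret needs to do."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # assumes the password itself has no trailing NULs


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 (RFC 1994): CHAP-Password = ID || MD5(ID || password || challenge).
    Only a challenge-bound one-way hash crosses the wire, never the password."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_password: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the stored cleartext password and compare."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], password, challenge)
    return hmac.compare_digest(expected, chap_password)


def capture_exposure(password: bytes, secret: bytes) -> dict:
    """Simulate one request per method and report what a capture plus the shared
    secret yields: the PAP plaintext outright, versus only a guessable hash for CHAP."""
    request_authenticator = os.urandom(16)  # fresh per request, sent in the clear
    challenge = os.urandom(16)
    pap_attr = pap_hide(password, secret, request_authenticator)
    chap_attr = chap_response(0x2A, password, challenge)
    return {
        "pap_recovered": pap_reveal(pap_attr, secret, request_authenticator),
        "chap_recovered": None,               # nothing to decrypt; offline guessing only
        "chap_guess_confirms": chap_verify(chap_attr, password, challenge),
    }
```

The practical consequence for this page: an entry left at auth-type auto over UDP sends user passwords protected only by the shared secret, so the secret's strength and distribution decide whether a capture is readable. Where the server supports it, set auth-type ms_chap_v2 or move the transport to transport-protocol tls.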

ca-cert
    CA certificate of the server to trust under TLS.
    Type: string. Maximum length: 79.

call-station-id-type
    Calling-Station-Id and Called-Station-Id type configuration. This option is not available for 802.1X authentication.
    Type: option. Default: legacy.
    Options:
        legacy    Calling and Called station identifier is the value previously used by each daemon.
        IP        Calling and Called station identifier is the IP address.
        MAC       Calling and Called station identifier is the MAC address.

class <name>
    Class attribute name(s). Each entry is one class name.
    Type: string. Maximum length: 79.

client-cert
    Client certificate to use under TLS.
    Type: string. Maximum length: 35.

delimiter
    Delimiter used to separate profile group names in the SSO attribute.
    Type: option. Default: plus.
    Options:
        plus     Plus character "+".
        comma    Comma character ",".

group-override-attr-type
    RADIUS attribute type used to override user group information.
    Type: option.
    Options:
        filter-Id    Filter-Id.
        class        Class.

h3c-compatibility
    Enable/disable compatibility with H3C, a mechanism that performs security checking for authentication.
    Type: option. Default: disable.
    Options:
        enable     Enable H3C compatibility.
        disable    Disable H3C compatibility.

interface
    Outgoing interface used to reach the server.
    Type: string. Maximum length: 15.

interface-select-method
    How the outgoing interface used to reach the server is selected.
    Type: option. Default: auto.
    Options:
        auto       Set outgoing interface automatically.
        sdwan      Set outgoing interface by SD-WAN or policy routing rules.
        specify    Set outgoing interface manually.

mac-case
    MAC authentication case.
    Type: option. Default: lowercase.
    Options:
        uppercase    Use uppercase MAC.
        lowercase    Use lowercase MAC.

mac-password-delimiter
    MAC authentication password delimiter.
    Type: option. Default: hyphen.
    Options:
        hyphen           Use hyphen as delimiter for MAC authentication password.
        single-hyphen    Use single hyphen as delimiter for MAC authentication password.
        colon            Use colon as delimiter for MAC authentication password.
        none             No delimiter for MAC authentication password.

mac-username-delimiter
    MAC authentication username delimiter.
    Type: option. Default: hyphen.
    Options:
        hyphen           Use hyphen as delimiter for MAC authentication username.
        single-hyphen    Use single hyphen as delimiter for MAC authentication username.
        colon            Use colon as delimiter for MAC authentication username.
        none             No delimiter for MAC authentication username.

name
    RADIUS server entry name.
    Type: string. Maximum length: 35.

nas-id
    Custom NAS identifier.
    Type: string. Maximum length: 255.

nas-id-type
    NAS identifier type configuration.
    Type: option. Default: legacy.
    Options:
        legacy      NAS-ID value is the value previously used by each daemon.
        custom      NAS-ID value is customized (see nas-id).
        hostname    NAS-ID value is the hostname, or the HA group name if applicable.

nas-ip
    IP address used to communicate with the RADIUS server and sent as the NAS-IP-Address and Called-Station-Id attributes.
    Type: ipv4-address. Default: 0.0.0.0.

password-encoding
    Password encoding.
    Type: option. Default: auto.
    Options:
        auto          Use original password encoding.
        ISO-8859-1    Use ISO-8859-1 password encoding.

password-renewal
    Enable/disable password renewal.
    Type: option. Default: enable.
    Options:
        enable     Enable password renewal.
        disable    Disable password renewal.

radius-coa
    Enable/disable RADIUS Change of Authorization (CoA), which allows the attributes of an authentication, authorization, and accounting session to be changed after it has been authenticated.
    Type: option. Default: disable.
    Options:
        enable     Enable RADIUS CoA.
        disable    Disable RADIUS CoA.

radius-port
    RADIUS service port number.
    Type: integer. Range: 0 to 65535. Default: 0.

require-message-authenticator
    Require the Message-Authenticator attribute in authentication responses.
    Type: option. Default: enable.
    Options:
        enable     Make validation of the Message-Authenticator mandatory in authentication responses.
        disable    Make validation of the Message-Authenticator optional in authentication responses.
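require-message-authenticator decides whether an authentication response that carries no Message-Authenticator is accepted. The following added example is not from this reference and is not FortiOS code: it builds Access-Accept packets as a server would, following RFC 2865 section 3 for the Response Authenticator and RFC 2869 section 5.14 for the Message-Authenticator, and then checks them as a strict client and as a lenient one. The Response Authenticator is a plain MD5 over the packet and the secret, the construction that the 2024 Blast-RADIUS attack targets; the Message-Authenticator is an HMAC-MD5 over the whole packet and is only enforced when it is present or required. The attribute values, identifier and secret are constructed; the function names are chosen here.

```python
"""Access-Accept validation with and without a required Message-Authenticator.

Added example, not FortiOS code. Builds RADIUS responses as a server would
(RFC 2865 section 3, RFC 2869 section 5.14) and checks them the way a client does
with require-message-authenticator enabled or disabled.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes,
                   secret: bytes, with_msg_auth: bool) -> bytes:
    """Assemble a response. With with_msg_auth the server appends Message-Authenticator,
    computed as HMAC-MD5 over the packet with the Request Authenticator in the header and
    16 zero bytes in place of the Message-Authenticator value."""
    body = attrs
    if with_msg_auth:
        length = 20 + len(body) + 18
        placeholder = (struct.pack("!BBH", code, ident, length) + request_auth + body
                       + encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        mac = hmac.new(secret, placeholder, hashlib.md5).digest()
        body = body + encode_attr(MESSAGE_AUTHENTICATOR, mac)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(body: bytes) -> list:
    """Split the attribute region into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        out.append((attr_type, body[i + 2:i + length]))
        i += length
    return out


def verify_response(packet: bytes, request_auth: bytes, secret: bytes,
                    require_msg_auth: bool) -> bool:
    """Client-side check. True only if the Response Authenticator matches and the
    Message-Authenticator, when present or required, verifies as well."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_msg_auth  # the lenient client accepts, the strict one refuses
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    # Rebuild the packet with the MAC value zeroed and the Request Authenticator in the header.
    zeroed = b"".join(
        encode_attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    calc = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(calc, macs[0])
```

Keeping the default enable means a response from a server (or a spoofer) that omits the attribute is dropped; disable it only for a server that cannot emit Message-Authenticator, and then only over transport-protocol tls.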

rsso
    Enable/disable RADIUS-based single sign-on (RSSO).
    Type: option. Default: disable.
    Options:
        enable     Enable RADIUS-based single sign-on.
        disable    Disable RADIUS-based single sign-on.

rsso-context-timeout
    Time in seconds before a logged-out user is removed from the "user context list" of logged-on users.
    Type: integer. Range: 0 to 4294967295. Default: 28800.

rsso-endpoint-attribute
    RADIUS attribute used to extract the user endpoint identifier from the RADIUS accounting Start record.
    Type: option. Default: Calling-Station-Id.
    Options (any one of the following standard attributes): User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id.

rsso-endpoint-block-attribute
    RADIUS attribute used to block a user.
    Type: option.
    Options: the same attribute list as rsso-endpoint-attribute.

rsso-ep-one-ip-only
    Enable/disable replacing the old IP address with the new one for the same endpoint on RADIUS accounting Start messages.
    Type: option. Default: disable.
    Options:
        enable     Replace the old IP address with the new IP address for the same endpoint on RADIUS accounting Start.
        disable    Do not replace the old IP address for the same endpoint on RADIUS accounting Start.

rsso-flush-ip-session
    Enable/disable flushing the user's IP sessions on RADIUS accounting Stop messages.
    Type: option. Default: disable.
    Options:
        enable     Flush user IP sessions on RADIUS accounting Stop.
        disable    Do not flush user IP sessions on RADIUS accounting Stop.

rsso-log-flags
    Events to log.
    Type: option (multiple values). Default: protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other.
    Options: protocol-error, profile-missing, accounting-stop-missed, accounting-event, endpoint-block, radiusd-other (each enables that log type), or none (disable all logging).

rsso-log-period
    Time interval in seconds at which group event log messages are generated for dynamic profile events.
    Type: integer. Range: 0 to 4294967295. Default: 0.

rsso-radius-response
    Enable/disable sending RADIUS response packets after receiving Start and Stop records.
    Type: option. Default: disable.
    Options:
        enable     Send RADIUS response packets.
        disable    Do not send RADIUS response packets.

rsso-radius-server-port
    UDP port to listen on for RADIUS Start and Stop records.
    Type: integer. Range: 0 to 65535. Default: 1813.

rsso-secret
    RADIUS shared secret used by the RADIUS accounting server that sends the Start and Stop records.
    Type: password.

rsso-validate-request-secret
    Enable/disable validating the RADIUS request shared secret in the Start or Stop record.
    Type: option. Default: disable.
    Options:
        enable     Validate the RADIUS request shared secret.
        disable    Do not validate the RADIUS request shared secret.

secondary-secret
    Secret key to access the secondary server.
    Type: password.

secondary-server
    Secondary RADIUS server CN domain name or IP address.
    Type: string. Maximum length: 63.

secret
    Pre-shared secret key used to access the primary RADIUS server.
    Type: password.

server
    Primary RADIUS server CN domain name or IP address.
    Type: string. Maximum length: 63.

server-identity-check
    Enable/disable RADIUS server identity check (verify the configured server domain name or IP address against the server certificate).
    Type: option. Default: enable.
    Options:
        enable     Enable server identity check.
        disable    Disable server identity check.

source-ip
    Source IP address for communications to the RADIUS server.
    Type: string. Maximum length: 63.

source-ip-interface
    Source interface for communication with the RADIUS server.
    Type: string. Maximum length: 15.

sso-attribute
    RADIUS attribute that contains the profile group name to be extracted from the RADIUS accounting Start record.
    Type: option. Default: Class.
    Options: the same attribute list as rsso-endpoint-attribute.

sso-attribute-key
    Key prefix for the SSO group value in the SSO attribute.
    Type: string. Maximum length: 35.
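The RSSO settings above describe one processing path for an incoming accounting record: rsso-validate-request-secret (check the record against rsso-secret), rsso-endpoint-attribute (which attribute identifies the endpoint), and sso-attribute with sso-attribute-key and delimiter (where the group names come from and how they are split). The following added example is not from this reference and is not FortiOS code: it builds a constructed Accounting-Request Start record, validates its Request Authenticator as RFC 2866 section 3 defines it, and extracts the endpoint, IP and group list under those settings, including the case where the key prefix filters out unrelated Class values. The user, addresses, group strings, secret and function names are all constructed.

```python
"""RSSO accounting Start handling: validate the request secret, then pull the endpoint
and group names out of the record as rsso-endpoint-attribute, sso-attribute,
sso-attribute-key and delimiter describe.

Added example, not FortiOS code; the packet built here is constructed, not a capture.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
DELIMITER = {"plus": "+", "comma": ","}


def attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value, Length including the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866 section 3: Request Authenticator = MD5(Code || ID || Length || 16 zero octets
    || attributes || secret). Unlike Access-Request, the receiver can verify this one."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    request_auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + request_auth + attrs


def request_secret_valid(packet: bytes, secret: bytes) -> bool:
    """What rsso-validate-request-secret enables: recompute the authenticator with the
    configured rsso-secret and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    calc = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(calc, packet[4:20])


def walk_attrs(packet: bytes):
    """Yield (type, value) for each well-formed attribute; stop at the first bad length."""
    body, i = packet[20:], 0
    while i + 2 <= len(body) and body[i + 1] >= 2 and i + body[i + 1] <= len(body):
        yield body[i], body[i + 2:i + body[i + 1]]
        i += body[i + 1]


def extract_rsso(packet: bytes, secret: bytes, endpoint_attr: str = "Calling-Station-Id",
                 sso_attr: str = "Class", sso_key: str = "", delimiter: str = "plus") -> dict:
    """Reject the record if the secret does not verify; otherwise return status, endpoint,
    IP and groups. Every instance of sso_attr is read; with sso_key set, only values that
    start with the key count and the key is stripped; each value is split on the delimiter."""
    if not request_secret_valid(packet, secret):
        return {"accepted": False, "reason": "bad request authenticator"}
    attrs = list(walk_attrs(packet))

    def first(name: str):
        return next((v for t, v in attrs if t == ATTR[name]), None)

    status_raw = first("Acct-Status-Type")
    status = (STATUS.get(struct.unpack("!I", status_raw)[0])
              if status_raw is not None and len(status_raw) == 4 else None)
    ip_raw = first("Framed-IP-Address")
    ip = ".".join(str(b) for b in ip_raw) if ip_raw is not None and len(ip_raw) == 4 else None
    endpoint = first(endpoint_attr)
    groups, sep = [], DELIMITER[delimiter]
    for t, v in attrs:
        if t != ATTR[sso_attr]:
            continue
        text = v.decode("utf-8", "replace")
        if sso_key:
            if not text.startswith(sso_key):
                continue  # a Class value that is not ours (another vendor's cookie, for example)
            text = text[len(sso_key):]
        groups += [g for g in text.split(sep) if g]
    return {"accepted": True, "status": status, "ip": ip, "groups": groups,
            "endpoint": endpoint.decode("utf-8", "replace") if endpoint is not None else None}


def sample_start_packet(secret: bytes) -> bytes:
    """Constructed Accounting-Request Start for one user; not a real capture."""
    attrs = (attr(ATTR["User-Name"], b"alice")
             + attr(ATTR["Framed-IP-Address"], bytes([10, 1, 2, 3]))
             + attr(ATTR["Calling-Station-Id"], b"00-11-22-33-44-55")
             + attr(ATTR["Class"], b"grp=staff+vpn")
             + attr(ATTR["Class"], b"other")
             + attr(ATTR["Acct-Status-Type"], struct.pack("!I", 1))
             + attr(ATTR["Acct-Session-Id"], b"abc123"))
    return build_acct_request(ident=7, attrs=attrs, secret=secret)
```

With rsso-validate-request-secret left at its default disable, the FortiGate skips the first check and any host that can reach rsso-radius-server-port can inject Start records, which is why the secret check belongs with rsso-endpoint-block-attribute in any deployment where the accounting source is not tightly filtered.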

sso-attribute-value-override
    Enable/disable overriding the old attribute value with the new value for the same endpoint.
    Type: option. Default: enable.
    Options:
        enable     Override the old attribute value with the new value for the same endpoint.
        disable    Keep the old attribute value for the same endpoint.

status-ttl
    Time in seconds for which server reachability is cached, so that an unreachable server is not retried for at least this period.
    Type: integer. Range: 0 to 600. Default: 300.

switch-controller-acct-fast-framedip-detect
    Switch controller accounting message Framed-IP detection from DHCP snooping.
    Type: integer. Range: 2 to 600. Default: 2.

switch-controller-nas-ip-dynamic *
    Enable/disable dynamically setting the NAS-IP for switch-controller authentication.
    Type: option. Default: disable.
    Options:
        enable     Enable dynamic NAS-IP setting.
        disable    Disable dynamic NAS-IP setting.

switch-controller-service-type
    RADIUS Service-Type attribute value(s).
    Type: option (multiple values).
    Options:
        login                     User should be connected to a host.
        framed                    A framed protocol is started for the user.
        callback-login            User disconnected and called back, then connected to a host.
        callback-framed           User disconnected and called back, then a framed protocol is started.
        outbound                  User granted access to outgoing devices.
        administrative            User granted access to the administrative interface of the NAS.
        nas-prompt                User provided a command prompt on the NAS.
        authenticate-only         Authentication requested, and no authorization information needs to be returned.
        callback-nas-prompt       User disconnected and called back, then provided a command prompt.
        call-check                Used by the NAS in an Access-Request to signal an incoming call; the server answers with Access-Accept to accept it.
        callback-administrative   User disconnected and called back, then granted access to the administrative interface.

tertiary-secret
    Secret key to access the tertiary server.
    Type: password.

tertiary-server
    Tertiary RADIUS server CN domain name or IP address.
    Type: string. Maximum length: 63.

timeout
    Time in seconds to wait before retrying the connection to the server.
    Type: integer. Range: 1 to 300. Default: 5.

tls-min-proto-version
    Minimum supported protocol version for TLS connections.
    Type: option. Default: default.
    Options:
        default    Follow the system global setting.
        SSLv3      SSLv3.
        TLSv1      TLSv1.
        TLSv1-1    TLSv1.1.
        TLSv1-2    TLSv1.2.
        TLSv1-3    TLSv1.3.

transport-protocol
    Transport protocol to be used.
    Type: option. Default: udp.
    Options:
        udp    UDP.
        tcp    TCP.
        tls    TLS over TCP. The ca-cert, client-cert, server-identity-check and tls-min-proto-version settings apply to this mode.

use-management-vdom
    Enable/disable using the management VDOM to send requests.
    Type: option. Default: disable.
    Options:
        enable     Send requests using the management VDOM.
        disable    Send requests using the current VDOM.

username-case-sensitive
    Enable/disable case-sensitive user names.
    Type: option. Default: disable.
    Options:
        enable     User names are case-sensitive.
        disable    User names are not case-sensitive.

vrf-select
    VRF ID used for the connection to the server.
    Type: integer. Range: 0 to 511. Default: 0.

* This parameter may not exist in some models.

config accounting-server

Additional accounting servers. Each entry has the parameters below.

id
    ID.
    Type: integer. Range: 0 to 4294967295. Default: 0.

interface
    Outgoing interface used to reach the server.
    Type: string. Maximum length: 15.

interface-select-method
    How the outgoing interface used to reach the server is selected.
    Type: option. Default: auto.
    Options:
        auto       Set outgoing interface automatically.
        sdwan      Set outgoing interface by SD-WAN or policy routing rules.
        specify    Set outgoing interface manually.

port
    RADIUS accounting port number.
    Type: integer. Range: 0 to 65535. Default: 0.

secret
    Secret key for this accounting server.
    Type: password.

server
    Server CN domain name or IP address.
    Type: string. Maximum length: 63.

source-ip
    Source IP address for communications to the RADIUS server.
    Type: string. Maximum length: 63.

status
    Enable/disable this accounting server entry.
    Type: option. Default: disable.
    Options:
        enable     Send accounting messages to this server.
        disable    Do not send accounting messages to this server.

vrf-select
    VRF ID used for the connection to the server.
    Type: integer. Range: 0 to 511. Default: 0.

config user radius

config user radius

Configure RADIUS server entries.

config user radius
    Description: Configure RADIUS server entries.
    edit <name>
        set account-key-cert-field [othername|rfc822name|...]
        set account-key-processing [same|strip]
        config accounting-server
            Description: Additional accounting servers.
            edit <id>
                set interface {string}
                set interface-select-method [auto|sdwan|...]
                set port {integer}
                set secret {password}
                set server {string}
                set source-ip {string}
                set status [enable|disable]
                set vrf-select {integer}
            next
        end
        set acct-all-servers [enable|disable]
        set acct-interim-interval {integer}
        set all-usergroup [disable|enable]
        set auth-type [auto|ms_chap_v2|...]
        set ca-cert {string}
        set call-station-id-type [legacy|IP|...]
        set class <name1>, <name2>, ...
        set client-cert {string}
        set delimiter [plus|comma]
        set group-override-attr-type [filter-Id|class]
        set h3c-compatibility [enable|disable]
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set mac-case [uppercase|lowercase]
        set mac-password-delimiter [hyphen|single-hyphen|...]
        set mac-username-delimiter [hyphen|single-hyphen|...]
        set nas-id {string}
        set nas-id-type [legacy|custom|...]
        set nas-ip {ipv4-address}
        set password-encoding [auto|ISO-8859-1]
        set password-renewal [enable|disable]
        set radius-coa [enable|disable]
        set radius-port {integer}
        set require-message-authenticator [enable|disable]
        set rsso [enable|disable]
        set rsso-context-timeout {integer}
        set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
        set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
        set rsso-ep-one-ip-only [enable|disable]
        set rsso-flush-ip-session [enable|disable]
        set rsso-log-flags {option1}, {option2}, ...
        set rsso-log-period {integer}
        set rsso-radius-response [enable|disable]
        set rsso-radius-server-port {integer}
        set rsso-secret {password}
        set rsso-validate-request-secret [enable|disable]
        set secondary-secret {password}
        set secondary-server {string}
        set secret {password}
        set server {string}
        set server-identity-check [enable|disable]
        set source-ip {string}
        set source-ip-interface {string}
        set sso-attribute [User-Name|NAS-IP-Address|...]
        set sso-attribute-key {string}
        set sso-attribute-value-override [enable|disable]
        set status-ttl {integer}
        set switch-controller-acct-fast-framedip-detect {integer}
        set switch-controller-nas-ip-dynamic [enable|disable]
        set switch-controller-service-type {option1}, {option2}, ...
        set tertiary-secret {password}
        set tertiary-server {string}
        set timeout {integer}
        set tls-min-proto-version [default|SSLv3|...]
        set transport-protocol [udp|tcp|...]
        set use-management-vdom [enable|disable]
        set username-case-sensitive [enable|disable]
        set vrf-select {integer}
    next
end

config user radius

Parameter

Description

Type

Size

Default

account-key-cert-field

Define subject identity field in certificate for user access right checking.

option

-

othername

Option

Description

othername

Other name in SAN.

rfc822name

RFC822 email address in SAN.

dnsname

DNS name in SAN.

cn

CN in subject.

account-key-processing

Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity.

option

-

same

Option

Description

same

Same as subject identity field.

strip

Strip domain string from subject identity field.

acct-all-servers

Enable/disable sending of accounting messages to all configured servers.

option

-

disable

Option

Description

enable

Send accounting messages to all configured servers.

disable

Send accounting message only to servers that are confirmed to be reachable.

acct-interim-interval

Time in seconds between each accounting interim update message.

integer

Minimum value: 60 Maximum value: 86400

0

all-usergroup

Enable/disable automatically including this RADIUS server in all user groups.

option

-

disable

Option

Description

disable

Do not automatically include this server in a user group.

enable

Include this RADIUS server in every user group.

auth-type

Authentication methods/protocols permitted for this RADIUS server.

option

-

auto

Option

Description

auto

Use PAP, MSCHAP_v2, and CHAP (in that order).

ms_chap_v2

Microsoft Challenge Handshake Authentication Protocol version 2.

ms_chap

Microsoft Challenge Handshake Authentication Protocol.

chap

Challenge Handshake Authentication Protocol.

pap

Password Authentication Protocol.

ca-cert

CA of server to trust under TLS.

string

Maximum length: 79

call-station-id-type

Calling & Called station identifier type configuration , this option is not available for 802.1x authentication.

option

-

legacy

Option

Description

legacy

Calling & Called station identifier is the value previously used by each daemon.

IP

Calling & Called station identifier is the value of IP address.

MAC

Calling & Called station identifier is the value of MAC address.

class <name>

Class attribute name(s).

Class name.

string

Maximum length: 79

client-cert

Client certificate to use under TLS.

string

Maximum length: 35

delimiter

Configure delimiter to be used for separating profile group names in the SSO attribute.

option

-

plus

Option

Description

plus

Plus character "+".

comma

Comma character ",".

group-override-attr-type

RADIUS attribute type to override user group information.

option

-

Option

Description

filter-Id

Filter-Id

class

Class

h3c-compatibility

Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication.

option

-

disable

Option

Description

enable

Enable H3C compatibility.

disable

Disable H3C compatibility.

interface

Specify outgoing interface to reach server.

string

Maximum length: 15

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

mac-case

MAC authentication case.

option

-

lowercase

Option

Description

uppercase

Use uppercase MAC.

lowercase

Use lowercase MAC.

mac-password-delimiter

MAC authentication password delimiter.

option

-

hyphen

Option

Description

hyphen

Use hyphen as delimiter for MAC authentication password.

single-hyphen

Use single hyphen as delimiter for MAC authentication password.

colon

Use colon as delimiter for MAC authentication password.

none

No delimiter for MAC authentication password.

mac-username-delimiter

MAC authentication username delimiter.

option

-

hyphen

Option

Description

hyphen

Use hyphen as delimiter for MAC authentication username.

single-hyphen

Use single hyphen as delimiter for MAC authentication username.

colon

Use colon as delimiter for MAC authentication username.

none

No delimiter for MAC authentication username.

name

RADIUS server entry name.

string

Maximum length: 35

nas-id

Custom NAS identifier.

string

Maximum length: 255

nas-id-type

NAS identifier type configuration.

option

-

legacy

Option

Description

legacy

NAS-ID value is the value previously used by each daemon.

custom

NAS-ID value is customized.

hostname

NAS-ID value is hostname or HA group name if applicable.

nas-ip

IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.

ipv4-address

Not Specified

0.0.0.0

password-encoding

Password encoding.

option

-

auto

Option

Description

auto

Use original password encoding.

ISO-8859-1

Use ISO-8859-1 password encoding.

password-renewal

Enable/disable password renewal.

option

-

enable

Option

Description

enable

Enable password renewal.

disable

Disable password renewal.

radius-coa

Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.

option

-

disable

Option

Description

enable

Enable RADIUS CoA.

disable

Disable RADIUS CoA.

radius-port

RADIUS service port number.

integer

Minimum value: 0 Maximum value: 65535

0

require-message-authenticator

Require message authenticator in authentication response.

option

-

enable

Option

Description

enable

Make the validation of message authenticator mandatory in authentication response.

disable

Make the validation of message authenticator optional in authentication response.

rsso

Enable/disable RADIUS based single sign on feature.

option

-

disable

Option

Description

enable

Enable RADIUS based single sign on feature.

disable

Disable RADIUS based single sign on feature.

rsso-context-timeout

Time in seconds before the logged out user is removed from the "user context list" of logged on users.

integer

Minimum value: 0 Maximum value: 4294967295

28800

rsso-endpoint-attribute

RADIUS attributes used to extract the user end point identifier from the RADIUS Start record.

option

-

Calling-Station-Id

Option

Description

User-Name

Use this attribute.

NAS-IP-Address

Use this attribute.

Framed-IP-Address

Use this attribute.

Framed-IP-Netmask

Use this attribute.

Filter-Id

Use this attribute.

Login-IP-Host

Use this attribute.

Reply-Message

Use this attribute.

Callback-Number

Use this attribute.

Callback-Id

Use this attribute.

Framed-Route

Use this attribute.

Framed-IPX-Network

Use this attribute.

Class

Use this attribute.

Called-Station-Id

Use this attribute.

Calling-Station-Id

Use this attribute.

NAS-Identifier

Use this attribute.

Proxy-State

Use this attribute.

Login-LAT-Service

Use this attribute.

Login-LAT-Node

Use this attribute.

Login-LAT-Group

Use this attribute.

Framed-AppleTalk-Zone

Use this attribute.

Acct-Session-Id

Use this attribute.

Acct-Multi-Session-Id

Use this attribute.

rsso-endpoint-block-attribute

RADIUS attributes used to block a user.

option

-

Option

Description

User-Name

Use this attribute.

NAS-IP-Address

Use this attribute.

Framed-IP-Address

Use this attribute.

Framed-IP-Netmask

Use this attribute.

Filter-Id

Use this attribute.

Login-IP-Host

Use this attribute.

Reply-Message

Use this attribute.

Callback-Number

Use this attribute.

Callback-Id

Use this attribute.

Framed-Route

Use this attribute.

Framed-IPX-Network

Use this attribute.

Class

Use this attribute.

Called-Station-Id

Use this attribute.

Calling-Station-Id

Use this attribute.

NAS-Identifier

Use this attribute.

Proxy-State

Use this attribute.

Login-LAT-Service

Use this attribute.

Login-LAT-Node

Use this attribute.

Login-LAT-Group

Use this attribute.

Framed-AppleTalk-Zone

Use this attribute.

Acct-Session-Id

Use this attribute.

Acct-Multi-Session-Id

Use this attribute.

rsso-ep-one-ip-only

Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.

option

-

disable

Option

Description

enable

Enable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.

disable

Disable replacement of old IP address with new IP address for the same endpoint on RADIUS accounting start.

rsso-flush-ip-session

Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.

option

-

disable

Option

Description

enable

Enable flush user IP sessions on RADIUS accounting stop.

disable

Disable flush user IP sessions on RADIUS accounting stop.

rsso-log-flags
    RSSO events to log. Multiple flags may be set; none disables all RSSO logging.
    Type: option    Default: protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
        protocol-error           Enable this log type.
        profile-missing          Enable this log type.
        accounting-stop-missed   Enable this log type.
        accounting-event         Enable this log type.
        endpoint-block           Enable this log type.
        radiusd-other            Enable this log type.
        none                     Disable all logging.

rsso-log-period
    Interval, in seconds, at which grouped event log messages are generated for dynamic profile events.
    Type: integer    Size: 0 to 4294967295    Default: 0

rsso-radius-response
    Enable/disable sending RADIUS response packets after receiving Start and Stop records.
    Type: option    Default: disable
        enable    Send RADIUS response packets.
        disable   Do not send RADIUS response packets.

rsso-radius-server-port
    UDP port on which the FortiGate listens for RADIUS accounting Start and Stop records.
    Type: integer    Size: 0 to 65535    Default: 1813

rsso-secret
    Shared secret used by the RADIUS accounting server that sends the Start and Stop records.
    Type: password    Default: not specified

rsso-validate-request-secret
    Enable/disable validating the RADIUS shared secret (the Request Authenticator) in received accounting Start and Stop records. Leaving this disabled means any host able to reach rsso-radius-server-port can inject Start records that map users and groups onto IP addresses.
    Type: option    Default: disable
        enable    Validate the RADIUS request shared secret.
        disable   Do not validate the RADIUS request shared secret.

secondary-secret
    Pre-shared secret key used to access the secondary RADIUS server.
    Type: password    Default: not specified

secondary-server
    Secondary RADIUS server domain name (matched against the certificate CN when server-identity-check is enabled) or IP address.
    Type: string    Size: maximum length 63

secret
    Pre-shared secret key used to access the primary RADIUS server.
    Type: password    Default: not specified

server
    Primary RADIUS server domain name (matched against the certificate CN when server-identity-check is enabled) or IP address.
    Type: string    Size: maximum length 63

server-identity-check
    Enable/disable the RADIUS server identity check: verify the configured server domain name or IP address against the server certificate. A certificate is only presented when transport-protocol is tls; with udp or tcp there is nothing to check.
    Type: option    Default: enable
        enable    Enable the server identity check.
        disable   Disable the server identity check.

source-ip
    Source IP address for communications to the RADIUS server.
    Type: string    Size: maximum length 63

source-ip-interface
    Source interface for communication with the RADIUS server.
    Type: string    Size: maximum length 15

sso-attribute
    RADIUS attribute that contains the profile group name to be extracted from the RADIUS accounting Start record.
    Type: option    Default: Class
    Options, each selecting the named RADIUS attribute: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id

sso-attribute-key
    Key prefix that identifies the SSO group value inside the SSO attribute.
    Type: string    Size: maximum length 35
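The RSSO settings above describe, in prose, how a FortiGate treats an accounting Start record it receives on rsso-radius-server-port: check the request against rsso-secret (rsso-validate-request-secret), pull the group name out of the sso-attribute (Class by default) after stripping the sso-attribute-key prefix, and answer with an Accounting-Response when rsso-radius-response is enabled. The following Python is an added example written for this page, not Fortinet code and not a FortiOS API: it builds an RFC 2866 Accounting-Request in memory, performs those three steps, and shows why an unvalidated or tampered record is dropped. The shared secret, user name, IP address and the `grp=` key prefix are made-up values for the demonstration, and the `handle_start` helper is a model of the behaviour, not an extract of the FortiGate implementation.

```python
"""Added example (not Fortinet code): model of RSSO Start-record handling per RFC 2866.

Steps modelled:
  1. request_secret_valid  -> rsso-validate-request-secret (Request Authenticator check)
  2. sso_group             -> sso-attribute / sso-attribute-key (group extraction)
  3. build_acct_response   -> rsso-radius-response (Accounting-Response)
All packets are constructed in this file; nothing touches the network.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                       # RADIUS codes (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
ACCT_START, ACCT_STOP = 1, 2

SECRET = b"constructed-shared-secret"                     # made-up value for the example


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_acct_request(identifier, attrs, secret):
    """Accounting-Request; authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def request_secret_valid(packet, secret):
    """rsso-validate-request-secret: recompute the Request Authenticator, compare in constant time."""
    parse(packet)                                         # reject malformed packets first
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def sso_group(attrs, attr_type=CLASS, key=""):
    """Group name from the first sso-attribute instance that carries the key prefix (if any)."""
    for t, value in attrs:
        if t != attr_type:
            continue
        text = value.decode("latin-1")
        if not key:
            return text
        if text.startswith(key):
            return text[len(key):]
    return None


def build_acct_response(request, secret):
    """Accounting-Response: MD5(Code+ID+Length+RequestAuth+Attrs+Secret), no attributes."""
    _, identifier, request_auth, _ = parse(request)
    header = struct.pack("!BBH", ACCT_RESPONSE, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def response_valid(response, request, secret):
    """What the sending NAS checks on our reply: the Response Authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def handle_start(packet, secret=SECRET, key="grp="):
    """Return (user, ip, group) for a valid Start record, or None if it must be dropped."""
    try:
        if not request_secret_valid(packet, secret):
            return None                                   # wrong secret or tampered packet
        code, _, _, attrs = parse(packet)
    except ValueError:
        return None                                       # malformed packet
    fields = dict(attrs)                                  # last value wins; fine for this demo
    if code != ACCT_REQUEST or fields.get(ACCT_STATUS_TYPE) != struct.pack("!I", ACCT_START):
        return None
    ip = ".".join(str(b) for b in fields[FRAMED_IP_ADDRESS])
    return fields[USER_NAME].decode(), ip, sso_group(attrs, CLASS, key)


if __name__ == "__main__":
    start = build_acct_request(7, [
        (USER_NAME, b"alice"),
        (FRAMED_IP_ADDRESS, bytes([10, 1, 2, 3])),
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        (CLASS, b"OU=ignored"),                           # lacks the key prefix, so skipped
        (CLASS, b"grp=Engineering"),
    ], SECRET)
    print(handle_start(start))                            # ('alice', '10.1.2.3', 'Engineering')
    print(response_valid(build_acct_response(start, SECRET), start, SECRET))  # True
```

The authenticator is an MD5 construction mandated by RFC 2866, not a choice made here; it is the only integrity protection a udp or tcp transport offers, which is why the secret must be kept out of reach and why a record whose authenticator does not verify must be dropped rather than logged as a user mapping.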

sso-attribute-value-override
    Enable/disable overriding the old attribute value with the new value for the same endpoint.
    Type: option    Default: enable
        enable    Override the old attribute value with the new value for the same endpoint.
        disable   Keep the old attribute value; do not override it for the same endpoint.

status-ttl
    Time in seconds for which server reachability is cached: an unreachable server is not retried for at least this long.
    Type: integer    Size: 0 to 600    Default: 300

switch-controller-acct-fast-framedip-detect
    Time in seconds the switch controller waits to detect the Framed-IP address for accounting messages from DHCP snooping.
    Type: integer    Size: 2 to 600    Default: 2

switch-controller-nas-ip-dynamic *
    Enable/disable dynamically setting the NAS-IP attribute in switch-controller RADIUS requests instead of using the static nas-ip value.
    Type: option    Default: disable
        enable    Enable dynamic NAS-IP setting.
        disable   Disable dynamic NAS-IP setting.

switch-controller-service-type
    RADIUS Service-Type attribute value sent in switch-controller requests (values as defined in RFC 2865).
    Type: option
        login                    The user should be connected to a host.
        framed                   A framed protocol (such as PPP or SLIP) should be started for the user.
        callback-login           The user should be disconnected and called back, then connected to a host.
        callback-framed          The user should be disconnected and called back, then a framed protocol started.
        outbound                 The user should be granted access to outgoing devices.
        administrative           The user should be granted access to the administrative interface of the NAS, from which privileged commands can be executed.
        nas-prompt               The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
        authenticate-only        Only authentication is requested; no authorization information needs to be returned in the Access-Accept.
        callback-nas-prompt      The user should be disconnected and called back, then provided a command prompt on the NAS.
        call-check               Used by the NAS in an Access-Request to indicate that a call is being received; the RADIUS server answers with Access-Accept to accept the call or Access-Reject to refuse it.
        callback-administrative  The user should be disconnected and called back, then granted access to the administrative interface of the NAS.

tertiary-secret
    Pre-shared secret key used to access the tertiary RADIUS server.
    Type: password    Default: not specified

tertiary-server
    Tertiary RADIUS server domain name (matched against the certificate CN when server-identity-check is enabled) or IP address.
    Type: string    Size: maximum length 63

timeout
    Time in seconds to wait for a server response before retrying the connection.
    Type: integer    Size: 1 to 300    Default: 5

tls-min-proto-version
    Minimum protocol version accepted for TLS connections to the RADIUS server (applies when transport-protocol is tls).
    Type: option    Default: default
        default   Follow the system global setting.
        SSLv3     SSLv3.
        TLSv1     TLSv1.
        TLSv1-1   TLSv1.1.
        TLSv1-2   TLSv1.2.
        TLSv1-3   TLSv1.3.
    SSLv3, TLSv1 and TLSv1-1 are deprecated protocol versions (RFC 7568 and RFC 8996) kept only for compatibility; set TLSv1-2 or TLSv1-3 unless the RADIUS server cannot negotiate them.

transport-protocol
    Transport protocol used to reach the RADIUS server.
    Type: option    Default: udp
        udp   UDP.
        tcp   TCP.
        tls   TLS over TCP.
    With udp or tcp the RADIUS exchange travels in the clear and is protected only by the shared-secret authenticator; tls encrypts the exchange and presents a server certificate that server-identity-check can verify.

use-management-vdom
    Enable/disable using the management VDOM to send requests.
    Type: option    Default: disable
        enable    Send requests using the management VDOM.
        disable   Send requests using the current VDOM.

username-case-sensitive
    Enable/disable case-sensitive user names.
    Type: option    Default: disable
        enable    User names are case-sensitive.
        disable   User names are not case-sensitive.

vrf-select
    VRF ID used for the connection to the server.
    Type: integer    Size: 0 to 511    Default: 0

* This parameter may not exist in some models.

config accounting-server

id
    ID.
    Type: integer    Size: 0 to 4294967295    Default: 0

interface
    Specify the outgoing interface to reach the server.
    Type: string    Size: maximum length 15

interface-select-method
    Specify how to select the outgoing interface to reach the server.
    Type: option    Default: auto
        auto      Set the outgoing interface automatically.
        sdwan     Set the outgoing interface by SD-WAN or policy routing rules.
        specify   Set the outgoing interface manually.

port
    RADIUS accounting port number.
    Type: integer    Size: 0 to 65535    Default: 0

secret
    Pre-shared secret key used to access this accounting server.
    Type: password    Default: not specified

server
    Accounting server domain name or IP address.
    Type: string    Size: maximum length 63

source-ip
    Source IP address for communications to the RADIUS accounting server.
    Type: string    Size: maximum length 63

status
    Enable/disable this accounting server.
    Type: option    Default: disable
        enable    Enable this accounting server.
        disable   Disable this accounting server.

vrf-select
    VRF ID used for the connection to the server.
    Type: integer    Size: 0 to 511    Default: 0