Commands For Radius

9.7 Commands for RADIUS

9.7.1 aaa enable

Command: aaa enable
no aaa enable
Function: Enables the AAA authentication function in the switch. The no command disables the AAA authentication function.
Parameters: None.
Command mode: Global Mode
Default: AAA authentication is not enabled.
Usage guide: The AAA authentication for the switch must first be enabled in order to enable IEEE 802.1x authentication for the switch.
Example: Enable AAA authentication for the switch.

active500EM(config)#aaa enable

 

9.7.2 aaa-accounting enable

Command: aaa-accounting enable
no aaa-accounting enable
Function: Enables AAA accounting in the switch. The no command disables AAA accounting.
Parameters: None.
Command mode: Global Mode
Default: AAA accounting is not enabled.
Usage guide: When accounting is enabled in the switch, accounting will be performed according to the traffic or online port time the authenticated user is using. The switch will send an "accounting started" message to the Radius accounting server upon starting accounting. An accounting packet for the online user is sent to the Radius accounting server every five seconds, and an "accounting stopped" message is sent to the Radius accounting server when accounting ends.
Note: The switch sends the "user offline" message to the Radius accounting server only when accounting is enabled. The "user offline" message will not be sent to the Radius authentication server.
Example: Enable AAA accounting for the switch.

active500EM(config)#aaa-accounting enable

 

9.7.3 aaa-accounting update

Command: aaa-accounting update {enable | disable}
Function: Enable or disable the AAA update accounting function.
Parameters: None.
Command mode: Global Mode
Default: Enable the AAA update accounting function
Usage guide: After the update accounting function is enabled, the switch will send accounting messages to each online user on time.
Example: Disable the AAA update accounting function for the switch.

active500EM(config)#aaa-accounting update disable

 

9.7.4 debug aaa packet

Command: debug aaa packet {send | receive | all} interface {ethernet <interface-number> | <interface-name>}
no debug aaa packet {send | receive | all} interface {ethernet <interface-number> | <interface-name>}
Function: Enable the debug information of AAA for receiving and sending packets. The no command disables debugging.
Parameters:

  • send: enable the AAA debug information for sending packets.
  • receive: enable the AAA debug information for receiving packets.
  • all: enable the AAA debug information for both sending and receiving packets.
  • <interface-number>: the number of the interface.
  • <interface-name>: the name of the interface.

Command mode: Admin Mode
Default: None.
Usage guide: By enabling the debug information of AAA for sending and receiving packets, users can check the messages received and sent by the Radius protocol. This assists in diagnosing the cause of any faults.
Example: Enable the debug information of AAA for sending and receiving packets on interface 1/0/1.

active500EM#debug aaa packet all interface Ethernet 1/0/1

 

9.7.5 debug aaa detail attribute

Command: debug aaa detail attribute interface {ethernet <interface-number> | <interface-name>}
no debug aaa detail attribute interface {ethernet <interface-number> | <interface-name>}
Function: Enable the AAA for Radius attribute details debug. The no command disables that debug information.
Parameters:

  • <interface-number>: number of the interface.
  • <interface-name>: name of the interface.

Command mode: Admin Mode
Default: None.
Usage guide: By enabling the AAA for Radius attribute details debug, users can check Radius attribute details of Radius messages.
Example: Enable the AAA for Radius attribute details debug on interface 1/0/1.

active500EM#debug aaa detail attribute interface Ethernet 1/0/1

 

9.7.6 debug aaa detail connection

Command: debug aaa detail connection
no debug aaa detail connection
Function: Enable AAA connection details debug. The no command disables that debug information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: By enabling the AAA connection details debug, users can check AAA connection details.
Example: Enable the AAA connection details debug.

active500EM#debug aaa detail connection

 

9.7.7 debug aaa detail event

Command: debug aaa detail event
no debug aaa detail event
Function: Enable the AAA events debug. The no command disables that debug information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: By enabling the AAA events debug, users can check the events generated in the Radius protocol.
Example: Enable the AAA events debug.

active500EM#debug aaa detail event

 

9.7.8 debug aaa error

Command: debug aaa error
no debug aaa error
Function: Enable the AAA errors debug. The no command disables that debug information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: By enabling the AAA errors debug, users can check the errors which occur in the Radius protocol.
Example: Enable the AAA errors debug.

active500EM#debug aaa error

 

9.7.9 radius nas-ipv4

Command: radius nas-ipv4 <ip-address>
no radius nas-ipv4
Function: Configure the Radius packet source IP address sent by the switch. The no command deletes the configuration.
Parameter:

  • <ip-address>: Radius packet source IP address. The valid format is dotted decimal notation. It must be a valid unicast IP address.

Command mode: Global Mode
Default: No specific Radius packet source IP address is configured. The IP address of the interface from which the Radius packets are sent is used as the Radius packet source IP address.
Usage guide: The source IP address must belong to one of the IP interfaces of the switch. Otherwise, a bind IP address fail message will be returned when the switch sends the Radius packet. Use the loopback interface IP address as the source IP address. This prevents packets from the Radius server from being dropped when the interface link is down.
Example: Configure the Radius packet source IP address to 192.168.2.254.

active500EM#radius nas-ipv4 192.168.2.254

 

9.7.10 radius nas-ipv6

Command: radius nas-ipv6 <ipv6-address>
no radius nas-ipv6
Function: Configure the Radius packet source IPv6 address sent by the switch. The no command deletes the configuration.
Parameter:

  • <ipv6-address>: Radius packet source IPv6 address. It must be a valid unicast IPv6 address.

Command mode: Global Mode
Default: No specific Radius packet source IPv6 address is configured. The IPv6 address of the interface from which the Radius packets are sent is used as the source IPv6 address of the Radius packet.
Usage guide: The source IPv6 address must belong to one of the IPv6 interfaces of the switch. Otherwise, a binding IPv6 address failure message will be returned when the switch sends a Radius packet. Use the loopback interface IPv6 address as the source IPv6 address. This prevents packets from the Radius server from being dropped when the interface link is down.
Example: Configure the Radius packet source IPv6 address to 2001:da8:456::1.

active500EM#radius nas-ipv6 2001:da8:456::1

 

9.7.11 radius-server accounting host

Command: radius-server accounting host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key {0 | 7} <string>] [primary]
no radius-server accounting host {<ipv4-address> | <ipv6-address>}
Function: Specifies the IPv4/IPv6 address and the port number of the Radius accounting server, which can be designated as the primary server. The no command deletes the Radius accounting server.
Parameters:

  • <ipv4-address> | <ipv6-address>: IPv4/IPv6 server address.
  • <port-number>: server listening port number from 0 to 65535.
  • <string>: key string. If the key option is set to 0, the key is not encrypted and its length should not exceed 64 characters. If the key option is set to 7, the key is encrypted and its length should not exceed 64 characters.
  • primary: primary server. Multiple Radius servers can be configured and would be available. The Radius server will be searched using the configured order if primary is not configured. Otherwise, the specified Radius server will be used first.

Command mode: Global Mode
Default: No Radius accounting server is configured.
Usage guide: This command is used to specify the IPv4/IPv6 address and port number of the specified Radius server for switch accounting. Multiple command instances can be configured. The <port-number> parameter is used to specify the accounting port number which must be the same as the specified accounting port on the Radius server. The default port number is 1813. If this port number is set to 0, the accounting port number will be generated randomly and can result in an invalid configuration. This command can be used repeatedly to configure multiple Radius servers communicating with the switch. The switch will send accounting packets to all the configured accounting servers, and all the accounting servers can be backup servers for each other. If primary is specified, then the specified Radius server will be the primary server. The Radius primary server can be configured using the IPv4 or IPv6 address.
Example: Set the Radius accounting server of the IPv6 address to 2004:1:2:3::2, as the primary server, with the accounting port number as 3000.

active500EM(config)#radius-server accounting host 2004:1:2:3::2 port 3000 primary

 

9.7.12 radius-server authentication host

Command: radius-server authentication host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key <string>] [primary] [access-mode {dot1x | telnet | wireless}]
no radius-server authentication host {<ipv4-address> | <ipv6-address>}
Function: Specifies the IPv4 or IPv6 address and listening port number, cipher key, primary server designation, and access mode for the Radius server. The no command deletes the Radius authentication server.
Parameters:

  • <ipv4-address> | <ipv6-address>: IPv4/IPv6 server address.
  • <port-number>: listening port number. The valid values are from 0 to 65535. 0 stands for non-authentication server usage.
  • <string>: key string. If the key option is set to 0, the key is not encrypted and its length should not exceed 64 characters. If the key option is set to 7, the key is encrypted and its length should not exceed 64 characters.
  • primary: primary server. Multiple Radius servers can be configured and would be available. The Radius server will be searched by the configured order if primary is not configured. Otherwise, the specified Radius server will be used last.
  • [access-mode {dot1x | telnet | wireless}]: designates that the current Radius server is used for 802.1x authentication, telnet authentication or wireless authentication. All services can use the current Radius server.

Command mode: Global Mode
Default: No Radius authentication server is configured.
Usage guide: This command is used to specify the IPv4 or IPv6 address and port number, cipher key string and access mode of the specified Radius server for switch authentication. Multiple command instances can be configured. The port parameter is used to specify the authentication port number, which must be the same as the specified authentication port in the Radius server. The default port number is 1812. If this port number is set to 0, the specified server is regarded as non-authenticating. This command can be used repeatedly to configure multiple Radius servers communicating with the switch. The configured order is used as the priority for the switch authentication server. When the first server has responded (whether the authentication succeeds or fails), the switch does not send the authentication request to the next. If primary is specified, then the specified Radius server will be the primary server. If the current Radius server is not configured with key <string>, it will use the cipher key configured by the radius-server key <string> global command. The access-mode option can designate that the current Radius server is used only for 802.1x authentication, telnet authentication, or wireless authentication. If the access-mode option is not configured, all services can use the current Radius server.
Example: Set the Radius authentication server address to 2004:1:2:3::2.

active500EM(config)#radius-server authentication host 2004:1:2:3::2

 

9.7.13 radius-server dead-time

Command: radius-server dead-time <minutes>
no radius-server dead-time
Function: Configures the restore time when the Radius server is down. The no command restores the default setting.
Parameters:

  • <minutes>: restore time for the Radius server in minutes. The valid range is 1 to 255.

Command mode: Global Mode
Default: 5 minutes.
Usage guide: This command specifies the wait time for the Radius server to recover from inaccessible to accessible. When the switch acknowledges a server to be inaccessible, it marks that server as having an invalid status. After the interval specified by this command, the system resets the status for that server to valid.
Example: Set the down-restore time for the Radius server to 3 minutes.

active500EM(config)#radius-server dead-time 3

 

9.7.14 radius-server key

Command: radius-server key {0 | 7} <string>
no radius-server key
Function: Specifies the key for the Radius server (authentication and accounting). The no command deletes the key for the Radius server.
Parameters:

  • <string>: key string for the Radius server. If the key option is set to 0, the key is not encrypted and its length should not exceed 64 characters. If the key option is set to 7, the key is encrypted and its length should not exceed 64 characters.

Command mode: Global Mode
Default: None.
Usage guide: The key is used in encrypted communication between the switch and the specified Radius server. The key must be the same as the one configured on the Radius server. Radius authentication and accounting will not work properly if the key is not the same as the one on the Radius server.
Example: Set the Radius authentication key to "test".

active500EM(config)#radius-server key 0 test

 

9.7.15 radius-server retransmit

Command: radius-server retransmit <retries>
no radius-server retransmit
Function: Configures the re-transmission times for Radius authentication packets. The no command restores the default setting.
Parameters:

  • <retries>: retransmission times for the Radius server. The valid range is 0 to 100.

Command mode: Global Mode
Default: 3 times.
Usage guide: This command specifies the number of retransmissions for a packet that does not receive a Radius server response. If the authentication information is missing from the authentication server, the AAA authentication request will need to be re-transmitted to the authentication server. If the AAA request retransmission count reaches the retransmission threshold without a server response, the server will be considered nonoperational and the switch sets the server to invalid.
Example: Set the number of Radius authentication packet retransmissions to five.

active500EM(config)#radius-server retransmit 5

 

9.7.16 radius-server timeout

Command: radius-server timeout <seconds>
no radius-server timeout
Function: Configures the timeout timer for Radius server. The no command restores the default setting.
Parameters:

  • <seconds>: timer value (in seconds) for Radius server timeout. The valid range is 1 to 1000.

Command mode: Global Mode
Default: 3 seconds.
Usage guide: This command specifies the wait interval for the switch to receive a response from the Radius server. The switch waits for corresponding response packets after sending Radius server request packets. If the Radius server response is not received in the specified wait interval, the switch resends the request packet or sets the server to invalid.
Example: Set the Radius authentication timeout timer value to 30 seconds.

active500EM(config)#radius-server timeout 30

 

9.7.17 radius-server accounting-interim-update timeout

Command: radius-server accounting-interim-update timeout <seconds>
no radius-server accounting-interim-update timeout
Function: Sets the interval for sending fee-counting update messages. The no command resets to the default configuration.
Parameters:

  • <seconds>: interval for sending fee-counting update messages, in seconds. The valid range is from 60 to 3600.

Command mode: Global Mode
Default: 300 seconds.
Usage guide: This command sets the interval for NAS to send fee-counting update messages. When a user goes online, NAS will send a fee-counting update message of this user to the Radius server at the configured interval.
The interval for sending fee-counting update messages is related to the maximum number of users supported by NAS. The smaller the interval, the smaller the maximum number of users supported by NAS. The bigger the interval, the greater the maximum number of users supported by NAS. The following is the recommended ratio of the interval for sending fee-counting update messages to the maximum number of users supported by NAS:

The maximum number of users    The sending fee-counting update messages interval (in seconds)
1~299                          300 (default value)
300~599                        600
600~1199                       1200
1200~1799                      1800
≥1800                          3600

Example: The maximum number of users supported by NAS is 700. The sending fee-counting update messages interval is set to 1200 seconds.

active500EM(config)#radius-server accounting-interim-update timeout 1200

 

9.7.18 show aaa authenticated-user

Command: show aaa authenticated-user
Function: Displays the online authenticated users.
Parameters: None.
Command mode: Admin and Configuration Mode
Default: None.
Usage guide: Usually used by administrators to verify information for the online users. Other information displayed is usually used for troubleshooting by technical support.
Example: Display the online authenticated users.

active500EM#show aaa authenticated-user
------------------------- authenticated users -------------------------------
 UserName  Retry RadID Port EapID ChapID OnTime    UserIP         MAC
-----------------------------------------------------------------------------
         --------------- total: 0 ---------------

 

9.7.19 show aaa authenticating-user

Command: show aaa authenticating-user
Function: Display the authenticating users.
Parameters: None.
Command mode: Admin and Configuration Mode
Default: None.
Usage guide: Usually used by administrators to verify information for the authenticated users. Other information displayed is usually used for troubleshooting by technical support.
Example: Display the authenticating users.

active500EM#show aaa authenticating-user
------------------------- authenticating users ------------------------------
 User-name   Retry-time  Radius-ID   Port  Eap-ID Chap-ID Mem-Addr   State
-----------------------------------------------------------------------------
          --------------- total: 0 ---------------

 

9.7.20 show aaa config

Command: show aaa config
Function: Displays the configured commands for the switch as a Radius client.
Parameters: None.
Command mode: Admin and Configuration Mode
Default: None.
Usage guide: Displays whether AAA authentication and accounting are enabled and displays information for key, authentication, and accounting servers. For Boolean values, 1 stands for TRUE and 0 for FALSE.
Example: Displays the configured commands for the switch as a Radius client.

active500EM#show aaa config
----------------- AAA config data ------------------
    Is Aaa Enabled = 1
    Is Account Enabled= 1
    Is Account DHCP-Binding Enabled = 0
    MD5 Server Key = yangshifeng
    authentication server sum = 2
    authentication server[0].sock-addr = 2:100.100.100.60.1812
                             .Is Primary = 1
                             .Is Server Dead = 0
                             .Socket No = 0
    authentication server[1].sock-addr = 10:2004:1:2::2.1812
                             .Is Primary = 0
                             .Is Server Dead = 0
                             .Socket No = 0
    accounting server sum = 2
    accounting server[0].sock-addr = 2:100.100.100.65.1813
                              .Is Primary = 1
                              .Is Server Dead = 0
                              .Socket No = 0
    accounting server[1].sock-addr = 10:2004::7.1813
                              .Is Primary = 0
                              .Is Server Dead = 0
                              .Socket No = 0
    Retransmit = 3
    Time Out = 5s
    Dead Time = 5min
    Account Time Interval = 0min

Displayed Information                                        Explanation
-----------------------------------------------------------------------------
Is Aaa Enabled = 1                                           1 means AAA authentication is enabled, 0 means it is not enabled
Is Account Enabled= 1                                        1 means AAA account is enabled, 0 means it is not enabled
MD5 Server Key = yangshifeng                                 Authentication key
authentication server sum = 2                                The number of configured authentication servers
authentication server[0].sock-addr = 2:100.100.100.60.1812   The address protocol group, IP and interface number of the authentication server, (0) is the first server, (1) is the second server, etc.
accounting server sum = 2                                    The number of configured accounting servers
accounting server[0].sock-addr = 2:100.100.100.65.1813       The address protocol group, IP and interface number of the accounting server, (0) is the first server, (1) is the second server, etc.
.Is Primary = 1                                              Primary server, 1 means yes, 0 means no
.Is Server Dead = 0                                          Dead server indicator, 1 means yes, 0 means no
.Socket No = 0                                               Local socket number which leads to this server
Time Out = 5s                                                After sending the required packets, the time out period while waiting for a response
Retransmit = 3                                               The number of retransmits
Dead Time = 5min                                             The restore interval for a dead server
Account Time Interval = 0min                                 The account time interval
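
A parser and review pass for saved `show aaa config` output, added here as an example and not part of the original manual or the switch software. The sample text is constructed in the layout shown above (documentation addresses, made-up key), and the function names and the wording of the findings are assumptions of this example.

```python
import re

# Constructed sample in the layout of the manual's output (documentation addresses).
SAMPLE = """\
----------------- AAA config data ------------------
    Is Aaa Enabled = 1
    Is Account Enabled= 0
    MD5 Server Key = example-key
    authentication server sum = 2
    authentication server[0].sock-addr = 2:192.0.2.10.1812
                             .Is Primary = 0
                             .Is Server Dead = 1
                             .Socket No = 0
    authentication server[1].sock-addr = 10:2001:db8::2.1812
                             .Is Primary = 0
                             .Is Server Dead = 0
                             .Socket No = 0
    accounting server sum = 0
    Retransmit = 3
    Dead Time = 5min
"""

# "<family>:<address>.<port>"; the port is whatever follows the last dot.
SERVER_RE = re.compile(
    r"(authentication|accounting) server\[(\d+)\]\.sock-addr\s*=\s*(\d+):(.+)\.(\d+)$")


def parse_aaa_config(text):
    """Return global settings plus a list of per-server dicts."""
    cfg, current = {"servers": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if "=" not in line:
            continue  # banner or blank line
        m = SERVER_RE.match(line)
        if m:
            role, idx, family, addr, port = m.groups()
            current = {"role": role, "index": int(idx), "family": int(family),
                       "addr": addr, "port": int(port)}
            cfg["servers"].append(current)
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(".") and current is not None:
            current[key[1:]] = value      # e.g. ".Is Server Dead" of the last server
        else:
            cfg[key] = value
    return cfg


def audit(cfg):
    """List conditions an administrator would want to review."""
    findings = []
    if cfg.get("Is Aaa Enabled") != "1":
        findings.append("AAA authentication is disabled")
    if cfg.get("Is Account Enabled") != "1":
        findings.append("AAA accounting is disabled")
    if cfg.get("MD5 Server Key"):
        findings.append("output contains the server key; store captures as secrets")
    for role in ("authentication", "accounting"):
        servers = [s for s in cfg["servers"] if s["role"] == role]
        if len(servers) != int(cfg.get(f"{role} server sum", 0)):
            findings.append(f"{role} server count does not match 'server sum'")
        if not servers:
            findings.append(f"no {role} server configured")
        elif not any(s.get("Is Primary") == "1" for s in servers):
            findings.append(f"no primary {role} server; configured order applies")
        findings += [f"{role} server {s['addr']} is marked dead"
                     for s in servers if s.get("Is Server Dead") == "1"]
    return findings
```

Calling `audit(parse_aaa_config(SAMPLE))` returns the list of findings for the constructed sample.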

 

9.7.21 show radius authenticated-user count

Command: show radius authenticated-user count
Function: Show the number of online users who have passed authentication.
Parameters: None.
Command mode: Admin and Configuration Mode
Default: None.
Usage guide: Shows the number of online users who have passed authentication.
Example: Show the number of online users who have passed authentication.

active500EM#show radius authenticated-user count
The authenticated online user num is: 105

 

9.7.22 show radius authenticating-user count

Command: show radius authenticating-user count
Function: Show the number of the authenticating users.
Parameters: None.
Command mode: Admin and Configuration Mode
Default: None.
Usage guide: Display the number of the authenticating users.
Example: Shows the number of the authenticating users.

active500EM#show radius authenticating-user count
The authenticating user num is: 10

 

9.7.23 show radius count

Command: show radius {authenticated-user|authenticating-user} count
Function: Displays the statistics for users for Radius authentication.
Parameters:

  • authenticated-user: displays the authenticated users online.
  • authenticating-user: displays the authenticating users.

Command mode: Admin and Configuration Mode
Default: None.
Usage guide: The statistics for Radius authentication users can be displayed with the "show radius count" command.
Examples: Display the statistics for Radius authenticated users.

active500EM#show radius authenticated-user count
The authenticated online user num is:     0

Display the statistics for Radius authenticating users.

active500EM#show radius authenticating-user count
The authenticating user num is:       0

 

