Setting up RADIUS using the old IOS CLI
If you enter the following to set up a RADIUS server,
radius-server host 192.168.1.1
you will get the following warning message informing you that there is a new way of configuring RADIUS authentication.
This cli will be deprecated soon. Use new server cli
The new way to set up RADIUS on the IOS CLI
The new way to set up RADIUS authentication is to use the “aaa group server radius” command.
aaa group server radius RADIUSSERVERS
 server name SERVER1
 server name SERVER2
You can now define more than one server in a group, so that if one is unreachable the device automatically tries the next one that’s defined. You will need to define each server using the “radius server” command.
radius server SERVER1
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 timeout 10
 retransmit 3
 key 7 81349081902384091
!
radius server SERVER2
 address ipv4 192.168.1.2 auth-port 1812 acct-port 1813
 timeout 10
 retransmit 3
 key 7 81349081902384091
Each server can be set up with its own attributes.
Once you have set up the RADIUS servers and server groups, you can apply this server group in the authentication command.
aaa new-model
aaa authentication login default group RADIUSSERVERS local
The above command sets the ‘default’ method list for login to use RADIUSSERVERS and fall back to local if connectivity fails.
How do you bypass RADIUS authentication for console login?
One common setup is to use RADIUS for remote authentication, while on the local console you may want to use an alternate type or local authentication.
If you have set login to use ‘default’ for RADIUS, you must make sure your console does not use default. First define a new method of authentication. I’m calling it NO_RADIUS.
aaa authentication login NO_RADIUS local
Then under line con 0, point your authentication to use NO_RADIUS:
line con 0
 login authentication NO_RADIUS
