US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43


Grandmetric LTD
Office 584b
182-184 High Street North
E6 2JA
+44 20 3321 5276

  • en
  • pl
  • How to configure RADIUS on Cisco switch (IOS)

    Design & Configure

    How to configure RADIUS on Cisco switch (IOS)

    Technology: Security
    Area: AAA
    Vendor: Cisco
    Software: AAA feature compatibility required
    Platform: Catalyst platforms, Routing platforms



    RADIUS is a security feature working in client/server mode. It provides authorization access to the network and combines the authentication and authorization processes. What’s essential, RADIUS cannot control the authorization level of users. Nowadays, all RADIUS server implementations are operating on port 1812. So UDP/1812 is the authentication and authorization port, and UDP/1813 is the accounting port. However, the historic RADIUS versions used UDP/1645 both for authentication and authorization, and UDP/1646 for accounting.

    Let’s take the following example network topology:

    network topology with RADIUS server



    To configure RADIUS correctly, you first need to create user accounts and add specific devices to the RADIUS server. If you have already done so, it is time to configure the AAA login authentication and authorization. Let’s assume that SW1 is an L3 switch, but it may be the router as well. Mind to globally enable the AAA first. To do so, use the “aaa new-model” command, as shown below. Moreover, the RADIUS server’s location must be configured, along with a shared encryption key agreed upon the client and server sites.

    Case 1:

    SW1(config)# aaa new-model
    SW1(config)# aaa authentication login default group radius local
    SW1(config)# aaa authorization exec default group radius local
    SW1(config)# radius server-host
    SW1(config)# radius server-host key zaq1@WSX

    Note that int the second line, the named list is default one (default), and there are two authentication methods (radius and local). It means the first authentication method is RADIUS, but if it doesn’t respond, then the local database is used (local devices’ user). It’s applied for tty, vty, console, and all the other login connections. There may be a situation where we do not include the word “local” in the command. In this case, if there is no connection to the RADIUS server, authentication will fail. The same applies to the authorization in the third line.

    Case 2:

    SW1(config)# aaa new-model
    SW1(config)# aaa authentication login CONSOLE line
    SW1(config)# aaa authorization exec default group radius local

    In this case, the CONSOLE list is defined, so if we apply this list to line con 0, we will obtain authentication using the password set on line con 0.

    SW1(config)# line con 0
    SW1(config-line)# exec timeout 0 0
    SW1(config-line)# password zaq1@WSX
    SW1(config-line)# login authentication CONSOLE

    You need to enter the password zaq1@WSX to get console access. If we change the “line” to “local”, the local user and password will be used again. By typing “none” instead of “line” or “local” we disable authentication.

    Case 3:

    SW1(config)# aaa new-model
    SW1(config)# aaa authentication enable default group radius enable
    SW1(config)# aaa authorization exec default group radius local

    In this last case, the device will request a password, but you’ll need to define the username on the RADIUS server. If the RADIUS server doesn’t reply, the local database is used (local devices’ user). There is one thing left to do to complete the basic RADIUS configuration.

    Depending on how you have configured RADIUS and added devices to the server, the source VLAN will be added to the switch. The host presented in the article belongs to VLAN 101, with its address added to RADIUS in the following form

    Therefore, you must enter on the switch:

    SW1(config)# ip radius source-interface Vlan601

    Configuring AAA Server Groups:

    We can also configure RADIUS differently. We can create server groups. To do this, you have to enter the following commands:

    SW1(config)# radius server someserver
    SW1(config)# aaa group server radius somegroup
    SW1(config-sg-radius)# server acct-port 1616
    SW1(config-sg-radius)# end

    Author: Karol Piatek

    Cisco SD-WAN Offer

    Grandmetric delivers Cisco SD-WAN
    and SD-WAN as a service.
    We provide full portfolio
    of Cisco sdwan routers from
    C1000, ISR and industrial series.

    Get a Quote