
radius-server

Syntax

Hierarchy Level

Description

Configure RADIUS for subscriber access management, L2TP, or PPP.

To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Options

server-address

IPv4 or IPv6 address of the RADIUS server.

accounting-port

Configure the port number on which to contact the RADIUS accounting server.

Note:

Specifying the accounting port is optional, and port 1813 is the default. However, we recommend that you configure it in order to avoid confusion, as some RADIUS servers might refer to an older default.

  • Values: port-number—Port number on which to contact the RADIUS accounting server. Most RADIUS servers use port 1813, as specified in RFC 2866.

  • Default: 1813

accounting-retry

Configure the number of times the device retransmits RADIUS accounting messages when no response is received from the server. When you do not configure this statement, the number of retry attempts is determined by the retry statement.

Note:

To successfully set a retry limit for the accounting servers different from the authentication servers, you must configure both the accounting-retry and accounting-timeout statements. If you configure only one of these statements, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.

Note:

The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

  • Values: number—Number of retry attempts.

  • Range: 0 through 100

  • Default: 0 (disabled)

accounting-timeout

Configure how long the local device waits to receive a response from a RADIUS accounting server before retransmitting the message. When you do not configure this statement, the length of the timeout is determined by the timeout statement.

Note:

To successfully set a timeout value for the accounting servers different from the authentication servers, you must configure both the accounting-retry and accounting-timeout statements. If you configure only one of these statements, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.

Note:

The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

  • Values: seconds—Duration of timeout period.

  • Range: 0 through 1000 seconds

  • Default: 0 (disabled)

dynamic-request-port

Specify the port that the router monitors for dynamic (CoA) requests from the specified RADIUS servers. You can configure a port globally or for a specific access profile.

You must either use the default port for all RADIUS servers or configure the same nondefault port for all RADIUS servers. This rule applies at both the global access and access profile levels.

Note:

Any other configuration results in a commit check failure. Multiple port numbers—that is, different port numbers for different servers—are not supported.

  • Values: port-number—Number of the monitored port.

  • Default: 3799 (as specified in RFC 5176)

max-outstanding-requests

Configure the maximum number of outstanding requests for this RADIUS server. An increase in this value is immediate while a decrease is more gradual if the current number of outstanding requests exceeds the new value.

  • Values: requests—Maximum number of outstanding requests for this RADIUS server.

  • Range: 0 through 2000 outstanding requests per server

  • Default: 1000 outstanding requests per server

port

Configure the port number on which to contact the RADIUS server.

  • Values: port-number—Port number on which to contact the RADIUS server.

  • Default: 1812 (as specified in RFC 2865)

preauthentication-port

Configure the port number on which to contact the RADIUS server for logical line identification (LLID) preauthentication requests. If you do not configure a separate UDP port for preauthentication purposes, the same UDP port that you configure for authentication messages by including the port port-number statement is used.

  • Values: port-number—Port number used for preauthentication requests to contact the RADIUS server.

preauthentication-secret

Configure the password to use with the RADIUS server for LLID preauthentication requests. If you do not configure a separate UDP password for preauthentication purposes, the same password that you configure for authentication messages by including the secret password statement is used. The secret password used by the local router must match that used by the server.

  • Values: password—Password to use. To include spaces, enclose the character string in quotation marks.

retry

Specify the number of times that the device is allowed to attempt to contact a RADIUS authentication or accounting server. You can override the retry limit for accounting servers with the accounting-retry statement.

Note:

To successfully set a retry limit for the accounting servers different from the authentication servers, you must configure both the accounting-retry and accounting-timeout statements. If you configure only one of these statements, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.

Note:

The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

  • Values: attempts—Number of times that the router is allowed to attempt to contact a RADIUS server.

  • Range: 1 through 100

  • Default: 3

routing-instance

Configure the routing instance used to send RADIUS packets to the RADIUS server.

  • Values: routing-instance-name—Routing instance name.

source-address

Configure a source address for each configured RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. Support for IPv6 source-address was introduced in Junos OS Release 16.1.

  • Values: source-address—Valid IPv4 or IPv6 address configured on one of the router or switch interfaces. On M Series routers only, the source address can be an IPv6 address and the UDP source port is 514.

timeout

Configure the amount of time that the local device waits to receive a response from RADIUS authentication and accounting servers. You can override the timeout value for accounting servers with the accounting-timeout statement.

Note:

To successfully set a timeout value for the accounting servers different from the authentication servers, you must configure both the accounting-retry and accounting-timeout statements. If you configure only one of these statements, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.

Note:

The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

  • Values: seconds—Amount of time to wait.

  • Range: 1 through 1000 seconds

  • Default: 3 seconds

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
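
The constraints stated in the option descriptions above (value ranges, the 2700-second ceiling on retries times timeout, the rule that accounting-retry and accounting-timeout only take effect together, and a single dynamic-request-port for all servers) can be checked against a planned configuration before commit. The following Python check is an added example, not Juniper code; the dictionary layout, the function names and the 192.0.2.x addresses are assumptions, and it treats an accounting value of 0 as unconfigured.

```python
MAX_RETRY_DURATION = 2700  # seconds: documented ceiling on retries x timeout
RANGES = {  # statement: (low, high, default), all taken from the page
    "retry": (1, 100, 3),
    "timeout": (1, 1000, 3),
    "accounting-retry": (0, 100, 0),
    "accounting-timeout": (0, 1000, 0),
    "max-outstanding-requests": (0, 2000, 1000),
}

def _value(opts, key):
    """Configured value for a statement, or its documented default."""
    return opts.get(key, RANGES[key][2])

def effective_accounting(opts):
    """(retry, timeout) applied to accounting messages for one server."""
    # Assumption: a value of 0 (the "disabled" default) counts as unconfigured.
    if _value(opts, "accounting-retry") and _value(opts, "accounting-timeout"):
        return _value(opts, "accounting-retry"), _value(opts, "accounting-timeout")
    return _value(opts, "retry"), _value(opts, "timeout")

def audit(servers):
    """servers: {address: {statement: value}}; returns a list of findings."""
    findings = []
    for addr, opts in servers.items():
        for key, (low, high, _) in RANGES.items():
            if key in opts and not low <= opts[key] <= high:
                findings.append(f"{addr}: {key} {opts[key]} outside {low}-{high}")
        if bool(opts.get("accounting-retry")) != bool(opts.get("accounting-timeout")):
            findings.append(f"{addr}: lone accounting override is ignored")
        auth = (_value(opts, "retry"), _value(opts, "timeout"))
        for label, (r, t) in (("authentication", auth),
                              ("accounting", effective_accounting(opts))):
            if r * t > MAX_RETRY_DURATION:
                findings.append(f"{addr}: {label} retry duration {r * t}s > 2700s")
    # Every server must use the same dynamic (CoA) request port; 3799 is the default.
    ports = {o.get("dynamic-request-port", 3799) for o in servers.values()}
    if len(ports) > 1:
        findings.append(f"dynamic-request-port differs across servers: {sorted(ports)}")
    return findings

# Constructed sample (documentation addresses, not from the page).
SAMPLE = {
    "192.0.2.10": {"retry": 30, "timeout": 100, "accounting-retry": 5},
    "192.0.2.11": {"accounting-retry": 10, "accounting-timeout": 60,
                   "dynamic-request-port": 50000},
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

In the sample, the first server's lone accounting-retry is ignored, so its accounting messages inherit the 30 x 100 second authentication values and exceed the ceiling as well.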

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced before Junos OS Release 7.4.

max-outstanding-requests introduced in Junos OS Release 11.4.

accounting-retry and accounting-timeout introduced in Junos OS Release 14.1.

dynamic-request-port option added in Junos OS Release 14.2R1 for MX Series routers.

preauthentication-port and preauthentication-secret options added in Junos OS Release 15.1 for MX Series routers.

accounting-port introduced in Junos OS Release 13.2X50-D10 for EX Series switches with support for Enhanced Layer 2 software (ELS). It was introduced in Junos OS without ELS in the following releases: Junos OS Releases 12.3R10, 14.1X53-D25, and 15.1R4 for EX Series switches.

Support for IPv6 server-address introduced in Junos OS Release 16.1.