
Version 4.1 - 5.5.a RADIUS

The RADIUS protocol itself was covered in section 2.0 - so I won't repeat that info here.

Here's a Configuring RADIUS Guide.

So let's start with a basic configlet:

aaa new-model
! the RADIUS server and the shared secret used to sign and verify every packet
radius-server host 10.45.1.2
radius-server key myRaDiUSpassWoRd
! local account used by the "local" methods below
username myadmin password ALongPassword
! PPP users: RADIUS first, local database as fallback (method list "dialins")
aaa authentication ppp dialins group radius local
aaa authorization network default group radius local
! accounting goes only to RADIUS, with start and stop records
aaa accounting network default start-stop group radius
! device logins and exec authorization stay local (method list "admins")
aaa authentication login admins local
aaa authorization exec default local

Yeah, for most of us that's the easy part. Note that if multiple RADIUS servers are configured, the device will query each server starting from the top until it gets a response. If it gets an Access-Reject from the first server, it will not query the second server, since a reject is a valid response; it only moves on to the next server when the current one does not answer at all.


RADIUS Codes (decimal) are assigned as follows:

1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
12 Status-Server (experimental)
13 Status-Client (experimental)
255 Reserved

The Attribute format is made up of a Type-Length-Value (TLV) tuple.

Some of the types include:

1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
18 Reply-Message
19 Callback-Number
20 Callback-Id
26 Vendor-Specific
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
60 CHAP-Challenge

Notice that these are familiar if you've looked at the ISE material. Since these are items that are in the RADIUS packet, you can use these values to create policies.

Here is a Cisco Document on RADIUS Vendor-Specific Attributes (VSA). These are the values you will see in Attribute 26.

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an Authentication, Authorization, and Accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server to reinitialize authentication and apply the new policy.

The following are some of the CoA request commands from the RADIUS server:
●   Session reauthentication
●   Session termination
●   Session termination with port shutdown
●   Session termination with port bounce
●   Session Query

In response to a CoA request from the RADIUS server, the NAS can respond with either a CoA Acknowledgement [CoA-ACK] or a CoA Non-Acknowledgement [CoA-NAK] message.

! accept CoA/Disconnect requests only from this server, authenticated with its key
aaa server radius dynamic-author
 client 172.20.254.4 server-key cisco
 ! default key for any client that does not have its own server-key
 server-key cisco

The "dynamic-author" part of the config is what enables CoA. You will see more on this in later sections.
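To tie the attribute list, the Vendor-Specific attribute and the CoA section together, here is an added example (my own code, not something from the original post or from Cisco) that decodes a RADIUS datagram into the codes and Type-Length-Value attributes listed above, unpacks Attribute 26 into its vendor-id and sub-attributes, and performs the two checks a NAS makes with its shared secrets: the Response Authenticator on an Access-Accept against the radius-server key, and the Request Authenticator on a CoA-Request against the dynamic-author server-key. The code table is extended beyond the list above with the RFC 5176 Disconnect/CoA codes (40-45), and Acct-Session-Id (44, RFC 2866) is added to the attribute table for the CoA sample; every packet, user name, session id and key below is constructed sample data (the keys are simply the ones from the configlets above).

```python
"""RADIUS datagram decoder with NAS-side authenticator checks (added example)."""
import hashlib
import hmac
import struct

# RFC 2865 codes from the list above plus the RFC 5176 Disconnect/CoA codes (40-45).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
         12: "Status-Server", 13: "Status-Client", 40: "Disconnect-Request",
         41: "Disconnect-ACK", 42: "Disconnect-NAK", 43: "CoA-Request",
         44: "CoA-ACK", 45: "CoA-NAK", 255: "Reserved"}
# Attribute types from the list above; 44 Acct-Session-Id (RFC 2866) added for the CoA sample.
ATTRS = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
         5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
         9: "Framed-IP-Netmask", 18: "Reply-Message", 19: "Callback-Number",
         20: "Callback-Id", 26: "Vendor-Specific", 30: "Called-Station-Id",
         31: "Calling-Station-Id", 32: "NAS-Identifier", 44: "Acct-Session-Id",
         60: "CHAP-Challenge"}
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator = 20 bytes


def iter_tlv(data):
    """Yield (type, value) from a run of Type-Length-Value entries. Length counts its
    own two header bytes, so a value under 2 or past the buffer is malformed and the
    whole packet is rejected rather than partially trusted."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def parse_attributes(data):
    """Name each attribute; Vendor-Specific becomes (vendor-id, [(vendor-type, value), ...])."""
    out = []
    for atype, value in iter_tlv(data):
        if atype == 26:
            if len(value) < 4:
                raise ValueError("Vendor-Specific shorter than its vendor-id")
            vendor_id = struct.unpack("!I", value[:4])[0]
            out.append(("Vendor-Specific", (vendor_id, list(iter_tlv(value[4:])))))
        else:
            out.append((ATTRS.get(atype, "Attr-%d" % atype), value))
    return out


def parse_packet(raw):
    """Split a datagram into header fields and attributes; bytes past Length are ignored."""
    if len(raw) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length, auth = HEADER.unpack_from(raw)
    if length < HEADER.size or length > len(raw):
        raise ValueError("Length field %d does not fit the datagram" % length)
    return {"code": CODES.get(code, "Code-%d" % code), "id": ident,
            "authenticator": auth, "attributes": parse_attributes(raw[HEADER.size:length])}


def tlv(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code, ident, auth, attrs):
    """Encode a packet from (type, value-bytes) pairs; used here only to build samples."""
    body = b"".join(tlv(t, v) for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body


def authenticator(packet, secret, seed):
    """MD5(Code + ID + Length + seed + Attributes + Secret). The seed is the request's
    authenticator for a response (RFC 2865) or 16 zero bytes for CoA/Disconnect (RFC 5176)."""
    return hashlib.md5(packet[:4] + seed + packet[HEADER.size:] + secret).digest()


def verify_response(response, request_auth, secret):
    """NAS check on an Accept/Reject/Challenge: a wrong key, a reply to some other
    request, or any tampered attribute changes the digest and the reply is dropped."""
    return hmac.compare_digest(response[4:20], authenticator(response, secret, request_auth))


def verify_coa_request(packet, server_key):
    """NAS check on a CoA/Disconnect request before it touches any session."""
    return hmac.compare_digest(packet[4:20], authenticator(packet, server_key, b"\x00" * 16))


SECRET = b"myRaDiUSpassWoRd"    # radius-server key from the configlet above
COA_KEY = b"cisco"              # dynamic-author server-key from the snippet above
REQUEST_AUTH = bytes(range(16))  # constructed stand-in for the Access-Request authenticator


def sign(code, ident, attrs, secret, seed):
    unsigned = build_packet(code, ident, b"\x00" * 16, attrs)
    return unsigned[:4] + authenticator(unsigned, secret, seed) + unsigned[HEADER.size:]


def sample_access_accept():
    """Accept for myadmin with Service-Type 6 (Administrative-User) and a Cisco
    (vendor-id 9) Cisco-AVPair (vendor-type 1) carried inside Attribute 26."""
    vsa = struct.pack("!I", 9) + tlv(1, b"shell:priv-lvl=15")
    return sign(2, 7, [(1, b"myadmin"), (6, struct.pack("!I", 6)), (26, vsa)], SECRET, REQUEST_AUTH)


def sample_coa_request():
    """CoA-Request naming the session to act on (constructed Acct-Session-Id and NAS address)."""
    return sign(43, 9, [(44, b"00000012"), (4, bytes([10, 45, 1, 1]))], COA_KEY, b"\x00" * 16)


if __name__ == "__main__":
    accept, coa = sample_access_accept(), sample_coa_request()
    print(parse_packet(accept)["code"], verify_response(accept, REQUEST_AUTH, SECRET))
    print(parse_packet(coa)["code"], verify_coa_request(coa, COA_KEY))
```

The point of the two verify functions is the operational one behind the keys in the configlets: a reply whose Response Authenticator does not verify is silently discarded by the NAS, which then looks exactly like a server that never answered, and a CoA-Request that fails the zero-seeded check against the dynamic-author server-key is never applied to a session, which is why that key and the client address list are what actually gate CoA on the device.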

And with that, I'm going to end the RADIUS section. Studying for SIMOS and reading the AAA and ISE books (along with INE videos) I think has adequately prepared me for anything that could come from this section.
