106 BigIron RX Series Configuration Guide 53-1001986-01
Configuring RADIUS security 4

Specifying different servers for individual AAA functions

In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting. You can specify individual servers for authentication and accounting, but not for authorization. You can set the RADIUS key for each server.

To specify different RADIUS servers for authentication, authorization, and accounting:

BigIron RX(config)# radius-server host 1.2.3.4 authentication-only key abc
BigIron RX(config)# radius-server host 1.2.3.5 authorization-only key def
BigIron RX(config)# radius-server host 1.2.3.6 accounting-only key ghi

Syntax: radius-server host | [auth-port acct-port [authentication-only | authorization-only | accounting-only | default] [key ]]

The default parameter causes the server to be used for all AAA functions.

After authentication takes place, the server that performed the authentication is used for authorization or accounting. If the authenticating server cannot perform the requested function, then the next server in the configured list of servers is tried; this process repeats until a server that can perform the requested function is found, or every server in the configured list has been tried.

Setting RADIUS parameters

You can set the following parameters in a RADIUS configuration:

• RADIUS key – This parameter specifies the value that the BigIron RX sends to the RADIUS server when trying to authenticate user access.
• Retransmit interval – This parameter specifies how many times the BigIron RX will resend an authentication request when the RADIUS server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
• Timeout – This parameter specifies how many seconds the BigIron RX waits for a response from a RADIUS server before either retrying the authentication request, or determining that the RADIUS servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.

Setting the RADIUS key

The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over the network. The value for the key parameter on the BigIron RX should match the one configured on the RADIUS server. The key can be from 1 – 32 characters in length and cannot include any space characters.

Use the command to specify a RADIUS server key.

BigIron RX(config)# radius-server key mirabeau

Syntax: radius-server key [0 | 1]

When you display the configuration of the BigIron RX, the RADIUS key is encrypted.

BigIron RX(config)# radius-server key 1 abc
BigIron RX(config)# write terminal
...
radius-server host 1.2.3.5
radius key 1 $!2d
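
What the key does on the wire, shown as an added example that is not taken from the BigIron RX guide: assuming the device follows standard RADIUS (RFC 2865), the key hides only the User-Password attribute and authenticates the server's reply, which is why the value must match on both sides. The function names, the Request Authenticator and the password are constructed for illustration; mirabeau and abc are the sample keys from the commands above.

```python
import hashlib

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def hide_password(password: bytes, key: bytes, request_auth: bytes) -> bytes:
    """Client (NAS) side: RFC 2865 section 5.2 User-Password hiding."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = _md5(key + prev)          # keystream block derived from the key
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, key: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding with the server's own copy of the key."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _md5(key + prev)))
        prev = block
    return clear.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, key: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + key), RFC 2865 section 3."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return _md5(bytes([code, ident]) + length + request_auth + attrs + key)

# Constructed sample values; only the keys come from the page.
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"example-user-password"     # 21 bytes, so two 16-byte blocks

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, b"mirabeau", REQUEST_AUTH)
    print("matching key  :", reveal_password(hidden, b"mirabeau", REQUEST_AUTH))
    print("mismatched key:", reveal_password(hidden, b"abc", REQUEST_AUTH))
    # Access-Accept (code 2) with no attributes: a client following RFC 2865
    # recomputes this value with its own key and discards the reply on mismatch.
    expected = response_authenticator(2, 7, b"", REQUEST_AUTH, b"mirabeau")
    from_wrong_key = response_authenticator(2, 7, b"", REQUEST_AUTH, b"abc")
    print("reply from server with wrong key accepted:", from_wrong_key == expected)
```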