RADIUS - jibingl/CCNA-CCNP GitHub Wiki
| Protocol | Port | Encryption | Use Case |
|---|---|---|---|
| RADIUS | UDP 1812/1813 | Encrypts passwords only | Network access control |
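The "Encrypts passwords only" entry refers to RFC 2865 User-Password hiding: the password is XOR-ed with an MD5 keystream derived from the shared secret and the Request Authenticator, while User-Name and every other attribute travel in plaintext, and replies are bound to the secret by the Response Authenticator. The Python below is an added example, not code from this wiki; the shared secret, user name, password and Request Authenticator are constructed values.

```python
import hashlib
import struct

# Constructed sample values for this example (not from the page).
SECRET = b"lab-shared-secret"   # NAS/server shared secret
REQ_AUTH = bytes(range(16))     # Request Authenticator; real ones are 16 random bytes

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 sec. 5.2: XOR each 16-byte chunk with MD5(secret + previous block),
    # seeded with the Request Authenticator. This is obfuscation, not a MAC.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16 if password else 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of hide_password: what the RADIUS server does on receipt.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    # One attribute: Type, Length (header included), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, req_auth: bytes) -> bytes:
    # Access-Request (Code 1). User-Name (1) is sent in the clear; only
    # User-Password (2) is hidden. Length covers the 20-byte header + attributes.
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the NAS
    # recomputes this to check a reply came from a holder of the shared secret.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()
```

Only a holder of the shared secret can recover the password or produce a valid Response Authenticator, which is why the secret, not the transport, is the protection boundary here.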
## Extensions

| Extension | Port | Introduction |
|---|---|---|
| Change of Authorization (CoA) | UDP 1700 | Allows an active user's or device's session permissions (e.g., VLAN, bandwidth, access level) to be modified dynamically, in real time, without requiring re-authentication. |
## Applications

| Feature | Windows (NPS) | Linux (FreeRADIUS) |
|---|---|---|
| Platform | Windows Server only | Most Linux distributions |
| GUI | Yes | No (CLI + config files) |
| AD Integration | Native | Possible (requires setup) |
| Customizability | Limited | Very high |
| Resource Usage | Moderate to high | Lightweight |
| Licensing | Requires Windows Server license | Free (open-source) |
| Use Case Fit | Enterprise with AD | ISP, universities, cloud, etc. |
## Configuration Example

```
aaa new-model //AAA is required for 802.1X
!
radius server radius.lab.local //Define the RADIUS server
 address ipv4 10.0.0.18 auth-port 1812 acct-port 1813
 //the shared secret is configured here with "key <secret>" (not shown)
aaa group server radius lab-radius //Add the defined RADIUS server into an AAA group
 server name radius.lab.local
!
aaa authentication dot1x default group lab-radius //Defines the default 802.1X authentication method list:
                                                  //dot1x requests are sent to the lab-radius server group.
!
dot1x system-auth-control //Globally enables 802.1X port-based authentication
!
interface GigabitEthernet2
 ip address 172.16.101.1 255.255.255.0
 authentication port-control auto //Enables 802.1X port-based authentication on the interface.
 //auto - enable 802.1X auth; the port begins in the unauthorized state;
 //force-authorized - no 802.1X auth; the port is always in the authorized state;
 //force-unauthorized - no 802.1X auth; the port remains in the unauthorized state.
```