Overview
Use RADIUS Server to configure an external RADIUS authentication server for user sign-in. The RADIUS settings define the server address, authentication port, shared key, and local user group assigned to authenticated users.
The same settings are available from the CLI through:
config system auth radius
show system auth radius
Typical Uses
Use this topic when the appliance should authenticate users through RADIUS and then map them into a local user group for authorization.
Typical examples:
Show RADIUS settings: show system auth radius
Display from config: config system auth radius
Enable RADIUS:
config system auth radius enable true name corp_radius ip 10.0.0.30 port 1812 key radius_secret default_group administrator
Disable RADIUS:
config system auth radius enable false
Prerequisites
- Confirm that you have administrator permission to change authentication settings.
- Record the current settings with
show system auth radius. - Confirm the RADIUS server address, port, and shared key.
- Create or verify the local default user group before assigning it.
- Keep at least one local administrator account available in case the external server is unreachable.
- Treat the RADIUS shared key and test password as sensitive.
- Use quotes for values that contain spaces.
Workflow
- Open System Settings.
- Choose RADIUS Server.
- Review Enable RADIUS Authorization, server connection settings, shared key, and default group mapping.
- Enter optional one-time test credentials when needed.
- Apply the workflow.
- Verify the saved settings in the web view or with
show system auth radius.
Expected Behavior
The workflow displays the current RADIUS settings and applies the selected changes to the saved authentication configuration.
When Enable RADIUS Authorization is disabled, the configuration is retained but the server is not used for authentication. When enabled, RADIUS authentication depends on the configured server being reachable and accepting the shared key.
Username for Test and Password for Test User are one-time workflow inputs. They are cleared after the workflow completes and are not saved in the RADIUS configuration.
In The Web UI
Review RADIUS Settings
- Open System Settings.
- Choose RADIUS Server.
- Review server name, IP address, port, shared key, and default user group.
- Apply no changes if you only need to inspect the current settings.
Configure RADIUS Authentication
- Set Enable RADIUS Authorization.
- Enter Server Name.
- Enter Server IP Address.
- Set RADIUS Auth. Service Port.
- Enter Key to RADIUS Server.
- Select Default User Group.
- Enter optional one-time test credentials.
- Apply the workflow.
Check From The CLI
Use either command below to display the current RADIUS settings:
config system auth radius
show system auth radius
The config form without additional fields is display-only. It does not modify
the configuration.
CLI Help Reference
Display the RADIUS fields:
config system auth radius ?
Expected fields:
<Enter> - Display current settings
enable - Enable to use RADIUS server to authenticate user
name - Server name
ip - Server IP address
port - RADIUS authentication service port
key - Key used to communicate to RADIUS Service
default_group - Default user group name
test_username - Username for testing, one time usage only, not saved
test_password - Password for the test user
Change From The CLI
Enable RADIUS with a shared key and default group:
config system auth radius enable true name corp_radius ip 10.0.0.30 port 1812 key radius_secret default_group administrator
Change only the server port:
config system auth radius port 1812
Disable RADIUS authentication while retaining the saved server settings:
config system auth radius enable false
Field Reference
| CLI Field | UI Field | Type Or Values | Notes |
|---|---|---|---|
enable |
Enable RADIUS Authorization | Boolean | Enables or disables RADIUS authentication. |
name |
Server Name | String | Operator-facing name for the RADIUS server. |
ip |
Server IP Address | IP address or host string | RADIUS server address. |
port |
RADIUS Auth. Service Port | Integer from 1 to 65536 |
Common RADIUS authentication port is 1812. |
key |
Key to RADIUS Server | String | Shared secret used with the RADIUS server. |
default_group |
Default User Group | Existing local user group | Local authorization group assigned to RADIUS users. |
test_username |
Username for Test (Empty to skip) | String | One-time workflow input; not saved. |
test_password |
Password for Test User | Password string | One-time workflow input; not saved. |
Confirmation And Rollback
Applying the workflow saves the RADIUS configuration. To roll back, reapply the
previous values recorded from show system auth radius.
If RADIUS authentication prevents expected sign-in, use a local administrator account and disable RADIUS with:
config system auth radius enable false
Notes
- RADIUS authentication controls identity verification. Local user groups still control authorization.
test_groupis a workflow section label and is intentionally hidden from CLI help.- Test credentials are one-time values and are cleared after the workflow.
- Keep the shared key out of logs, support tickets, and shared terminal output.
Troubleshooting
RADIUS Users Cannot Sign In
Verify enable, ip, port, and key. Confirm the appliance can reach the
RADIUS server and that the shared key matches the server configuration.
Users Sign In But Have The Wrong Access
Review Default User Group and confirm that the target local user group has the intended workflow access.
The RADIUS Command Is Not Listed
Use config system auth ? and look for radius. The command path is
config system auth radius.
Related Tasks
- Use User Groups to configure authorization for RADIUS users.
- Use User Management to keep a local administrator account available.
- Use Password and Login Rules for local password and login lockout policy.